Hal-hal tersebut berkaitan sekali dengan firewall. Untuk sebuah router yang baru diinstall bisa ditambahkan kan rule-rule dasar sebagai berikut :
/ ip firewall filter
add chain=input connection-state=established action=accept comment=”accept established connection packets” disabled=no
add chain=input connection-state=related action=accept comment=”accept related connection packets” disabled=no
add chain=input connection-state=invalid action=drop comment=”drop invalid packets” disabled=no
rule tersebut hanya membolehkan koneksi yang valid saja dan men-drop koneksi yang tidak valid.
add chain=input src-address-list=ournetwork action=accept comment="Allow access from known network" disabled=no
rule tersebut membolehkan akses dari ip tertentu yang telah dimasukkan di address-list bernama ournetwork
Apakah sudah cukup dengan rule-rule diatas saja?. Banyak sekali hal-hal yang perlu diantisipasi. Seperti serangan-serangan dari luar misal ping flood, DoS dan port scanning, dll. Bila kita cari lewat search engine, banyak sekali contoh-contoh mikrotik firewall. Namun perlu hati-hat, langsung copy-paste belum tentu bisa berjalan di router kita
referensi : wiki.mikrotik.com
Berikut contoh firewall untuk mengamankan mikrotik :
/ ip firewall filter
add chain=input protocol=tcp dst-port=1337 action= add-src-to-address-list address-list=knock address-list-timeout=15s comment=”” disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action= add-src-to-address-list address-list=safe address-list-timeout=15m comment=”” disabled=no
add chain=input connection-state=established action=accept comment=”accept established connection packets” disabled=no
add chain=input connection-state=related action=accept comment=”accept related connection packets” disabled=no
add chain=input connection-state=invalid action=drop comment=”drop invalid packets” disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment=”detect and drop port scan connections” disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment=”suppress DoS attack” disabled=no
add chain=input protocol=tcp connection-limit=10,32 action= add-src-to-address-list address-list=black_list address-list-timeout=1d comment=”detect DoS attack” disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment=”jump to chain ICMP” disabled=no
add chain=input action=jump jump-target=services comment=”jump to chain services” disabled=no
add chain=input dst-address-type=broadcast action=accept comment=”Allow Broadcast Traffic” disabled=no
add chain=input action=log log-prefix=”Filter:” comment=”” disabled=no
add chain=input src-address=63.219.6.0/24 action=accept comment=”Allow access to router from known network”
add chain=input src-address=192.168.168.0/24 action=accept
add chain=input src-address=192.168.60.0/26 action=accept
add chain=input action=drop comment=”drop everything else” disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment=”0:0 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment=”3:3 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment=”3:4 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment=”8:0 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment=”11:0 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp action=drop comment=”Drop everything else” disabled=no
add chain=services src-address-list=127.0.0.1 dst-address=127.0.0.1 action=accept comment=”accept localhost” disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment=”allow MACwinbox ” disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment=”Bandwidth server” disabled=yes
add chain=services protocol=udp dst-port=5678 action=accept comment=” MT Discovery Protocol” disabled=no
add chain=services protocol=tcp dst-port=161 action=accept comment=”allow SNMP” disabled=no
add chain=services protocol=tcp dst-port=179 action=accept comment=”Allow BGP” disabled=yes
add chain=services protocol=udp dst-port=5000-5100 action=accept comment=”allow BGP” disabled=yes
add chain=services protocol=udp dst-port=123 action=accept comment=”Allow NTP” disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment=”Allow PPTP” disabled=yes
add chain=services protocol=gre action=accept comment=”allow PPTP and EoIP” disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept comment=”allow DNS request” disabled=no
add chain=services protocol=udp dst-port=53 action=accept comment=”Allow DNS request” disabled=no
add chain=services protocol=udp dst-port=1900 action=accept comment=”UPnP” disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment=”UPnP” disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment=”allow DHCP” disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment=”allow Web Proxy” disabled=yes
add chain=services protocol=ipencap action=accept comment=”allow IPIP” disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment=”allow https for Hotspot” disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment=”allow Socks for Hotspot” disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment=”allow IPSec connections” disabled=yes
add chain=services protocol=ipsec-esp action=accept comment=”allow IPSec” disabled=yes
add chain=services protocol=ipsec-ah action=accept comment=”allow IPSec” disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment=”allow RIP” disabled=yes
add chain=services protocol=ospf action=accept comment=”allow OSPF” disabled=yes
add chain=services action=return comment=”” disabled=no
add chain=forward connection-state=established comment=”allow established connections”
add chain=forward connection-state=related comment=”allow related connections”
add chain=forward connection-state=invalid action=drop comment=”drop invalid connections”
add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop Messenger Worm”
add chain=virus protocol=tcp dst-port=445 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=udp dst-port=445 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=tcp dst-port=593 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom”
add chain=virus protocol=tcp dst-port=1214 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=1363 action=drop comment=”ndm requester”
add chain=virus protocol=tcp dst-port=1364 action=drop comment=”ndm server”
add chain=virus protocol=tcp dst-port=1368 action=drop comment=”screen cast”
add chain=virus protocol=tcp dst-port=1373 action=drop comment=”hromgrafx”
add chain=virus protocol=tcp dst-port=1377 action=drop comment=”cichlid”
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=”Worm”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus”
add chain=virus protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Drop Beagle.C-K”
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment=”Drop MyDoom”
add chain=virus protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor OptixPro”
add chain=virus protocol=tcp dst-port=4444 action=drop comment=”Worm”
add chain=virus protocol=udp dst-port=4444 action=drop comment=”Worm”
add chain=virus protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser”
add chain=virus protocol=tcp dst-port=6881-6889 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B”
add chain=virus protocol=tcp dst-port=9898 action=drop comment=”Drop Dabber.A-B”
add chain=virus protocol=tcp dst-port=10000 action=drop comment=”Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=10080 action=drop comment=”Drop MyDoom.B”
add chain=virus protocol=tcp dst-port=12345 action=drop comment=”Drop NetBus”
add chain=virus protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2″
add chain=virus protocol=tcp dst-port=27374 action=drop comment=”Drop SubSeven”
add chain=virus protocol=tcp dst-port=65506 action=drop comment=”Drop PhatBot, Agobot, Gaobot”
add chain=forward action=jump jump-target=virus comment=”jump to the virus chain”
add chain=forward protocol=icmp comment=”allow ping”
add chain=forward protocol=udp comment=”allow udp”
add chain=forward src-address=63.219.6.0/24 action=accept comment=”Allow access to internet from known network”
add chain=forward src-address=192.168.60.0/26 action=accept
add chain=forward src-address=192.168.168.0/24 action=accept
add chain=forward action=drop comment=”drop everything else”
No comments:
Post a Comment
Terima kasih atas komentar yang anda sampaikan , sehingga dapat menambah wawasan saya sebagai penulis dan membuat blog ini semakin berguna banyak orang