Sunday, May 29, 2011

Mikrotik firewall dasar

Setelah selesai menginstall router mikrotik, demi keamanan selain mengatur user dan password baru, biar lebih aman lagi kita atur juga akses ke router. Apa saja yang boleh masuk dan keluar ke router kita. Kita gak mau kan ada apa-apa dengan router kesayangan kita ini  . Anggap saja router adalah rumah kita. Bolehkah orang masuk dengan bebas ataukah harus sesuai dengan ijin kita.

Hal-hal tersebut berkaitan sekali dengan firewall. Untuk sebuah router yang baru diinstall bisa ditambahkan kan rule-rule dasar sebagai berikut :
/ ip firewall filter
add chain=input connection-state=established action=accept comment=”accept established connection packets” disabled=no
add chain=input connection-state=related action=accept comment=”accept related connection packets” disabled=no
add chain=input connection-state=invalid action=drop comment=”drop invalid packets” disabled=no

rule tersebut hanya membolehkan koneksi yang valid saja dan men-drop koneksi yang tidak valid.
add chain=input src-address-list=ournetwork action=accept comment="Allow access from known network" disabled=no


rule tersebut membolehkan akses dari ip tertentu yang telah dimasukkan di address-list bernama ournetwork
Apakah sudah cukup dengan rule-rule diatas saja?. Banyak sekali hal-hal yang perlu diantisipasi. Seperti serangan-serangan dari luar misal ping flood, DoS dan port scanning, dll. Bila kita cari lewat search engine, banyak sekali contoh-contoh mikrotik firewall. Namun perlu hati-hat,  langsung copy-paste belum tentu bisa berjalan di router kita


referensi : wiki.mikrotik.com

Berikut contoh firewall untuk mengamankan mikrotik :
/ ip firewall filter
add chain=input protocol=tcp dst-port=1337 action= add-src-to-address-list  address-list=knock address-list-timeout=15s comment=”” disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action= add-src-to-address-list address-list=safe  address-list-timeout=15m comment=”” disabled=no

add chain=input connection-state=established action=accept comment=”accept established connection packets” disabled=no
add chain=input connection-state=related action=accept comment=”accept related connection packets” disabled=no
add chain=input connection-state=invalid action=drop comment=”drop invalid packets” disabled=no

add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment=”detect and drop port scan connections” disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment=”suppress DoS attack” disabled=no
add chain=input protocol=tcp connection-limit=10,32 action= add-src-to-address-list address-list=black_list  address-list-timeout=1d comment=”detect DoS attack” disabled=no

add chain=input protocol=icmp action=jump jump-target=ICMP comment=”jump to chain ICMP” disabled=no
add chain=input action=jump jump-target=services comment=”jump to chain services” disabled=no

add chain=input dst-address-type=broadcast action=accept comment=”Allow Broadcast Traffic” disabled=no

add chain=input action=log log-prefix=”Filter:” comment=”” disabled=no

add chain=input src-address=63.219.6.0/24 action=accept comment=”Allow access to router from known network”
add chain=input src-address=192.168.168.0/24 action=accept
add chain=input src-address=192.168.60.0/26 action=accept
add chain=input action=drop comment=”drop everything else” disabled=no

add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment=”0:0 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment=”3:3 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment=”3:4 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment=”8:0 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment=”11:0 and limit for 5pac/s” disabled=no
add chain=ICMP protocol=icmp action=drop comment=”Drop everything else” disabled=no

add chain=services src-address-list=127.0.0.1 dst-address=127.0.0.1 action=accept comment=”accept localhost” disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment=”allow MACwinbox ” disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment=”Bandwidth server” disabled=yes
add chain=services protocol=udp dst-port=5678 action=accept comment=” MT Discovery Protocol” disabled=no
add chain=services protocol=tcp dst-port=161 action=accept comment=”allow SNMP” disabled=no
add chain=services protocol=tcp dst-port=179 action=accept comment=”Allow BGP” disabled=yes
add chain=services protocol=udp dst-port=5000-5100 action=accept comment=”allow BGP” disabled=yes
add chain=services protocol=udp dst-port=123 action=accept comment=”Allow NTP” disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment=”Allow PPTP” disabled=yes
add chain=services protocol=gre action=accept comment=”allow PPTP and EoIP” disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept comment=”allow DNS request” disabled=no
add chain=services protocol=udp dst-port=53 action=accept comment=”Allow DNS request” disabled=no
add chain=services protocol=udp dst-port=1900 action=accept comment=”UPnP” disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment=”UPnP” disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment=”allow DHCP” disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment=”allow Web Proxy” disabled=yes
add chain=services protocol=ipencap action=accept comment=”allow IPIP” disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment=”allow https for Hotspot” disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment=”allow Socks for Hotspot” disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment=”allow IPSec connections” disabled=yes
add chain=services protocol=ipsec-esp action=accept comment=”allow IPSec” disabled=yes
add chain=services protocol=ipsec-ah action=accept comment=”allow IPSec” disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment=”allow RIP” disabled=yes
add chain=services protocol=ospf action=accept comment=”allow OSPF” disabled=yes
add chain=services action=return comment=”” disabled=no

add chain=forward connection-state=established comment=”allow established connections”
add chain=forward connection-state=related comment=”allow related connections”
add chain=forward connection-state=invalid action=drop comment=”drop invalid connections”

add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop Messenger Worm”
add chain=virus protocol=tcp dst-port=445 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=udp dst-port=445 action=drop comment=”Drop Blaster Worm”
add chain=virus protocol=tcp dst-port=593 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom”
add chain=virus protocol=tcp dst-port=1214 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=1363 action=drop comment=”ndm requester”
add chain=virus protocol=tcp dst-port=1364 action=drop comment=”ndm server”
add chain=virus protocol=tcp dst-port=1368 action=drop comment=”screen cast”
add chain=virus protocol=tcp dst-port=1373 action=drop comment=”hromgrafx”
add chain=virus protocol=tcp dst-port=1377 action=drop comment=”cichlid”
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=”Worm”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus”
add chain=virus protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Drop Beagle.C-K”
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment=”Drop MyDoom”
add chain=virus protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor OptixPro”
add chain=virus protocol=tcp dst-port=4444 action=drop comment=”Worm”
add chain=virus protocol=udp dst-port=4444 action=drop comment=”Worm”
add chain=virus protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser”
add chain=virus protocol=tcp dst-port=6881-6889 action=drop comment=”________”
add chain=virus protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B”
add chain=virus protocol=tcp dst-port=9898 action=drop comment=”Drop Dabber.A-B”
add chain=virus protocol=tcp dst-port=10000 action=drop comment=”Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=10080 action=drop comment=”Drop MyDoom.B”
add chain=virus protocol=tcp dst-port=12345 action=drop comment=”Drop NetBus”
add chain=virus protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2″
add chain=virus protocol=tcp dst-port=27374 action=drop comment=”Drop SubSeven”
add chain=virus protocol=tcp dst-port=65506 action=drop comment=”Drop PhatBot, Agobot, Gaobot”

add chain=forward action=jump jump-target=virus comment=”jump to the virus chain”

add chain=forward protocol=icmp comment=”allow ping”
add chain=forward protocol=udp comment=”allow udp”
add chain=forward src-address=63.219.6.0/24 action=accept comment=”Allow access to internet from known network”
add chain=forward src-address=192.168.60.0/26 action=accept
add chain=forward src-address=192.168.168.0/24 action=accept
add chain=forward action=drop comment=”drop everything else”

No comments:

Post a Comment

Terima kasih atas komentar yang anda sampaikan , sehingga dapat menambah wawasan saya sebagai penulis dan membuat blog ini semakin berguna banyak orang