Blocking IP Addresses on Mikrotik

Written by admin on Monday, 26 April 2010 at 1:28 am

For friends who have a Mikrotik router: if you look at the log often, you will probably get annoyed at how many people try to log in to our router. I have experienced this myself; every time I go online, log in to the router and look at the log, there are lots of IPs trying to BRUTE FORCE their way in...

Code:

/ ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=22 src-address-list=ftp_blacklist action=drop

# accept 10 incorrect logins per minute
/ ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

# add to blacklist
/ ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=24h

The code above means that if a client tries to log in 10 times within 1 minute (dst-limit=1/1m,9), then on its tenth login it is put on the blacklist and banned for 24 hours (address-list=ftp_blacklist address-list-timeout=24h). The list name in the add-dst-to-address-list rule has to be the same one the drop rule checks with src-address-list, otherwise the listed addresses are never dropped.

To cover a range of ports, change this part:

CODE

/ ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=22 src-address-list=ftp_blacklist action=drop

so that it becomes:

CODE

/ ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=21-23 src-address-list=ftp_blacklist action=drop

Note: on an internet-café router, do not use port 80, because when a client tries to log in, that client will automatically be unable to browse (based on experience). That is why ports 21-23 are blocked.

Source: xcode.or.id
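The threshold of the rule pair above can be checked against sample timelines before it is deployed. The following Python model is an added example, not code from the original post or from MikroTik; it assumes dst-limit=1/1m,9,dst-address/1m behaves as a per-client token bucket (9 starting tokens, one regained per minute, forgotten after one idle minute), and the client address and timelines are constructed.

```python
from dataclasses import dataclass, field

BURST = 9                # dst-limit=1/1m,9 : bucket size and starting tokens
REFILL_PER_SEC = 1 / 60  # dst-limit=1/1m   : one token regained per minute
EXPIRE = 60              # dst-address/1m   : idle bucket is forgotten after 1 minute
BAN = 24 * 3600          # address-list-timeout=24h


@dataclass
class Router:
    buckets: dict = field(default_factory=dict)    # client ip -> (tokens, last_seen)
    blacklist: dict = field(default_factory=dict)  # client ip -> ban expiry time

    def is_blocked(self, ip, now):
        """Drop rule: source is on the address list and the entry has not timed out."""
        return self.blacklist.get(ip, 0) > now

    def failed_login(self, ip, now):
        """Handle one outgoing '530 Login incorrect' reply addressed to ip."""
        tokens, last = self.buckets.get(ip, (BURST, now))
        if now - last >= EXPIRE:          # bucket expired: start again with a full burst
            tokens = BURST
        else:
            tokens = min(BURST, tokens + (now - last) * REFILL_PER_SEC)
        if tokens >= 1:                   # accept rule matches, reply passes untouched
            self.buckets[ip] = (tokens - 1, now)
            return "accept"
        self.buckets[ip] = (tokens, now)  # limit exceeded: next rule lists the client
        self.blacklist[ip] = now + BAN
        return "blacklisted"


def first_blacklisted(times, ip="198.51.100.7"):
    """1-based index of the failed login that gets ip listed, or None."""
    router = Router()
    for n, t in enumerate(times, start=1):
        if router.failed_login(ip, t) == "blacklisted":
            return n
    return None


if __name__ == "__main__":
    # Constructed timelines in seconds: a rapid guessing run, then a user with typos.
    print(first_blacklisted(range(0, 24, 2)))  # 10
    print(first_blacklisted([0, 5, 10]))       # None
```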


Category: Hotspot

Simple DMZ on Mikrotik

Written by taryana on Friday, 9 April 2010 at 3:11 pm

# ether1 IP: 202.162.211.5
# ether2 IP (to client): 192.168.1.253
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.253 to-ports=80 protocol=tcp dst-address=202.162.211.5 dst-port=80


Category: Linux

Limiting Downloads on Mikrotik

Written by taryana on Friday, 9 April 2010 at 3:09 pm

-------------------------------------------
;;; Limit Download Exstension 128kbps ;;;
-------------------------------------------

/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.srt
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.mp3
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.mp4
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.m4v
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.m2ts
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.mpeg
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.flv
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.mkv
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.bup
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.wmv
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.wma
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.mpg
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.fla
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.wmz
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.arf
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.001
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.fil
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.scb
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.mood
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.rar
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.tar.gz
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.tar.bz2
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.exe
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.253.0/24 address-list=limit-exstension address-list-timeout=1h content=.zip

-------------------------------------------

/ip firewall mangle add chain=forward action=mark-packet new-packet-mark=limit-bandwidth-exstension passthrough=yes protocol=tcp src-address-list=limit-exstension

-------------------------------------------

/queue simple add name="download-file-exstension" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=limit-bandwidth-exstension direction=both priority=4 queue=default-small/default-small limit-at=128k/128k max-limit=128k/128k burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

-------------------------------------------
The simple queue is to be placed on the topmost row.

Source: http://www.forummikrotik.com/


Category: Linux

Simple DMZ with iptables on Debian

Written by taryana on Friday, 9 April 2010 at 3:08 pm

# 125.163.64.xxx = router IP --> eth0
# 192.168.0.87 = local computer IP --> eth1
# 212 = forwarded port
EXTIF=eth0

iptables -t nat -A PREROUTING -p tcp -i "$EXTIF" -d 125.163.64.xxx --dport 212 -j DNAT --to-destination 192.168.0.87:212
iptables -A FORWARD -p tcp -i "$EXTIF" -d 192.168.0.87 --dport 212 -j ACCEPT


Category: Linux, Networking

A Few Words

This blog is just a set of technical notes taken from problems encountered and how they were solved, containing quotations, edits, or the results of personal experiments, intended for myself in particular and for the public as handwritten notes to remind me if at some point I forget or need them; hopefully it helps. Regards, taryan