
SETTING UP THE FIREWALL ON MIKROTIK

A firewall is a system, implemented in software or hardware, that protects, restricts, and blocks clients so that they cannot access certain resources. A firewall is also used to prevent and minimize attacks from outside and to protect the local network from them. MikroTik RouterOS has several firewall features, including:

  • IP protocols
  • packet content
  • packet arrival time
  • peer-to-peer protocols filtering
  • traffic classification by:
  • rate at which packets arrive and sequence numbers
  • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
  • port or port range
  • stateful packet inspection
  • protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
  • interface the packet arrived from or left through
  • internal flow and connection marks
  • DSCP byte
  • Layer-7 protocol detection
  • packet size
  • source MAC address
  • etc.

The use of the firewall on MikroTik follows from the goals above. This article covers a firewall configuration that has the following effects:

  1. The MikroTik router can be accessed via FTP, SSH, Web, and Winbox only from the IPs defined in the address-list, so it cannot be accessed from just anywhere.
  2. Ports commonly exploited by viruses are blocked so that virus traffic cannot pass through. Note, however, that if a user has trouble accessing a particular service, check chain="virus" to see whether the port that user needs is blocked by the firewall.
  3. Ping packets are limited to avoid excess pings.

First, create an address-list containing the radio IP, LAN IP, and WAN IP addresses. This example uses the following IPs:
Radio IP 192.168.0.0/16
LAN IP 11.11.10.0/24
WAN IP 172.168.2.0/24

The following scripts create this firewall:

1. Create the firewall address-list script

/ip firewall address-list
add list=alurdatanet address=192.168.0.0/16 comment="IP Radio" disabled=no
add list=alurdatanet address=11.11.10.0/24 comment="LAN" disabled=no
add list=alurdatanet address=172.168.2.0/24 comment="Datautama" disabled=no

2. Create the firewall filter script

/ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no

add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no

add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no

add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no

add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no

add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no

add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no

add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no

add chain=virus protocol=tcp dst-port=593 action=drop comment="" disabled=no

add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" disabled=no

add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no

add chain=virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no

add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no

add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no

add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no

add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no

add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no

add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no

add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no

add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no

add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no

add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no

add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no

add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no

add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no

add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no

add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no

add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no

add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru" disabled=yes

add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no

add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no

add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no

add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no

add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot,Agobot,Gaobot" disabled=no

add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no

add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no

add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no

add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no

add chain=input protocol=udp action=accept comment="UDP" disabled=no

add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no

add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no

add chain=input protocol=tcp dst-port=21 src-address-list=alurdatanet action=accept comment="FTP" disabled=no

add chain=input protocol=tcp dst-port=22 src-address-list=alurdatanet action=accept comment="SSH for secure shell" disabled=no

add chain=input protocol=tcp dst-port=23 src-address-list=alurdatanet action=accept comment="Telnet" disabled=no

add chain=input protocol=tcp dst-port=80 src-address-list=alurdatanet action=accept comment="Web" disabled=no

add chain=input protocol=tcp dst-port=8291 src-address-list=alurdatanet action=accept comment="winbox" disabled=no

add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" disabled=no

add chain=input src-address-list=alurdatanet action=accept comment="From Datautama" disabled=no

add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no

add chain=input action=drop comment="Drop everything else" disabled=no
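
Because the input chain ends with a drop-everything rule, a management rule whose src-address-list names a list that was never created matches nothing, and the router can no longer be reached on that port. The checker below is an added example, not part of the original script: it assumes the layout used above (a menu line followed by add lines), and the sample script with its list names mgmt and admins is constructed.

```python
import re

# Constructed sample script (not from the page): the list names "mgmt" and
# "admins" and the 192.0.2.0/24 range are placeholders.
SAMPLE = '''\
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="LAN"
/ip firewall filter
add chain=forward action=jump jump-target=virus
add chain=virus protocol=tcp dst-port=445 action=drop comment=”Worm”
add chain=input protocol=tcp dst-port=8291 src-address-list=admins action=accept
add chain=input action=drop
'''

def lint(script):
    """Return sorted (line_no, message) findings for a RouterOS script."""
    menu, lists, chains = "", set(), set()
    jumps, list_refs, findings = [], [], []
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.search("[\u201c\u201d]", line):
            findings.append((no, 'typographic quote, RouterOS needs a plain "'))
        if line.startswith("/"):  # menu line such as "/ ip firewall filter"
            menu = re.sub(r"\s+", " ", line.lstrip("/ "))
            continue
        params = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        if menu == "ip firewall address-list" and "list" in params:
            lists.add(params["list"])
        elif menu == "ip firewall filter":
            chains.add(params.get("chain"))
            if params.get("action") == "jump":
                jumps.append((no, params.get("jump-target")))
            for key in ("src-address-list", "dst-address-list"):
                if key in params:
                    list_refs.append((no, params[key]))
    # Cross-check references only after the whole script has been read.
    for no, name in list_refs:
        if name not in lists:
            findings.append((no, f"address-list '{name}' is never defined"))
    for no, target in jumps:
        if target not in chains:
            findings.append((no, f"jump-target '{target}' has no rules"))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

Run it on the script text before pasting it into the router terminal; an empty result means every referenced address-list and jump target exists in the same script.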

That is the firewall script I am sharing this time; I hope it helps, and good luck trying it out.

Source code from friends at DutaUtama 🙂
