Just Documentation :
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”deny DHCP”
add chain=tcp protocol=tcp dst-port=69 action=drop comment=”deny TFTP”
add chain=tcp protocol=tcp dst-port=111 action=drop comment=”deny RPC portmapper”
add chain=tcp protocol=tcp dst-port=135 action=drop comment=”deny RPC portmapper”
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”deny NBT”
add chain=tcp protocol=tcp dst-port=445 action=drop comment=”deny cifs”
add chain=tcp protocol=tcp dst-port=593 action=drop comment=”________”
add chain=tcp protocol=tcp dst-port=1024-1030 action=drop comment=”________”
add chain=tcp protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom”
add chain=tcp protocol=tcp dst-port=1214 action=drop comment=”________”
add chain=tcp protocol=tcp dst-port=1363 action=drop comment=”ndm requester”
add chain=tcp protocol=tcp dst-port=1364 action=drop comment=”ndm server”
add chain=tcp protocol=tcp dst-port=1368 action=drop comment=”screen cast”
add chain=tcp protocol=tcp dst-port=1373 action=drop comment=”hromgrafx”
add chain=tcp protocol=tcp dst-port=1377 action=drop comment=”cichlid”
add chain=tcp protocol=tcp dst-port=1433-1434 action=drop comment=”Worm”
add chain=tcp protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus”
add chain=tcp protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y”
add chain=tcp protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle”
add chain=tcp protocol=tcp dst-port=2745 action=drop comment=”Drop Beagle.C-K”
add chain=tcp protocol=tcp dst-port=3127-3128 action=drop comment=”Drop MyDoom”
add chain=tcp protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor OptixPro”
add chain=tcp protocol=tcp dst-port=4444 action=drop comment=”Worm”
add chain=tcp protocol=tcp dst-port=2049 action=drop comment=”deny NFS”
add chain=tcp protocol=tcp dst-port=3133 action=drop comment=”deny BackOriffice”
add chain=tcp protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser”
add chain=tcp protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B”
add chain=tcp protocol=tcp dst-port=9898 action=drop comment=”Drop Dabber.A-B”
add chain=tcp protocol=tcp dst-port=10000 action=drop comment=”Drop Dumaru.Y”
add chain=tcp protocol=tcp dst-port=10080 action=drop comment=”Drop MyDoom.B”
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”deny NetBus”
add chain=tcp protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2″
add chain=tcp protocol=tcp dst-port=20034 action=drop comment=”deny NetBus”
add chain=tcp protocol=tcp dst-port=27374 action=drop comment=”Drop SubSeven”
add chain=tcp protocol=tcp dst-port=65506 action=drop comment=”Drop PhatBot, Agobot, Gaobot”
add chain=udp protocol=udp dst-port=4444 action=drop comment=”Worm”
add chain=udp protocol=udp dst-port=69 action=drop comment=”deny TFTP”
add chain=udp protocol=udp dst-port=111 action=drop comment=”deny PRC portmapper”
add chain=udp protocol=udp dst-port=135 action=drop comment=”deny PRC portmapper”
add chain=udp protocol=udp dst-port=137-139 action=drop comment=”deny NBT”
add chain=udp protocol=udp dst-port=2049 action=drop comment=”deny NFS”
add chain=udp protocol=udp dst-port=3133 action=drop comment=”deny BackOriffice”
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment=”drop invalid connections”
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment=”allow established connections”
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment=”allow already established connections”
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment=”allow source quench”
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment=”allow echo request”
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment=”allow time exceed”
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment=”allow parameter bad”
add chain=icmp action=drop comment=”deny all other types”
Kamis, 11 September 2008
Block List Port for Mikrotik
Label: MikroTik
Diposting : yudhadewa di 16.20.00 0 coment-ar
Redirect Mikrotik ke SquidBox
Translasi dari command ip-tables pada linux ke mikrotik (sumber command syntax linux dari : http://tldp.org/HOWTO/TransparentProxy-6.html)
Method pertama :
- iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp –dport 80 -j DNAT –to squid-box:3128
- iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT –to iptables-box
- iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp –dport 3128 -j ACCEPT
Spesifikasi :
- Squid Box : 192.168.1.1, Mikrotik: 192.168.1.254
- Mikrotik versi 2.9.27
- LAN : ether1, Internet : ether2
Translasi ke mikrotik method pertama :
- Pada table NAT :
- tambahkan dst-nat, src-address = !192.168.1.1 protocol=tcp dst-port=80 in-interface=ether1 action=dstnat to-addresses=192.168.1.1 to-port=3128
- tambahkan src-nat, src-address=192.168.1.0/24 out-interface=ether1 action=srcnat to-addresses=192.168.1.254 to-port=0-65535
- tambahkan filter rules chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.1 dst-port=3128 in-interface=ether1 out-interface=ether2 action=accept
Method kedua :
- iptables -t mangle -A PREROUTING -j ACCEPT -p tcp –dport 80 -s squid-box
- iptables -t mangle -A PREROUTING -j MARK –set-mark 3 -p tcp –dport 80
- ip rule add fwmark 3 table 2
- ip route add default via squid-box dev eth1 table 2
- Next, squid-box. Use this command, which should look remarkably similar to a command we’ve seen previously.
- iptables -A PREROUTING -t nat -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 3128
Translasi ke mikrotik method kedua :
- Pada table mangle, tambahkan chain=prerouting protocol=tcp dst-port=80 action=mark routing new routing mark=mark80
- Pada table filter, tambahkan chain=forward routing mark=mark80 action=accept
- Pada IP-Route, tambahkan destination=0.0.0.0/0 gateway=192.168.1.1 mark=mark80 distance=1 interface=ether1
- Untuk di Squid Box silakan sesuai dengan firewall yang anda gunakan, saya menggunakan shorewall, cukup menambahkan di file /etc/shorewall/ruless -> REDIRECT local 3128 tcp www - !192.168.1.1
data sub:
-----------------------------------------------------------------------------------
http://cangkirkopi.wordpress.com/2007/07/30/redirect-mikrotik-ke-squidbox/
Label: MikroTik
Diposting : yudhadewa di 16.17.00 0 coment-ar
Transparent Proxy Mikrotik Server
asumsikan bahwa transparent proxy sudah berjalan normal pada Proxy Server
1. Table NAT ( IP > Firewall > NAT )
dst-nat, src-address = !192.168.0.254 protocol=tcp dst-port=80 in-interface=ether2 action=dstnat to-addresses=192.168.0.254 to-port=3128
src-nat, src-address=192.168.0.0/24 out-interface=ether2 action=srcnat to-addresses=192.168.0.1 to-port=0-65535
2. Table Filter Rules
chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.254 dst-port=3128 in-interface=ether2 out-interface=ether1 action=accept
dengan script ini akhirnya transparent proxy tanpa menggunakan fitur proxy Mikrotik dapat berjalan dengan sempurna.
Label: MikroTik
Diposting : yudhadewa di 16.15.00 0 coment-ar
Firewall Untuk Proxy DansGuardian
Bagi anda yang membutuhkan firewall bersama DansGuardian. Dapat menginstalasi script berikut.
Siapkan port ke Firewall. Bagian ini memang sifatnya optional, tapi sangat di sarankan. Copy perintah berikut ke file /etc/network/if-up.d/iptables-config
#!/bin/bash
iptables -F
# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# to allow incoming SSH and Proxy
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp -s 127.0.0.1 --dport 3128 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 8080 -j ACCEPT
# drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
Pastikan iptables-config dapat di execute / jalankan
# chmod +x /etc/network/if-up.d/iptables-config
Label: Linux
Diposting : yudhadewa di 16.07.00 0 coment-ar
Install SSH, Squid cache & DansGuardian
Install SSH, Squid cache & DansGuardian
# apt-get install openssh-server squid dansguardian
Konfigurasi DansGuardian
# vi /etc/dansguardian/dansguardian.conf
Lakukan
- Jika IP address Server adalah, 192.168.0.1. Ubah
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
menjadi
accessdeniedaddress = 'http://192.168.0.1/cgi-bin/dansguardian.pl'
- Buang / comment kalimat "UNCONFIGURED - Please remove this line after configuration" setelah semua proses konfigurasi selesai.
- Ubah variabel 'virusscan' menjadi off, jika anda belum menyiapkan ClamAV untuk DansGuardian. Biasanya di Ubuntu, ClamAV akan terinstall bersama dengan DansGuardian.
Jika anda menggunakan ClamAV, pastikan ClamAV meng-update database yang terbaru menggunakan perintah
# freshclam
Aktifkan SSH, DansGuardian, & Squid cache saat startup
# update-rc.d ssh defaults
# update-rc.d squid defaults
# update-rc.d dansguardian defaults
Restart
# /etc/init.d/networking restart
# /etc/init.d/squid restart
# /etc/init.d/dansguardian restart
selesai
Setup di Sisi Client
Pastikan proxy server di arahkan ke
IP address Server DansGuardian
Port 8080
Label: Linux
Diposting : yudhadewa di 16.06.00 0 coment-ar