Wednesday, 11 July 2012

Blocking ICMP "Mikrotik"


# Cara blok ICMP pada Mikrotik #
Tambahkan skrip di bawah ini ke New Terminal, lalu tekan Enter.
# Drop, for traffic passing *through* the router (chain=forward), the two
# ICMP replies that traceroute collects, so hosts behind the router cannot
# map the path beyond it.
#   11:0 = time exceeded in transit (the per-hop reply)
#   3:3  = destination unreachable / port unreachable (final-hop reply of a
#          UDP traceroute). Because the match is on the ICMP type/code only,
#          this also suppresses port-unreachable errors for every forwarded
#          UDP flow, so a UDP request to a closed port waits for its timeout
#          instead of failing fast.
# Select the filter menu once, then add the rules (same effect as writing
# the full "/ip firewall filter add ..." path on each line).
/ip firewall filter
add chain=forward protocol=icmp icmp-options=11:0 action=drop \
       comment="ngeDrop Traceroute dari client"
add chain=forward protocol=icmp icmp-options=3:3 action=drop \
       comment="ngeDrop Traceroute dari client"

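#Blok Ip Spam (bogon filtering)
# Drop forwarded packets whose source or destination address should never
# appear on a routed link:
#   0.0.0.0/8    "this network" (only meaningful as a source on the local link)
#   127.0.0.0/8  loopback
#   224.0.0.0/3  multicast (224.0.0.0/4) plus the reserved 240.0.0.0/4 range,
#                including 255.255.255.255; note this also drops any
#                multicast you might deliberately want to route.
# The bare "add" commands only work inside the filter menu; without the
# menu line below they fail at the root prompt when pasted into a terminal
# (the ICMP rules earlier in this post used the full path).
/ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop \
       comment="bogon: this-network source"
add chain=forward dst-address=0.0.0.0/8 action=drop \
       comment="bogon: this-network destination"
add chain=forward src-address=127.0.0.0/8 action=drop \
       comment="bogon: loopback source"
add chain=forward dst-address=127.0.0.0/8 action=drop \
       comment="bogon: loopback destination"
add chain=forward src-address=224.0.0.0/3 action=drop \
       comment="bogon: multicast/reserved source"
add chain=forward dst-address=224.0.0.0/3 action=drop \
       comment="bogon: multicast/reserved destination"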

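# Bloking TCP
# These rules live in a custom chain named "tcp". A custom chain is only
# evaluated for packets that a jump rule sends to it, so on their own they
# never match anything. Add a jump from the built-in chain you want to
# protect (input for the router itself, forward for traffic through it),
# for example:
#   add chain=input protocol=tcp action=jump jump-target=tcp
# The bare "add" commands need the filter menu selected first.
/ip firewall filter
add chain=tcp protocol=tcp dst-port=69 action=drop \
       comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop \
       comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop \
       comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
       comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop \
       comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
# NOTE(review): Back Orifice's well-known port is 31337, not 3133 — confirm
# which port this rule is meant to cover before relying on it.
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
# DHCP runs over UDP, so this TCP rule is harmless but matches nothing real;
# a UDP 67-68 rule in the "udp" chain is what would actually block DHCP.
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"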

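# Bloking UDP
# Custom chain "udp": like the "tcp" chain, it is only evaluated for
# packets sent here by a jump rule, e.g.
#   add chain=input protocol=udp action=jump jump-target=udp
# (use forward instead of, or as well as, input for transit traffic).
# Rule labels now match the TCP chain ("RPC", not "PRC").
# The bare "add" commands need the filter menu selected first.
/ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
# NOTE(review): Back Orifice's well-known port is 31337, not 3133 — confirm
# which port this rule is meant to cover before relying on it.
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"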

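#allow ICMP
# Custom chain "icmp": an explicit allow-list of ICMP types with a final
# drop. Like the other custom chains it only runs for packets a jump rule
# sends here, e.g.
#   add chain=input protocol=icmp action=jump jump-target=icmp
# The rule comments were corrected to describe what each rule matches
# (the originals labelled the echo-reply and unreachable accepts as
# "drop invalid" / "allow established", which is misleading in the
# firewall listing).
# The bare "add" commands need the filter menu selected first.
/ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
       comment="allow echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
       comment="allow net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
       comment="allow host unreachable"
# 3:4 (fragmentation needed, DF set) is what path-MTU discovery relies on.
# Without this accept the final drop rule black-holes it and large TCP
# transfers through the router can stall.
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
       comment="allow fragmentation needed (PMTUD)"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
       comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
       comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
       comment="allow time exceed"
# Nothing may follow the backslash: the original had "\ " (backslash then
# a space), which ends the command there and leaves "comment=..." on the
# next line as a separate, invalid command.
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
       comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"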
