Planning Internet Cafe With Speedy internet Connection

Tuesday, December 25, 2007

Using PC LINUX and router Mikrotik

Network Schema 192.168.1.2/29

Modem 4 Port ----------Mikrotik ---Hub-------Client 192.168.0.0/24

192.168.1.1/29 192.168.0.254/24

Linux proxy
192.168.1.3/29

A. Router Mikrotik Configuration

a. Interface

/ interface ethernet
set Local name="Local" mtu=1500 mac-address=00:50:DA:5F:AB:16 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set Public name="Public" mtu=1500 mac-address=00:A0:D2:11:C2:79 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no

b. ARP

/ ip arp
add address=192.168.0.7 mac-address=00:19:21:14:4A:E7 interface=Local \
comment="" disabled=no
add address=192.168.0.4 mac-address=00:E0:4D:2F:81:6E interface=Local \
comment="" disabled=no
add address=192.168.0.1 mac-address=00:1B:B9:57:79:75 interface=Local \
comment="" disabled=no
add address=192.168.0.6 mac-address=00:E0:4D:2F:4D:F3 interface=Local \
comment="" disabled=no
add address=192.168.0.11 mac-address=00:1B:B9:57:7E:31 interface=Local \
comment="" disabled=no
add address=192.168.0.2 mac-address=00:E0:4D:2F:81:6D interface=Local \
comment="" disabled=no
add address=192.168.0.5 mac-address=00:19:21:DD:90:F4 interface=Local \
comment="" disabled=no
add address=192.168.0.10 mac-address=00:1B:B9:95:EB:6D interface=Local \
comment="" disabled=no
add address=192.168.0.253 mac-address=00:1A:92:56:79:5E interface=Local \
comment="" disabled=no
add address=192.168.1.1 mac-address=00:18:6E:CA:4F:2E interface=Public \
comment="" disabled=no
add address=192.168.1.3 mac-address=00:1B:11:66:2A:69 interface=Public \
comment="" disabled=no
c. DNS ISP
/ ip dns
set primary-dns=192.168.1.3 secondary-dns=202.134.0.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

d. IP address

/ ip address
add address=192.168.1.2/29 network=192.168.1.0 broadcast=192.168.1.7 \
interface=Public comment="" disabled=no
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=Local comment="" disabled=no

e. Mangle

/ ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 protocol=icmp \
action=mark-connection new-connection-mark=ICMP-CM passthrough=yes \
comment="ToS" disabled=no
add chain=prerouting connection-mark=ICMP-CM action=mark-packet \
new-packet-mark=ICMP-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay \
comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=tcp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 protocol=udp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment="" disabled=no
add chain=prerouting connection-mark=DNS-CM action=mark-packet \
new-packet-mark=DNS-PM passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay \
comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="Services" \
disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection \
new-connection-mark=ym_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ym_conn action=mark-packet \
new-packet-mark=ym passthrough=no comment="" disabled=no
add chain=prerouting protocol=udp dst-port=27015 action=mark-connection \
new-connection-mark=cs_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=cs_conn action=mark-packet \
new-packet-mark=cs passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6667-7000 action=mark-connection \
new-connection-mark=irc_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=irc_conn action=mark-packet \
new-packet-mark=irc passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection \
new-connection-mark=mt_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=mt_conn action=mark-packet \
new-packet-mark=mt passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=email_conn action=mark-packet \
new-packet-mark=email passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=22 action=mark-connection \
new-connection-mark=ssh_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ssh_conn action=mark-packet \
new-packet-mark=ssh passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=500-3127 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-6665 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-65535 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=500-3127 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3129-6665 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=7001-65535 action=mark-connection \
new-connection-mark=games_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=games_conn action=mark-packet \
new-packet-mark=games passthrough=no comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/24 action=mark-packet \
new-packet-mark=Naik passthrough=no comment="Up Traffic" disabled=no
add chain=forward src-address=192.168.0.0/24 action=mark-connection \
new-connection-mark=Koneksi passthrough=yes comment="Conn-Mark" \
disabled=no
add chain=forward in-interface=Public connection-mark=Koneksi \
action=mark-packet new-packet-mark=Turun passthrough=no \
comment="Down-Direct Connection" disabled=no
add chain=output out-interface=Local dst-address=192.168.0.0/24 \
action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Via \
Proxy" disabled=no
f. ip nat

/ ip firewall nat
add chain=srcnat out-interface=Public action=masquerade comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 \
dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \
to-ports=8080 comment="Pakai Proxy Linux" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 \
dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \
to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \
dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \
to-ports=8080 comment="" disabled=no
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 \
action=redirect to-ports=8080 comment="Tanpa proxy Linux" disabled=yes
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 \
action=redirect to-ports=8080 comment="" disabled=yes
add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \
action=redirect to-ports=8080 comment="" disabled=yes

g. filter

/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
esatblished connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related \
connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input in-interface=!Public action=accept comment="Allow connection \
to router from local network" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
address-list=knock address-list-timeout=15s comment="" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock \
action=add-src-to-address-list address-list=safe address-list-timeout=15m \
comment="" disabled=no
add chain=input connection-state=established action=accept comment="accept \
established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related \
connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid \
packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and \
drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to \
chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain \
services" disabled=no
add chain=input dst-address-type=broadcast action=accept comment="Allow \
Broadcast Traffic" disabled=no
add chain=input action=log log-prefix="Filter:" comment="" disabled=no
add chain=input action=accept comment="Allow access to router from known \
network" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="" \
disabled=no
add chain=input src-address=192.168.5.0/29 action=accept comment="" \
disabled=no
add chain=input src-address=192.168.4.0/29 action=accept comment="" \
disabled=no
add chain=input src-address=63.219.6.0/24 action=accept comment="" disabled=no
add chain=input src-address=125.0.0.0/8 action=accept comment="" disabled=no
add chain=input action=drop comment="drop everything else" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" \
disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="Port \
scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="SYN/FIN \
scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="SYN/RST \
scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping \
port scanners" disabled=no
add chain=forward connection-state=established action=accept comment="allow \
established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow \
related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid \
connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" \
disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus \
chain" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop Invalid \
connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop \
comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow \
already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow \
related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" \
disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" \
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" \
disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" \
disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" \
disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny \
NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" \
disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny \
BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" \
disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" \
disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny \
BackOriffice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop \
invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow \
established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow \
already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow \
source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow \
echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow \
time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow \
parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=input connection-state=established action=accept comment="Accept \
established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related \
connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow \
limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" \
disabled=no
add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for secure \
shell" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox" \
disabled=no
add chain=input src-address=159.148.172.192/28 action=accept comment="From \
Mikrotikls network" disabled=no
add chain=input src-address=192.168.0.0/24 action=accept comment="From our \
private LAN" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything \
else" disabled=no
add chain=tcp protocol=tcp p2p=all-p2p action=drop comment="deny DHCP" \
disabled=no
add chain=tcp src-address=192.168.0.2 protocol=tcp dst-port=3133 p2p=all-p2p \
action=drop comment="deny BackOriffice" disabled=no
h. ip firewaal address list
/ ip firewall address-list
add list=servergames address=202.93.20.201 comment="" disabled=no
i.queue type

/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="default-small" kind=pfifo pfifo-limit=10
add name="pcq-download" kind=pcq pcq-rate=384000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=64000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000

j.queue tree

/ queue tree
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="downstream" parent=Local packet-mark=Turun limit-at=0 \
queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="upstream" parent=global-in packet-mark=Naik limit-at=0 \
queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
k. queue simple

/ queue simple
add name="Fantasy.net" dst-address=0.0.0.0/0 interface=Local parent=none \
priority=1 queue=default/default limit-at=0/786000 max-limit=0/786000 \
total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default time=0s-0s, p2p=fasttrack \
disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default time=0s-0s, disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default p2p=fasttrack disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/60000 total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 queue=default/default \
limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/48000 total-queue=default p2p=all-p2p disabled=no
add name="Server" target-addresses=192.168.0.253/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \
queue=ethernet-default/ethernet-default limit-at=0/16000 \
max-limit=8000/120000 total-queue=default disabled=yes

B. LINUX Proxy

a. vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:1B:11:66:2A:69
IPADDR=192.168.1.3
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet

b. Routing Proxy Ke Modem

[root@proxies squid]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0

169.254.0.0 * 255.255.0.0 U 0 0 0 eth0

default . 192.168.1.1 UG 0 0 0 eth0

c. named.conf

tambahkan opsi fowarder di named.conf

// query-source address * port 53;
forwarders {
203.130.193.74;
202.134.0.155;
202.134.2.5;
};

};

d. resolve.conf

[root@proxies squid]# cat /etc/resolv.conf
nameserver 192.168.1.1
nameserver 203.130.193.74
nameserver 202.134.0.155
nameserver 202.134.2.5

e. Squid.conf

http_port 8080
#icp_port 3130

icp_query_timeout 0
maximum_icp_query_timeout 5000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ? localhost
acl QUERY urlpath_regex cgi-bin \? localhost

### Opsi Cache
cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
ipcache_size 10240
ipcache_low 98
ipcache_high 99
fqdncache_size 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

### Opsi Tuning Squid
refresh_pattern -i \.(swfpngjpgjpegbmptiffpnggif) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(movmpgmpegflvavimp33gpsiswma) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i \.(zipraracebzbz2targzexe) 43200 90% 129600 reload-into-ims override-lastmod
refresh_pattern -i (.*html$.*htm.*shtml.*aspx.*asp) 43200 90% 1440 reload-into-ims override-lastmod
refresh_pattern -i \.(classcssjsgifjpg)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(jpejpegpngbmptif)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(tiffmovaviqtmpeg)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(mpgmpewavaumid)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(zipgzarjlhalzh)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(rartgztarexebin)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(hqxpdfrtfdocswf)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(inccabadtxtdll)$ 10080 100% 43200 override-expire
refresh_pattern -i \.(aspacgiplshtmlphp3php)$ 2 20% 4320 reload-into-ims
refresh_pattern ^http://*.google.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*korea.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.akamai.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.plasa.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.telkom.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://www.friendster.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.yimg.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.gmail.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^http://*.detik.*/.* 720 100% 4320 reload-into-ims override-lastmod
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

### Direktori cache
#cache_dir aufs /cache 20000 16 256
#cache_dir diskd /cache 7000 16 256 Q1=72 Q2=88
cache_dir aufs /cache 50000 16 256

### Log
cache_access_log /var/log/squid/access.log
logfile_rotate 1
cache_log none
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
log_fqdn off
log_icp_queries off

### DNS server
dns_nameservers 127.0.0.1

quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98%
negative_ttl 15 minute
positive_dns_ttl 24 hours
negative_dns_ttl 5 minutes
range_offset_limit 0 KB

### Opsi Timeout
connect_timeout 1 minute
peer_connect_timeout 5 seconds
read_timeout 30 minute
request_timeout 1 minute
#client_lifetime 10 hour
half_closed_clients off
pconn_timeout 15 second
shutdown_lifetime 15 second

### Opsi ACL
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl client src 192.168.1.0/29
acl tidakbebasdownload time 08:00-22:00
acl porn url_regex -i /usr/local/squid/etc/bokep.txt time 08:00-22:00
acl noporn url_regex -i /usr/local/squid/etc/nobokep.txt time 08:00-22:00
acl file_terlarang url_regex -i hot_indonesia.exe
acl file_terlarang url_regex -i hotsurprise_id.exe
acl file_terlarang url_regex -i best-mp3-download.exe
acl file_terlarang url_regex -i R32.exe
acl file_terlarang url_regex -i rb32.exe
acl file_terlarang url_regex -i mp3.exe
acl file_terlarang url_regex -i HOTSEX.exe
acl file_terlarang url_regex -i Browser_Plugin.exe
acl file_terlarang url_regex -i DDialer.exe
acl file_terlarang url_regex -i od-teen
acl file_terlarang url_regex -i URLDownload.exe
acl file_terlarang url_regex -i od-stnd67.exe
acl file_terlarang url_regex -i Download_Plugin.exe
acl file_terlarang url_regex -i od-teen52.exe
acl file_terlarang url_regex -i malaysex
acl file_terlarang url_regex -i edita.html
acl file_terlarang url_regex -i info.exe
acl file_terlarang url_regex -i run.exe
acl file_terlarang url_regex -i Lovers2Go
acl file_terlarang url_regex -i GlobalDialer
acl file_terlarang url_regex -i WebDialer
acl file_terlarang url_regex -i britneynude
acl file_terlarang url_regex -i download.exe
acl file_terlarang url_regex -i backup.exe
acl file_terlarang url_regex -i GnoOS2003
acl file_terlarang url_regex -i wintrim.exe
acl file_terlarang url_regex -i MPREXE.EXE
acl file_terlarang url_regex -i exengd.EXE
acl file_terlarang url_regex -i xxxvideo.exe
acl file_terlarang url_regex -i Save.exe
acl file_terlarang url_regex -i ATLBROWSER.DLL
acl file_terlarang url_regex -i NawaL_rm
acl file_terlarang url_regex -i Socks32.dll
acl file_terlarang url_regex -i Sc32Lnch.exe
acl file_terlarang url_regex -i dat0.exe
acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800
acl block url_regex -i \.(aiffasfavidifdivxmovmoviemp3mpe?g?mpv2oggra?msndqtwavwmfwmv)$
acl local-domain dstdomain localhost
acl Bad_ports port 7 9 11 19 22 23 25 53 110 119 513 514
acl Safe_ports port 21 70 80 210 443 488 563 591 777 1025-65535
acl Virus urlpath_regex winnt/system32/cmd.exe?
acl connect method CONNECT
acl post method POST
acl ssl method CONNECT
acl purge method PURGE
acl IpAddrProbeUA browser ^Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$
acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$
no_cache deny QUERY manager

http_access allow manager IIX Safe_ports
http_access allow client
http_access deny porn !noporn
http_access deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL
http_access deny file_terlarang
http_access deny all

### Paramater Administratif
cache_mgr support@fantasy.war.net.id
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.fantasy.war.net.id

### Opsi Akselerator
memory_pools off
forwarded_for on
log_icp_queries off
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
reload_into_ims on
pipeline_prefetch on
vary_ignore_expire on
max_open_disk_fds 100
nonhierarchical_direct on
prefer_direct off

### Pendukung Transparan Proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

### Membatasi Besar File untuk download
reply_body_max_size 3512000 allow client block tidakbebasdownload

### SNMP
#snmp_port 3401
#acl snmppublic snmp_community public
#snmp_access allow all

header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
header_access Accept deny all
header_replace Accept */*
header_access Accept-Language deny all
header_replace Accept-Language id, en

f. firewall tambahan di proxy

#05-12-05
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 16 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 16 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 17 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 17 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j REJECT

/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 110 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 123 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 123 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j REJECT

/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i input_interface -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP

/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 199 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 199 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 119 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 119 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 111 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 111 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 411 -j DROP
/sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 411 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT
/sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT

Have nice try this tips.

Labels: , ,

0 comments: