ROUTEROS 学习笔记
ROUTEROS Firewall设置
CODE:
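# Connection tracking must be on for the connection-state matches below to work.
# Short UDP/ICMP timeouts keep the state table small under floods.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m
/ ip firewall filter
# input = traffic addressed to the router itself; rules are matched top-down,
# first terminating match wins.
# The router never serves Windows RPC/NetBIOS (135-139): drop outright.
add chain=input protocol=tcp dst-port=135-139 action=drop
add chain=input protocol=udp dst-port=135-139 action=drop
# Fast path for connections the router already tracks, plus loopback.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept
# Packets conntrack cannot attribute to a connection, packets not for a local
# address, and packets with a non-unicast (broadcast/multicast) source.
add chain=input connection-state=invalid action=drop
add chain=input dst-address-type=!local action=drop
add chain=input src-address-type=!unicast action=drop
# Port-scan detection: psd=weight-threshold,delay,low-port-weight,high-port-weight.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop
# More than 10 concurrent TCP connections from one source (/32) to the router
# puts that source on black_list for one day.
# NOTE(review): a LAN admin host with several Winbox/ssh/www sessions can trip
# this too; put an accept for trusted admin addresses above it if that happens.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d
# Black-listed sources keep at most 3 connections; anything beyond is tarpitted
# (handshake completes, connection is never served, attacker's resources are tied up).
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit
# ICMP: only echo reply (0), destination-unreachable port (3:3) and
# fragmentation-needed (3:4), echo request (8) and time-exceeded (11), each
# rate-limited to 5/s with burst 5, in all three chains; the three catch-all
# rules drop every other ICMP type. 3:4 must stay open or path-MTU discovery breaks.
add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=input protocol=icmp action=drop
add chain=output protocol=icmp action=drop
add chain=forward protocol=icmp action=drop
# Default deny for the router itself (added). A RouterOS filter chain ends in an
# implicit accept, so without these two rules every service on the router
# (winbox, ssh, telnet, www, ftp, api, ...) stays reachable from the WAN.
# Only the LAN may reach the router: change 192.168.0.0/24 to the real LAN range
# BEFORE applying, and add explicit accepts above the final drop for anything
# else that terminates on the router (VPN, management from fixed remote
# addresses), or you lock yourself out.
add chain=input src-address=192.168.0.0/24 action=accept comment="LAN to router"
add chain=input action=drop comment="default deny for the router"
# NOTE(review): the forward chain has no established/related accept and no
# default drop either. That is usually harmless behind masquerade, but if public
# addresses are routed straight into the LAN it leaves the LAN wide open; confirm
# the NAT setup.
/ ip firewall service-port
# Conntrack/NAT helpers (ALGs). Each parses application payload to open extra
# ports through NAT and can be abused for exactly that; enable only protocols
# actually in use.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set mms disabled=no
set gre disabled=no
set pptp disabled=no
/ip firewall mangle
# Clamp TCP MSS on transit SYNs so sessions behind a sub-1500 MTU uplink do not
# hang on large packets.
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440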
说明:
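# Connection tracking must be on for the connection-state matches below to work.
# Short UDP/ICMP timeouts keep the state table small under floods.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m
# + Firewall section +
#
/ ip firewall filter
# Block ports 135-139 (Windows RPC/NetBIOS) - no explanation needed
add chain=input protocol=tcp dst-port=135-139 action=drop comment="drop Port"
add chain=input protocol=udp dst-port=135-139 action=drop
# + Packets addressed to the router itself (input chain, matched top-down) +
#
# Allow already-established connections and their related ones
add chain=input connection-state=established action=accept comment="input"
add chain=input connection-state=related action=accept
# Allow the router to talk to itself over loopback
add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept
# Drop packets conntrack cannot attribute to any connection
add chain=input connection-state=invalid action=drop
# Drop packets whose destination is not a local address
add chain=input dst-address-type=!local action=drop
# Drop packets with a non-unicast (broadcast/multicast) source
add chain=input src-address-type=!unicast action=drop
# + Security-related +
#
# Many packets from one address to ever-changing ports in a short time = port scan
# (psd=weight-threshold,delay,low-port-weight,high-port-weight)
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="..."
# More than 10 concurrent TCP connections from one source (/32) = treated as DoS,
# black-listed for a day.
# NOTE(review): a LAN admin host with several Winbox/ssh/www sessions can trip
# this too; put an accept for trusted admin addresses above it if that happens.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d disabled=no
# Black-listed sources may hold only 3 concurrent connections; the rest are tarpitted
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit disabled=no
# + ICMP +
#
# Allow what ping / tracert need (echo 0 and 8, unreachable 3:3 and 3:4,
# time-exceeded 11) at 5/s burst 5; every other ICMP type is dropped.
# 3:4 (fragmentation needed) must stay open or path-MTU discovery breaks.
add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=input protocol=icmp action=drop
add chain=output protocol=icmp action=drop
add chain=forward protocol=icmp action=drop
# + Default deny for the router itself (added) +
# A RouterOS filter chain ends in an implicit accept, so without these two rules
# every service on the router (winbox, ssh, telnet, www, ftp, api, ...) stays
# reachable from the WAN. Only the LAN may reach the router: change
# 192.168.0.0/24 to the real LAN range BEFORE applying, and add explicit accepts
# above the final drop for anything else that terminates on the router (VPN,
# management from fixed remote addresses), or you lock yourself out.
add chain=input src-address=192.168.0.0/24 action=accept comment="LAN to router"
add chain=input action=drop comment="default deny for the router"
# NOTE(review): the forward chain has no established/related accept and no
# default drop either; usually harmless behind masquerade, but if public
# addresses are routed straight into the LAN it leaves the LAN wide open.
# Confirm the NAT setup.
/ ip firewall service-port
# Conntrack/NAT helpers (ALGs). Each parses application payload to open extra
# ports through NAT and can be abused for exactly that; enable only protocols
# actually in use.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set mms disabled=no
set gre disabled=no
set pptp disabled=no
# + MSS clamping +
# Must be set, otherwise some web pages never load (large packets get black-holed
# when the uplink MTU is below 1500)
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440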
一些封禁名单。。。
/ ip firewall address-list
# not_in_internet: source ranges that must never arrive from the public side
# (zeronet, RFC1918 10/8 and 172.16/12, link-local, loopback, multicast/class E/
# broadcast via 224.0.0.0/3).
# NOTE(review): no rule on this page references this list; it only takes effect
# once something like a WAN-side "src-address-list=not_in_internet action=drop"
# rule is added. 192.168.0.0/16 (the LAN range used elsewhere on this page) is
# missing - add it only if the list is matched on the WAN interface alone,
# otherwise LAN traffic would be dropped.
add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no
add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no
add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no
# Prohibits: individual hosts of P2P / streaming services (vagaa, PP, pipicn).
# Also unreferenced by any rule shown here, and these single addresses date from
# a 2008 post - verify before relying on them.
add list=Prohibits address=218.83.153.93 comment="pipicn.com" disabled=no
add list=Prohibits address=61.129.75.206 comment="hot.vagaa.com" disabled=no
add list=Prohibits address=193.138.221.214 comment="vagaa" disabled=no
add list=Prohibits address=218.201.43.106 comment="help.vagaa.com" disabled=no
add list=Prohibits address=58.17.4.26 comment="PP" disabled=no
add list=Prohibits address=220.194.55.102 comment="PP" disabled=no
add list=Prohibits address=202.107.233.211 comment="PP" disabled=no
/ ip firewall service-port
# Conntrack/NAT helpers (ALGs): here only ftp, quake3 and mms stay enabled.
# Every enabled helper parses payload to open extra ports through NAT and can be
# abused for that, so this trimmed set is the safer one; disable mms/quake3 too
# if nobody on the LAN needs them.
set ftp disabled=no
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=yes
set h323 disabled=yes
set quake3 disabled=no
set mms disabled=no
set gre disabled=yes
set pptp disabled=yes
2.9X系列:
限线程脚本:
# Per-host connection cap: one forward rule for each LAN address 192.168.0.2-254,
# dropping a host's TCP traffic once it holds more than 50 connections.
# connection-limit=50,32 already counts per /32 source, so a single rule with
# src-address=192.168.0.0/24 caps every host the same way (it additionally
# covers .0, .1 and .255, which this loop skips). Must be pasted as ONE line.
:for aaa from 2 to 254 do={/ip firewall filter add chain=forward src-address=(192.168.0. . $aaa) protocol=tcp connection-limit=50,32 action=drop}
限速脚本:
# One simple queue per address 192.168.2.2-254, named queue2..queue254, each
# capped at 32000000 bit/s upload/download with no guaranteed minimum (limit-at=0/0).
# NOTE(review): this line targets 192.168.2.x and 32 Mbit/s while the explanation
# under it speaks of 192.168.0.x and 2000000 - make them match your LAN.
# Must be pasted as ONE line.
:for aaa from 2 to 254 do={/queue simple add name=(queue . $aaa) dst-address=(192.168.2. . $aaa) limit-at=0/0 max-limit=32000000/32000000}
说明:
脚本为一行不是两行
aaa是变量
2 to 254是2~254
192.168.0. . $aaa是IP（注意：上面限速脚本里写的是 192.168.2.，请按自己的网段改成一致）
上两句加起来是192.168.0.2~192.168.0.254的意思
connection-limit=50是单个 IP 允许的并发 TCP 连接数,这里为50（后面的 ,32 表示按 /32 即按单个源地址分别计数）
max-limit=32000000/32000000是上行/下行的最大速率,单位 bit/s（脚本中是 32000000 约 32Mbps,原文写的 2000000 与脚本不符,以脚本为准）
使用:
WinBox-System-Scripts-+
Name(脚本名程)
Source(脚本)
OK-选择要运行的脚本-Run Script
查看:
限线程:WinBox-IP-Firewall-Filter Rules(看是否已经填加进来)
限速:WinBox-Queues-Simple Queues(看是否已经填加进来)
限速脚本:
# Same queue script as above: one simple queue per address 192.168.2.2-254,
# 32000000 bit/s up/down each, no guaranteed minimum (limit-at=0/0).
# NOTE(review): targets 192.168.2.x while the explanation below says 192.168.0.x,
# and 32000000 while the explanation says 2000000 - pick one. Paste as ONE line.
:for aaa from 2 to 254 do={/queue simple add name=(queue . $aaa) dst-address=(192.168.2. . $aaa) limit-at=0/0 max-limit=32000000/32000000}
说明:
脚本为一行不是两行
aaa是变量
2 to 254是2~254
192.168.0. . $aaa是IP（注意：上面限速脚本里写的是 192.168.2.，请按自己的网段改成一致）
上两句加起来是192.168.0.2~192.168.0.254的意思
connection-limit=50是单个 IP 允许的并发 TCP 连接数,这里为50（该参数属于上面的限线程脚本,限速脚本里没有）
max-limit=32000000/32000000是上行/下行的最大速率,单位 bit/s（脚本中是 32000000,原文写的 2000000 与脚本不符,以脚本为准）
用WINBOX登入ROS2.9X系列版本 到“NEW TERMINAL ”处输入以上的命令就行了。注意脚本变量的就行了
比较实用ROS路由限速脚本
ROS路由限速脚本!!
先看一个脚本:
# One simple queue per address 192.168.0.2-254: max-limit 1638400/819200 bit/s
# (upload/download), allowed to burst up to 3276800/819200 as long as the
# average over the last burst-time (30 s) stays below burst-threshold
# 1474560/819200. limit-at=0/0 = no guaranteed minimum. Paste as ONE line.
:for aaa from 2 to 254 do={/queue simple add name=(queue . $aaa) dst-address=(192.168.0. . $aaa) limit-at=0/0 max-limit=1638400/819200 burst-limit=3276800/819200 burst-threshold=1474560/819200 burst-time=30/30}
脚本为一行不是两行
aaa是变量,你可以改成你想要的..但是要注意,前后三个,一定要相同!
2 to 254是2~254 这个我刚刚开始看不明白,因为我是中国人嘛…不学E文
192.168.0. . $aaa是IP 详细的说…192.168.0.空格.空格$变量名上两句加起来是192.168.0.2~192.168.0.254的意思
(queue . $aaa)=(你要在simple queues 显示的规则名前缀.空格.空格$aaa)
下来的就是这了
Limit-at=0/0 是保证带宽（上行/下行的最低保证速率），0 表示不做保证；真正限制上限的是 max-limit。一般保持 0/0 即可。
max-limit=1638400/819200 是最大的上行/下行速度
burst-limit=3276800/819200 是突破速度的最大值,这些网上有查的.
burst-threshold=1474560/819200 是突发（burst）的阈值：burst-time 内的平均速率低于它时才允许突发到 burst-limit
burst-time=30/30 突破速度的时间,这为30秒.
下面这个一看就明白了就不多说了
1KB=1024B
1Byte=8bit
公式 KB*1024*8=?
以上脚本意为
192.168.0.2~192.168.0.254 IP段内IP在30秒内平均速率小于突发阈值（burst-threshold）时,
最大下载速度可以超出最大速度值,并达到最大突破速度值,
如果30秒内平均值大于突破速度阀值时,IP速度最大值为
你所设置的max-limit值
使用:WinBox-System-Scripts-按+号Name(弄个好记的名字)
Source(把你按照上面说的,写好的脚本,粘贴下去)
OK-选择你刚刚起的名字-按Run Script
再看下 WinBox-queues- simple queues 是不是显示有一大堆,以你设置的规则名前缀+变量IP号的规则?如果是,那恭喜你成功了!
__________________________________________________________________________________________________
用WinBox登陆RouterOS,Tools---Torch
在Torch选项卡上点击[start]就可以看到了
用RouterOS查看局域网每个IP流量的方法。注意 TX/RX 是相对所选接口而言的：在 LAN 口上 Torch 时，TX（路由器发往内网）就是内网主机的下行速度，RX 就是上行速度；在 WAN 口上则刚好相反。
______________________________________________________________________________________________________
小包策略(研究)
/ ip firewall mangle
# MSS clamp on transit SYNs (same rule as in the firewall section).
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440
# Mark P2P connections, then mark their packets "p2p" and everything else "general".
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no
# Size-based marks. NOTE(review): every rule here is passthrough=yes and
# mark-packet overwrites the previous packet mark, so any 32-1200 byte packet
# ends up "small" or "big" regardless of the p2p/general mark set just above;
# the p2p queues below only ever see packets outside that size range. The two
# ranges also both include 512, so a 512-byte packet ends up "big". The heading
# calls this a study draft - rework before relying on it.
add chain=forward packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no
add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no
/ queue tree
# Assumes interfaces named "wan" and "lan". p2p traffic: 2 Mbit/s guaranteed,
# 6 Mbit/s max in each direction. ClassA caps everything on lan at 100 Mbit/s;
# ClassB and the leaves use max-limit=0 (no own limit, bounded by the parent).
# Priority runs 1 (highest) .. 8 (lowest): small packets (5) beat big (6) beat
# general (7) beat p2p (8) when the parent is saturated.
add name="p2p1" parent=wan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="p2p2" parent=lan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassA" parent=lan packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf1" parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf2" parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf3" parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
————————————————————————————————————————————————————
1。单电信线路用不到电信路由表。
2。防火墙:只能举个例子给,看个人理解了
# Example: drop TCP 135-139 aimed at the router itself (input = packets addressed to the router).
add chain=input protocol=tcp dst-port=135-139 action=drop
在input(联入)链中加入一条规则,丢弃所有TCP协议上的135-139端口的数据包。
# Example of the forward chain's reach: drops all transit traffic to TCP/80, i.e. every LAN host loses plain-HTTP access. Shown to explain chains, not to deploy.
add chain=forward protocol=tcp dst-port=80 action=drop
输入这个规则,则所有机器都无法访问外网的80端口,也就是基本打不开网页了。
3。ROS的管理分为本地控制台管理,远程telnet,winbox,ssh的管理。比较常用的是winbox,图形化简单易上手,推荐使用。注意 telnet 是明文协议,口令会在网上裸传,建议在 /ip service 里关掉 telnet,并把 winbox/ssh 的访问限制在内网地址。
4。常见的ROS问题就是ARP攻击导致掉线。
-------------------------------------------------------------------------------------------------------
防ddos攻击（注：下面两条实际上是对 X 接口做源地址过滤——只放行内网网段、其余一律丢弃，防的是内网伪造源地址，并不能抵御真正的 DDoS）:
# Ingress filter on interface X: accept only packets whose source is in the LAN
# subnet, drop everything else arriving on X. This is anti-spoofing for the LAN
# side, not DDoS protection. NOTE(review): as pasted these rules carry no chain=;
# supply chain=forward (and chain=input as needed) when adding them.
add src-address=192.168.0.0/24 in-interface=X action=accept comment="ddos_X" disabled=no
add in-interface=X action=drop comment="" disabled=no
限制bt等p2p的连接数(可选)
# Drop new P2P TCP connections from the LAN once the limit is exceeded.
# NOTE(review): connection-limit normally takes count,netmask (e.g. 80,32 for a
# per-host cap) and the comment string says 20 while the parameter says 80 -
# pick one. tcp-options=syn-only is RouterOS 2.9 syntax (later versions use
# tcp-flags=syn). No chain= is given here either.
add src-address=192.168.0.0/24 protocol=tcp tcp-options=syn-only p2p=all-p2p action=drop connection-limit=80 comment="limit \
p2p conn=20" disabled=no
如果你看谁不顺眼可以在防ddos前加上他的mac让他上不了网(一定在ddos前加)
# Block one LAN host by MAC. Must sit above the interface accept rule (first match
# wins). A MAC is trivially changed on the client, so treat this as a convenience,
# not a security control.
add src-mac-address=XX:XX:XX:XX:XX:XX action=drop disabled=no
记住,防火墙规则是自上而下逐条匹配的,数据包一旦命中 accept/drop/reject/tarpit 这类终结动作,后面的规则就不再执行;像 log、passthrough 这类非终结动作命中后仍会继续往下匹配。所以规则的先后顺序很关键。
对于封的端口,你可以根据你自己的判断来增减端口,比如你不让所有的人浏览网页,就封80端口,不让所以的人上qq,就封掉qq的端口


本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u1/52542/showart_489913.html