
Bloqueo P2P Capa 7

/ip firewall layer7-protocol


# Layer-7 matcher for BitTorrent: the peer-wire handshake (\x13bittorrent
# protocol), Azureus "azver", tracker scrape/announce and BitComet/"GET /data"
# HTTP requests, the bencoded "d1:ad2:id20:" DHT prefix and a uTP marker.
# This is a quoted RouterOS string, so regexp backslashes are doubled
# (\\x13 -> \x13, \\\? -> \?) and "$" is written \$ to stop variable expansion.
# The trailing "\" at the end of each line is the export line continuation and
# is removed when the string is read back.
# Caveat: per MikroTik's documentation the layer7 engine only inspects the first
# packets / ~2 KB of a connection and is CPU-intensive; rules that use this
# matcher belong after the established/related accepts and will not see
# encrypted (MSE/PE) torrent traffic.
add comment="Bloqueo Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
RP]"

/ip firewall filter


# Tag LAN hosts (10.10.11.0/24) that are seen talking BitTorrent, unless they are
# in the "allow-bit" address list (src-address-list=!allow-bit). Matching sources
# are placed in "Torrent-Conn" for the 2m address-list-timeout; these two rules
# only classify, the drop rules in the next block do the blocking.
# Rule 1 uses the layer7-bittorrent-exp matcher defined above.
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=10.10.11.0/24 src-address-list=\
!allow-bit
# Rule 2 uses the built-in p2p matcher.
# NOTE(review): the firewall "p2p" matcher was removed in RouterOS v7, so this
# rule will not import there -- confirm against your RouterOS version and keep
# only the layer7 rule on v7.
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward p2p=all-p2p src-address=\
10.10.11.0/24 src-address-list=!allow-bit

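/ip firewall filter

# Drop forwarded TCP and UDP from hosts currently listed in "Torrent-Conn"
# (populated by the classification rules in the previous block).
# The negated port list means: do NOT drop traffic to 0-1024 or to the listed
# remote-access/management ports (8291 winbox, 5900/5800 VNC, 3389 RDP, 14147,
# 5222 XMPP, 59905); everything else from a listed host is dropped until its
# address-list entry expires. Torrent clients that use ports <=1024 or the
# whitelisted ports are therefore not blocked by these rules.
# Each rule is one command: the page had wrapped the long dst-port value onto a
# separate line without the "\" continuation, which would not import.
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
    protocol=tcp src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
    protocol=udp src-address-list=Torrent-Conn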

Firewall Filters

Las reglas más básicas que debe tener un RB Mikrotik

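/ip firewall filter
# Basic input-chain policy for the router itself. Rules are evaluated top-down
# and the first match wins; when "action" is omitted RouterOS uses accept.
# The menu path is written as /ip (no stray space) to match the other blocks,
# and comment strings that the page had wrapped across lines are rejoined so
# the block pastes cleanly.
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
# NOTE(review): this accepts EVERY UDP datagram to the router from ANY source,
# including the WAN, so all UDP services the router runs (DNS, SNMP, NTP, ...)
# are reachable from the Internet. Prefer accepting only the ports you need
# (as the "Accept DNS" rules in the next section do) and/or restricting with
# in-interface or src-address-list.
add chain=input protocol=udp action=accept comment="UDP" disabled=no
# Rate-limited ICMP: 50 packets per 5s with a burst of 2, excess is dropped.
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
# NOTE(review): SSH and Winbox are accepted from any source address. Pair these
# with a src-address-list (the "support" list pattern used later in this
# document) or move them below the trusted-source rules and drop the rest.
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
# Edit these rules to reflect your actual IP addresses! #
# Both rules accept ALL input traffic from the given source ranges; the first
# one grants that to a vendor network and should be removed if not needed.
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
# Anything not matched above is logged with prefix "DROP INPUT" and dropped.
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"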

Ahora tenemos la protección contra: synflood, ICMP Flood, escaneo de puertos, spam
por correo electrónico y mucho más. Para obtener más información, lea los
comentarios.

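/ip firewall filter

# Rules are matched top-down, first match wins. Until the final "Drop anything
# else!" rule is enabled, the input chain has no terminal drop, so input packets
# matching none of the rules below are accepted by RouterOS' default policy.
# Commands that the page had wrapped mid-parameter (e.g. "address-list-" /
# "timeout=30m") are rejoined here so the block imports.
#
# --- SYN flood: a source with more than 30 TCP connections (counted per /32)
# is listed in Syn_Flooder for 30m and dropped by the following rule.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m \
    chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 \
    protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
# --- Port scan: psd=21,3s,3,1 -> weight threshold 21 within 3s, low ports
# weigh 3, high ports weigh 1. Detected sources are listed for 1w and dropped.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w \
    chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
# --- ICMP addressed to the router is delegated to the ICMP chain at the bottom.
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# --- Winbox exposure. Both rules ship disabled; read the embedded warnings
# before enabling. "ISP ether10" is the WAN interface name used in this example.
add action=accept chain=input comment="Allows access to winbox from the WAN # DO NOT ENABLE THIS RULE IF YOU DO NOT WANT TO ACCESS FROM THE INTERNET" \
    disabled=yes dst-port=8291 in-interface="ISP ether10" protocol=tcp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" \
    disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
# --- Forward chain: ICMP through the router uses the same ICMP chain; traffic
# towards bogon destinations and SMTP from listed spammers is dropped.
# The "bogons", "spammers" and "support" address lists are referenced but not
# defined in this document. Create them first: a missing list matches nothing,
# while a negated match such as src-address-list=!support then matches everything.
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp \
    src-address-list=spammers
# --- DNS service on the router. The original used port=53, which matches
# source OR destination port 53 and so accepted any packet sent from source
# port 53 to any service on the router; dst-port=53 matches only the DNS
# service, which is what the comments describe. Replies to the router's own
# DNS queries are covered by the established/related accepts below.
# NOTE(review): these still accept DNS from every interface. With
# /ip dns allow-remote-requests=yes the router becomes an open resolver on the
# WAN (amplification abuse); add an in-interface or src-address-list restriction
# on Internet-facing routers.
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 protocol=tcp
# --- Stateful accepts. These match the bulk of traffic; consider moving them
# ahead of the detection rules above to reduce per-packet work.
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
# --- Terminal drop, shipped disabled (see the embedded warning). Until it is
# enabled nothing above actually restricts unmatched access to the router.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# --- ICMP chain used by both jumps above; icmp-options is type:code.
# Only echo reply (0:0), time exceeded (11:0), net/host unreachable (3:0-1) and
# fragmentation-needed (3:4, PMTUD) pass. Everything else is dropped, including
# echo requests (type 8) -- so neither the router nor hosts behind it answer
# ping -- and port unreachable (3:3), which can break UDP-based traceroute.
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp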
