2008-03-05 16:02:34
ROUTEROS 学习笔记
ROUTEROS Firewall设置 CODE: / ip firewall connection tracking set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \ tcp-established-timeout=1d tcp-fin-wait-timeout=10s \ tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \ tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \ udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m / ip firewall filter add chain=input protocol=tcp dst-port=135-139 action=drop add chain=input protocol=udp dst-port=135-139 action=drop add chain=input connection-state=established action=accept add chain=input connection-state=related action=accept add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept add chain=input connection-state=invalid action=drop add chain=input dst-address-type=!local action=drop add chain=input src-address-type=!unicast action=drop add chain=input protocol=tcp psd=21,3s,3,1 action=drop add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=3:3 
limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept add chain=input protocol=icmp action=drop add chain=output protocol=icmp action=drop add chain=forward protocol=icmp action=drop / ip firewall service-port set ftp ports=21 disabled=no set tftp ports=69 disabled=no set irc ports=6667 disabled=no set h323 disabled=no set quake3 disabled=no set mms disabled=no set gre disabled=no set pptp disabled=no /ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 说明: / ip firewall connection tracking set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \ tcp-established-timeout=1d tcp-fin-wait-timeout=10s \ tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \ tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \ udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m # + 防火墙部分 + # / ip firewall filter # 关135-139端口 不用多说了 add chain=input protocol=tcp dst-port=135-139 action=drop comment="drop Port" add chain=input protocol=udp dst-port=135-139 action=drop # + 对本机数据包相关 + # # 允许已建立的连接 add chain=input connection-state=established action=accept comment="input" add chain=input connection-state=related action=accept # 允许本机对本机 add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept # 丢弃明显异常包 add chain=input connection-state=invalid action=drop # 丢弃目标非本机的包 add chain=input dst-address-type=!local action=drop # 丢弃源地址非单播(如广播、多播)的包 add chain=input src-address-type=!unicast action=drop # + 安全相关 + # # 在短时间内从同一地址用不断变化的端口向本机发送大量数据包,视为端口扫描 add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="..." # 短时间内同时建立大量TCP连接(超过10),视为DoS拒绝服务攻击,进黑名单一天! 
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d disabled=no # 黑名单上的只能建立3个并发连接,tarpit add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit disabled=no # + ICMP相关 + # # 允许常见命令ping tracert,其它ICMP丢弃 add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=3:3 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept add chain=input protocol=icmp action=drop add chain=output protocol=icmp action=drop add chain=forward protocol=icmp action=drop / ip firewall service-port set ftp ports=21 disabled=no set tftp ports=69 disabled=no set irc ports=6667 disabled=no set h323 disabled=no set quake3 disabled=no set mms disabled=no set gre disabled=no set pptp disabled=no # + MMS值 + # 一定要设置的哦...不然某些网页打不开的... 
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 一些封禁名单(注意:地址列表本身不会拦截流量,需要另加 filter 规则通过 src-address-list/dst-address-list 引用它才会生效)。。。 / ip firewall address-list add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no add list=Prohibits address=218.83.153.93 comment="pipicn.com" disabled=no add list=Prohibits address=61.129.75.206 comment="hot.vagaa.com" disabled=no add list=Prohibits address=193.138.221.214 comment="vagaa" disabled=no add list=Prohibits address=218.201.43.106 comment="help.vagaa.com" disabled=no add list=Prohibits address=58.17.4.26 comment="PP" disabled=no add list=Prohibits address=220.194.55.102 comment="PP" disabled=no add list=Prohibits address=202.107.233.211 comment="PP" disabled=no / ip firewall service-port set ftp disabled=no set tftp ports=69 disabled=yes set irc ports=6667 disabled=yes set h323 disabled=yes set quake3 disabled=no set mms disabled=no set gre disabled=yes set pptp disabled=yes 2.9X系列: 限线程脚本: :for aaa from 2 to 254 do={/ip firewall filter add chain=forward src-address=(192.168.0. . $aaa) protocol=tcp connection-limit=50,32 action=drop} 限速脚本: :for aaa from 2 to 254 do={/queue simple add name=(queue . $aaa) dst-address=(192.168.2. . $aaa) limit-at=0/0 max-limit=32000000/32000000} 说明: 脚本为一行不是两行 aaa是变量 2 to 254是2~254 192.168.0. . $aaa是IP 上两句加起来是192.168.0.2~192.168.0.254的意思 connection-limit=50是线程数这里为50 max-limit=2000000/2000000是上行/下行 使用: WinBox-System-Scripts-+ Name(脚本名称) Source(脚本) OK-选择要运行的脚本-Run Script 查看: 限线程:WinBox-IP-Firewall-Filter Rules(看是否已经添加进来) 限速:WinBox-Queues-Simple Queues(看是否已经添加进来) 限速脚本: :for aaa from 2 to 254 do={/queue simple add name=(queue . $aaa) dst-address=(192.168.2. . 
$aaa) limit-at=0/0 max-limit=32000000/32000000} 说明: 脚本为一行不是两行 aaa是变量 2 to 254是2~254 192.168.0. . $aaa是IP 上两句加起来是192.168.0.2~192.168.0.254的意思 connection-limit=50是线程数这里为50 max-limit=2000000/2000000是上行/下行 用WINBOX登入ROS2.9X系列版本 到“NEW TERMINAL ”处输入以上的命令就行了。注意脚本变量的就行了 比较实用ROS路由限速脚本 ROS路由限速脚本!! 先看一个脚本: :for aaa from 2 to 254 do={/queue simple add name=(queue . $aaa) dst-address=(192.168.0. . $aaa) limit-at=0/0 max-limit=1638400/819200 burst-limit=3276800/819200 burst-threshold=1474560/819200 burst-time=30/30} 脚本为一行不是两行 aaa是变量,你可以改成你想要的..但是要注意,前后三个,一定要相同! 2 to 254是2~254 这个我刚刚开始看不明白,因为我是中国人嘛…不学E文 192.168.0. . $aaa是IP 详细的说…192.168.0.空格.空格$变量名上两句加起来是192.168.0.2~192.168.0.254的意思 (queue . $aaa)=(你要在simple queues 显示的规则名前缀.空格.空格$aaa) 下来的就是这了 Limit-at=0/0 这个没必要理会,就是限制在多少,上行/下行的意思,不知道,有没有说错. max-limit=1638400/819200 是最大的上行/下行速度 burst-limit=3276800/819200 是突破速度的最大值,这些网上有查的. burst-threshold=1474560/819200 突破速度的阀值 burst-time=30/30 突破速度的时间,这为30秒. 下面这个一看就明白了就不多说了 1KB=1024B 1Byte=8bit 公式 KB*1024*8=? 以上脚本意为 192.168.0.2~192.168.0.254 IP段内IP在30秒内平均值小于突破阀值时, 最大下载速度可以超出最大速度值,并达到最大突破速度值, 如果30秒内平均值大于突破速度阀值时,IP速度最大值为 你所设置的max-limit值 使用:WinBox-System-Scripts-按+号Name(弄个好记的名字) Source(把你按照上面说的,写好的脚本,粘贴下去) OK-选择你刚刚起的名字-按Run Script 再看下 WinBox-queues- simple queues 是不是显示有一大堆,以你设置的规则名前缀+变量IP号的规则?如果是,那恭喜你成功了! 
__________________________________________________________________________________________________ 用WinBox登陆RouterOS,Tools---Torch 在Torch选项卡上点击[start]就可以看到了 用RouterOS查看局域网每个IP流量的方法,TX是下行速度,RX是上行速度 ______________________________________________________________________________________________________ 小包策略(研究) / ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 comment="" disabled=no add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no add chain=forward packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no / queue tree add name="p2p1" parent=wan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name="p2p2" parent=lan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name="ClassA" parent=lan packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name="Leaf1" parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name="Leaf2" parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add 
name="Leaf3" parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no ———————————————————————————————————————————————————— 1。单电信线路用不到电信路由表。 2。防火墙:只能举个例子,看个人理解了 add chain=input protocol=tcp dst-port=135-139 action=drop 在input(联入)链中加入一条规则,丢弃所有TCP协议上的135-139端口的数据包。 add chain=forward protocol=tcp dst-port=80 action=drop 输入这个规则,则所有机器都无法访问外网的80端口,也就是基本打不开网页了。 3。ROS的管理分为本地控制台管理,远程telnet,winbox,ssh的管理。比较常用的是winbox,图形化简单易上手,推荐使用。 4。常见的ROS问题就是ARP攻击导致掉线。 ------------------------------------------------------------------------------------------------------- 防ddos攻击: add src-address=192.168.0.0/24 in-interface=X action=accept comment="ddos_X" disabled=no add in-interface=X action=drop comment="" disabled=no (第一条只放行接口X上源地址属于192.168.0.0/24的包,第二条丢弃该接口上其余所有包,因此源地址不属于本网段(通常是伪造的)的流量会被拦下) 限制bt等p2p的连接数(可选) add src-address=192.168.0.0/24 protocol=tcp tcp-options=syn-only p2p=all-p2p action=drop connection-limit=80 comment="limit \ p2p conn=20" disabled=no 如果你看谁不顺眼可以在防ddos前加上他的mac让他上不了网(一定在ddos前加) add src-mac-address=XX:XX:XX:XX:XX:XX action=drop disabled=no 记住,防火墙是逐行执行的,如果符合前面的规则,后面的就不执行了。 对于封的端口,你可以根据你自己的判断来增减端口,比如你不让所有的人浏览网页,就封80端口,不让所有的人上qq,就封掉qq的端口