What are these three rules for?
The LAST 3 rules:
chain=input action=drop
chain=forward action=drop
chain=output action=drop
Hi, speaking of firewall: I can't redirect a client's IP to a block page. I don't use hotspot and I have no proxy server. On a machine on the network I set up a web server with Apache and put my block page on it. When I apply the rules in ip/firewall/nat, it does block the client, but the block page doesn't appear; yet if on the client I type the IP of the machine where the block page is, the page appears. I'd like help with this problem, what do I do?
/ip firewall nat
add action=dst-nat chain=dstnat comment="REDIRECIONA CLIENTES DEBITO-AVISO" disabled=no \
protocol=tcp src-address=192.168.10.222 to-addresses=\
192.168.10.232 to-ports=8888
The part in blue (src-address) is the deadbeat debtor's IP.
The part in red (to-addresses and to-ports) is the server's IP and port.
TESTED AND WORKING!!!
Here's mine; a crazy guy here from Juazeiro-BA set it up, and for my network it's working fine.
Don't forget to say thanks.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input comment="Bloqueia Proxy" disabled=no dst-port=\
3128 in-interface=velox- protocol=tcp
add action=drop chain=input comment="Descarta invalidas" connection-state=\
invalid disabled=no
add action=add-src-to-address-list address-list=temp1 address-list-timeout=\
10s chain=input comment="" disabled=no dst-port= protocol=tcp
add action=add-src-to-address-list address-list=temp2 address-list-timeout=\
10s chain=input comment="" disabled=no dst-port= protocol=tcp \
src-address-list=temp1
add action=add-src-to-address-list address-list=liberado \
address-list-timeout=2h chain=input comment="" disabled=no dst-port=\
protocol=tcp src-address-list=temp2
add action=accept chain=input comment="Aceita winbox da lista liberado" \
disabled=no dst-port=8291 protocol=tcp src-address-list=liberado
add action=drop chain=input comment="nega acesso winbox" disabled=no \
dst-port=8291 protocol=tcp
add action=accept chain=input comment="Aceita ftp" disabled=no dst-port=21 \
protocol=tcp src-address-list=liberado
add action=add-src-to-address-list address-list=bloqueado \
address-list-timeout=1d chain=input comment="" disabled=no dst-port=21 \
protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=21 protocol=tcp
add action=accept chain=input comment="Aceita SSH" disabled=no dst-port=4142 \
protocol=tcp src-address-list=liberado
add action=add-src-to-address-list address-list=bloqueado \
address-list-timeout=1d chain=input comment="" disabled=no dst-port=22 \
protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp \
src-address-list=bloqueado
add action=accept chain=input comment="Aceita telnet" disabled=no dst-port=23 \
protocol=tcp src-address-list=liberado
add action=add-src-to-address-list address-list=bloqueado \
address-list-timeout=1d chain=input comment="" disabled=no dst-port=23 \
protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=23 protocol=tcp \
src-address-list=bloqueado
add action=drop chain=input comment="Log quem Pinga" disabled=no limit=0/0s,0 \
protocol=icmp
add action=accept chain=input comment="aceitando 1 ping a cada 5 segundos" \
disabled=no limit=1/5s,1 protocol=icmp
add action=drop chain=input comment="bloqueando o excesso" disabled=no \
protocol=icmp
add action=jump chain=input comment="Salta para canal icmp" disabled=no \
jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Salta para o canal virus" disabled=no \
jump-target=VIRUS
add action=accept chain=input comment="Aceita estabelecidas" \
connection-state=established disabled=no
add action=accept chain=input comment="Aceita relacionadas" connection-state=\
related disabled=no
add action=accept chain=input comment="Aceita redes internas" disabled=no \
in-interface=bridge1
add action=accept chain=input comment="Aceita winbox Externo" disabled=no \
dst-port=8291 in-interface=ether2 protocol=tcp
add action=drop chain=forward comment="Descarta Invalidas" connection-state=\
invalid disabled=no
add action=drop chain=forward comment="" disabled=no src-address-list=\
bloqueado
add action=jump chain=forward comment="Salta para canal icmp" disabled=no \
jump-target=ICMP
add action=jump chain=forward comment="Salta para o canal virus" disabled=no \
jump-target=VIRUS
add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=no protocol=\
udp src-port=445
add action=accept chain=forward comment="Aceita estabelecidas" \
connection-state=established disabled=no
add action=accept chain=forward comment="Aceita relacionadas" \
connection-state=related disabled=no
add action=drop chain=VIRUS comment="" disabled=no protocol=tcp src-port=445
add action=drop chain=VIRUS comment="" disabled=no dst-port=445 protocol=tcp
add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no protocol=tcp src-port=\
135-139
add action=drop chain=VIRUS comment="" disabled=no protocol=udp src-port=\
135-139
add action=drop chain=VIRUS comment="" disabled=no dst-port=135-139 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=135-139 protocol=\
udp
add action=drop chain=VIRUS comment=________ disabled=no dst-port=593 \
protocol=tcp
add action=drop chain=VIRUS comment=________ disabled=no dst-port=1024-1030 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop MyDoom" disabled=no dst-port=1080 \
protocol=tcp
add action=drop chain=VIRUS comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=VIRUS comment="ndm requester" disabled=no dst-port=1363 \
protocol=tcp
add action=drop chain=VIRUS comment="ndm server" disabled=no dst-port=1364 \
protocol=tcp
add action=drop chain=VIRUS comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=VIRUS comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=VIRUS comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=VIRUS comment="Bagle VIRUS" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Beagle.C-K" disabled=no dst-port=\
2745 protocol=tcp
add action=drop chain=VIRUS comment="Drop MyDoom" disabled=no dst-port=3127 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=VIRUS comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=VIRUS comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=VIRUS comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=VIRUS comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=VIRUS comment="Drop NetBus" disabled=no dst-port=12345 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=VIRUS comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=513 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=513 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=525 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=525 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=568-569 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=568-569 protocol=\
udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1512 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1512 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=396 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=396 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1366 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1366 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1416 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1416 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=201-209 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=201-209 protocol=\
udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=545 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=545 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1381 protocol=udp
add action=drop chain=VIRUS comment="" disabled=no dst-port=1381 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=3031 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=no dst-port=3031 protocol=udp
add action=accept chain=ICMP comment="" disabled=no icmp-options=0:0 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=no icmp-options=8:0 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=no icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=no icmp-options=3:3 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=no icmp-options=3:4 \
protocol=icmp
add action=drop chain=ICMP comment="" disabled=no protocol=icmp
add action=drop chain=input comment="Descarta Restante" disabled=yes
add action=drop chain=input comment="" disabled=yes dst-address=10.0.0.254 \
dst-port=3128 in-interface="(unknown)" protocol=tcp
Well, maybe someone here could tell me something I find hard to get my bearings on in the MikroTik firewall. I've already tested many rules and almost all of them gave me some headache, because I used the old ctrl+c ctrl+v. I'm past that phase now and want to grow and learn. My question:
I just need to know one main thing: do I put the allow part at the beginning of the firewall or at the end? Example:
I block several TCP ports with drop and on the last line I allow the rest, or is it the other way round,
allow first and then drop the rest?
:banghead: I've looked at millions of posts and couldn't clearly grasp how it works.
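As an added example (not from any poster in this thread), a small Python checker that applies RouterOS first-match semantics to an export like the one pasted above: it joins the backslash-continued lines, flags rules that an earlier accept/drop in the same chain already catches (so they never fire), and lists address lists that rules match on but nothing ever adds to. The sample export is constructed from a few of the rules above; the comparison is a simplification that only treats equal-valued matchers as overlapping, so port ranges and subnets are not reasoned about.

```python
import re
# Constructed sample, modelled on a few of the rules posted above (not the full export).
SAMPLE_EXPORT = r"""/ip firewall filter
add action=add-src-to-address-list address-list=bloqueado \
address-list-timeout=1d chain=input comment="" disabled=no dst-port=22 protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp \
src-address-list=bloqueado-por-SSH
add action=drop chain=input comment="bloqueando o excesso" disabled=no protocol=icmp
add action=jump chain=input comment="Salta para canal icmp" disabled=no \
jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Aceita estabelecidas" connection-state=\
established disabled=no
"""
# key=value tokens: the value is a double-quoted string or a bare word (possibly empty)
TOKEN = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
# packet matchers compared when deciding whether an earlier rule already catches a later one
MATCH_KEYS = ("protocol", "dst-port", "src-port", "src-address", "dst-address",
              "src-address-list", "dst-address-list", "connection-state",
              "in-interface", "out-interface", "icmp-options", "limit")
TERMINAL = ("accept", "drop", "reject", "tarpit")  # actions that end rule evaluation

def parse_rules(export):
    """Join backslash-continued lines and turn each 'add ...' line into a dict."""
    rules = []
    for line in export.replace("\\\n", "").splitlines():
        if line.strip().startswith("add "):
            rules.append({k: v.strip('"') for k, v in TOKEN.findall(line.strip()[4:])})
    return rules

def matchers(rule):
    return {k: v for k, v in rule.items() if k in MATCH_KEYS and v != ""}

def shadowed_rules(rules):
    """First match wins: rule i is dead when an earlier enabled terminal rule in the same
    chain uses only matchers that rule i also has with the same values (superset of packets)."""
    dead = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (r.get("disabled") != "yes" and e.get("disabled") != "yes"
                    and e.get("chain") == r.get("chain") and e.get("action") in TERMINAL
                    and all(matchers(r).get(k) == v for k, v in matchers(e).items())):
                dead.append((i, r.get("comment", ""), e.get("comment", "")))
                break
    return dead

def unpopulated_lists(rules):
    """Address lists that rules match on but that no rule ever adds to."""
    filled = {r["address-list"] for r in rules if "address-list" in r}
    used = {r[k] for r in rules for k in ("src-address-list", "dst-address-list") if k in r}
    return sorted(used - filled)
```

Run it over your own `/ip firewall filter export` output: every tuple from shadowed_rules is a rule that the earlier rule named in it already decides, which is exactly the "allow first or drop first" question answered per rule.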