
 
		
		
    
-  Regra Mangle
 
	
	
 
 
 
		
			
	
	
	
	
	
	
		
			
	
	
		
		
			
				
				
				
					
 Regras- Mangle-simple queue-queue tree-queue types
				
				
						
							
							
						
						
				
					
						
							Olá a todos. Coloco aqui as minhas regras para o pessoal que quiser deixar o seu servidor um pouco mais eficiente. Antes de copiar, ajustem a rede (10.10.10.0/24), a interface (wlan1) e as portas de gerência à vossa realidade e revejam a ordem das regras, pois no firewall do MikroTik a ordem define o resultado.
[eniak@MikroTik] ip firewall mangle>
# Output of `/ip firewall mangle print` (RouterOS). Rules are evaluated top to
# bottom within a chain; a rule with passthrough=no ends processing for the
# matching packet, so in the *-services chains the first match wins.
# What this table does, as printed:
#   - rules 1-13 set connection/packet marks that the queue tree consumes;
#   - rules 14-16 send every NEW connection into tcp-services / udp-services /
#     other-services, which give each known service its own connection mark
#     and a catch-all mark (other-tcp / other-udp / other) to everything else.
#     The filter table drops those catch-all marks, so forwarded traffic is in
#     effect restricted to the ports listed here (an allowlist);
#   - rule 59 marks every packet that enters wlan1 as nat-traversal.
Flags: X - disabled, I - invalid, D - dynamic 
# NOTE(review): matches any TCP packet to ports 20-23 seen in prerouting, which
# includes transit traffic from LAN clients to outside FTP/SSH/telnet servers,
# not only attempts against the router. address-list-timeout=0s makes the
# entry permanent. No rule in the filter listing on this page references
# drop_port_22_23, so the list is filled but (as far as shown) never enforced.
 0   ;;; Ajuste de Bloqueio SSH e Telnet
     chain=prerouting protocol=tcp dst-port=20-23 
     action=add-src-to-address-list address-list=drop_port_22_23 
     address-list-timeout=0s 
# P2P detection is limited to sources in 10.10.10.0/24 (the LAN); the packet
# mark allp2p feeds the P2P-Down / P2P-UP queue-tree entries.
 1   ;;; Marca Todo Trafego p2p
     chain=prerouting src-address=10.10.10.0/24 p2p=all-p2p 
     action=mark-connection new-connection-mark=p2p_conn passthrough=yes 
 2   chain=prerouting connection-mark=p2p_conn action=mark-packet 
     new-packet-mark=allp2p passthrough=yes 
# TCP/80 and TCP/443 connections both end up with packet-mark HTTP (rules 4 and
# 6), so the http_down queue shapes HTTPS as well as plain HTTP.
 3   ;;; HTTP
     chain=prerouting protocol=tcp dst-port=80 action=mark-connection 
     new-connection-mark=http-down passthrough=yes 
 4   chain=prerouting connection-mark=http-down action=mark-packet 
     new-packet-mark=HTTP passthrough=yes 
 5   ;;; SSL
     chain=prerouting protocol=tcp dst-port=443 action=mark-connection 
     new-connection-mark=443_conn passthrough=yes 
 6   chain=prerouting connection-mark=443_conn action=mark-packet 
     new-packet-mark=HTTP passthrough=yes 
# NOTE(review): rules 7 and 9 re-mark the SAME connection depending on the
# direction of the current packet (dst-port 1863 vs src-port 1863), and rules
# 8/10 then mark the packet from the connection mark. Because passthrough=yes
# and the later write wins, MSN_IN / MSN_OUT end up acting as direction marks;
# this works but is fragile - a per-direction packet-mark rule would be clearer.
 7   ;;; MSN-IN
     chain=prerouting protocol=tcp dst-port=1863 action=mark-connection 
     new-connection-mark=msn_in passthrough=yes 
 8   chain=prerouting connection-mark=msn_in action=mark-packet 
     new-packet-mark=MSN_IN passthrough=yes 
 9   ;;; MSN-OUT
     chain=prerouting protocol=tcp src-port=1863 action=mark-connection 
     new-connection-mark=msn_out passthrough=yes 
10   chain=prerouting connection-mark=msn_out action=mark-packet 
     new-packet-mark=MSN_OUT passthrough=yes 
11   ;;; VOIP-IN
     chain=prerouting protocol=udp dst-port=5060 action=mark-connection 
     new-connection-mark=voip_in passthrough=yes 
12   chain=prerouting connection-mark=voip_in action=mark-packet 
     new-packet-mark=VOIP_IN passthrough=yes 
# NOTE(review): rule 13 sets connection mark voip_out but there is no
# mark-packet rule for it, so packet-mark VOIP_OUT (used by the voip-out queue)
# is never set by this table.
13   ;;; VOIP-OUT
     chain=prerouting protocol=udp src-port=5060 action=mark-connection 
     new-connection-mark=voip_out passthrough=yes 
# Classifier entry points: only the first packet of a connection is classified
# (connection-state=new); the resulting connection mark sticks for its lifetime.
14   ;;; Protocol classifier
     chain=prerouting protocol=tcp connection-state=new action=jump 
     jump-target=tcp-services 
15   chain=prerouting protocol=udp connection-state=new action=jump 
     jump-target=udp-services 
16   chain=prerouting connection-state=new action=jump 
     jump-target=other-services 
# --- tcp-services: one connection mark per known destination port. Most rules
# also require src-port=1024-65535; a client that uses a source port below 1024
# is not matched and falls through to the other-tcp catch-all (rule 45).
17   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 
     action=mark-connection new-connection-mark=ftp passthrough=no 
18   chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 
     action=mark-connection new-connection-mark=ssh passthrough=no 
19   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 
     action=mark-connection new-connection-mark=telnet passthrough=no 
20   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 
     action=mark-connection new-connection-mark=smtp passthrough=no 
21   chain=tcp-services protocol=tcp src-port=53 dst-port=53 
     action=mark-connection new-connection-mark=dns passthrough=no 
22   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 
     action=mark-connection new-connection-mark=dns passthrough=no 
23   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 
     action=mark-connection new-connection-mark=http passthrough=no 
24   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 
     action=mark-connection new-connection-mark=pop3 passthrough=no 
25   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 
     action=mark-connection new-connection-mark=auth passthrough=no 
26   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 
     action=mark-connection new-connection-mark=nntp passthrough=no 
27   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 
     action=mark-connection new-connection-mark=imap passthrough=no 
28   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 
     action=mark-connection new-connection-mark=snmp passthrough=no 
29   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 
     action=mark-connection new-connection-mark=https passthrough=no 
30   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 
     action=mark-connection new-connection-mark=smtps passthrough=no 
31   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 
     action=mark-connection new-connection-mark=imaps passthrough=no 
32   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 
     action=mark-connection new-connection-mark=pop3s passthrough=no 
33   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 
     action=mark-connection new-connection-mark=pptp passthrough=no 
34   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 
     action=mark-connection new-connection-mark=kgs passthrough=no 
35   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3126 
     action=mark-connection new-connection-mark=proxy passthrough=no 
# NOTE(review): the mark is named win-ts but the port is 3987; Windows
# Terminal Services / RDP listens on 3389 by default. Confirm 3987 is intended,
# otherwise RDP falls into other-tcp and is dropped by the filter.
36   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3987 
     action=mark-connection new-connection-mark=win-ts passthrough=no 
37   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 
     action=mark-connection new-connection-mark=emule passthrough=no 
38   chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 
     action=mark-connection new-connection-mark=overnet passthrough=no 
39   chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 
     action=mark-connection new-connection-mark=emule passthrough=no 
40   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 
     action=mark-connection new-connection-mark=vnc passthrough=no 
41   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 
     action=mark-connection new-connection-mark=irc passthrough=no 
42   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 
     action=mark-connection new-connection-mark=bittorrent passthrough=no 
43   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 
     action=mark-connection new-connection-mark=http passthrough=no 
44   chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 
     action=mark-connection new-connection-mark=winbox passthrough=no 
# Catch-all: every TCP connection not matched above. The filter's restrict-tcp
# chain drops connection-mark=other-tcp, so this is where the allowlist bites.
45   chain=tcp-services protocol=tcp action=mark-connection 
     new-connection-mark=other-tcp passthrough=no 
# --- udp-services: same scheme for UDP; other-udp is dropped by restrict-udp
# in the filter table (when that chain is actually reached - see the filter).
46   chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 
     action=mark-connection new-connection-mark=dns passthrough=no 
47   chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 
     action=mark-connection new-connection-mark=ntp passthrough=no 
48   chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 
     action=mark-connection new-connection-mark=l2tp passthrough=no 
49   chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 
     action=mark-connection new-connection-mark=emule passthrough=no 
50   chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 
     action=mark-connection new-connection-mark=emule passthrough=no 
51   chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 
     action=mark-connection new-connection-mark=emule passthrough=no 
52   chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 
     action=mark-connection new-connection-mark=overnet passthrough=no 
53   chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 
     action=mark-connection new-connection-mark=overnet passthrough=no 
# NOTE(review): "skype" here is just a fixed source port (36725); Skype does not
# use a stable port, so treat this mark as specific to whatever host was
# observed, not as protocol detection.
54   chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 
     action=mark-connection new-connection-mark=skype passthrough=no 
55   chain=udp-services protocol=udp connection-state=new 
     action=mark-connection new-connection-mark=other-udp passthrough=no 
# --- other-services: ICMP echo requests get the `ping` mark that the filter's
# input chain rate-limits; GRE is marked for PPTP; everything else is `other`,
# which restrict-ip drops.
56   chain=other-services protocol=icmp icmp-options=8:0-255 
     action=mark-connection new-connection-mark=ping passthrough=no 
57   chain=other-services protocol=gre action=mark-connection 
     new-connection-mark=gre passthrough=no 
58   chain=other-services action=mark-connection new-connection-mark=other 
     passthrough=no 
# NOTE(review): this marks EVERY packet entering wlan1 as nat-traversal - there
# is no dst-address qualifier. The filter's sanity-check chain drops packets
# with this mark, so all new connections arriving on wlan1 are dropped there.
# The mark name suggests the intent was narrower (e.g. packets from the
# outside interface that claim a private destination); confirm the interface
# role and add a dst-address match if that is the goal.
59   chain=prerouting in-interface=wlan1 action=mark-packet 
     new-packet-mark=nat-traversal passthrough=no 
Está marcando tudo certo.
						
					 
					
				 
			 
			
			
				
				
				
					
					
					
				
				
				
				
				
					 
				
				
				
			 
			
			
		 
	 
		
	
 
	
	
		
		
			
				
				
				
					
 
				
				
						
						
				
					
						
							SIMPLES QUEUE
# Output of `/queue simple print`, `/queue tree print` and `/queue type print`.
# NOTE(review): despite the name, this simple queue has no packet-mark and
# matches on dst-address=10.10.10.0/24 with interface=all, so it applies to
# the LAN's traffic in general, not only to P2P. max-limit is 128 kbit/s
# upload / 256 kbit/s download (RouterOS order: upload/download), using the
# PCQ types P2P_UP / P2P_DONW defined below. The queue tree below ALSO shapes
# the P2P marks at 250 kbit/s each way, so P2P traffic is limited twice.
name="REGRA P2P DONW" dst-address=10.10.10.0/24 interface=all parent=none direction=both priority=8 
      queue=P2P_UP/P2P_DONW limit-at=0/0 max-limit=128000/256000 total-queue=default-small 
QUEUE TREE 
 
# All packet marks used here come from the mangle table on this page
# (allp2p, MSN_IN, MSN_OUT, HTTP, VOIP_IN, VOIP_OUT). HTTP is set for both
# TCP/80 and TCP/443 (mangle rules 3-6), so http_down caps HTTPS downloads at
# 500 kbit/s too. P2P entries use limit-at == max-limit, i.e. a fixed budget
# with no burst.
0   name="P2P-Down" parent=global-in packet-mark=allp2p limit-at=250000 queue=P2P_DONW priority=7 max-limit=250000 
     burst-limit=0 burst-threshold=0 burst-time=0s 
 1   name="P2P-UP" parent=global-out packet-mark=allp2p limit-at=250000 queue=P2P_UP priority=7 max-limit=250000 
     burst-limit=0 burst-threshold=0 burst-time=0s 
 2   name="msn-in" parent=global-in packet-mark=MSN_IN limit-at=1024000 queue=MSN-IN priority=1 max-limit=3072000 
     burst-limit=0 burst-threshold=0 burst-time=0s 
 3   name="msn-out" parent=global-out packet-mark=MSN_OUT limit-at=1024000 queue=MSN-OUT priority=1 max-limit=3072000 
     burst-limit=0 burst-threshold=0 burst-time=0s 
 4   name="http_down" parent=global-in packet-mark=HTTP limit-at=500000 queue=HTTP_DONW priority=2 max-limit=500000 
     burst-limit=0 burst-threshold=0 burst-time=0s 
 5   name="voip-in" parent=global-in packet-mark=VOIP_IN limit-at=1024000 queue=default priority=8 max-limit=1024000 
     burst-limit=0 burst-threshold=0 burst-time=0s 
# NOTE(review): no mangle rule on this page sets packet-mark VOIP_OUT (mangle
# rule 13 only sets a connection mark), so this queue never receives traffic
# as configured.
 6   name="voip-out" parent=global-out packet-mark=VOIP_OUT limit-at=1024000 queue=default priority=8 max-limit=1024000 
     burst-limit=0 burst-threshold=0 burst-time=0s
QUEUES TYPES
# PCQ splits the P2P budget per destination address (download) / per source
# address (upload): 250 kbit/s per sub-queue, 50 packets each, 2000 in total.
# The HTTP and MSN types are plain SFQ.
 5 name="P2P_DONW" kind=pcq pcq-rate=250000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000 
 6 name="P2P_UP" kind=pcq pcq-rate=250000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000 
 7 name="HTTP_DONW" kind=sfq sfq-perturb=5 sfq-allot=1514 
 8 name="MSN-IN" kind=sfq sfq-perturb=5 sfq-allot=2000 
 9 name="MSN-OUT" kind=sfq sfq-perturb=5 sfq-allot=2000
						
					 
					
				 
			 
			
			
				
				
				
					
					
					
				
				
				
				
				
				
				
			 
			
			
		 
	 
		
	
 
	
	
		
		
			
				
				
				
					
 filter
				
				
						
						
				
					
						
							Flags: X - disabled, I - invalid, D - dynamic 
# Output of `/ip firewall filter print` (rules 0-80; rules 81-130 are in the
# next post). Rules are evaluated top to bottom per chain and the first
# terminating match (accept / drop / reject) wins. A jump enters a user chain;
# if nothing in that chain terminates the packet, control returns to the rule
# after the jump. The chains `drop` and `P2P` that are jumped to below are NOT
# in this excerpt - verify they exist (e.g. `chain=drop action=drop`); as far
# as I know a jump to a chain with no rules simply returns, which would turn
# every "jump-target=drop" into a no-op.
# --- ICMP: rate-limited accepts (5 pkt/s, burst 5) for echo reply (0),
# destination unreachable port/frag-needed (3:3, 3:4), echo request (8) and
# time exceeded (11). Any other ICMP type falls off the end of this chain and
# returns to the caller; the chain has no terminal rule of its own.
 0   ;;; 0:0 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept 
 1   ;;; 3:3 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept 
 2   ;;; 3:4 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept 
 3   ;;; 8:0 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept 
 4   ;;; 11:0 and limit for 5pac/s
     chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept 
# --- services: ports the router itself accepts (entered from input rule 62).
# NOTE(review): none of these rules restricts in-interface or src-address, so
# every listed service - Winbox 8291, MAC-Winbox, MNDP, the web UI on 8081,
# the proxy on 3126, DNS - is reachable from every interface, WAN included.
# Restrict them to the LAN interface / management addresses.
 5   ;;; accept localhost
     chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept 
 6   ;;; allow http, webbox
     chain=services protocol=tcp dst-port=8081 action=accept 
 7   ;;; Allow winbox
     chain=services protocol=tcp dst-port=8291 action=accept 
 8   ;;; allow MACwinbox 
     chain=services protocol=udp dst-port=20561 action=accept 
 9   ;;;  MT Discovery Protocol
     chain=services protocol=udp dst-port=5678 action=accept 
10   ;;; allow DNS request
     chain=services protocol=tcp dst-port=53 action=accept 
11   ;;; Allow DNS request
     chain=services protocol=udp dst-port=53 action=accept 
12   ;;; allow Web Proxy
     chain=services protocol=tcp dst-port=3126 action=accept 
# NOTE(review): input rule 58 below drops TCP 20-23 BEFORE the jump into this
# chain (rule 62), so rules 13-15 can never match: FTP, SSH and telnet to the
# router are blocked on all interfaces, LAN included. If SSH management is
# wanted, accept it from trusted sources ahead of rule 58.
13   ;;; allow ftp
     chain=services protocol=tcp dst-port=20-21 action=accept 
14   ;;; allow sftp, ssh
     chain=services protocol=tcp dst-port=22 action=accept 
15   ;;; allow telnet
     chain=services protocol=tcp dst-port=23 action=accept 
# NOTE(review): NTP (123) and SNMP (161) are UDP services; these two rules only
# match TCP and therefore do not admit UDP/123 or UDP/161.
16   ;;; allow NTP
     chain=services protocol=tcp dst-port=123 action=accept 
17   ;;; allow SNMP
     chain=services protocol=tcp dst-port=161 action=accept 
# --- virus: port-based drops for old worm / backdoor ports. The chain is used
# from both input (rule 60) and forward (rule 75), so LAN clients are also
# blocked from reaching SMB/RPC (135-139, 445, 593), SOCKS (1080), Kazaa
# (1214), MS-SQL (1433-1434) and the rest through the router.
# Rules 34 and 37 both drop TCP 2745 (duplicate).
18   chain=virus protocol=udp src-port=1900 action=drop 
19   chain=virus protocol=udp dst-port=1900 action=drop 
20   ;;; Drop Blaster Worm
     chain=virus protocol=tcp dst-port=135-139 action=drop 
21   ;;; Drop Messenger Worm
     chain=virus protocol=udp dst-port=135-139 action=drop 
22   ;;; Drop Blaster Worm
     chain=virus protocol=tcp dst-port=445 action=drop 
23   ;;; Drop Blaster Worm
     chain=virus protocol=udp dst-port=445 action=drop 
24   ;;; ________
     chain=virus protocol=tcp dst-port=593 action=drop 
# NOTE(review): TCP 1024-1030 sits inside the registered/ephemeral range; a
# blanket drop here can break legitimate services that happen to listen there.
25   ;;; ________
     chain=virus protocol=tcp dst-port=1024-1030 action=drop 
26   ;;; Drop MyDoom
     chain=virus protocol=tcp dst-port=1080 action=drop 
27   ;;; ________
     chain=virus protocol=tcp dst-port=1214 action=drop 
28   ;;; ndm requester
     chain=virus protocol=tcp dst-port=1363 action=drop 
29   ;;; ndm server
     chain=virus protocol=tcp dst-port=1364 action=drop 
30   ;;; screen cast
     chain=virus protocol=tcp dst-port=1368 action=drop 
31   ;;; hromgrafx
     chain=virus protocol=tcp dst-port=1373 action=drop 
32   ;;; cichlid
     chain=virus protocol=tcp dst-port=1377 action=drop 
33   ;;; Worm
     chain=virus protocol=tcp dst-port=1433-1434 action=drop 
34   ;;; Bagle Virus
     chain=virus protocol=tcp dst-port=2745 action=drop 
35   ;;; Drop Dumaru.Y
     chain=virus protocol=tcp dst-port=2283 action=drop 
36   ;;; Drop Beagle
     chain=virus protocol=tcp dst-port=2535 action=drop 
37   ;;; Drop Beagle.C-K
     chain=virus protocol=tcp dst-port=2745 action=drop 
# 3128 is also the usual Squid port; the router's own proxy is on 3126, so this
# does not conflict with rule 12, but it blocks reaching external proxies.
38   ;;; Drop MyDoom
     chain=virus protocol=tcp dst-port=3127-3128 action=drop 
39   ;;; Drop Backdoor OptixPro
     chain=virus protocol=tcp dst-port=3410 action=drop 
40   ;;; Worm
     chain=virus protocol=tcp dst-port=4444 action=drop 
41   ;;; Worm
     chain=virus protocol=udp dst-port=4444 action=drop 
42   ;;; Drop Sasser
     chain=virus protocol=tcp dst-port=5554 action=drop 
43   ;;; Drop Beagle.B
     chain=virus protocol=tcp dst-port=8866 action=drop 
44   ;;; Drop Dabber.A-B
     chain=virus protocol=tcp dst-port=9898 action=drop 
45   ;;; Drop Dumaru.Y
     chain=virus protocol=tcp dst-port=10000 action=drop 
46   ;;; Drop MyDoom.B
     chain=virus protocol=tcp dst-port=10080 action=drop 
47   ;;; Drop NetBus
     chain=virus protocol=tcp dst-port=12345 action=drop 
48   ;;; Drop Kuang2
     chain=virus protocol=tcp dst-port=17300 action=drop 
49   ;;; Drop SubSeven
     chain=virus protocol=tcp dst-port=27374 action=drop 
50   ;;; Drop PhatBot, Gaobot
     chain=virus protocol=tcp dst-port=65506 action=drop 
# --- output: stateful handling of router-originated traffic; anything new is
# left to fall through (implicit accept).
51   ;;; drop invalid packets
     chain=output connection-state=invalid action=drop 
52   ;;; accept related packets
     chain=output connection-state=related action=accept 
53   ;;; accept established packets
     chain=output connection-state=established action=accept 
# --- input: traffic to the router itself. Order: drop SSDP, state checks,
# drop TCP 20-23, drop port scanners, then jumps to virus, ICMP and services.
# The chain continues in the next post (rules 85, 86 and 96-100).
54   chain=input protocol=udp dst-port=1900 action=drop 
55   ;;; drop invalid packets
     chain=input connection-state=invalid action=drop 
56   ;;; accept related packets
     chain=input connection-state=related action=accept 
57   ;;; accept established packets
     chain=input connection-state=established action=accept 
58   ;;; Drop SSH, FTP, TELNET
     chain=input protocol=tcp dst-port=20-23 action=drop 
# psd=21,3s,3,1: weight threshold 21 within a 3 s window, low ports weigh 3,
# high ports 1. The packet is dropped outright; rule 85 (next post) tries to
# put the same sources on a list but comes after this drop.
59   ;;; detect and drop port scan connections
     chain=input protocol=tcp psd=21,3s,3,1 action=drop 
60   ;;; jump to chain virus
     chain=input action=jump jump-target=virus 
61   ;;; jump to chain ICMP
     chain=input protocol=icmp action=jump jump-target=ICMP 
62   ;;; jump to chain services
     chain=input action=jump jump-target=services 
# --- forward: transit traffic. Drops SMB/RPC and SSDP, hands P2P to a chain
# not shown in this excerpt, then the usual state rules. Rule 71 (the only
# entry into connlimit) is disabled (X), so the connlimit chain is never
# entered and per-source connection limiting is not in effect.
63   ;;; NetBius
     chain=forward protocol=tcp dst-port=135-139 action=drop 
64   chain=forward protocol=tcp dst-port=445 action=drop 
65   chain=forward protocol=udp dst-port=445 action=drop 
66   chain=forward protocol=udp dst-port=1900 action=drop 
67   chain=forward protocol=udp src-port=1900 action=drop 
68   ;;; tratamento de p2p
     chain=forward p2p=all-p2p action=jump jump-target=P2P 
69   ;;; drop invalid packets
     chain=forward connection-state=invalid action=drop 
70   ;;; accept related packets
     chain=forward connection-state=related action=accept 
71 X ;;; connlimit 20
     chain=forward protocol=tcp tcp-flags=syn connection-limit=30,32 action=jump jump-target=connlimit 
72   ;;; accept established packets
     chain=forward connection-state=established action=accept 
73   ;;; drop all that is not from unicast
     chain=forward src-address-type=!unicast action=drop 
74   ;;; jump to chain ICMP
     chain=forward protocol=icmp action=jump jump-target=ICMP 
75   ;;; jump to virus chain
     chain=forward action=jump jump-target=virus 
# --- connlimit: exempts HTTPS, MSN and HTTP from the per-source limit; only
# reachable via disabled rule 71, and its own drop (rule 82, next post) is
# disabled as well.
76   ;;; SSL
     chain=connlimit protocol=tcp dst-port=443 action=accept 
77   chain=connlimit protocol=tcp src-port=443 action=accept 
78   ;;; MSN
     chain=connlimit protocol=tcp dst-port=1863 action=accept 
79   chain=connlimit protocol=tcp src-port=1863 action=accept 
80   ;;; MSN
     chain=connlimit protocol=tcp dst-port=80 action=accept
						
					 
					
				 
			 
			
			
		 
	 
		
	
 
	
	
		
		
			
				
				
				
					
 Continuação do filter
				
				
						
						
							
						
				
					
						
							81   chain=connlimit protocol=tcp src-port=80 action=accept 
# Continuation of `/ip firewall filter print` (rules 81-130).
# Rule 82 is disabled (X), so even if the connlimit chain were entered (its
# entry, rule 71, is also disabled) nothing in it would drop.
82 X ;;; connlimit 20
     chain=connlimit protocol=tcp tcp-flags=syn connection-limit=!30,24 action=drop 
# NOTE(review): rule 84 accepts ALL forwarded UDP before the jumps to
# restrict-udp (rules 88 and 121). restrict-udp and its other-udp drop (rule
# 125) are therefore unreachable for forwarded traffic, and the UDP allowlist
# built in mangle udp-services has no effect on forward.
83   ;;; allow ping
     chain=forward protocol=icmp action=accept 
84   ;;; allow udp
     chain=forward protocol=udp action=accept 
# NOTE(review): as printed, the list name is `port scanners` (contains a
# space) - confirm it is quoted in the live configuration. Input rule 59
# already drops packets with the same psd signature, so this rule rarely fires.
85   chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port scanners 
     address-list-timeout=0s 
# BUG(review): this ACCEPTS TCP packets with only FIN set - the signature of a
# FIN-scan probe - into the router. The intent is almost certainly to drop or
# list them, as sanity-check rules 111/112 do for similar flag patterns.
# Proposed: `action=drop` (or add-src-to-address-list address-list=blocked-addr).
86   chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=accept 
# Rules 87-89 are repeated verbatim as rules 120-122; the second set only
# re-evaluates the same chains for traffic that survived the first pass.
87   chain=forward protocol=tcp action=jump jump-target=restrict-tcp 
88   chain=forward protocol=udp action=jump jump-target=restrict-udp 
89   chain=forward action=jump jump-target=restrict-ip 
# --- smtp-first-drop (greylisting, entered from rule 124): the first SMTP
# attempt from a source is recorded in first-smtp and rejected with
# network-unreachable; a second attempt promotes the source to approved-smtp
# and returns to the caller. Both lists use timeout 0s (permanent), so they
# only grow.
90   chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp 
     address-list-timeout=0s 
91   chain=smtp-first-drop src-address-list=approved-smtp action=return 
92   chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s 
93   chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable 
# --- restrict-tcp / restrict-ip: drop the catch-all connection marks set by
# the mangle classifier (other-tcp, other). This is what makes the mangle port
# list an allowlist for forwarded TCP.
94   chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop 
95   chain=restrict-ip connection-mark=other action=jump jump-target=drop 
# --- input (continued): accept router-internal traffic, run sanity-check,
# drop anything not addressed to a local address, allow rate-limited pings
# (connection-mark `ping` comes from mangle rule 56), then drop the rest.
96   ;;; Allow local traffic (between router applications)
     chain=input src-address-type=local dst-address-type=local action=accept 
97   ;;; Sanity Check
     chain=input action=jump jump-target=sanity-check 
98   ;;; Dropping packets not destined to the router itself, including all broadcast traffic
     chain=input dst-address-type=!local action=jump jump-target=drop 
99   ;;; Allow pings, but at a very limited rate (5 per sec)
     chain=input connection-mark=ping limit=5,5 action=accept 
100   chain=input action=jump jump-target=drop 
# --- local-services / public-services: NOTE(review) no rule in this listing
# jumps to either chain (input uses `services` instead), so rules 101-107 are
# dead as shown. They describe the tighter policy the author apparently
# intended (SSH, DNS, proxy, Winbox from the LAN; SSH only from outside).
101   ;;; SSH (22/TCP)
     chain=local-services connection-mark=ssh action=accept 
102   ;;; DNS
     chain=local-services connection-mark=dns action=accept 
103   ;;; HTTP Proxy (3126/TCP)
     chain=local-services connection-mark=proxy action=accept 
104   ;;; Winbox (8291/TCP)
     chain=local-services connection-mark=winbox action=accept 
105   ;;; Drop Other Local Services
     chain=local-services action=drop 
106   ;;; SSH (22/TCP)
     chain=public-services connection-mark=ssh action=accept 
107   ;;; Drop Other Public Services
     chain=public-services action=drop 
# --- sanity-check: shared by input (rule 97) and forward (rule 108).
# NOTE(review): rule 109 drops packets carrying the nat-traversal mark, which
# mangle rule 59 sets on EVERY packet entering wlan1 (no dst-address match).
# Every new connection arriving on wlan1 is therefore dropped here; confirm
# that is intended for that interface's role.
108   ;;; Sanity Check
     chain=forward action=jump jump-target=sanity-check 
109   ;;; Deny illegal NAT traversal
     chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop 
# Scanners and bad-flag senders are listed for 1d and dropped by rule 113.
110   ;;; Block port scans
     chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr 
     address-list-timeout=1d 
# NOTE(review): the two labels below are swapped - rule 111 (fin,psh,urg set;
# syn,rst,ack clear) is an Xmas-style probe, rule 112 (all six flags clear) is
# a Null scan. Matching and blocking are unaffected; only the comments are off.
111   ;;; Block TCP Null scan
     chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list 
     address-list=blocked-addr address-list-timeout=1d 
112   ;;; Block TCP Xmas scan
     chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list 
     address-list=blocked-addr address-list-timeout=1d 
113   chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop 
# NOTE(review): dropping every TCP RST stops peers from aborting or refusing
# connections the normal way; expect lingering connection-tracking entries and
# client-side timeouts instead of immediate "connection refused".
114   ;;; Drop TCP RST
     chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop 
115   ;;; Drop TCP SYN+FIN
     chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop 
116   ;;; Dropping invalid connections at once
     chain=sanity-check connection-state=invalid action=jump jump-target=drop 
117   ;;; Accepting already established connections
     chain=sanity-check connection-state=established action=accept 
118   ;;; Also accepting related connections
     chain=sanity-check connection-state=related action=accept 
119   ;;; Drop all traffic that goes to multicast or broadcast addresses
     chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop 
# Second copy of rules 87-89 (see note above).
120   chain=forward protocol=tcp action=jump jump-target=restrict-tcp 
121   chain=forward protocol=udp action=jump jump-target=restrict-udp 
122   chain=forward action=jump jump-target=restrict-ip 
# ident (113/TCP, mark `auth`) is rejected rather than dropped so mail servers
# that probe it do not wait for a timeout.
123   chain=restrict-tcp connection-mark=auth action=reject reject-with=icmp-network-unreachable 
124   ;;; anti-spam policy
     chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop 
125   chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop 
# BUG(review): rules 126-130 (the same pair repeated three times) ACCEPT
# sources found in the `spammer` list, and rules 127/129 add offenders to an
# address list named "" (empty) with a permanent timeout. So `spammer` is never
# populated and, if it were, those sources would be let through. The usual
# MikroTik pattern is the inverse:
#   add-src-to-address-list address-list=spammer address-list-timeout=1d
#   src-address-list=spammer action=drop
# Keep one copy of the pair, with the detection rule placed before the drop.
126   chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=accept 
127   chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list 
     address-list="" address-list-timeout=0s 
128   chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=accept 
129   chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list 
     address-list="" address-list-timeout=0s 
130   chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=accept