After installing a MikroTik router, security means more than setting a new user and password: to be safer still we also control access to the router itself, that is, what is allowed in to and out of it. We don't want anything to happen to our beloved router, do we? Think of the router as our house: may anyone walk in freely, or only with our permission?
All of this is the job of the firewall. On a freshly installed router, the following basic rules can be added:
/ip firewall filter
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
These rules accept packets that belong to connections the connection tracker already knows (established and related) and drop packets it classifies as invalid. They say nothing yet about new connections: with no final drop rule in the chain, RouterOS accepts whatever no rule matched.
add chain=input src-address-list=ournetwork action=accept comment="Allow access from known network" disabled=no
This rule allows access from the specific addresses that have been put into an address list named ournetwork (defined under /ip firewall address-list).
Are the rules above enough? There is a lot more to anticipate, such as attacks from outside: ping floods, DoS, port scanning and so on. A search engine turns up plenty of MikroTik firewall examples, but be careful: copying and pasting one will not necessarily work on your router, because rule order matters and the address ranges and enabled services are specific to the network it was written for.
Reference: wiki.mikrotik.com
Here is an example firewall for securing a MikroTik router. Before applying it, note three things: the ranges 63.219.6.0/24, 192.168.168.0/24 and 192.168.60.0/26 belong to the example network and must be replaced with your own; the two port-knocking rules fill an address list named safe, but no rule in this example ever matches on that list, so knocking has no effect unless you add an accept rule for it; and many rules in the services chain are disabled=yes and should only be enabled for services the router actually runs.
/ip firewall filter
# Port knocking: a TCP SYN to 1337 puts the source in "knock" for 15s; a second
# SYN to 7331 from a "knock" member puts it in "safe" for 15m.
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m disabled=no
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
# connection-limit=count,netmask: matches once a single /32 source holds more than count connections
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no
# Everything reaching this point is logged, including traffic from the known networks accepted below
add chain=input action=log log-prefix="Filter:" disabled=no
add chain=input src-address=63.219.6.0/24 action=accept comment="Allow access to router from known network"
add chain=input src-address=192.168.168.0/24 action=accept
add chain=input src-address=192.168.60.0/26 action=accept
add chain=input action=drop comment="drop everything else" disabled=no
# ICMP chain: limit=rate,burst in packets per second; only echo reply, destination
# unreachable (port / fragmentation needed), echo request and time exceeded pass
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no
# Services chain: rules with disabled=yes are templates, enable only what the router runs
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox" disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=yes
add chain=services protocol=udp dst-port=5678 action=accept comment="MT Discovery Protocol" disabled=no
add chain=services protocol=tcp dst-port=161 action=accept comment="allow SNMP" disabled=no
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=services protocol=udp dst-port=123 action=accept comment="Allow NTP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment="Allow PPTP" disabled=yes
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=no
add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=no
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes
add chain=services action=return disabled=no
# Forward chain: traffic passing through the router
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
# Virus chain: drop ports used by well-known worms and backdoors
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=6881-6889 action=drop comment="________"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward protocol=icmp action=accept comment="allow ping"
add chain=forward protocol=udp action=accept comment="allow udp"
add chain=forward src-address=63.219.6.0/24 action=accept comment="Allow access to internet from known network"
add chain=forward src-address=192.168.60.0/26 action=accept
add chain=forward src-address=192.168.168.0/24 action=accept
add chain=forward action=drop comment="drop everything else"
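Both the four-rule starter set and the long example above are easier to trust if they are checked mechanically before being pasted into a router: rule order within a chain, a final catch-all drop in the built-in chains, jump targets that exist, and address lists that are both written to and read from. The script below is an added example written for this page (it is not from the original post, from wiki.mikrotik.com or from MikroTik) that parses a flat /ip firewall filter export and reports those problems. The embedded sample is a constructed excerpt of the example above with straight quotes; the address range in it is the post's placeholder. Run against that sample it reports that the knock rules fill the safe list that no rule ever matches; run against the starter set it reports that ournetwork must be defined separately and that the input chain has no final drop.

```python
"""Lint a flat RouterOS "/ip firewall filter" export for rule-ordering and
address-list mistakes. Added example, not code from the original post."""
import re

# Keys that do not narrow what a rule matches.
NON_MATCH_KEYS = {"chain", "action", "comment", "disabled", "log-prefix",
                  "jump-target", "address-list", "address-list-timeout"}
# Actions that stop processing of the current chain for a matched packet.
CHAIN_ENDING = {"accept", "drop", "reject", "tarpit", "return"}
BUILTIN_CHAINS = {"input", "forward", "output"}
TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample: the input/ICMP/services part of the post's example.
SAMPLE_RULES = """
/ip firewall filter
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m
add chain=input connection-state=established action=accept comment="accept established"
add chain=input connection-state=related action=accept comment="accept related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections"
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack"
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack"
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP"
add chain=input action=jump jump-target=services comment="jump to chain services"
add chain=input action=log log-prefix="Filter:"
add chain=input src-address=192.168.168.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="drop everything else"
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s"
add chain=ICMP protocol=icmp action=drop comment="Drop everything else"
add chain=services protocol=udp dst-port=5678 action=accept comment="MT Discovery Protocol"
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=yes
add chain=services action=return
"""


def parse_rules(text):
    """Turn 'add k=v k="v v"' lines into dicts; menu paths and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue
        rule = {k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
        rule.setdefault("action", "accept")  # RouterOS default when action is omitted
        rule.setdefault("disabled", "no")
        rules.append(rule)
    return rules


def is_unconditional(rule):
    """True when the rule matches every packet that reaches it."""
    return not (set(rule) - NON_MATCH_KEYS)


def lint(text):
    """Return (kind, subject, detail) findings for the enabled rules in text."""
    rules = [r for r in parse_rules(text) if r["disabled"] != "yes"]
    findings, chains = [], {}
    for r in rules:
        chains.setdefault(r["chain"], []).append(r)

    # 1. Rules behind an earlier catch-all in the same chain never run.
    for chain, chain_rules in chains.items():
        shadowed = False
        for idx, r in enumerate(chain_rules):
            if shadowed:
                findings.append(("unreachable", chain, r.get("comment") or f"rule #{idx}"))
            elif is_unconditional(r) and r["action"] in CHAIN_ENDING:
                shadowed = True

    # 2. A built-in chain without a final catch-all drop falls through to RouterOS's default accept.
    for chain in sorted(BUILTIN_CHAINS & set(chains)):
        last = chains[chain][-1]
        if not (is_unconditional(last) and last["action"] in {"drop", "reject"}):
            findings.append(("fail-open", chain, "no catch-all drop; unmatched traffic is accepted"))

    # 3. Address lists written but never read (dead knock/blacklist), or read but never written.
    populated, consumed = set(), set()
    for r in rules:
        if r["action"] in {"add-src-to-address-list", "add-dst-to-address-list"}:
            populated.add(r["address-list"])
        for key in ("src-address-list", "dst-address-list"):
            if key in r:
                consumed.add(r[key])
    for name in sorted(populated - consumed):
        findings.append(("unused-address-list", name, "filled by a rule but no rule matches on it"))
    for name in sorted(consumed - populated):
        findings.append(("static-address-list", name, "must be defined in /ip firewall address-list"))

    # 4. Jumps to chains with no enabled rules, and custom chains nothing jumps to.
    jumped = {r["jump-target"] for r in rules if r["action"] == "jump"}
    for target in sorted(jumped - set(chains)):
        findings.append(("missing-chain", target, "jump-target has no enabled rules"))
    for chain in sorted(set(chains) - BUILTIN_CHAINS - jumped):
        findings.append(("orphan-chain", chain, "custom chain is never jumped to"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in lint(SAMPLE_RULES):
        print(f"{kind:22} {subject:12} {detail}")
```

Feed it the output of /ip firewall filter export (or a script you are about to paste) instead of SAMPLE_RULES. Disabled rules are ignored, because they do not affect what the router does; a static-address-list finding is only informational if the list really is maintained by hand under /ip firewall address-list.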
A question, mas... I have a MikroTik router with about 50 clients. I want every client to get an IP from the MikroTik router's DHCP server when it connects to our LAN, but those clients should not be able to reach the internet until we allow their access, hehehe... because our internet bandwidth is small, so we limit its use. If I block by IP, the client can still change its IP manually. Is there a way? Help me, please... anyone who knows, please send it to my email... thanks.
A question, mas: what do srcnat and dstnat mean in the chain option? What are they for, how are they used, and in which situations?
Thx
Sorry mbak, er, mas,
At home I pick up an unsecured hotspot signal.
After scanning around I found out it runs MikroTik.
But why can't I connect?
Isn't it that when it's unsecured we can connect without
a username and password?
Is there a trick?
Thank U
Whoa, that's already illegal.. huehuehe..
What "unsecure" means is that the network can be detected
and can connect to us.. but to surf the internet you need a special IP to get in.. (if I'm not mistaken, I'm a beginner) Sorry if I'm wrong, please advise....
Mas, a question: how do I prevent my MikroTik password from being hacked? I think my RB450 router got broken into with Brutus.
Mas, I want to ask how to set it so that only a few users/IP addresses may access websites that have been blocked in MikroTik. E.g. Facebook: certain users are allowed access for company business. How do I set that up in MikroTik? Thank you.