Pertama, siapkan dulu topologi jaringannya; setelah itu pastikan modem Speedy sudah diset ke mode bridge (sehingga router MikroTik yang melakukan dial PPPoE). Selanjutnya:
1. Buat Nama Interface Public dan Local
2. Buat IP Address untuk Local
# LAN-side address on the Local interface. The same 192.168.2.0/24 network
# is referenced again by the address list (step 7) and the mangle rules (step 9).
ip address add interface=Local address=192.168.2.1/24 disabled=no
3. Buat Koneksi PPPoE (PPPoE client ke Speedy)
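# PPPoE client on the Public interface; this is the dial-up to the Speedy account.
# - add-default-route=yes installs 0.0.0.0/0 via Speedy automatically, so the
#   manual route in step 5 is redundant.
# - use-peer-dns=no: the resolvers are set by hand in step 4.
# - allow=pap,...: PAP sends the account password in cleartext on the link.
#   If the ISP accepts CHAP/MS-CHAP, drop pap from the list (confirm with the ISP).
# - The original line ran "password=xxxxxx" and "profile=default" together
#   without a space; RouterOS would have read the whole thing as the password.
# Replace the user/password placeholders with the real Speedy credentials and
# do not publish them: they are stored in plaintext in the configuration and
# can appear in /export output.
interface pppoe-client add name=Speedy max-mtu=1480 max-mru=1480 interface=Public user=11140xxxxx@telkom.net password=xxxxxx profile=default add-default-route=yes dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no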
user=11140xxxxx@telkom.net disesuaikan dengan Username Speedy
password=xxxxxx disesuaikan dengan Password Speedy (perhatikan: password ini tersimpan dalam teks biasa di konfigurasi dan dapat ikut tampil pada /export, jadi jangan dibagikan)
4. Setting DNS Speedy
# Upstream resolvers for the router's DNS client/cache.
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts (the LAN clients). It will just as readily answer queries arriving on
# the Speedy interface unless the input firewall (step 8) restricts port 53
# to the LAN; without that the router is an open resolver usable for
# DNS amplification. Cache: 2048 KiB, entries kept at most one week.
ip dns set allow-remote-requests=yes primary-dns=203.130.193.74 secondary-dns=202.134.0.155 cache-max-ttl=1w cache-size=2048KiB
5. Setting Routing
IP >>> Route >>> Tab Routes >>> Klik [+] : Destination 0.0.0.0/0, Gateway (interface) Speedy, Distance 1. Catatan: langkah ini hanya diperlukan jika add-default-route=no pada langkah 3; dengan add-default-route=yes, default route lewat Speedy sudah dibuat otomatis.
6. Setting NAT (Network Address Translation)
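# Source NAT: masquerade everything leaving through the PPPoE interface.
# The interface is named "Speedy" in step 3; the original rule said "Speeda",
# an interface that does not exist, so the rule would either be rejected or
# never match and LAN clients would get no Internet access.
ip firewall nat add chain=srcnat out-interface=Speedy action=masquerade disabled=no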
7. Buat Address List
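# Address list used by the filter rules in step 8 to mean "our LAN".
# The original used curly quotes around LAN, which RouterOS does not treat as
# quotes; straight quotes are required.
ip firewall address-list add list=ournetwork address=192.168.2.0/24 comment="LAN" disabled=no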
8. Masukkan Firewall Filter (urutan baris menentukan urutan rule; rule dievaluasi dari atas ke bawah)
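# Filter rules. RouterOS appends each "add" in the order given and evaluates a
# chain top-down, so the order below is part of the policy.
# Straight quotes are used throughout: the curly quotes in the original paste
# are not quote characters to RouterOS, and comment=”" left a string open.
#
# forward chain: stateful fast path first.
ip firewall filter add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
ip firewall filter add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
ip firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
#
# SSH brute-force staging (input, port 22). A source that opens a fourth new
# SSH connection within a minute lands in ssh_blacklist for 1w3d and is dropped
# by the first rule. These rules sit before the LAN accept rules further down,
# so the first-stage rule excludes ournetwork: otherwise an admin reconnecting
# a few times from the LAN would lock himself out for ten days.
ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH brute forcers" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=!ournetwork action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m disabled=no
#
# Port-scan detection: psd plus malformed TCP flag combinations put the source
# in "port scanners" for two weeks; the last rule drops listed sources.
ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port Scanners to list" disabled=no
ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w disabled=no
ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w disabled=no
ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w disabled=no
ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w disabled=no
ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w disabled=no
ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w disabled=no
ip firewall filter add chain=input src-address-list="port scanners" action=drop disabled=no
#
# FTP brute-force on the router's own FTP server: once the "530 Login incorrect"
# replies to one peer exceed the dst-limit burst (roughly ten a minute) the peer
# is put in ftp_blacklist for 3h. If the FTP service is not needed, disable it
# in /ip service instead of relying on this.
ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Filter FTP to Box" disabled=no
ip firewall filter add chain=output protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept disabled=no
ip firewall filter add chain=output protocol=tcp content="530 Login incorrect" action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h disabled=no
#
# Protocol dispatch. No rules are ever added to a "tcp" chain, so the two tcp
# jumps are no-ops. The udp chain only drops tftp (69) and portmapper (111).
# The icmp chain is reached from forward only; because forward has no final
# drop, ICMP that exceeds the limits there simply returns and is forwarded
# anyway, so the rate limit is only meaningful in the input chain (see below).
ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp comment="Separate Protocol into Chains" disabled=no
ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp disabled=no
ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp disabled=no
ip firewall filter add chain=input protocol=tcp action=jump jump-target=tcp disabled=no
ip firewall filter add chain=input protocol=udp action=jump jump-target=udp disabled=no
ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="Blocking UDP Packet" disabled=no
ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop disabled=no
#
# "virus" chain: well-known worm/backdoor destination ports, dropped for all
# forwarded traffic. These are dated signatures and they match by destination
# port in both directions, so LAN clients are also blocked from reaching these
# ports on remote hosts (e.g. 1024-1030, 1080, 1214; 10000 when enabled).
# The original listed tcp/2745 twice; the duplicate is removed here.
ip firewall filter add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
ip firewall filter add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
ip firewall filter add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
# Kept disabled by the author because 10000 is also used for VPN or Webmin.
ip firewall filter add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y,utk vpn atau webmin" disabled=yes
ip firewall filter add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
ip firewall filter add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
ip firewall filter add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
#
# input chain: stateful rules, then what the router itself accepts.
ip firewall filter add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
ip firewall filter add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
# The original accepted ALL UDP from any source here. Combined with
# allow-remote-requests=yes in step 4 that makes the router an open DNS
# resolver on the Speedy interface (DNS amplification) and exposes every
# other UDP service to the Internet. Restricted to the LAN; replies to the
# router's own outbound UDP (DNS, NTP) are already accepted as established.
ip firewall filter add chain=input protocol=udp src-address-list=ournetwork action=accept comment="UDP from LAN" disabled=no
#
# Rate-limited ICMP (5/s, burst 5): echo reply, port unreachable,
# fragmentation needed (path MTU), echo request, time exceeded (traceroute).
# Anything else returns to the calling chain.
ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="Limited Ping Flood" disabled=no
ip firewall filter add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept disabled=no
ip firewall filter add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept disabled=no
ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept disabled=no
ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept disabled=no
# Let the LAN ping the router through the rate-limited chain; all other ICMP
# to the router (including from the WAN) is dropped. The original had no jump
# here, so it dropped every ping to the router, even from the LAN.
ip firewall filter add chain=input protocol=icmp src-address-list=ournetwork action=jump jump-target=icmp comment="LAN ICMP, rate limited" disabled=no
ip firewall filter add chain=input protocol=icmp action=drop comment="Drop other ICMP" disabled=no
#
# Management services, LAN only. FTP, telnet and HTTP are cleartext: if they
# are not needed, disable them in /ip service rather than relying on the
# firewall alone, and administer over SSH or Winbox (8291).
ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="FTP" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="SSH for secure shell" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="Telnet" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" disabled=no
# PPTP control channel from anywhere (GRE presumably arrives as "related" via
# the pptp entry in /ip firewall service-port; verify on the device). PPTP's
# MS-CHAPv2 authentication is widely considered broken. If no PPTP server is
# configured, set disabled=yes here or remove the rule; if a VPN is needed,
# prefer an IPsec-based one.
ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" disabled=no
#
# Bogon filtering for forwarded traffic. Note that the forward chain has no
# final drop: anything not matched above is forwarded. With masquerade and no
# dst-nat nothing from Speedy reaches the LAN, but a defensive last rule
#   ip firewall filter add chain=forward in-interface=Speedy connection-state=new action=drop
# is recommended (insert accepts for any dst-nat port forwards above it).
ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop disabled=no
ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop disabled=no
ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop disabled=no
ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop disabled=no
ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop disabled=no
ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop disabled=no
# Everything else from the LAN to the router is accepted; anything else is
# logged and dropped. The log rule has no rate limit, so on a noisy WAN link
# consider adding limit= to it to keep the log readable.
ip firewall filter add chain=input src-address-list=ournetwork action=accept comment="From network" disabled=no
ip firewall filter add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
ip firewall filter add chain=input action=drop comment="Drop everything else" disabled=no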
9. Masukkan Mangle
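# Connection/packet marks for the queues of step 10. All rules are left
# disabled=yes as the author published them; enable only the marks a queue
# actually uses. The original carried comment=”" (a curly quote followed by a
# straight one), which leaves the comment string unterminated in RouterOS; the
# empty comments are simply dropped here.
#
# mark-connection rules use passthrough=yes so the later mark-packet rules
# still run; mark-packet rules use passthrough=no so the first match wins.
# Prerouting matches traffic arriving on any interface, so a dst-port=22 or
# dst-port=8291 match also covers connections from the WAN to the router.
ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes disabled=yes
# ym = Yahoo Messenger, cs = Counter-Strike, irc, mt = Winbox — going by the mark names.
ip firewall mangle add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection new-connection-mark=ym_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=udp dst-port=27015 action=mark-connection new-connection-mark=cs_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=tcp dst-port=6000-7000 action=mark-connection new-connection-mark=irc_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=mt_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email_conn passthrough=yes disabled=yes
ip firewall mangle add chain=prerouting protocol=tcp dst-port=22 action=mark-connection new-connection-mark=ssh_conn passthrough=yes disabled=yes
# Packet marks derived from the connection marks above.
ip firewall mangle add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no disabled=yes
ip firewall mangle add chain=prerouting connection-mark=dns_conn action=mark-packet new-packet-mark=dns passthrough=no disabled=yes
ip firewall mangle add chain=prerouting connection-mark=ym_conn action=mark-packet new-packet-mark=ym passthrough=no disabled=yes
ip firewall mangle add chain=prerouting connection-mark=irc_conn action=mark-packet new-packet-mark=irc passthrough=no disabled=yes
ip firewall mangle add chain=prerouting connection-mark=mt_conn action=mark-packet new-packet-mark=mt passthrough=no disabled=yes
ip firewall mangle add chain=prerouting connection-mark=email_conn action=mark-packet new-packet-mark=email passthrough=no disabled=yes
ip firewall mangle add chain=prerouting connection-mark=ssh_conn action=mark-packet new-packet-mark=ssh passthrough=no disabled=yes
# Both directions of forwarded LAN traffic get the "local" connection mark.
ip firewall mangle add chain=forward src-address=192.168.2.0/24 action=mark-connection new-connection-mark=local passthrough=yes disabled=yes
ip firewall mangle add chain=forward dst-address=192.168.2.0/24 action=mark-connection new-connection-mark=local passthrough=yes disabled=yes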
10. Buat Queue jika diperlukan. Semua rule mangle pada langkah 9 masih disabled=yes; aktifkan hanya mark yang dipakai oleh queue. CMIIW
Belajar di : www.indicaisp.net