RouterOS
RouterOS is a powerful routing software and hardware platform...

Changhua County Hunan Elementary School, Teacher A-Yao: key notes

Key points

Static IP setup

Set the IP
◇ int: enter the interface settings
print: check whether the interfaces are enabled (an R in front of the interface name, e.g. R before ether1, means it is running; if X is shown instead, enable them with en 0 and en 1).

Rename the interfaces
set 0 name=Lan
set 1 name=Wan
Enter /
setup
a
a
(Note: if the interface shown here is Wan rather than Lan, change it to Lan)

192.168.1.1/24
Enter g
Set the gateway to 0.0.0.0
x to exit
x to exit

Using WinBox
On another PC set IP 192.168.1.3, mask 255.255.255.0,
gateway 192.168.1.1, DNS 192.168.1.1

Setting the WAN IP
Static IP
IP > Addresses: 163.23.x.x/26 (Changhua County IP)
IP > Routes, click +
The destination need not be entered as 0.0.0.0
gateway: set the upstream gateway,
e.g. 192.168.0.1 or 163.x.x.254

Masquerade (MASQ) so the LAN can reach the Internet
IP > Firewall > NAT, +, chain: srcnat,
Action tab, action: masquerade, Apply, OK

DNS: IP > DNS > Settings
168.95.1.1
168.95.192.1
192.168.1.1
Be sure to tick Allow Remote Requests (with this on, the router answers DNS queries from any address that can reach it, so the input chain should accept DNS only from the LAN side)

The cache size can be raised a little, provided the router has enough memory

Add a static DNS entry pointing to 192.168.1.1

----------------------------

◇ Script output
Export the firewall rules to the file 1.txt

/ip firewall filter print file=1.txt

/ returns to the root level

.. goes up one level

Traffic: /queue

Interfaces: /interface

ARP table: ip (Enter) arp

Routes: ip (Enter) route

Proxy: ip (Enter) proxy

Firewall: ip (Enter) fire (short for firewall)


 

ADSL dial-up (PPPoE) setup

ADSL
Interface > PPPoE Client
name: any name you choose
Interfaces: wan
Dial Out tab
user: enter the ADSL account
Password: enter the ADSL password
Tick Add Default Route
Tick Use Peer DNS
Tick all the options under Allow

Then add the masquerade rule and the DNS settings exactly as in the static IP section above.

Block ping from outside

◇ Block ping from outside

/ip firewall filter add chain=output src-address=!192.168.1.0/255.255.255.0 protocol=icmp action=drop comment="block external ping"

(On the output chain this drops ICMP that the router itself sends from any address outside 192.168.1.0/24, so echo replies to pings arriving on the WAN side never leave; pings from the LAN are still answered.)

Hosting a server on the LAN

IP > Firewall > NAT > add a new rule
Dst. Address 59.126.216.225 (the ADSL IP), protocol tcp, Dst. Port 80
In. Interface: leave unset
action: dst-nat, To Addresses 192.168.1.123 (internal IP), To Ports 80
Remember to drag the newly created rule above the masquerade rule
If there is a proxy rule, it goes above that as well

Adding a disk as the proxy cache

◇ Proxy onto the new disk
Attach the disk on a separate cable
System > Store
+ webproxy, type webproxy
disk secondary-master, active

Preventing web connections from stalling

◇ Preventing web connections from stalling

/ip firewall connection tracking set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=30s tcp-established-timeout=5d tcp-fin-wait-timeout=2m tcp-close-wait-timeout=0s tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m

Where to check

IP > Firewall > Connections > Tracking
◇ Setting it to 0s effectively prevents dropped connections.

/ip firewall connection tracking set tcp-close-timeout=0s

◇ Remove the firewall restriction on TCP 3127-3198, or append connection-state=new to that rule

◇ Another view: lengthen the wait times instead
/ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=10m tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=5m
 

Closing ports

◇ Block the "three waves" ports (135-139)

/ip firewall filter
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="no san bu"

Rejecting port scans

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="Port scanners to list" disabled=no

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP FIN Stealth scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/FIN scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/RST scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="FIN/PSH/URG scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="ALL/ALL scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP NULL scan"

/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
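An added Python model (not part of the original notes) of how the flag-based rules above behave: it emulates the RouterOS tcp-flags matcher, the passthrough add-src-to-address-list action with its 14d timeout, and the final drop rule, then runs constructed packets through that chain. The psd rule is left out because it needs per-source packet history rather than a single-packet check, and refreshing an existing list entry is a simplification not modelled.

```python
from dataclasses import dataclass, field

FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")
LIST_TIMEOUT = 14 * 24 * 3600  # address-list-timeout=14d, in seconds


def flag_match(spec, packet_flags):
    """Emulate the RouterOS tcp-flags matcher: a plain name must be set,
    a name prefixed with '!' must be clear, flags not listed are ignored."""
    for item in spec.split(","):
        name = item.lstrip("!")
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag {item!r}")
        if (name in packet_flags) != (not item.startswith("!")):
            return False
    return True


# tcp-flags specs and comments copied from the filter rules above (psd omitted).
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


@dataclass
class InputChain:
    """The 'port scanners' address list: source address -> expiry time (s)."""
    scanners: dict = field(default_factory=dict)

    def process(self, src, flags, now):
        """Run one TCP packet (source IP, set flags, clock in seconds) through
        the chain; returns ('drop' | 'pass', [comments of rules that fired])."""
        flags = set(flags)
        fired = []
        # add-src-to-address-list is a passthrough action in RouterOS: every
        # matching rule fires and the packet continues to the next rule.
        for spec, comment in SCAN_RULES:
            if flag_match(spec, flags):
                fired.append(comment)
                # Simplification: an existing, unexpired entry is not refreshed.
                if self.scanners.get(src, 0) <= now:
                    self.scanners[src] = now + LIST_TIMEOUT
        # Last rule: src-address-list="port scanners" action=drop. A source
        # added earlier in this same pass is already on the list, so the
        # triggering packet is dropped too, as is every later packet for 14d.
        if self.scanners.get(src, 0) > now:
            return "drop", fired
        return "pass", fired
```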

Default timeout per protocol state

◇ Default timeout per protocol state:
(Note: the ip session timeout commands in this section are not RouterOS CLI syntax; the state names and defaults below come from a different firewall. On RouterOS the equivalents are the /ip firewall connection tracking timeouts shown earlier.)
icmp-closed default 10s
icmp-connected default 10s
icmp-started default 10s
rawip-closed default 10s
rawip-connected default 300s
rawip-established default 300s
rawip-started default 300s

tcp-close-wait default 60s
tcp-closed default 10s
tcp-established default 1800s
tcp-fin-wait default 60s
tcp-last-ack default 30s
tcp-syn-receive default 10s
tcp-syn-sent default 10s
tcp-time-wait default 10s

udp-closed default 10s
udp-connected default 30s
udp-established default 600s
udp-started default 60s

If the environment carries a very large number of flows and the flow table
may run short at peak times, adjust the expiry of the tcp-established and
udp-established states as appropriate (the values below shorten them from the defaults):

ip session timeout tcp-established 600
ip session timeout udp-established 300

 

When testing the new-connection rate, TCP flows are used; for better results,
tcp-closed, tcp-close-wait, tcp-fin-wait, tcp-syn-sent and tcp-time-wait
are usually lowered to their minimum values. Configuration:

ip session timeout tcp-closed 5
ip session timeout tcp-close-wait 10
ip session timeout tcp-fin-wait 10
ip session timeout tcp-syn-sent 5
ip session timeout tcp-time-wait 5

If the test uses UDP flows instead, adjust udp-connected and udp-closed for better
results; note that udp-connected is raised, not lowered.
Configuration:
ip session timeout udp-closed 5
ip session timeout udp-connected 600
-------------------------------------------------------
Test values
Tcp syn sent: 7
Tcp received: 7
Tcp established: 15:00
Tcp fin wait: 7
Tcp close wait: 3
Tcp last ack: 20
Tcp time wait: 10
Tcp time close: 10
udp: 10
udp stream: 3:00
Icmp: 30
Generic: 5:00

 

 

 


This site was established 89.01.10 (ROC years)
90.04.02 4th major revision
91.07.22 5th major revision
91.11.26 6th major revision
92.12.13 7th major revision
94.11.15 8th major revision
