Sabtu, 17 November 2007

gate conf

[root@localhost cbq]# iptables-save
# Generated by iptables-save v1.2.3 on Sat Nov 12 07:10:00 2005
*mangle
:PREROUTING ACCEPT [10114098:3764899788]
:OUTPUT ACCEPT [171716:34847887]
COMMIT
# Completed on Sat Nov 12 07:10:00 2005
# Generated by iptables-save v1.2.3 on Sat Nov 12 07:10:00 2005
*nat
:PREROUTING ACCEPT [472294:27304776]
:POSTROUTING ACCEPT [157:9079]
:OUTPUT ACCEPT [173:10177]
-A PREROUTING -s 192.168.2.22 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113
-A PREROUTING -s 192.168.2.242 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113

-A PREROUTING -s 192.168.2.201 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113
-A PREROUTING -s 192.168.2.42 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113
-A PREROUTING -s 192.168.2.111 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113
-A PREROUTING -s 192.168.2.173 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113
-A PREROUTING -s 192.168.2.40 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113
-A PREROUTING -s 192.168.2.178 -p tcp -j DROP
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 202.0.0.0/255.0.0.0 -j SNAT --to-source 202.152.55.210
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 203.0.0.0/255.0.0.0 -j SNAT --to-source 202.152.55.210
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 219.0.0.0/255.0.0.0 -j SNAT --to-source 202.152.55.210
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 222.0.0.0/255.0.0.0 -j SNAT --to-source 202.152.55.210
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j SNAT --to-source 69.88.24.37
-A POSTROUTING -s 192.168.2.178 -j DROP
COMMIT
# Completed on Sat Nov 12 07:10:00 2005
# Generated by iptables-save v1.2.3 on Sat Nov 12 07:10:00 2005
*filter
:INPUT ACCEPT [434997:82489618]
:FORWARD ACCEPT [9678268:3682351211]
:OUTPUT ACCEPT [166295:33653931]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Sat Nov 12 07:10:00 2005
[root@localhost cbq]#
[root@localhost cbq]# ip r
202.152.55.208/29 dev eth1 scope link
69.88.24.32/29 dev eth1 proto kernel scope link src 69.88.24.37
192.168.2.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 202.152.55.209 dev eth1
[root@localhost cbq]
[root@localhost cbq]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
202.152.55.208 0.0.0.0 255.255.255.248 U 40 0 0 eth1
69.88.24.32 0.0.0.0 255.255.255.248 U 40 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 202.152.55.209 0.0.0.0 UG 40 0 0 eth1
[root@localhost cbq]#
[root@localhost cbq]# cat /etc/resolv.conf
nameserver 202.152.0.2
nameserver 168.215.210.50
nameserver 207.170.210.16
#search localdomain
[root@localhost cbq]#
[root@localhost cbq]# cat /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.
/sbin/cbq start
#touch /var/lock/subsys/local

[root@localhost cbq]#
[root@localhost root]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.4 1416 508 ? S Nov08 0:04 init [3]
root 2 0.0 0.0 0 0 ? SW Nov08 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Nov08 0:00 [kapm-idled]
root 4 0.0 0.0 0 0 ? RWN Nov08 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Nov08 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW Nov08 0:00 [kreclaimd]
root 7 0.0 0.0 0 0 ? SW Nov08 0:00 [bdflush]
root 8 0.0 0.0 0 0 ? SW Nov08 0:00 [kupdated]
root 9 0.0 0.0 0 0 ? SW< Nov08 0:00 [mdrecoveryd]
root 13 0.0 0.0 0 0 ? SW Nov08 0:02 [kjournald]
root 89 0.0 0.0 0 0 ? SW Nov08 0:00 [khubd]
root 686 0.0 0.0 0 0 ? SW Nov08 0:00 [eth1]
root 787 0.0 0.5 1476 584 ? S Nov08 0:01 syslogd -m 0
root 792 0.0 1.0 2108 1192 ? S Nov08 0:00 klogd -2
rpc 812 0.0 0.5 1556 568 ? S Nov08 0:00 portmap
rpcuser 840 0.0 0.6 1608 760 ? S Nov08 0:00 rpc.statd
root 952 0.0 0.4 1400 516 ? S Nov08 0:00 /usr/sbin/apmd -p
ident 1008 0.0 0.8 26932 964 ? S Nov08 0:00 identd -e -o
ident 1014 0.0 0.8 26932 964 ? S Nov08 0:00 identd -e -o
ident 1015 0.0 0.8 26932 964 ? S Nov08 0:02 identd -e -o
ident 1019 0.0 0.8 26932 964 ? S Nov08 0:02 identd -e -o
ident 1026 0.0 0.8 26932 964 ? S Nov08 0:00 identd -e -o
root 1030 0.0 2.1 4064 2348 ? S Nov08 0:00 /usr/sbin/snmpd -
named 1047 0.0 3.1 11576 3436 ? S Nov08 0:00 named -u named
named 1065 0.0 3.1 11576 3436 ? S Nov08 0:00 named -u named
named 1066 0.0 3.1 11576 3436 ? S Nov08 0:00 named -u named
named 1067 0.0 3.1 11576 3436 ? S Nov08 0:00 named -u named
named 1068 0.0 3.1 11576 3436 ? S Nov08 0:00 named -u named
root 1072 0.0 1.1 2672 1272 ? S Nov08 0:16 /usr/sbin/sshd
root 1106 0.0 0.8 2272 928 ? S Nov08 0:00 xinetd -stayalive
lp 1125 0.0 0.8 2580 976 ? S Nov08 0:00 lpd Waiting
root 1234 0.0 0.5 1592 656 ? S Nov08 0:00 crond
daemon 1270 0.0 0.4 1448 552 ? S Nov08 0:00 /usr/sbin/atd
root 2161 0.0 0.3 1388 440 tty1 S Nov08 0:00 /sbin/mingetty tt
root 2162 0.0 0.3 1388 440 tty2 S Nov08 0:00 /sbin/mingetty tt
root 2163 0.0 0.3 1388 440 tty3 S Nov08 0:00 /sbin/mingetty tt
root 2164 0.0 0.3 1388 440 tty4 S Nov08 0:00 /sbin/mingetty tt
root 2165 0.0 0.3 1388 440 tty5 S Nov08 0:00 /sbin/mingetty tt
root 2166 0.0 0.3 1388 440 tty6 S Nov08 0:00 /sbin/mingetty tt
root 15152 0.1 1.8 3692 2032 ? S 05:11 0:11 /usr/sbin/sshd
root 15153 0.0 1.2 2552 1372 pts/0 S 05:11 0:00 -bash
root 15299 0.0 1.8 3648 2032 ? S 05:23 0:01 /usr/sbin/sshd
root 15300 0.0 1.2 2560 1396 pts/1 S 05:24 0:00 -bash
root 17576 0.0 1.4 2756 1588 pts/1 S 07:15 0:00 ssh -l root 192.1
root 17582 0.0 0.6 2648 716 pts/0 R 07:20 0:00 ps aux
[root@localhost root]#

2 way downlink uplink conf

[root@dvb root]# iptables-save
# Generated by iptables-save v1.2.3 on Fri Nov 11 23:44:29 2005
*nat
:PREROUTING ACCEPT [2187862:160340692]
:POSTROUTING ACCEPT [2055830:143406338]
:OUTPUT ACCEPT [232:17698]
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 200.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 220.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211

-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 200.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 216.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j SNAT --to-source 69.88.24.34
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 200.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 220.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 200.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -d 216.0.0.0/252.0.0.0 -j SNAT --to-source 202.152.55.211
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j SNAT --to-source 69.88.24.34
COMMIT
# Completed on Fri Nov 11 23:44:29 2005
[root@dvb root]#
[root@dvb root]# ip addr
1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:00:0e:b8:bd:aa brd ff:ff:ff:ff:ff:ff
inet 202.152.55.211/29 brd 202.152.55.215 scope global eth0:0
inet 192.168.2.222/24 brd 192.168.2.255 scope global eth0:1
inet 69.88.24.34/29 brd 69.88.24.39 scope global eth0
3: aba_0: mtu 1500 qdisc noqueue
link/ether 00:d0:72:01:42:0a brd ff:ff:ff:ff:ff:ff
inet 10.2.0.1/24 brd 10.255.255.255 scope global aba_0
[root@dvb root]#
[root@dvb root]# ip r
202.152.55.208/29 dev eth0 proto kernel scope link src 202.152.55.211
69.88.24.32/29 dev eth0 scope link
10.2.0.0/24 dev aba_0 proto kernel scope link src 10.2.0.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.222
127.0.0.0/8 dev lo scope link
default via 202.152.55.209 dev eth0
[root@dvb root]#
[root@dvb root]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
202.152.55.208 0.0.0.0 255.255.255.248 U 40 0 0 eth0
69.88.24.32 0.0.0.0 255.255.255.248 U 40 0 0 eth0
10.2.0.0 0.0.0.0 255.255.255.0 U 40 0 0 aba_0
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 202.152.55.209 0.0.0.0 UG 40 0 0 eth0
[root@dvb root]#
[root@dvb root]# cat /etc/resolv.conf
nameserver 202.152.0.2
nameserver 168.215.210.50
nameserver 207.170.210.16
[root@dvb root]#
[root@dvb root]# cat /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.###ini utk dvb
################
#ip route add 69.88.24.33 via 202.152.55.210
route add default gw 202.152.55.209
# touch /var/lock/subsys/local
#arahkan situs dalam ke LA
iptables -t nat -A POSTROUTING -s 192.168.2.200/24 -d 202.0.0.0/6 -j SNAT --to 202.152.55.211
iptables -t nat -A POSTROUTING -s 192.168.2.200/24 -d 222.0.0.0/6 -j SNAT --to 202.152.55.211
iptables -t nat -A POSTROUTING -s 192.168.2.200/24 -d 203.0.0.0/6 -j SNAT --to 202.152.55.211
iptables -t nat -A POSTROUTING -s 192.168.2.200/24 -d 219.0.0.0/6 -j SNAT --to 202.152.55.211
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -j SNAT --to 69.88.24.34

#modprobe ipt_LOG
#modprobe ipt_REJECT
#modprobe ipt_MASQUERADE

#/sbin/depmod -a

#echo "1" > /proc/sys/net/ipv4/ip_forward

#iptables -F
#iptables -t nat -F

#iptables -X
#iptables -t nat -X

##iptables NEW
#iptables -t nat -A POSTROUTING -d 202.0.0.0/255.0.0.0 -p tcp -m tcp --dport 80 -j SNAT --to-source 202.152.55.210
#iptables -t nat -A POSTROUTING -d 203.130.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j SNAT --to-source 202.152.55.210
#iptables -t nat -A POSTROUTING -d 203.134.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j SNAT --to-source 202.152.55.210
#iptables -t nat -A POSTROUTING -d 61.94.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j SNAT --to-source 202.152.55.210
#iptables -t nat -A POSTROUTING -d 61.5.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j SNAT --to-source 202.152.55.210
#iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 6000:7000 -j SNAT --to-source 202.152.55.211
#iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 69.88.3.241
#iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -d 0.0.0.0/0 -j MASQUERADE

##routing web local
#iptables -t nat -A POSTROUTING -d 202.0.0.0/8 -j SNAT --to 202.152.55.210

##routing web luar
#iptables -t nat -A POSTROUTING -d 203.130.242.0/24 -j SNAT --to 202.152.55.210

###routing irc
#iptables -t nat -A POSTROUTING -p tcp --dport 6667 -j SNAT --to 69.88.3.243
#iptables -t nat -A POSTROUTING -j SNAT --to 69.88.3.241

##cakrawala HPT
#iptables -t nat -A POSTROUTING -d 202.0.0.0/8 -j SNAT --to 202.152.55.210
#iptables -t nat -A POSTROUTING -p tcp --dport 6667 -j SNAT --to 69.88.3.241

##digital
#iptables -t nat -A POSTROUTING -s 192.168.2.34 -o eth0 -p tcp -j SNAT --to 202.174.154.103
#iptables -t nat -A POSTROUTING -s 192.168.2.34 -o eth0 -p udp -j SNAT --to 202.174.154.103
#iptables -t nat -A POSTROUTING -s 192.168.2.34 -o eth0 -d 0/0 -j MASQUERADE

# buka port
#iptables -A INPUT -j ACCEPT -p tcp --dport 80
#iptables -A INPUT -j ACCEPT -p tcp --dport 21
#iptables -A INPUT -j ACCEPT -p tcp --dport 110
#iptables -A INPUT -j ACCEPT -p tcp --dport 25
#iptables -A INPUT -j ACCEPT -p tcp --dport 22

####traffic shapping
#/etc/rc.d/cbq start

#touch /var/lock/subsys/local

#touch /var/lock/subsys/local
[root@dvb root]#
[root@dvb root]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1412 52 ? S Nov04 0:03 init [3]
root 2 0.0 0.0 0 0 ? SW Nov04 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Nov04 0:00 [kapm-idled]
root 4 0.0 0.0 0 0 ? SWN Nov04 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Nov04 0:01 [kswapd]
root 6 0.0 0.0 0 0 ? SW Nov04 0:00 [kreclaimd]
root 7 0.0 0.0 0 0 ? SW Nov04 0:00 [bdflush]
root 8 0.0 0.0 0 0 ? SW Nov04 0:00 [kupdated]
root 9 0.0 0.0 0 0 ? SW< Nov04 0:00 [mdrecoveryd]
root 13 0.0 0.0 0 0 ? SW Nov04 0:05 [kjournald]
root 99 0.0 0.0 0 0 ? SW Nov04 0:00 [khubd]
root 581 0.0 0.2 1696 160 ? S Nov04 0:05 syslogd -m 0
root 586 0.0 0.0 2108 0 ? SW Nov04 0:00 klogd -2
rpc 607 0.0 0.0 1548 0 ? SW Nov04 0:00 portmap
root 718 0.0 0.0 4272 0 ? SW Nov04 0:00 /usr/sbin/snmpd -
root 736 0.0 0.4 2676 296 ? S Nov04 0:52 /usr/sbin/sshd
root 769 0.0 0.0 2264 0 ? SW Nov04 0:00 xinetd -stayalive
root 787 0.0 0.1 1584 108 ? S Nov04 0:00 crond
root 865 0.0 0.1 18148 120 ? S Nov04 0:00 /usr/local/bin/ab
root 866 0.0 0.1 18148 124 ? S Nov04 0:00 /usr/local/bin/ab
root 867 0.0 0.1 18148 124 ? S Nov04 0:00 /usr/local/bin/ab
root 868 0.0 0.1 18148 124 ? S Nov04 0:00 /usr/local/bin/ab
root 898 0.0 0.0 1384 0 tty2 SW Nov04 0:00 /sbin/mingetty tt
root 899 0.0 0.0 1384 0 tty3 SW Nov04 0:00 /sbin/mingetty tt
root 900 0.0 0.0 1384 0 tty4 SW Nov04 0:00 /sbin/mingetty tt
root 901 0.0 0.0 1384 0 tty5 SW Nov04 0:00 /sbin/mingetty tt
root 902 0.0 0.0 1384 0 tty6 SW Nov04 0:00 /sbin/mingetty tt
root 2286 0.0 0.0 1384 0 tty1 SW Nov04 0:00 /sbin/mingetty tt
root 18668 0.0 2.8 3536 1748 ? S Nov11 0:00 /usr/sbin/sshd
root 18669 0.0 2.1 2520 1360 pts/0 S Nov11 0:00 -bash
root 18729 0.0 1.1 2636 724 pts/0 R 00:03 0:00 ps aux
[root@dvb root]#

proxy conf

[root@router root]# iptables-save
# Generated by iptables-save v1.2.6a on Sat Nov 12 07:38:57 2005
*filter
:INPUT ACCEPT [108975:87806451]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120593:91453581]
COMMIT
# Completed on Sat Nov 12 07:38:57 2005

[root@router root]#
[root@router root]# ip r
192.168.2.0/24 dev eth1 scope link
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.113
127.0.0.0/8 dev lo scope link
default via 192.168.2.1 dev eth1
[root@router root]#
[root@router root]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 192.168.2.1 0.0.0.0 UG 40 0 0 eth1
[root@router root]#
[root@router root]# cat /etc/resolv.conf
nameserver 202.152.0.2
[root@router root]#
[root@router root]# cat /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
[root@router root]#
[root@router root]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 1336 480 ? S 05:44 0:03 init
root 2 0.0 0.0 0 0 ? SW 05:44 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 05:44 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 05:44 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW 05:44 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 05:44 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 05:44 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 05:44 0:00 [mdrecoveryd]
root 12 0.0 0.0 0 0 ? SW 05:44 0:00 [kjournald]
root 68 0.0 0.0 0 0 ? SW 05:45 0:00 [khubd]
root 160 0.0 0.0 0 0 ? SW 05:45 0:00 [kjournald]
root 410 0.0 0.0 0 0 ? SW 05:46 0:00 [eth0]
root 526 0.0 0.3 1748 756 ? S 05:46 0:00 syslogd -m 0
root 531 0.0 0.2 1336 428 ? S 05:46 0:00 klogd -x
rpc 548 0.0 0.2 1484 532 ? S 05:46 0:00 portmap
rpcuser 567 0.0 0.4 1744 828 ? S 05:46 0:00 rpc.statd
root 648 0.0 0.2 1328 476 ? S 05:46 0:00 /usr/sbin/apmd -p
root 686 0.0 0.7 3276 1468 ? S 05:46 0:01 /usr/sbin/sshd
root 700 0.0 0.4 2092 896 ? S 05:46 0:00 xinetd -stayalive
root 723 0.0 1.2 5056 2384 ? S 05:47 0:00 sendmail: accepti
smmsp 733 0.0 1.1 4868 2152 ? S 05:47 0:00 sendmail: Queue r
root 743 0.0 0.2 1372 428 ? S 05:47 0:00 gpm -t ps/2 -m /d
root 752 0.0 0.3 1512 612 ? S 05:47 0:00 crond
root 765 0.0 0.5 3976 1080 ? S 05:47 0:00 squid -D
squid 768 0.3 4.9 11332 9416 ? S 05:47 0:20 (squid) -D
squid 770 0.0 0.1 1304 248 ? S 05:47 0:00 (unlinkd)
daemon 794 0.0 0.2 1368 520 ? S 05:47 0:00 /usr/sbin/atd
root 803 0.0 0.2 1316 404 tty1 S 05:47 0:00 /sbin/mingetty tt
root 804 0.0 0.2 1316 404 tty2 S 05:47 0:00 /sbin/mingetty tt
root 805 0.0 0.2 1316 404 tty3 S 05:47 0:00 /sbin/mingetty tt
root 806 0.0 0.2 1316 404 tty4 S 05:47 0:00 /sbin/mingetty tt
root 807 0.0 0.2 1316 404 tty5 S 05:47 0:00 /sbin/mingetty tt
root 808 0.0 0.2 1316 404 tty6 S 05:47 0:00 /sbin/mingetty tt
root 912 0.0 1.1 6708 2124 ? S 07:38 0:00 /usr/sbin/sshd
root 914 0.0 0.7 4128 1404 pts/0 S 07:38 0:00 -bash
root 959 0.0 0.3 2556 640 pts/0 R 07:41 0:00 ps aux
[root@router root]#

wrt54g as a gateway ISP back up

here is /etc/rc.d/rc.local on dvb
#!/bin/sh
###ini utk dvb
################
#ip route add 69.88.24.33 via 202.152.55.210
route add default gw 202.152.55.209
# touch /var/lock/subsys/local
#arahkan situs dalam ke LA
iptables -t nat -A POSTROUTING -s 192.168.2.100/24 -d 202.0.0.0/6 -j SNAT --to 202.152.55.211
iptables -t nat -A POSTROUTING -s 192.168.2.100/24 -d 222.0.0.0/6 -j SNAT --to 202.152.55.211
iptables -t nat -A POSTROUTING -s 192.168.2.100/24 -d 203.0.0.0/6 -j SNAT --to 202.152.55.211

iptables -t nat -A POSTROUTING -s 192.168.2.100/24 -d 219.0.0.0/6 -j SNAT --to 202.152.55.211
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -j SNAT --to 69.88.24.34
=================================

ini ip ro dvb
=============
[root@dvb root]# ip ro
202.152.55.208/29 dev eth0 proto kernel scope link src 202.152.55.211
69.88.24.32/29 dev eth0 scope link
10.2.0.0/24 dev aba_0 proto kernel scope link src 10.2.0.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.100
127.0.0.0/8 dev lo scope link
default via 202.152.55.209 dev eth0
—————————-
======
[root@dvb root]# ip addr
1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:00:0e:b8:bd:aa brd ff:ff:ff:ff:ff:ff
inet 202.152.55.211/29 brd 202.152.55.215 scope global eth0:0
inet 192.168.2.100/24 brd 192.168.2.255 scope global eth0:1
inet 69.88.24.34/29 brd 69.88.24.39 scope global eth0
3: aba_0: mtu 1500 qdisc noqueue
link/ether 00:d0:72:01:42:0a brd ff:ff:ff:ff:ff:ff
inet 10.2.0.1/24 brd 10.255.255.255 scope global aba_0

proxy transparent

install squid yg incl. di RH 7.2
edit file /etc/squid/squid.conf
http_port 8080
cache_mem 80 MB
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.2.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# And finally deny all other access to this proxy
http_access allow localhost
http_access allow localnet
http_access deny all
cache_mgr info@cakrawalamultimedia.com
visible_hostname www.cakrawalamultimedia.com
#setting utk transparent proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

##lalu setting di file /etc/rc.d/rc.local
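# iptables setup for the transparent squid proxy (appended to rc.local).
# Netfilter modules for the rules below. LOG and REJECT are loaded but no
# rule here uses them; MASQUERADE is required by the POSTROUTING rule.
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
# Enable IP forwarding and dynamic-address handling. Plain ASCII 1: the
# smart quotes in the published copy would be written literally and are
# not a valid value for these files.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

IPT=/sbin/iptables

# Reset the filter-table policies to ACCEPT. Note that nothing below ever
# tightens INPUT or FORWARD again, so every chain stays open by default.
"$IPT" -P INPUT ACCEPT
"$IPT" -P FORWARD ACCEPT
"$IPT" -P OUTPUT ACCEPT
# Reset the nat-table policies to ACCEPT.
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT
"$IPT" -t nat -P OUTPUT ACCEPT

# Flush all existing filter and nat rules.
"$IPT" -F
"$IPT" -t nat -F

# Forwarding and masquerading. There is no -s match, so with FORWARD at
# ACCEPT every packet routed out of eth1 is masqueraded, not only traffic
# from the local LAN.
"$IPT" -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Transparent proxy: HTTP arriving on eth0 is redirected to squid on 8080
# (matches http_port 8080 in squid.conf; squid's http_access ACLs still
# decide who may use the proxy).
"$IPT" -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# MASQUERADE only: uncomment this if you do not use the proxy.
#"$IPT" -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
#touch /var/lock/subsys/local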
####
## make a squid swap file
squid -z

start the squid with this comand
squid start
#### coba jalankan ####
sudah berjalan di server gili trawangan burnoc dan di superstart senggigi the fastest internet

firewalling

edit /etc/rc.d/rc.local
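#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# Gateway setup: source NAT for one client, a few inbound ACCEPT rules,
# and the bandwidth limiter.

# touch /var/lock/subsys/local
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE

/sbin/depmod -a

# Enable IP forwarding. Plain ASCII 1: the smart quotes in the published
# copy would be written literally and are not a valid value.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush and delete all filter and nat rules and user chains. The chain
# policies are never set by this script, so they keep their current value
# (ACCEPT unless something else changed them).
iptables -F
iptables -t nat -F

iptables -X
iptables -t nat -X

# Interface names. Plain ASCII quotes: with the smart quotes of the
# published copy the quote characters became part of the name, so the
# -o match below could never succeed.
# shellcheck disable=SC2034 -- LAN_IF is not used by any rule below yet
LAN_IF="eth0"
EXT_IF="eth1"

#######
# warnet client: TCP and UDP from 192.168.2.42 leave with a fixed source
# address; any other protocol from that host is masqueraded instead.
iptables -t nat -A POSTROUTING -s 192.168.2.42 -o "$EXT_IF" -p tcp -j SNAT --to-source 202.75.101.126
iptables -t nat -A POSTROUTING -s 192.168.2.42 -o "$EXT_IF" -p udp -j SNAT --to-source 202.75.101.126
iptables -t nat -A POSTROUTING -s 192.168.2.42 -o "$EXT_IF" -d 0/0 -j MASQUERADE

# Open inbound ports. These ACCEPT rules only take effect if the INPUT
# policy is DROP or REJECT; with the policy left at ACCEPT they admit
# nothing that was not already admitted.
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 110
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 22

#####
# bandwidth limiter
# NOTE(review): the other rc.local examples on this page start cbq with an
# explicit action ("/sbin/cbq start"); confirm whether this invocation
# needs one too.
/etc/rc.d/cbq.init-v0.7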

Installing Fedora Core 4 Linux

Fedora Core 4:
Install Linux, enable ftp, enable telnet, allow www access.

Boot from the first CD - use text mode by typing

linux text

follow the prompts ..

Using Disk Druid, set up
Mount Points, ext3 (except for swap)

/ 400 mb
/tmp 2Xmemory, swap
/var 1000 mb +
/home 500 mb +
/usr 4000 mb
/usr/src 1000 mb
/web 1000 mb
/opt 1000 mb
/data 1000 mb
/app 1000 mb
/backup 1000 mb
/usr/local 1000 mb

The next set of instructions assumes you’ve set up the server,
and have rebooted into text-console mode.

Log in as root.

0) Common commands required:

service xinetd restart

1) Change run level to 3, starting in graphical mode is for wussies.

/etc/inittab

2) optional FTP daemon.

cd /etc/init.d

./vsftpd start

3) Replace with custom script.

/etc/sysctl.conf

4a) Enable FTP

/etc/xinetd.d/gssftp

Remove -a
disable = no

4b) Enable telnet (also need to install this via yum)

/etc/xinetd.d/krbs.telnet

disable = no

4c) Disable SSH root login. There are asswipes in Scandinavia who
will try to hack into your system; it is best to
disable this setting.

/etc/ssh/sshd_config

PermitRootLogin no

4d) Set up sendmail

Edit sendmail.cf in /etc/mail, alter SMTP setting

make the sendmail.mc file

4e) Edit the hosts file

Add your hosts, with the eth0 address. This prevents the
telnet and FTP hang issue.

5) Add a nice message for login screen.

/etc/motd

6) Add call to /opt/scripts/autostart.sh

/etc/rc.d/rc.local

7) Setup gateway definition, routes.

/opt/scripts/autostart.sh

Add routes:
route add -host 192.168.1.64 dev eth0
route add default gw 192.168.1.64
route del default gw 192.168.1.254

8) Check network config.

/etc/sysconfig/network-scripts

Edit eth0 file, add default gateway: GATEWAY=
Change boot setting: ONBOOT=no

Edit resolv.conf .. add DNS settings

9) Customize init settings.

/etc/init.d

Disable sendmail, kudzu, apmd, ???

For internal server, disable iptables

10) Set up autostart, firewall setup.

/opt/scripts/firewall30.sh

- Add ifup eth0 to autostart.sh
- Add to autostart.sh: call to /opt/scripts/firewall.sh
- Create firewall.sh with custom script

11) Use YUM to update C libraries

- add Yum repository
- yum update gcc
- yum update glibc

11) Install compat libraries (Fedora CD #3)

compat-libstdc++*.rpm

12) Install Java

java.sun.com/j2se/1.4.2/download.html

13) Optional: update LD config

/etc/ld.so.conf (add library dirs for Sybase lib)

/sbin/ldconfig

Notes
————————————————————-

Telnet Server Install

yum install xinetd telnet-server
chkconfig xinetd on
chkconfig telnet on
service xinetd start

** Additionally, you must open port 23 in the firewall (iptables)

yum commands:

yum list xxxxxxx e.g. tnsclient-0.2.3
yum search xxxxxxx e.g. PalmPilot

yum install xxxxxx
yum groupinstall xxxxxxx
yum update xxxxxx
yum groupupdate xxxxxxx

yum update # Full System Update

# Daily, 4am update
/sbin/chkconfig --level 345 yum on; /sbin/service yum start

There is no separate yum service that runs on your system. The command
given above enables the control script /etc/rc.d/init.d/yum.
This control script activates the script /etc/cron.daily/yum.cron,
which causes the cron service to perform the system update automatically
at 4am each day.

Set up RHN Key

rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora

Set up special repository key

rpm --import http://www.therepository.com/GPG-PUB-KEY.asc

Simple local install

yum localinstall tsclient-0.132-4.i386.rpm

Cleanup

yum clean headers
yum clean headers

Redhat 7.X Notes
————————————————————-

telnet

Edit the file /etc/xinetd.d/telnetd
changing the two lines to:
# default: on
disable = no
then try doing this
/etc/rc.d/init.d/xinetd restart

ftp

Edit the file /etc/xinetd.d/wu-ftpd
changing the two lines to:
# default: on
disable = no
then run the command
/etc/rc.d/init.d/xinetd restart

GLIBC
———————————————–
ldd --version
/lib/libc.so.6 | head -1

rpm2cpio ../libstdc++-3.2.2-5.i386.rpm | cpio -idv

LANG=C
LD_ASSUME_KERNEL=2.4.1

Useful UNIX commands

In this tutorial we’re going to look at some useful things you can do with your Web server using UNIX commands and Telnet. If you’ve never used Telnet or UNIX commands, try reading our Telnet and basic commands tutorial first, then come back here and carry on reading!
Advanced use of the ls command

In Telnet and basic commands, we showed you how to use ls to obtain a listing of all files in the current directory. By placing various letters after ls (known as switches, options or command line arguments, depending on the UNIX guru you talk to!), you can get it to give you a lot more information about the current directory. For example:
[username@mysite]$ ls -l

will produce a long listing format that includes the permissions, owner, group, size and modified date of each file:

drwxrwxr-x 3 matt users 4096 Jun 27 17:17 images
-rw-rw-r-- 1 matt users 228 Jun 27 19:29 index.html
-rw-rw-r-- 1 matt users 272 Jun 27 19:30 index2.html

The a switch will also include hidden files (hidden files in UNIX begin with a dot (.) in the listing), as well as the current directory and parent directory entries (. and .. respectively). Also, you can combine switches by placing them one after the other, for example:

[username@mysite]$ ls -al
drwxrwxr-x 3 matt users 4096 Jun 27 19:32 .
drwxrwxr-x 5 matt users 4096 Jun 27 17:09 ..
-rw-rw-r-- 1 matt users 23 Jun 27 19:31 .hidden_file
drwxrwxr-x 3 matt users 4096 Jun 27 17:17 images
-rw-rw-r-- 1 matt users 228 Jun 27 19:29 index.html
-rw-rw-r-- 1 matt users 272 Jun 27 19:30 index2.html
Creating folders with mkdir

mkdir (short for “make directory”) lets you create new directories (folders) on your Web server, much the same as the “New Folder” options on Windows PCs and Macs.

To create a directory in the current directory, type mkdir followed by the directory name. For example, to create a new directory in your Web site called coolstuff you might type something like:

[username@mysite]$ cd mysite.com
[username@mysite]$ cd htdocs
[username@mysite]$ mkdir coolstuff

A quick listing of your site directory would now show something like:

[username@mysite]$ ls
coolstuff images images index.html
Copying files and folders with cp

The cp (short for “copy”) command allows you to copy files to new files, or copy files and directories to new directories. For example, to copy index.html to index2.html you’d use:

[username@mysite]$ cp index.html index2.html

To copy index.html into an existing directory called coolstuff, use:

[username@mysite]$ cp index.html coolstuff

To copy a whole directory, including its contents, to a new directory, use cp -r (the -r means “recursive”):

[username@mysite]$ ls
coolstuff images index.html
[username@mysite]$ cp -r coolstuff coolstuff2
[username@mysite]$ ls
coolstuff coolstuff2 images index.html

To copy a whole directory, including its contents, into an existing directory:

[username@mysite]$ cp -r coolstuff2 coolstuff
[username@mysite]$ cd coolstuff
[username@mysite]$ ls
index.html coolstuff2
Deleting stuff with rm

rm is the UNIX command to delete files and, sometimes, directories. It’s short for “remove”. Be very careful when deleting stuff with this command, as UNIX usually has no recycle bin or trash can - once you’ve deleted something, it’s gone forever! :(

To delete a single file, use rm filename. For example, to delete index.html you’d do:

[username@mysite]$ rm index.html

To delete a directory and all its contents, use rm -r directory. For example:

[username@mysite]$ rm -r coolstuff

Note that if the directory is empty, you can also delete it using the command rmdir, as follows:

[username@mysite]$ rmdir coolstuff
Playing it safe

If you’re deleting stuff with rm, particularly if you’re using rm -r, it’s a good idea to add the -i switch too, e.g.:

[username@mysite]$ rm -ir coolstuff

This will make sure the system prompts you before deleting each file or directory.
UNIX’s online manual

Most UNIX servers come with a great online help system called man. You can use this to get help on most of the available commands by typing man followed by the command. For example, try typing:

[username@mysite]$ man ls

While reading a manual page on Linux, you can page up and down with the Page Up and Page Down keys, and scroll up and down with the Up Arrow and Down Arrow keys. To quit the manual viewer, press the q key. To search for some text, press the forward-slash (/) key and type the text you want to search for, e.g. /file, and press Return.

On non-Linux systems, you usually have to press Enter to go down a line, and the Space bar to go down a page, and you can’t scroll up. :(
Running scripts and programs

Often you’ll want to be able to run programs such as Perl scripts and executables on your Web server, in much the same way as you run a program from the Start menu in Windows.

In UNIX, running programs is easy - you usually just type the name of the program! In fact, all the commands we’ve shown you already are programs.

If you want to run a program that’s in your current directory, you’ll usually need to put a ./ in front of the program name, to tell UNIX that it should look in the current directory for the program, e.g.:

[username@mysite]$ ./myprog

If you’re having trouble with a Perl CGI script, you can often find out the exact error message by running it from the UNIX prompt in Telnet, rather than through a Web browser. Say you wanted to test a script called formmail.cgi. Run it at the prompt with the word perl before it, like this:

[username@mysite]$ cd cgi-bin
[username@mysite]$ perl formmail.cgi

The CGI script will then run as if it were called from a Web browser, but you’ll be able to see the exact output from the script appear in the Telnet window (as opposed to the browser, where you’ll probably just see something unhelpful, such as Internal Server Error!). You can find out more about troubleshooting CGI scripts in our handy tutorial.

Armed with these commands and techniques, you should be able to manage your websites and web server effectively. Good luck!

Simple share your file with Samba

Who doesn't know what youtube.com is? You can find any of your favorite music clips and videos there. More than that, you can use youtube.com as your medium to share your home-made videos. You can download them too, in case you want to watch your friend's video and back it up to your own PC.

Here is a little bash script to show you how to do that. You need ffmpeg if you want to convert the video to mpeg format.

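#!/bin/bash
# Download a YouTube clip as FLV.
# Command: sh convert filename youtubeurl
#   filename   - base name for the saved clip; it is written to
#                /tmp/<filename>.flv
#   youtubeurl - URL of the video page to fetch
# Note: the optional mpg conversion at the bottom needs ffmpeg.

set -u

# Base of the download URL; the query string scraped from the page is
# appended to it. Plain ASCII quotes: the smart quotes of the published
# copy became part of the value.
readonly url_baru="http://youtube.com/get_video.php?"

#######################################
# Pull the get_video query string out of a fetched video page.
# Reads the page on stdin, takes the first line mentioning player2.swf,
# and keeps the text after the first '?' and before the next '"'.
# Outputs: the query string on stdout (empty when no such line exists).
#######################################
extract_video_query() {
  grep player2.swf | head -n 1 | cut -d'?' -f2 | cut -d'"' -f1
}

#######################################
# Fetch the video page, scrape the download link and save the clip.
# Arguments: $1 - filename, $2 - youtubeurl (see header)
# Returns:   2 on bad usage, 1 when a download or the scrape fails
#######################################
main() {
  if [ "$#" -ne 2 ]; then
    printf 'Usage: %s filename youtubeurl\n' "${0##*/}" >&2
    return 2
  fi
  local nama_baru=$1
  local url_asli=$2
  local page query temporary_file

  # Scratch copy of the video page. mktemp avoids a predictable,
  # clobberable path under /tmp; it is removed on exit.
  page=$(mktemp) || return 1
  trap 'rm -f -- "$page"' EXIT

  wget -O "$page" -- "$url_asli" || return 1

  query=$(extract_video_query < "$page")
  if [ -z "$query" ]; then
    printf 'no player2.swf link found in %s\n' "$url_asli" >&2
    return 1
  fi
  temporary_file="${url_baru}${query}"

  wget -O "/tmp/$nama_baru.flv" -- "$temporary_file"

  # Remove '#' below if you want to convert it to mpg
  # ffmpeg -i "/tmp/$nama_baru.flv" -y -sameq "$nama_baru.mpg"
  # rm -- "/tmp/$nama_baru.flv"
}

main "$@"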

A Beginner’s Guide to Securing Your Server (Security Inside WHM/CPanel)

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items…

Under Domains

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail

Attempt to prevent pop3 connection floods

Default catch-all/default address behavior for new accounts - blackhole

Under System

Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> [b]Tweak Security[/b]

Enable php open_basedir Protection

Enable mod_userdir Protection

Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration

Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access

Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password

Change root password for MySQL

Goto [b]Security[/b] and run [b]Quick Security Scan[/b] and [b]Scan for Trojan Horses[/b] often. The following and similar items are not Trojans:

/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

These are measures that can be taken to secure your server, with SSH access.

Update OS, Apache and CPanel to the latest stable versions. This can be done from WHM/CPanel.

Restrict SSH Access

To restrict and secure SSH access, bind sshd to a single IP that is different from the main IP of the server, and on a different port than port 22.

SSH into server and login as root.

Note: You can download Putty by Clicking Here. It’s a clean running application that will not require installation on Windows-boxes.

At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

——————————————-

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

——————————————-

Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4- or 5-digit port number; 49151 is the highest port number in the registered range)

Uncomment and change

#Protocol 2, 1

to look like

Protocol 2

Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.

Note 2: You can also create a custom DNS name specifically for your new SSH IP address, for example ssh.xyz.com. Be sure to add an A record for it to your zone file.

Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port. It is safer to test the new IP and port from a second session before closing the first one, so a mistake in sshd_config cannot lock you out.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol (it sends your password in cleartext), so change your root password after you use it.

Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart

Have the server e-mail you every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into the server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit. Note: this alert only fires for interactive login shells that read root's .bash_profile, and anyone who already has root access can remove the line, so treat it as a convenience rather than a security control.

Set an SSH Legal Message

To set an SSH legal message, SSH into the server and login as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message…

——————————————-

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

——————————————-

Now every time someone logs in as root, they will see this message — go ahead and try it. Since /etc/motd is shown only after a successful login, use the Banner directive in sshd_config if the notice must appear before authentication.

Disable Shell Accounts

To disable any shell accounts hosted on your server, SSH into the server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Disable identification output for Apache

To disable the version output for Apache, SSH into the server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the ServerSignature line to the following (to also hide the version in the Server response header, set ServerTokens Prod as well):

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

These are applications that will help to secure your server.

Install chkrootkit

To install chkrootkit, SSH into the server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz (the download is unauthenticated, so compare the archive against the checksum published on the same site before building it)

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense

To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Install APF Firewall

To install APF, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

At command prompt type: tar -xvzf apf-current.tar.gz

At command prompt type: rm -f apf-current.tar.gz

At command prompt type: cd apf-0.9.4-6

At command prompt type: sh ./install.sh (review the script before running it, since it runs as root)

After APF has been installed, you need to edit the configuration file.

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf

Scroll down and find

USE_DS="0"

change it to

USE_DS="1"

Now scroll down and configure the Ports. The following ports are required for CPanel:

——————————————-

Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"

Note: If you changed the port for SSH, be sure to include that port and remove port 22. Port 443 (HTTPS) appears in the list below but is missing from the value above; add it if you serve HTTPS.

—–
21 FTP (TCP)
22 SSH (TCP)
25 SMTP (TCP)
53 DNS - Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 sSMTP (TCP)
953 ??BIND??
993 IMAP4 protocol over TLS/SSL (TCP)
995 POP3 protocol over TLS/SSL (was spop3) (TCP)
2082 CPANEL (http://sitename.com:2082) (TCP)
2083 CPANEL SSL (https://sitename.com:2083) (TCP)
2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
2086 WHM (http://sitename.com:2086) (TCP)
2087 WHM SSL (https://sitename.com:2087) (TCP)
2095 WebMail (http://sitename.com:2095) (TCP)
2096 WebMail SSL (https://sitename.com:2096)
3306 mySQL remote access (TCP)
6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
7786 Interchange (TCP)
3000_3500
—–
5100 for ASP,
8080 and 8443 for JSP if you use them.
—–

——————————————-

Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,6277"

—–
53 DNS - Domain Name Server
6277 SpamAssassin / DCC (email scanning)
—–

——————————————-

Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"

—–
0 Echo Reply
3 Destination Unreachable
5 Redirect (accepting redirects can let a neighbouring host alter this server's routing; consider omitting type 5)
8 Echo
11 Time Exceeded
30 Traceroute
—–

——————————————-

Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"

—–
21 FTP
25 SMTP
37 Required for CPANEL Licensing
53 DNS - Domain Name Server
80 HTTP
110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
113 Authentication Protocol (AUTH)
123 NTP (Network Time) — note that the #123 entry in the value above sits inside the quotes, so it is not a comment; write 123 to allow NTP or remove the entry
443 HTTPS
43 WHOIS
873 rsync (CPanel updates)
953 BIND ??
2089 Required for CPANEL Licensing
2703 Razor (email scanning)
3306 mySQL remote access
—–

——————————————-

Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,873,953,6277"

—–
20 ftp-data
21 FTP
53 DNS - Domain Name Server
873 rsync
953 BIND ??
6277 SpamAssassin / DCC (email scanning)
—–

——————————————-

Common ICMP (outbound) types
EG_ICMP_TYPES="all"

——————————————-

Save the changes then exit.

To start APF

At command prompt type: /usr/local/sbin/apf -s

APF commands are:

-s start
-r restart
-f flush - stop
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST

Log out of SSH and then login again.

After you are sure everything is working fine, turn off development mode (the DEVM option, which keeps flushing the rules on a timer so that a bad rule set cannot lock you out)

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf

Scroll down and find

DEVM="1"

change it to

DEVM="0"

Save changes, exit and then restart firewall,

At command prompt type: /usr/local/sbin/apf -r

Install BFD (Brute Force Detection)

To install BFD, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

At command prompt type: tar -xvzf bfd-current.tar.gz

At command prompt type: cd bfd-0.4

At command prompt type: ./install.sh

After BFD has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:

Find

ALERT_USR="0"

and change it to

ALERT_USR="1"

Find

EMAIL_USR="root"

and change it to

EMAIL_USR="your@email.com"

Save the changes then exit.

To start BFD

At command prompt type: /usr/local/sbin/bfd -s

Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change to

Mailto = your@email.com

Note: Set the e-mail address to an offsite account, in case the server is compromised.

Now scroll down to

Detail = Low

Change that to Medium, or High…

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.

Save and exit.

What is PMON
PMON is a bash scripted network socket monitor. It is designed to track
changes to Network sockets and Unix domain sockets.

A comprehensive alert system, simple program usage & installation make PMON
ideal for deployment in any linux environment (geared for web servers). Using
a rather simple yet logical structure, PMON identifies changes in both
Network Sockets and Unix Domain Sockets. By recording a base set of what
sockets should be active then comparing the currently active socket information
to that of the base comparison files, we highlight otherwise unknown services.

To install pmon, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.r-fx.org/downloads/pmon-current.tar.gz

At command prompt type: tar xvzf pmon-current.tar.gz

At command prompt type: cd lsm-0.6

At command prompt type: ./install.sh

After PMON has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/lsm/conf.lsm

Find

USER="root"

and change it to

USER="your@email.com"

Save the changes then exit.

To run PMON and set the base config file

At command prompt type: /usr/local/sbin/pmon -g

Then to check for changes in sockets, use the -c argument. This compares
the currently active sockets with the generated base comparison files. If any
changes are found you will be notified; otherwise it will report that no changes
are present.

At command prompt type: /usr/local/sbin/pmon -c

Note: the installed cron job already runs this check every 10 minutes.

Step by Step Guide to Setting up a New WHM cPanel Server for Web Hosting Accounts

Step by Step Guide to Setting up a New WHM cPanel Server for Web Hosting Accounts

This is a guide to setting up a new WHM/cPanel Server to be used for web hosting accounts. It is intended for web hosting company administrators and dedicated server owners. For under $99 per month, it is easier than ever to manage and run your own dedicated server. You can have guaranteed uptime from your datacenter, and outsourced support starting at $30/month. All you need to do is set up the server and get going. Whether it is for a web hosting company or a couple of personal websites, an inexpensive linux server is powerful, reliable, and easy to setup.

WebHostManager(WHM) is a common linux based tool for managing websites on a server. cPanel is a common control panel to manage an individual website. It allows you to add email accounts, view stats, make backups, install programs, etc. These 2 tools are the most inexpensive set used commonly to manage hosting accounts, and you will find them very prevalent in the budget shared hosting world. It usually adds about $20/month to the cost of a dedicated server but provides most of the features of the more expensive tools.

Whenever you order a dedicated server from a datacenter, you will receive a welcome email with details of the server including the server name, ip addresses, and root password. This information will allow you to setup and configure WHM so that you can host websites and use your own custom Domain Nameserver instead of a raw IP address.

The first thing you need to do is the setup of WebHostManager(WHM). This includes configuring the default Domain nameservers, main IP address, and server contact email address.

1) Login to root WHM (http://<server-ip>:2086)

2) In the left margin, click Next to run the setup wizard

3) Agree to the end-user license agreement

4) Edit setup

a. Server contact email address: info@yourdomain.com
b. Default Cpanel theme: x
c. Default home directory: /home
d. Home directory prefix: home
e. Main shared virtual host IP: xx.xxx.xxx.xx (should be main IP of server)
f. Hostname: server.yourserver.com
g. Primary nameserver: dns1.yourserver.com
h. Secondary nameservers: dns2.yourserver.com
i. Leave everything else unchanged
j. Click Save

Next, you need to setup the system quota. To do this follow these instructions:

5) Click Next Step in left margin – system sets up initial quota. No need to wait for initial quota to setup…. Click Next Step again

6) DO NOT enable nameserver. Click Next Step again

Now we need to setup the Resolver. This is specific to your datacenter and the information will be provided in the Welcome details for your dedicated server.

7) Resolver setup:

a. Click Continue
b. Primary Resolver: xx.xx.xx.xx (this is datacenter specific)
c. Secondary Resolver: xx.xx.xx.xx (this is datacenter specific)
d. Tertiary Resolver: leave blank
e. Click Continue
f. Click Next Step

8) Not necessary to enter a MySQL root password at this step (set one afterwards via Mysql =>> MySQL Root Password, as described above)

9) Click Finish

Initial setup is done, and you should now be able to login to root WHM. Now you can create the accounts needed to setup the nameservers that you want to use on this dedicated server.

1) Login to root WHM again

2) “Create a New Account” (this is to be the main account: yourserver.com). Do not give this account a dedicated IP…. It will use the main server’s shared IP address.

3) Under “IP Functions”, click “Show IP address usage”. If only the main server IP is listed, that means you have to add the additional IP address to the server. Click “Add a New IP address”, and enter: xx.xx.xx.xx-xx Leave subnet mask unchanged, and click “Do It”

4) Click Show/Edit Reserved IPs, and check an IP to reserve it, and enter a reason (i.e. dns2.yourserver.com)

5) Under “DNS Functions” click “Edit DNS Zone”, then select yourserver.com and click “Edit”. Use the main IP address for the first 2 lines and the next IP address assigned to the server for the third line.

a. Under “Add new entries below this line”, enter:
server 14400 IN A xx.xx.xx.xx (leave far right box blank)
dns1 14400 IN A xx.xx.xx.xx (leave far right box blank)
dns2 14400 IN A xx.xx.xx.xx (leave far right box blank)
b. Note: The above entries are DNS entries for the two nameservers being created, and the server name dana.hostyourself.com. Once you’ve entered the three entries, click “Save”

6) If you get an “Error reloading BIND” error, go to “Restart Services” and click “DNS Server (BIND)”, then click YES to restart Bind.

That’s it! Now the server is all set up and ready to host cPanel hosting accounts with the nameservers dns1.yourserver.com and dns2.yourserver.com. Of course you still need to go to your registrar and register these 2 new nameservers and wait for normal propagation of 24-48 hours until the new nameservers will work.

If this is a server being setup for a dedicated customer, be sure to tell them:

1) IP addresses of nameservers so he can register them with his registrar

2) Root login information

3) Login info of main account you created for him

4) Tell him NOT to delete the main account, since doing so will also delete the DNS zones you setup above

5) New DNS zones should be added to the old server to help with DNS propagation.

If you follow these simple instructions once you get your server from the datacenter, then you will be ready to load websites and hit the internet. With cheap outsourced support companies available and world class datacenters providing under $99 servers there is no reason not to tackle the world of dedicated servers and web hosting for yourself.

Mikrotik in a Online Game

# jun/05/2007 22:47:33 by RouterOS 2.9.6
# software id = DA2N-TMT
#
# NOTE(review): this export was pasted through a blog engine, so every ASCII
# double quote has become a curly quote (”) and in places a stray '?'. It will
# not import as-is; restore the quotes before loading it on a router.
# Two physical NICs: "Public" faces the upstream gateway 192.168.1.1 and "Lan"
# serves the 192.168.0.0/24 client network (see / ip address and / ip route).
/ interface ethernet
set Public name=”Public” mtu=1500 mac-address=00:0A:EB:AB:DB:5C arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”” disabled=no
set Lan name=”Lan” mtu=1500 mac-address=00:60:97:5A:EA:94 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment=”” disabled=no
# Neither interface is bridged.
/ interface bridge port
set Public bridge=none priority=128 path-cost=10
set Lan bridge=none priority=128 path-cost=10
# Both VPN servers are switched off (enabled=no); only their defaults are listed.
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
keepalive-timeout=30 default-profile=default-encryption
# Address pool for LAN clients — presumably consumed by the dhcp1 server
# defined under / ip dhcp-server (the pool name is not shown there).
/ ip pool
add name=”dhcp-pool” ranges=192.168.0.1-192.168.0.29
# Telephony (H.323) settings are factory defaults; no gatekeeper is configured.
/ ip telephony region
/ ip telephony gatekeeper
set gatekeeper=none remote-id=”” remote-address=0.0.0.0
/ ip telephony aaa
set use-radius-accounting=no interim-update=0s
/ ip telephony codec


move G.711-uLaw-64k/sw
move G.711-ALaw-64k/sw
move G.729A-8k/sw
move G.729-8k/sw
move G.723.1-6.3k/sw
move GSM-06.10-13.2k/sw
move LPC-10-2.5k/sw
# Per-host traffic accounting is on (threshold=256 entries).
/ ip accounting
set enabled=yes account-local-traffic=yes threshold=256
# accessible-via-web=yes with address=0.0.0.0/0 publishes the accounting table
# to any client that can reach the router's www service; narrow address= to the
# management subnet if this is needed at all.
/ ip accounting web-access
set accessible-via-web=yes address=0.0.0.0/0
# Management services: telnet, ftp, www, ssh and www-ssl are all enabled and
# bound to every address (address=0.0.0.0/0). telnet and ftp carry credentials
# in cleartext — disable them, and restrict the rest with address= set to the
# LAN subnet or the admin host so management is not reachable via Public.
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=no
# SOCKS proxy is off.
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip arp
# UPnP is enabled with Public as the external side, so any LAN host can open
# inbound port mappings on the router without administrator action. Leave it
# off unless a LAN application really depends on it.
/ ip upnp
set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes
/ ip upnp interfaces
add interface=Public type=external disabled=no
add interface=Lan type=internal disabled=no
# NetFlow-style export is disabled.
/ ip traffic-flow
set enabled=no interfaces=Lan cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
# allow-remote-requests=yes makes the router a recursive resolver for anyone
# who can reach it. Because / ip firewall filter accepts all input traffic,
# that includes hosts on the Public segment; if only LAN clients need it, add
# an input rule dropping tcp/udp 53 arriving on Public.
/ ip dns
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
# Public sits on the upstream 192.168.1.0/24 segment; Lan is the gateway
# address for clients on 192.168.0.0/24.
/ ip address
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=Public comment=”” disabled=no
add address=192.168.0.24/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=Lan comment=”” disabled=no
# This / ip proxy instance is disabled (enabled=no); the proxy actually
# serving clients is / ip web-proxy further down. The access rules below —
# including the CONNECT restriction to 443/563 — therefore have no effect on
# live traffic and should be replicated under / ip web-proxy access.
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 \
maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment=”block telnet & spam e-mail relaying” \
disabled=no
add method=CONNECT dst-port=443 action=allow comment=”allow CONNECT only to \
SSL ports 443 \[https\] and 563 \[snews\]” disabled=no
add method=CONNECT dst-port=563 action=allow comment=”allow CONNECT only to \
SSL ports 443 \[https\] and 563 \[snews\]” disabled=no
add method=CONNECT action=deny comment=”allow CONNECT only to SSL ports 443 \
\[https\] and 563 \[snews\]” disabled=no
# Neighbor discovery is enabled on Public as well, so the router advertises
# identity/version information onto the upstream segment.
/ ip neighbor discovery
set Public discover=yes
set Lan discover=yes
# Default route via the upstream gateway on the Public segment.
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 \
comment=”” disabled=no
# Mangle: the first group marks connections by destination port, the second
# turns those connection marks into packet marks that / queue simple matches on.
# passthrough=no on the mark-packet rules stops chain traversal after the first
# hit, so a per-service mark always wins over the generic test-up mark below.
# The dns_conn/dns rules are disabled=yes, so the "DNS" simple queue never
# receives traffic.
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \
new-connection-mark=http_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=tcp dst-port=53 action=mark-connection \
new-connection-mark=dns_conn passthrough=yes comment=”” disabled=yes
add chain=prerouting protocol=udp dst-port=53 action=mark-connection \
new-connection-mark=dns_conn passthrough=yes comment=”” disabled=yes
add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection \
new-connection-mark=ym_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=udp dst-port=27015 action=mark-connection \
new-connection-mark=cs_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=tcp dst-port=6000-7000 action=mark-connection \
new-connection-mark=irc_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection \
new-connection-mark=mt_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=mark-connection \
new-connection-mark=email_conn passthrough=yes comment=”” disabled=no
add chain=prerouting protocol=tcp dst-port=22 action=mark-connection \
new-connection-mark=ssh_conn passthrough=yes comment=”” disabled=no
# Connection mark -> packet mark (one per service queue).
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no comment=”” disabled=no
add chain=prerouting connection-mark=dns_conn action=mark-packet \
new-packet-mark=dns passthrough=no comment=”” disabled=yes
add chain=prerouting connection-mark=ym_conn action=mark-packet \
new-packet-mark=ym passthrough=no comment=”” disabled=no
add chain=prerouting connection-mark=cs_conn action=mark-packet \
new-packet-mark=cs passthrough=no comment=”” disabled=no
add chain=prerouting connection-mark=irc_conn action=mark-packet \
new-packet-mark=irc passthrough=no comment=”” disabled=no
add chain=prerouting connection-mark=mt_conn action=mark-packet \
new-packet-mark=mt passthrough=no comment=”” disabled=no
add chain=prerouting connection-mark=email_conn action=mark-packet \
new-packet-mark=email passthrough=no comment=”” disabled=no
add chain=prerouting connection-mark=ssh_conn action=mark-packet \
new-packet-mark=ssh passthrough=no comment=”” disabled=no
# Catch-all upload mark for LAN-sourced packets not already marked above.
add chain=prerouting src-address=192.168.0.0/24 action=mark-packet \
new-packet-mark=test-up passthrough=no comment=”UP TRAFFIC” disabled=no
# Download marking: forwarded connections sourced from the Public segment are
# marked, then packets entering on Public for those connections become
# test-down; replies generated by the local proxy toward the LAN get the same
# packet mark in the output chain.
add chain=forward src-address=192.168.1.0/24 action=mark-connection \
new-connection-mark=test-conn passthrough=yes comment=”CONN-MARK” \
disabled=no
add chain=forward in-interface=Public connection-mark=test-conn \
action=mark-packet new-packet-mark=test-down passthrough=no comment=” \
DOWN-DIRECT CONNECTION” disabled=no
add chain=output out-interface=Lan dst-address=192.168.0.0/24 \
action=mark-packet new-packet-mark=test-down passthrough=no \
comment=”DOWN-VIA PROXY” disabled=no
/ ip firewall nat
# Outbound NAT for everything leaving via Public.
add chain=srcnat out-interface=Public action=masquerade comment=”” disabled=no
# Transparent proxy: tcp/80, 3128 and 8080 are redirected to the local
# web-proxy on 8080. No in-interface= or src-address= is given, so the
# redirect also catches connections arriving from the Public side, not only
# LAN clients; add in-interface=Lan to scope it.
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 \
comment=”” disabled=no
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080 \
comment=”” disabled=no
add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080 \
comment=”” disabled=no
# Connection-tracking timeouts; tcp-established-timeout=5d keeps idle
# established entries for five days, which is long for a busy client network.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
# Filter rules are evaluated top to bottom per chain.
# NOTE(review): the bare `add chain=input action=accept comment=""` rule below
# matches every packet, so nothing after it in the input chain — the port-scan
# detection rules and the final drop of listed scanners — is ever evaluated.
# Move that catch-all to the end (or make it a drop) for those rules to have
# any effect. Several comment strings here carry paste damage ('?' in place
# of a closing quote) that must be repaired before import.
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment=”Drop invalid \
connections” disabled=no
add chain=input connection-state=established action=accept comment=”Allow \
esatblished connections” disabled=no
add chain=input connection-state=related action=accept comment=”Allow related \
connections” disabled=no
# All UDP and all ICMP to the router itself are accepted with no source check.
add chain=input protocol=udp action=accept comment=”Allow UDP” disabled=no
add chain=input protocol=icmp action=accept comment=”Allow ICMP” disabled=no
add chain=input in-interface=!Public action=accept comment=”Allow connection \
to router from local network” disabled=no
# Catch-all accept: every remaining input rule is unreachable (see note above).
add chain=input action=accept comment=”” disabled=no
# Per-source connection limit for tcp/6112 from the LAN — presumably a game
# service port given the page title; excess connections are rejected.
add chain=forward in-interface=Lan protocol=tcp dst-port=6112 \
connection-limit=100,32 action=reject reject-with=icmp-network-unreachable \
comment=”” disabled=no
# Port-scan detection: offenders are collected in the "port scanners" address
# list for two weeks and dropped by the last input rule. Unreachable in the
# current rule order.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list=”port scanners” address-list-timeout=2w comment=”Port \
scanners to list ” disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”NMAP FIN Stealth scan” disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
address-list=”port scanners” address-list-timeout=2w comment=”SYN/FIN \
scan” disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
address-list=”port scanners” address-list-timeout=2w comment=”SYN/RST \
scan” disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”FIN/PSH/URG scan” disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”ALL/ALL scan” disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=”port scanners” \
address-list-timeout=2w comment=”NMAP NULL scan” disabled=no
add chain=input src-address-list=”port scanners” action=drop comment=”dropping \
port scanners” disabled=no
# "virus" chain: drops well-known worm ports. No rule in this export jumps to
# it (there is no action=jump jump-target=virus in input or forward), so it is
# never consulted. Note before enabling it that the tcp 100-1000 and 1000-3000
# rules would also drop ordinary services (110, 143, 443, 2082-2096, ...), and
# that the udp/135-139 and tcp/7000 rules are duplicated.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop \
Blaster Worm” disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop \
Messenger Worm” disabled=no
add chain=virus protocol=tcp dst-port=445-3000 action=drop comment=”Drop \
Blaster Worm” disabled=no
add chain=virus protocol=udp dst-port=445-3000 action=drop comment=”Drop \
Blaster Worm” disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment=”________” \
disabled=no
add chain=virus protocol=udp dst-port=7000 action=drop comment=”Setan1? \
disabled=no
add chain=virus protocol=tcp dst-port=100-1000 action=drop comment=”Setan1? \
disabled=no
add chain=virus protocol=udp dst-port=100-1000 action=drop comment=”Drop \
Messenger Worm” disabled=no
add chain=virus protocol=tcp dst-port=1000-3000 action=drop comment=”Setan1? \
disabled=no
add chain=virus protocol=udp dst-port=1000-3000 action=drop comment=”Drop \
Messenger Worm” disabled=no
add chain=virus protocol=tcp dst-port=40000-50000 action=drop comment=”Setan1? \
disabled=no
add chain=virus protocol=udp dst-port=40000-50000 action=drop comment=”Drop \
Messenger Worm” disabled=no
add chain=virus protocol=tcp dst-port=7000 action=drop comment=”Setan1? \
disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop \
Messenger Worm” disabled=no
add chain=virus protocol=tcp dst-port=7000 action=drop comment=”Setan1? \
disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop \
Messenger Worm” disabled=no
add chain=virus action=return comment=”” disabled=no
# Connection-tracking helpers (ALGs): only ftp and irc are active.
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set mms disabled=yes
set gre disabled=yes
set pptp disabled=yes
# DHCP server on Lan; 3-day leases, add-arp=yes creates ARP entries for
# leased addresses. The name carries paste damage ('?' for the closing quote).
/ ip dhcp-server
add name=”dhcp1? interface=Lan lease-time=3d bootp-support=static add-arp=yes \
disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
# Static leases pinned to known MAC addresses (client-id strings are also
# paste-damaged).
/ ip dhcp-server lease
add address=192.168.0.1 mac-address=00:1F:00:00:09:B4 \
client-id=”1:0:1f:0:0:9:b4? comment=”” disabled=no
add address=192.168.0.17 mac-address=00:50:BA:C3:07:A0 \
client-id=”1:0:50:ba:c3:7:a0? comment=”” disabled=no
add address=192.168.0.11 mac-address=00:50:BA:C3:07:54 \
client-id=”1:0:50:ba:c3:7:54? comment=”” disabled=no
add address=192.168.0.16 mac-address=00:50:BA:C3:07:60 \
client-id=”1:0:50:ba:c3:7:60? comment=”” disabled=no
# Clients are handed the router plus several upstream resolvers as DNS servers.
/ ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.24 \
dns-server=192.168.0.24,202.134.0.155,202.134.2.5,203.130.206.250,202.155.0\
.10,202.155.0.15 comment=””
# Hotspot settings are RouterOS defaults; no hotspot server instance appears
# in this export.
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name=”default” hotspot-address=0.0.0.0 dns-name=”” \
html-directory=hotspot rate-limit=”” http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name=”default” idle-timeout=none keepalive-timeout=2m \
status-autorefresh=1m shared-users=1 transparent-proxy=yes \
open-status-page=always advertise=no
# Default IPsec proposal: 3DES/SHA1 with modp1024 PFS — typical in 2007 but
# weak by current standards. No IPsec peers are visible in this export.
/ ip ipsec proposal
add name=”default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
# The live HTTP proxy (enabled=yes), fed by the dstnat redirects to 8080. It
# listens on every address (src-address=0.0.0.0) and its access list only
# denies ports 23-25: there is no src-address restriction to 192.168.0.0/24
# and no CONNECT rule, unlike the disabled / ip proxy section. Together with
# the unrestricted input accept in / ip firewall filter this can be used as
# an open proxy from the Public side.
/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=8080 hostname=”proxy.dj.net” \
transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator=”webmaster.dj.net” max-object-size=4096KiB \
cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment=”block telnet & spam e-mail relaying” \
disabled=no
/ ip web-proxy cache
add action=allow comment=”” disabled=no
/ ip web-proxy direct
add action=allow comment=”” disabled=no
# Logging: info/error/firewall go to a 100-line RAM buffer, warning/critical
# to the console. Nothing is written to disk and the remote syslog action is
# unconfigured (remote=0.0.0.0:514), so firewall logs are lost at reboot and
# cannot be reviewed after an incident.
/ system logging
add topics=info prefix=”” action=memory disabled=no
add topics=error prefix=”” action=memory disabled=no
add topics=warning prefix=”” action=echo disabled=no
add topics=critical prefix=”” action=echo disabled=no
add topics=firewall prefix=”” action=memory disabled=no
/ system logging action
set memory name=”memory” target=memory memory-lines=100 memory-stop-on-full=no
set disk name=”disk” target=disk disk-lines=100 disk-stop-on-full=no
set echo name=”echo” target=echo remember=yes
set remote name=”remote” target=remote remote=0.0.0.0:514
# Package upgrade mirror is disabled.
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=””
# DST start/end are the epoch defaults (paste-damaged quotes here too).
/ system clock dst
set dst-delta=+01:00 dst-start=”jan/01/1970 00:00:00? dst-end=”jan/01/1970 \
00:00:00?
# Hardware watchdog: reboot on failure, generate a supout file automatically.
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
# The repeated "set FIXME" lines are an export artifact for the virtual
# consoles; the serial console on serial0 is enabled.
/ system console
add port=serial0 term=”” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
set FIXME term=”linux” disabled=no
/ system console screen
set line-count=25
/ system identity
set name=”Dj.Net”
/ system note
set show-at-login=yes note=””
# NTP server and client are both disabled, so the router clock — and therefore
# the timestamps on the logs above — is not synchronised.
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
# Serial ports at 9600 8N1 with hardware flow control (names paste-damaged).
/ port
set serial0 name=”serial0? baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
set serial1 name=”serial1? baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
# PPP profiles: default-encryption forces use-encryption=yes and is the
# default profile of the (disabled) l2tp/pptp servers.
/ ppp profile
set default name=”default” use-compression=default use-vj-compression=default \
use-encryption=default only-one=default change-tcp-mss=default comment=””
set default-encryption name=”default-encryption” use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=default comment=””
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
# Queue types: the built-in defaults plus two PCQ types that share bandwidth
# per destination (download) or source (upload) address; pcq-rate=0 leaves
# each per-address sub-queue uncapped.
/ queue type
set default name=”default” kind=pfifo pfifo-limit=50
set ethernet-default name=”ethernet-default” kind=pfifo pfifo-limit=50
set wireless-default name=”wireless-default” kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name=”synchronous-default” kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name=”hotspot-default” kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name=”pcq-download” kind=pcq pcq-rate=0 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name=”pcq-upload” kind=pcq pcq-rate=0 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
/ queue simple
add name=”HTTP” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all \
parent=none packet-marks=http priority=1 queue=default/default \
limit-at=0/8000 max-limit=0/30000 total-queue=default disabled=no
add name=”DNS” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all \
parent=none packet-marks=dns priority=1 queue=default/default limit-at=0/0 \
max-limit=0/0 total-queue=default disabled=no
add name=”YMessenger” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks=ym priority=1 queue=default/default \
limit-at=0/0 max-limit=0/0 total-queue=default disabled=no
add name=”CounterStrike” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks=cs priority=1 queue=default/default \
limit-at=0/0 max-limit=0/0 total-queue=default disabled=no
add name=”GameOnline” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks=irc priority=1 \
queue=default/default limit-at=0/0 max-limit=0/0 total-queue=default \
disabled=no
add name=”Mikrotik” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks=mt priority=1 queue=default/default \
limit-at=0/0 max-limit=0/0 total-queue=default disabled=no
add name=”Email” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks=email priority=1 \
queue=default/default limit-at=0/0 max-limit=0/0 total-queue=default \
disabled=no
add name=”SSH” target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0 interface=all \
parent=none packet-marks=ssh priority=1 queue=default/default limit-at=0/0 \
max-limit=0/0 total-queue=default disabled=no
add name=”Dj” dst-address=192.168.0.0/24 interface=Lan parent=none priority=8 \
queue=default/default limit-at=0/384000 max-limit=0/384000 \
total-queue=default disabled=no
add name=”1? target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”2? target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”3? target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”4? target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”5? target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”6? target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”7? target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”8? target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”9? target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”10? target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/0 max-limit=0/0 total-queue=default disabled=no
add name=”11? target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”12? target-addresses=192.168.0.12/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”13? target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”14? target-addresses=192.168.0.14/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”15? target-addresses=192.168.0.15/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”16? target-addresses=192.168.0.16/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”17? target-addresses=192.168.0.17/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”18? target-addresses=192.168.0.18/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”19? target-addresses=192.168.0.19/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/70000 total-queue=default disabled=no
add name=”20? target-addresses=192.168.0.20/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”21? target-addresses=192.168.0.21/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”22? target-addresses=192.168.0.22/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=ethernet-default/ethernet-default \
limit-at=0/8000 max-limit=0/52000 total-queue=default disabled=no
add name=”23? target-addresses=192.168.0.23/32 dst-address=0.0.0.0/0 \
interface=Lan parent=Dj priority=8 queue=default/default limit-at=0/8000 \
max-limit=0/52000 total-queue=default \
time=0s-24m,sun,mon,tue,wed,thu,fri,sat disabled=no
/ queue tree
add name=”downstream” parent=Lan packet-mark=test-down limit-at=0 \
queue=pcq-download priority=8 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name=”upstream” parent=global-in packet-mark=test-up limit-at=0 \
queue=pcq-upload priority=8 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
/ user
add name=”admin” group=full address=0.0.0.0/0 comment=”system default user” \
disabled=no
add name=”op” group=write address=0.0.0.0/0 comment=”” disabled=no
/ user group
add name=”read” policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
tp,!write,!policy
add name=”write” policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,!ftp,!policy
add name=”full” policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius
add service=”” called-id=”” domain=”” address=0.0.0.0 secret=”” \
authentication-port=1812 accounting-port=1813 timeout=300ms \
accounting-backup=no realm=”” comment=”” disabled=no
/ radius incoming
set accept=yes port=1700
/ driver
/ snmp
set enabled=yes contact=”admin” location=”admin”
/ snmp community
set public name=”public” address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from=”<>”
/ tool sniffer
set interface=all only-headers=yes memory-limit=64 file-name=”” file-limit=10 \
streaming-enabled=yes streaming-server=192.168.0.24 filter-stream=yes \
filter-protocol=all-frames filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes \
allow-target=yes disabled=no
add simple-queue=Dj allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes \
disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool netwatch
add host=202.134.0.155 timeout=1s interval=1s up-script=”Link Jakarta Up” \
down-script=”Jakarta Down” comment=”Link Jakarta” disabled=no
add host=202.134.2.5 timeout=1s interval=1s up-script=”Link SurabayaUp” \
down-script=”Link Surabaya Down” comment=”Link Surabaya” disabled=no