MikroTik

MikroTik is a router operating system built on the Linux kernel that can be installed on an ordinary PC and provides completely stable service.

MikroTik has many features, some of which we mention here.

One feature of MikroTik is that most of its services, such as NAT, Filtering, Bandwidth Manager and so on, are performed at Layer 3, so it has no need for the higher layers; this contributes considerably to raising the quality and performance of the system. It lets us pass a large amount of bandwidth through an ordinary PC, for example a Pentium 2 computer with 64M of RAM, and perform operations such as NAT and Filtering on it.

In effect MikroTik turns our PCs into an efficient router and lets us easily add and remove different ports on it.

Another feature of MikroTik is its stability. Like a robust router, it boots quickly and operates automatically without requiring any login or the manual starting of any service.

Besides local access, MikroTik can be configured via Telnet, SSH, its built-in web server, and the Windows interface shipped with MikroTik called Winbox.

Another notable capability of MikroTik is the speed of its installation and configuration. MikroTik installs in a few minutes and is easily configured, and its configuration can be imported and exported.

Another strength of MikroTik is its cost-effectiveness compared with similar hardware products. By buying one RouterOS license and a server with power suited to our work, we can get the performance of the most expensive hardware at several times lower cost. Admittedly, we mostly use cracked versions, and we do not have so much bandwidth that anything more than a P3 computer would be needed.

After explaining and teaching NAT and Filtering with MikroTik, we will turn to an example for further learning.

NAT:

NAT, or Network Address Translation, is an Internet standard that allows the computers inside a network to use one IP range for internal communication and another range for external communication. An internal network that uses NAT is called a Natted Network. To set up NAT, the internal network needs a NAT gateway where the address translation takes place.

In general there are 2 types of NAT:

• SRCNAT or Source NAT:
We use this form of NAT when we want to translate the invalid (private) IPs of an internal network, or Natted Network, to a valid (public) IP. In this case, the IP of every packet that reaches the gateway is translated to a valid IP and sent out to the Internet. For packets that are replies to the earlier packets the reverse holds, and the reverse translation is performed.


• DSTNAT or Destination NAT:
We perform this form of NAT when we want to make a private network reachable from our public network. In this operation we translate our valid IP to our invalid IP.


Redirect and Masquerade

Redirect and Masquerade are special kinds of dstnat and srcnat. Redirect is a kind of dstnat that does not need a to-address to be defined; identifying the incoming interface is enough. Masquerade is a kind of srcnat that does not need a to-address to be defined; specifying an outgoing interface is enough. In this case it no longer matters which IP is attached to the interfaces: any IP in the range of IPs added to the interface will work. In Redirect, the to-port field is used to send all the traffic to a particular port, which is mostly used for operations such as web-proxy.
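The three NAT forms described above, written as RouterOS commands on the addressing the article uses in its configuration section (LAN 172.16.0.0/24, public address 217.219.100.2). This is an added example, not code from the original article; the interface names ether1/ether2, the internal web server 172.16.0.10 and the web-proxy port 8080 are assumptions.

```routeros
# Added example (not from the original article). Addressing follows the article's
# configuration section: LAN 172.16.0.0/24 on ether2, public 217.219.100.2 on ether1.
# Interface names, the internal web server 172.16.0.10 and the proxy port 8080 are
# assumptions for illustration.

/ip firewall nat
# masquerade = srcnat without to-addresses: only the outgoing interface is named and
# whatever address ether1 carries becomes the new source. Connection tracking
# translates the replies back, so no reverse rule is written.
add chain=srcnat out-interface=ether1 src-address=172.16.0.0/24 action=masquerade comment="LAN to Internet"

# dst-nat: the public address/port is rewritten to a private host. Matching on the
# incoming interface and the exact public address keeps the rule from catching
# traffic the LAN itself sends to port 80.
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=217.219.100.2 dst-port=80 action=dst-nat to-addresses=172.16.0.10 to-ports=80 comment="publish internal web server"

# redirect = dstnat without to-addresses: the router's own local address is used and
# only to-ports must be given, here the web-proxy port the article mentions.
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="transparent web-proxy"

# The src-address match on the masquerade rule matters: without it, anything the
# router forwards out ether1 would be rewritten to the public address.
# Hit counters show which rule traffic is actually matching.
/ip firewall nat print stats
```

A dst-nat rule only rewrites the destination; the forward chain of the filter must still accept the translated packet or the published service stays unreachable.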



Property - Description
action (accept | add-dst-to-address-list | add-src-to-address-list | dst-nat | jump
| log | masquerade | netmap | passthrough | redirect | return | same | src-nat;
default: accept) - action to undertake if the packet matches the rule
accept - accepts the packet. No action is taken, i.e. the packet is passed through and no more
rules are applied to it
add-dst-to-address-list - adds destination address of an IP packet to the address list specified
by address-list parameter
add-src-to-address-list - adds source address of an IP packet to the address list specified by
address-list parameter
dst-nat - replaces destination address of an IP packet to values specified by to-addresses and
to-ports parameters
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
masquerade - replaces source address of an IP packet to an automatically determined by the
routing facility IP address
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to
distribute public IP addresses to hosts on private networks
passthrough - ignores this rule and goes on to the next one
redirect - replaces destination address of an IP packet to one of the router's local addresses
return - passes control back to the chain from where the jump took place
same - gives a particular client the same source/destination IP address from supplied range for
each connection. This is most frequently used for services that expect the same client address
for multiple connections from the same client
src-nat - replaces source address of an IP packet to values specified by to-addresses and to-
ports parameters
address-list (name) - specifies the name of the address list to collect IP
addresses from rules having action=add-dst-to-address-list or action=add-
src-to-address-list actions. These address lists could be later used for packet
matching
address-list-timeout (time; default: 00:00:00) - time interval after which the
address will be removed from the address list specified by address-list
parameter. Used in conjunction with add-dst-to-address-list or add-src-to-
address-list actions
00:00:00 - leave the address in the address list forever
chain (dstnat | srcnat | name) - specifies the chain to put a particular rule into.
As the different traffic is passed through different chains, always be careful in
choosing the right chain for a new rule. If the input does not match the name of
an already defined chain, a new chain will be created
dstnat - a rule placed in this chain is applied before routing. The rules that replace destination
addresses of IP packets should be placed there
srcnat - a rule placed in this chain is applied after routing. The rules that replace the source
addresses of IP packets should be placed there
comment (text) - a descriptive comment for the rule. A comment can be used to
identify rules from scripts
connection-bytes (integer-integer) - matches packets only if a given amount of
bytes has been transferred through the particular connection
0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule
matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask) - restrict connection limit per address or
address block
connection-mark (name) - matches packets marked via mangle facility with
particular connection mark
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches
packets from related connections based on information from their connection
tracking helpers. A relevant connection helper must be enabled under /ip
firewall service-port
content (text) - the text packets should contain in order to match the rule
dst-address (IP address/netmask | IP address-IP address) - specifies the
address range an IP packet is destined to. Note that console converts entered
address/netmask value to a valid network address, i.e.:1.1.1.1/24 is
converted to 1.1.1.0/24
dst-address-list (name) - matches destination address of a packet against user-
defined address list
dst-address-type (unicast | local | broadcast | multicast) - matches destination
address type of the IP packet, one of the following:
unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points
to a set of other points
dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) -
limits the packet per second (pps) rate on a per destination IP or per destination
port basis. As opposed to the limit match, every destination IP address / destination
port has its own limit. The options are as follows (in order of appearance):
Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
Time - specifies the time interval over which the packet rate is measured
Burst - number of packets to match in a burst
Mode - the classifier(-s) for packet rate limiting
Expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or
range
hotspot (multiple choice: from-client | auth | local-dst) - matches packets
received from clients against various HotSpot conditions. All values can be negated
from-client - true, if a packet comes from a HotSpot client
auth - true, if a packet comes from an authenticated client
local-dst - true, if a packet has a local destination IP address
icmp-options (integer:integer) - matches ICMP Type:Code fields
in-interface (name) - interface the packet has entered the router through
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert |
no-source-routing | no-timestamp | none | record-route | router-alert | strict-
source-routing | timestamp) - match ipv4 header options
any - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to
route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the
internet datagram based on information supplied by the source
no-router-alert - match packets with no router alert option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alert option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
jump-target (dstnat | srcnat | name) - name of the target chain to jump to, if the
action=jump is used
limit (integer/time{0,1},integer) - restricts packet match rate to a given limit.
Useful to reduce the amount of log messages
Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
Time - specifies the time interval over which the packet rate is measured
Burst - number of packets to match in a burst
log-prefix (text) - all messages written to logs will contain the prefix specified
herein. Used in conjunction with action=log
nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet
received by the rule. One of 16 available counters can be used to count packets
Every - match every Every+1th packet. For example, if Every=1 then the rule matches every
2nd packet
Counter - specifies which counter to use. A counter increments each time the rule containing
nth match matches
Packet - match on the given packet number. The value by obvious reasons must be between 0
and Every. If this option is used for a given counter, then there must be at least Every+1 rules
with this option, covering all values between 0 and Every inclusively.
out-interface (name) - interface the packet is leaving the router through
packet-mark (text) - matches packets marked via mangle facility with particular
packet mark
packet-size (integer: 0..65535-integer: 0..65535{0,1}) - matches packet of the
specified size or size range in bytes
Min - specifies lower boundary of the size range or a standalone value
Max - specifies upper boundary of the size range
phys-in-interface (name) - matches the bridge port physical input device added
to a bridge device. It is only useful if the packet has arrived through the bridge
phys-out-interface (name) - matches the bridge port physical output device
added to a bridge device. It is only useful if the packet will leave the router
through the bridge
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp |
ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp |
udp | vmtp | xns-idp | xtp | integer) - matches particular IP protocol specified by
protocol name or number. You should specify this setting if you want to specify
ports
psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is
advised to assign lower weight to ports with high numbers to reduce the
frequency of false positives, such as from passive mode FTP transfers
WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports
coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same
host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-privileged destination port
random (integer) - match packets randomly with given probability
routing-mark (name) - matches packets marked by mangle facility with
particular routing mark
same-not-by-dst (yes | no) - specifies whether to account or not to account for
destination IP address when selecting a new source IP address for packets
matched by rules with action=same
src-address (IP address/netmask | IP address-IP address) - specifies the
address range an IP packet is originated from. Note that console converts entered
address/netmask value to a valid network address, i.e.:1.1.1.1/24 is
converted to 1.1.1.0/24
src-address-list (name) - matches source address of a packet against user-
defined address list
src-address-type (unicast | local | broadcast | multicast) - matches source
address type of the IP packet, one of the following:
unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points
to a set of other points
src-mac-address (MAC address) - source MAC address
src-port (integer: 0..65535-integer: 0..65535{*}) - source port number or
range
tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows creating a
filter based on the packets' arrival time and date or, for locally generated
packets, departure time and date
to-addresses (IP address-IP address{0,1}; default: 0.0.0.0) - address or
address range to replace original address of an IP packet with
to-ports (integer: 0..65535-integer: 0..65535{0,1}) - port or port range to
replace original port of an IP packet with
tos (max-reliability | max-throughput | min-cost | min-delay | normal) - specifies
a match to the value of Type of Service (ToS) field of IP header
max-reliability - maximize reliability (ToS=4)
max-throughput - maximize throughput (ToS=8)
min-cost - minimize monetary cost (ToS=2)
min-delay - minimize delay (ToS=16)
normal - normal service (ToS=0)




Filter

Filter is one part of the firewall.

What is a firewall?
Literally, firewall means a wall of fire, but conceptually it is like a wall built around a city, with passages like city gates where guards control who comes and goes.

In a network, firewalls are usually installed on the gateway and control all traffic; they are usually responsible for protecting internal information against external attacks.

Firewalls may follow different strategies, depending on the type of network and the type and level of protection.

MikroTik has a strong packet filter, whose features are listed below:
•   stateful packet filtering
•   peer-to-peer protocols filtering
•   traffic classification by:
        o source MAC address
        o IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
        o port or port range
        o IP protocols
        o protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
        o interface the packet arrived from or left through
        o internal flow and connection marks
        o ToS (DSCP) byte
        o packet content
        o rate at which packets arrive and sequence numbers
        o packet size
        o packet arrival time
        o and much more!




General rule of Filtering

The firewall is built on its rules: the firewall and router do what the rules tell them. Every rule consists of 2 parts: the first part specifies which packets match our rule, and the second part specifies the action that should be taken on the packet.

Rules are grouped by chain for easier management. By default each rule can be placed in one of 3 chains: input, forward and output, meaning respectively packets destined for the router, packets passing through the router, and packets leaving the router as their source. Chains can also be defined manually in the firewall.
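A minimal stateful rule set built on this match-part/action-part structure across the input and forward chains, as an added example and not code from the original article. The LAN range 172.16.0.0/24 comes from the article's configuration section; the interface names ether1/ether2 and the published host 172.16.0.10 are assumptions.

```routeros
# Added example (not from the original article). Each rule below is the article's
# two parts: matchers (chain, connection-state, interface, addresses, ports) and one
# action. Assumptions: ether1 = public side, ether2 = LAN (172.16.0.0/24 as in the
# article), 172.16.0.10 = an internal host published with dst-nat.

/ip firewall filter
# input chain: packets addressed to the router itself.
add chain=input connection-state=established action=accept comment="replies to the router's own connections"
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop comment="untrackable packets, dropped as the manual advises"
add chain=input in-interface=ether2 src-address=172.16.0.0/24 protocol=tcp dst-port=22 action=accept comment="SSH from LAN only"
add chain=input in-interface=ether2 src-address=172.16.0.0/24 protocol=tcp dst-port=8291 action=accept comment="Winbox from LAN only"
add chain=input protocol=icmp limit=5,5 action=accept comment="ping, 5 pps with burst 5"
add chain=input limit=10,5 action=log log-prefix="input-drop: " comment="sample what the final drop catches"
add chain=input action=drop comment="everything else addressed to the router"

# forward chain: packets passing through the router (LAN <-> Internet).
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 src-address=172.16.0.0/24 action=accept comment="LAN outbound"
add chain=forward in-interface=ether1 protocol=tcp dst-address=172.16.0.10 dst-port=80 action=accept comment="the published service; dst-nat alone does not bypass the filter"
add chain=forward action=drop comment="no other unsolicited inbound"

# output chain: packets the router generates itself; the default accept is left in place.

# Hit counters show which rule is catching traffic while the set is being tested.
/ip firewall filter print stats
```

Order matters: the log rule sits just before the final drop so that only traffic about to be dropped is logged, and the limit keeps a flood from filling the system log.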


Property - Description
action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump |
log | passthrough | reject | return | tarpit; default: accept) - action to undertake
if the packet matches the rule
accept - accept the packet. No action is taken, i.e. the packet is passed through and no more
rules are applied to it
add-dst-to-address-list - adds destination address of an IP packet to the address list specified
by address-list parameter
add-src-to-address-list - adds source address of an IP packet to the address list specified by
address-list parameter
drop - silently drop the packet (without sending the ICMP reject message)
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
passthrough - ignores this rule and goes on to the next one
reject - reject the packet and send an ICMP reject message
return - passes control back to the chain from where the jump took place
tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP
SYN packet)
address-list (name) - specifies the name of the address list to collect IP
addresses from rules having action=add-dst-to-address-list or action=add-
src-to-address-list actions. These address lists could be later used for packet
matching
address-list-timeout (time; default: 00:00:00) - time interval after which the
address will be removed from the address list specified by address-list
parameter. Used in conjunction with add-dst-to-address-list or add-src-to-
address-list actions
00:00:00 - leave the address in the address list forever
chain (forward | input | output | name) - specifies the chain to put a particular
rule into. As the different traffic is passed through different chains, always be
careful in choosing the right chain for a new rule. If the input does not match the
name of an already defined chain, a new chain will be created
comment (text) - a descriptive comment for the rule. A comment can be used to
identify rules from scripts
connection-bytes (integer-integer) - matches packets only if a given amount of
bytes has been transferred through the particular connection
0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule
matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask) - restrict connection limit per address or
address block
connection-mark (name) - matches packets marked via mangle facility with
particular connection mark
connection-state (established | invalid | new | related) - interprets the
connection tracking analysis data for a particular packet
established - a packet which belongs to an existing connection, e.g. a reply packet
or a packet which belongs to an already replied connection
invalid - a packet which could not be identified for some reason. This includes out of memory
condition and ICMP errors which do not correspond to any known connection. It is generally
advised to drop these packets
new - a packet which begins a new TCP connection
related - a packet which is related to, but not part of an existing connection, such as ICMP
errors or a packet which begins an FTP data connection (the latter requires the FTP connection
tracking helper to be enabled under /ip firewall service-port)
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches
packets from related connections based on information from their connection
tracking helpers. A relevant connection helper must be enabled under /ip
firewall service-port
content (text) - the text packets should contain in order to match the rule
dst-address (IP address/netmask | IP address-IP address) - specifies the
address range an IP packet is destined to. Note that console converts entered
address/netmask value to a valid network address, i.e.:1.1.1.1/24 is
converted to 1.1.1.0/24
dst-address-list (name) - matches destination address of a packet against user-
defined address list
dst-address-type (unicast | local | broadcast | multicast) - matches destination
address type of the IP packet, one of the following:
unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points
to a set of other points
dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) -
limits the packet per second (pps) rate on a per destination IP or per destination
port basis. As opposed to the limit match, every destination IP address / destination
port has its own limit. The options are as follows (in order of appearance):
Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
Time - specifies the time interval over which the packet rate is measured
Burst - number of packets to match in a burst
Mode - the classifier(-s) for packet rate limiting
Expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or
range
hotspot (multiple choice: from-client | auth | local-dst | http) - matches packets
received from clients against various HotSpot conditions. All values can be negated
from-client - true, if a packet comes from a HotSpot client
auth - true, if a packet comes from an authenticated client
local-dst - true, if a packet has a local destination IP address
http - true, if it is a TCP packet from a client and either the transparent proxy on port 80 is
enabled or the client has a proxy address configured and this address is equal to the
address:port pair of the IP packet
icmp-options (integer:integer) - matches ICMP Type:Code fields
in-interface (name) - interface the packet has entered the router through
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert |
no-source-routing | no-timestamp | none | record-route | router-alert | strict-
source-routing | timestamp) - match ipv4 header options
any - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to
route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the
internet datagram based on information supplied by the source
no-router-alert - match packets with no router alert option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alert option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
jump-target (forward | input | output | name) - name of the target chain to
jump to, if the action=jump is used
limit (integer/time{0,1},integer) - restricts packet match rate to a given limit.
Useful to reduce the amount of log messages
Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
Time - specifies the time interval over which the packet rate is measured
Burst - number of packets to match in a burst
log-prefix (text) - all messages written to logs will contain the prefix specified
herein. Used in conjunction with action=log
nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet
received by the rule. One of 16 available counters can be used to count packets
Every - match every Every+1th packet. For example, if Every=1 then the rule matches every
2nd packet
Counter - specifies which counter to use. A counter increments each time the rule containing
nth match matches
Packet - match on the given packet number. The value by obvious reasons must be between 0
and Every. If this option is used for a given counter, then there must be at least Every+1 rules
with this option, covering all values between 0 and Every inclusively.
out-interface (name) - interface the packet will leave the router through
p2p (all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack |
gnutella | soulseek | warez | winmx) - matches packets from various peer-to-
peer (P2P) protocols
packet-mark (text) - matches packets marked via mangle facility with particular
packet mark
packet-size (integer: 0..65535-integer: 0..65535{0,1}) - matches packet of the
specified size or size range in bytes
Min - specifies lower boundary of the size range or a standalone value
Max - specifies upper boundary of the size range
phys-in-interface (name) - matches the bridge port physical input device added
to a bridge device. It is only useful if the packet has arrived through the bridge
phys-out-interface (name) - matches the bridge port physical output device
added to a bridge device. It is only useful if the packet will leave the router
through the bridge
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp |
ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp |
udp | vmtp | xns-idp | xtp | integer) - matches particular IP protocol specified by
protocol name or number. You should specify this setting if you want to specify
ports
psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is
advised to assign lower weight to ports with high numbers to reduce the
frequency of false positives, such as from passive mode FTP transfers
WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports
coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same
host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-privileged destination port
random (integer: 1..99) - matches packets randomly with given probability
reject-with (icmp-admin-prohibited | icmp-echo-reply | icmp-host-prohibited |
icmp-host-unreachable | icmp-net-prohibited | icmp-network-unreachable | icmp-
port-unreachable | icmp-protocol-unreachable | tcp-reset | integer) - alters the
reply packet of reject action
routing-mark (name) - matches packets marked by mangle facility with
particular routing mark
src-address (IP address/netmask | IP address-IP address) - specifies the
address range an IP packet is originated from. Note that console converts entered
address/netmask value to a valid network address, i.e.:1.1.1.1/24 is
converted to 1.1.1.0/24
src-address-list (name) - matches source address of a packet against user-
defined address list
src-address-type (unicast | local | broadcast | multicast) - matches source
address type of the IP packet, one of the following:
unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points
to a set of other points
src-mac-address (MAC address) - source MAC address
src-port (integer: 0..65535-integer: 0..65535{*}) - source port number or
range
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to match
ack - acknowledging data
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows creating a
filter based on the packets' arrival time and date or, for locally generated
packets, departure time and date
tos (max-reliability | max-throughput | min-cost | min-delay | normal) - specifies
a match for the value of Type of Service (ToS) field of an IP header
max-reliability - maximize reliability (ToS=4)
max-throughput - maximize throughput (ToS=8)
min-cost - minimize monetary cost (ToS=2)
min-delay - minimize delay (ToS=16)
normal - normal service (ToS=0)




Installing MikroTik

To install MikroTik we should first check its minimum hardware requirements, which are listed on the official site www.MikroTik.com. Empirically, however, for 1Mbps of bandwidth and services such as NAT, Filtering, Bandwidth manager and DNS, at minimum a Pentium 2 computer with 64MB of RAM, a hard disk of 2.1GB or less and 2 network cards is enough.

To install from CD, first download its image from the link given at the end of the article and burn it to a CD as an image, so that the CD is bootable after writing.

Put the CD in the cd-rom of the system you want to install MikroTik on, and set your computer's first boot device to cd-rom. After booting from the CD, a screen opens listing the services (packages), which you can select or deselect with the spacebar. After selecting the relevant packages, press the "i" key. You will be asked 2 questions: 1- the system tells you that installing MikroTik will erase all data on your hard disk; 2- you are asked whether, if MikroTik was previously installed on your system, you want to keep the previous configuration. If we enter "y" for both and press ENTER, the system begins installing.

After the installation completes, a message appears saying that your installation has finished and to press ENTER to reboot your system. The system then reboots and your router is ready to use.

MikroTik configuration

Assigning IP addresses to the network cards:

We consider a LAN that is connected through MikroTik to a router and through it to
the Internet. We assume that our router's IP is 217.219.100.1 255.255.255.128 and our
internal network IP is 172.16.0.0 255.255.255.0; therefore the IP of our external
network card is 217.219.100.2 255.255.255.128, the IP of our internal network card is
172.16.0.1 255.255.255.0, and our default gateway is 217.219.100.1.
To configure the router we first have to login to it. The router's default Username
and password are admin with a blank (empty) password. We enter the user and password
and log in.
First we have to set the IPs. For this we enter the following commands:
  [admin@MikroTik] ip address> add address=217.219.100.2/25 interface=ether0
  [admin@MikroTik] ip address> add address=172.16.0.1/24 interface=ether1
  [admin@MikroTik] ip address> print
  Flags: X - disabled, I - invalid, D - dynamic
    #   ADDRESS            NETWORK         BROADCAST        INTERFACE
    0   217.219.100.2/25   217.219.100.0   217.219.100.127  ether0
    1   172.16.0.1/24      172.16.0.0      172.16.0.255     ether1
  [admin@MikroTik] ip address>




Now our IPs have been added. To specify a default gateway for the router we have to
write a static route for it. For this we enter the following commands:



  [admin@MikroTik] ip route> add gateway=217.219.100.1
  [admin@MikroTik] ip route> print
  Flags: X - disabled, A - active, D - dynamic,
  C - connect, S - static, r - rip, b - bgp, o - ospf
   #     DST-ADDRESS         G GATEWAY        DISTANCE   INTERFACE
   1 ADC 217.219.100.0/25                                ether0
   2 ADC 172.16.0.0/24                                   ether1
   3 A S 0.0.0.0/0           r 217.219.100.1             ether0
  [admin@MikroTik] ip route>




Now your router is connected to the Internet. To test it you can ping an IP on the
Internet, as follows:


  [admin@MikroTik] > ping 4.2.2.1
  4.2.2.1 64 byte ping: ttl=237 time=256 ms
  4.2.2.1 64 byte ping: ttl=237 time=413 ms
  4.2.2.1 64 byte ping: ttl=237 time=311 ms
  4.2.2.1 64 byte ping: ttl=237 time=283 ms
  5 packets transmitted, 4 packets received, 20% packet loss
  round-trip min/avg/max = 256/315.7/413 ms
  [admin@MikroTik] >
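The route table printed above decides how the ping to 4.2.2.1 leaves the router: the two ADC entries are the directly connected networks of ether0 and ether1, and the 0.0.0.0/0 entry is the static default route pointing at 217.219.100.1. As an added example (not part of the original article and not RouterOS code), the Python below models that lookup with longest-prefix matching and the rule that a static route is only usable when its gateway lies in a directly connected network. The table values are the article's; the tuple layout and function names are this example's own.

```python
import ipaddress

# Routing table as printed by the article's `ip route print`: (destination
# prefix, gateway or None for a directly connected network, interface).
ROUTES = [
    ("217.219.100.0/25", None, "ether0"),       # connected network on ether0
    ("172.16.0.0/24", None, "ether1"),          # connected network on ether1
    ("0.0.0.0/0", "217.219.100.1", "ether0"),   # static default route
]


def gateway_reachable(routes, gateway):
    """A static route is usable only if its gateway lies inside a directly
    connected network; otherwise the router has no interface to reach it."""
    gw = ipaddress.ip_address(gateway)
    return any(hop is None and gw in ipaddress.ip_network(prefix)
               for prefix, hop, _ in routes)


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins, so
    the /0 default route is used only when no connected network matches.
    Returns None when there is no usable route at all."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        if gateway is not None and not gateway_reachable(routes, gateway):
            continue  # inactive static route: its gateway is unreachable
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gateway, iface)
    if best is None:
        return None
    net, gateway, iface = best
    # On a connected network the destination itself is the next hop.
    return {"prefix": str(net), "next_hop": gateway or dst, "interface": iface}


if __name__ == "__main__":
    for target in ("4.2.2.1", "172.16.0.7", "217.219.100.1"):
        print(target, "->", lookup(ROUTES, target))
```

Running it shows 4.2.2.1 leaving via the default route on ether0 while 172.16.0.7 is delivered directly on ether1; if the default route's gateway were outside both connected networks, `lookup` would return None, which is the situation the ping test would reveal as lost packets.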




Configuring NAT on the router:

Here we only want the internal network's addresses to be translated to one valid
external address on the Internet. So we have to use srcnat, and for that we can either
use masquerade or use srcnat together with the internal network address entered
through the to-address field. We explain both methods here.
Masquerade
In this case it is enough to specify the outgoing interface, which we do as follows:


  ‫0‪/ip firewall nat add chain=srcnat action=masquerade out-interface=ether‬‬




In this way all the IPs in our network, on whatever interface they are, get connected
to the Internet if they set the router as their default gateway.
Srcnat
In this case we NAT one or more specific IPs to one valid IP. In this case we have
more security and control over our network.


  ‫-‪/ip firewall nat add chain=srcnat src-address=172.16.0.0/24 action=src‬‬
  ‫ ‪nat‬‬
        ‫2.001.912.712=‪to-addresses‬‬




In the above case every computer with an IP in the range 172.16.0.0 255.255.255.0 and
default gateway 172.16.0.1 can use the Internet. Instead of a range we can choose a
specific IP or a more limited range.
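To make concrete what the src-nat rule above does to traffic, and why hosts behind it cannot be reached from the Internet, here is an added Python model (not RouterOS code and not from the original article) of a srcnat gateway: outbound packets from 172.16.0.0/24 get their source rewritten to 217.219.100.2, the connection is remembered, and only replies matching a remembered connection are translated back. The addresses are the article's; the Packet layout, the sequential port allocation and the helper for masquerade are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "217.219.100.2"                        # ether0 address in the article
NAT_NET = ipaddress.ip_network("172.16.0.0/24")    # src-address of the srcnat rule


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SrcNatGateway:
    """Models a srcnat rule with action=src-nat to-addresses=PUBLIC_IP.

    Outbound packets from NAT_NET get the public source address and a fresh
    source port; the private (src, sport, dst, dport) tuple is remembered so
    replies can be mapped back. Sequential port allocation is an assumption
    of this example chosen for readability."""

    def __init__(self, public_ip, nat_net, first_port=1024):
        self.public_ip = public_ip
        self.nat_net = nat_net
        self.next_port = first_port
        self.by_public_port = {}   # public sport -> (src, sport, dst, dport)
        self.by_flow = {}          # (src, sport, dst, dport) -> public sport

    def outbound(self, pkt):
        """Packet leaving towards the Internet (srcnat chain, after routing)."""
        if ipaddress.ip_address(pkt.src) not in self.nat_net:
            return pkt                                # rule does not match
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_flow:                  # first packet of a connection
            self.by_flow[flow] = self.next_port
            self.by_public_port[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[flow], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet arriving on the public side. Only a reply that matches a
        tracked connection is translated back; anything else returns None
        (dropped), which is what keeps private hosts unreachable from outside."""
        if pkt.dst != self.public_ip:
            return pkt
        flow = self.by_public_port.get(pkt.dport)
        if flow is None or (pkt.src, pkt.sport) != (flow[2], flow[3]):
            return None
        return Packet(pkt.src, pkt.sport, flow[0], flow[1])


def masquerade_source(out_interface, interface_addresses):
    """action=masquerade differs only in where the public address comes from:
    it is read from the outgoing interface instead of the to-addresses field."""
    return interface_addresses[out_interface]
```

A second connection from the same private host, or from another host, gets its own public port, so replies are never delivered to the wrong machine; a packet to 217.219.100.2 on a port with no tracked connection is dropped rather than forwarded inside.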



Filter configuration
Filter rules have to be built according to our needs. For now we assume that we want
to allow only 3 computers to use the Internet at first, block port 135 for everyone,
have ping blocked for all computers, and have the router's telnet port closed to
everyone. To do the above we proceed as follows.
We intend to block port 135 for all IPs, so we write the following rule:


     /ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop




In this way all requests to this port are dropped.

Now we have to create a rule that blocks ping; this rule is like the previous one:

     /ip firewall filter add chain=forward protocol=icmp action=drop

And the next rule, blocking the telnet port to the router:
In this case we have to set the chain to input, meaning all incoming packets whose
destination is the router.

    ‫32=‪/ip firewall filter add chain=input protocol=tcp dst-port‬‬
    ‫‪action=drop‬‬



Now we want only 3 computers to have Internet access, so every packet that wants to
pass through the router and originates from these 3 specific computers must be
allowed through, and the other packets that want to pass through the router must be
dropped. So first the access rules and then the rule denying access to the rest must
be written. In filtering the order of the rules is very important, because the router
reads and acts on the rules in order from top to bottom.


     /ip firewall filter add chain=forward src-address=172.16.0.2 action=accept
     /ip firewall filter add chain=forward src-address=172.16.0.3 action=accept
     /ip firewall filter add chain=forward src-address=172.16.0.4 action=accept
     /ip firewall filter add chain=forward src-address=172.16.0.0/16 action=drop




With the above rules we have opened access for three IPs and restricted all other
packets.
Now our configuration is complete. We have a router that sits between our internal
and external networks; on our router one valid IP is NATed to a range of invalid IPs.
On the router we protect our internal network and the router itself by means of
packet filtering, and we are able to control the clients' access to the Internet.
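Because the router evaluates each chain top to bottom and stops at the first match, the order in which the rules above were entered is what makes them work: the port-135 and ICMP drops come before the three accepts, so even an allowed host cannot reach port 135, and the /16 drop comes last so it only catches hosts no accept rule named. As an added example (not RouterOS code and not from the original article), the Python below replays the article's seven rules against constructed packets and shows what happens when the final drop is moved to the top. Rule values and router addresses are the article's; the dict representation, the packet layout and the chain classification by destination address are this example's own.

```python
import ipaddress

ROUTER_ADDRESSES = {"217.219.100.2", "172.16.0.1"}   # ether0 and ether1 addresses

# The article's filter rules in the order they were entered (first match wins).
RULES = [
    {"chain": "forward", "protocol": "tcp", "dst-port": 135, "action": "drop"},
    {"chain": "forward", "protocol": "icmp", "action": "drop"},
    {"chain": "input", "protocol": "tcp", "dst-port": 23, "action": "drop"},
    {"chain": "forward", "src-address": "172.16.0.2", "action": "accept"},
    {"chain": "forward", "src-address": "172.16.0.3", "action": "accept"},
    {"chain": "forward", "src-address": "172.16.0.4", "action": "accept"},
    {"chain": "forward", "src-address": "172.16.0.0/16", "action": "drop"},
]


def classify_chain(pkt, router_addresses=ROUTER_ADDRESSES):
    """Packets addressed to one of the router's own IPs go through the input
    chain; packets routed between interfaces go through forward."""
    return "input" if pkt["dst"] in router_addresses else "forward"


def matches(rule, pkt):
    """Every matcher present in the rule must match (matchers are ANDed)."""
    for key, value in rule.items():
        if key in ("chain", "action"):
            continue
        if key == "src-address":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(value):
                return False
        elif key == "protocol":
            if pkt["protocol"] != value:
                return False
        elif key == "dst-port":
            if pkt.get("dst-port") != value:   # ICMP packets carry no port
                return False
        else:
            raise ValueError(f"matcher not modelled: {key}")
    return True


def evaluate(rules, pkt):
    """Walk the packet's chain top to bottom; the first matching rule decides.
    Returns (action, rule index); a packet matching no rule falls through
    and is accepted (the chain's default), reported with index None."""
    chain = classify_chain(pkt)
    for i, rule in enumerate(rules):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"], i
    return "accept", None


def with_rule_moved_to_top(rules, index):
    """Copy of the rule list with one rule moved to position 0, to show how
    order alone changes the outcome."""
    moved = list(rules)
    moved.insert(0, moved.pop(index))
    return moved


if __name__ == "__main__":
    web = {"src": "172.16.0.2", "dst": "4.2.2.1", "protocol": "tcp", "dst-port": 80}
    print("allowed host, port 80:", evaluate(RULES, web))
    print("same host, /16 drop first:", evaluate(with_rule_moved_to_top(RULES, 6), web))
```

The last line of the demo is the failure mode the article warns about: with the broad drop placed above the accepts, 172.16.0.2 loses Internet access even though an accept rule for it still exists. Note also that the input chain only blocks port 23; any other service listening on the router is still reachable from inside, which is worth checking when reviewing such a rule set.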

I hope what I have written proves useful.
For any question you can contact shahin@admins.ir or ask your question right here.

  • 6. stateful packet filtering
  • peer-to-peer protocols filtering
  • traffic classification by:
      o source MAC address
      o IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
      o port or port range
      o IP protocols
      o protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
      o interface the packet arrived from or left through
      o internal flow and connection marks
      o ToS (DSCP) byte
      o packet content
      o rate at which packets arrive and sequence numbers
      o packet size
      o packet arrival time
      o and much more!

General principle of Filtering

The firewall is built on its rules: the firewall and router do whatever the rules say. Each rule consists of 2 parts. The first part specifies which packets match our rule, and the second part specifies the action that must be taken on the packet.

Rules are grouped by their chain for easier management. By default a rule can be in one of 3 chains: input, forward and output, meaning packets whose destination is the router, packets passing through the router, and packets whose source is the router. Custom chains can also be defined manually for the firewall.

Property Description

  action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump | log | passthrough | reject | return | tarpit; default: accept) - action to undertake if the packet matches the rule
      accept - accept the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it
      add-dst-to-address-list - adds the destination address of an IP packet to the address list specified by the address-list parameter
      add-src-to-address-list - adds the source address of an IP packet to the address list specified by the address-list parameter
      drop - silently drop the packet (without sending an ICMP reject message)
      jump - jump to the chain specified by the value of the jump-target parameter
      log - each match with this action will add a message to the system log
      passthrough - ignores this rule and goes on to the next one
      reject - reject the packet and send an ICMP reject message
      return - passes control back to the chain from where the jump took place
  • 7.  tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
  address-list (name) - specifies the name of the address list to collect IP addresses into from rules having action=add-dst-to-address-list or action=add-src-to-address-list. These address lists can later be used for packet matching
  address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions
      00:00:00 - leave the address in the address list forever
  chain (forward | input | output | name) - specifies the chain to put a particular rule into. As different traffic passes through different chains, always be careful to choose the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created
  comment (text) - a descriptive comment for the rule. A comment can be used to identify rules from scripts
  connection-bytes (integer-integer) - matches packets only if a given amount of bytes has been transferred through the particular connection
      0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
  connection-limit (integer,netmask) - restricts the connection limit per address or address block
  connection-mark (name) - matches packets marked via the mangle facility with a particular connection mark
  connection-state (established | invalid | new | related) - interprets the connection tracking analysis data for a particular packet
      established - a packet which belongs to an existing connection, e.g. a reply packet or a packet which belongs to an already replied connection
      invalid - a packet which could not be identified for some reason. This includes the out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
      new - a packet which begins a new TCP connection
      related - a packet which is related to, but not part of, an existing connection, such as ICMP errors or a packet which begins an FTP data connection (the latter requires the FTP connection tracking helper to be enabled under /ip firewall service-port)
  connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. The relevant connection helper must be enabled under /ip firewall service-port
  content (text) - the text packets should contain in order to match the rule
  dst-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is destined to. Note that the console converts an entered address/netmask value to a valid network address, i.e. 1.1.1.1/24 is converted to 1.1.1.0/24
  dst-address-list (name) - matches the destination address of a packet against a user-defined address list
  dst-address-type (unicast | local | broadcast | multicast) - matches the destination address type of the IP packet, one of:
      unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
      local - matches addresses assigned to the router's interfaces
      broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
      multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
  dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limits the packet per second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):
  • 8.      Count - maximum average packet rate, measured in packets per second (pps), unless followed by the Time option
      Time - specifies the time interval over which the packet rate is measured
      Burst - number of packets to match in a burst
      Mode - the classifier(s) for packet rate limiting
      Expire - specifies the interval after which recorded IP addresses / ports will be deleted
  dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range
  hotspot (multiple choice: from-client | auth | local-dst | http) - matches packets received from clients against various HotSpot conditions. All values can be negated
      from-client - true if a packet comes from a HotSpot client
      auth - true if a packet comes from an authenticated client
      local-dst - true if a packet has a local destination IP address
      hotspot - true if it is a TCP packet from a client and either the transparent proxy on port 80 is enabled or the client has a proxy address configured and this address is equal to the address:port pair of the IP packet
  icmp-options (integer:integer) - matches the ICMP Type:Code fields
  in-interface (name) - interface the packet has entered the router through
  ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header options
      any - match packets with at least one of the ipv4 options
      loose-source-routing - match packets with the loose source routing option. This option is used to route the internet datagram based on information supplied by the source
      no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
      no-router-alert - match packets with no router alert option
      no-source-routing - match packets with no source routing option
      no-timestamp - match packets with no timestamp option
      record-route - match packets with the record route option
      router-alert - match packets with the router alert option
      strict-source-routing - match packets with the strict source routing option
      timestamp - match packets with the timestamp option
  jump-target (forward | input | output | name) - name of the target chain to jump to, if action=jump is used
  limit (integer/time{0,1},integer) - restricts the packet match rate to a given limit. Useful to reduce the amount of log messages
      Count - maximum average packet rate, measured in packets per second (pps), unless followed by the Time option
      Time - specifies the time interval over which the packet rate is measured
      Burst - number of packets to match in a burst
  log-prefix (text) - all messages written to the log will contain the prefix specified here. Used in conjunction with action=log
  nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packets
      Every - match every Every+1th packet. For example, if Every=1 then the rule matches every 2nd packet
      Counter - specifies which counter to use. A counter increments each time the rule containing the nth match matches
      Packet - match on the given packet number. For obvious reasons the value must be between 0 and Every. If this option is used for a given counter, then there must be at least Every+1 rules with this option, covering all values between 0 and Every inclusive
  out-interface (name) - interface the packet will leave the router through
  p2p (all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez | winmx) - matches packets from various peer-to-peer (P2P) protocols
  packet-mark (text) - matches packets marked via the mangle facility with a particular packet mark
  packet-size (integer: 0..65535-integer: 0..65535{0,1}) - matches packets of the specified size or size range in bytes
      Min - specifies the lower boundary of the size range or a standalone value
      Max - specifies the upper boundary of the size range
  • 9. phys-in-interface (name) - matches the bridge port physical input device added to a bridge device. It is only useful if the packet has arrived through the bridge
  phys-out-interface (name) - matches the bridge port physical output device added to a bridge device. It is only useful if the packet will leave the router through the bridge
  protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches a particular IP protocol specified by protocol name or number. You should specify this setting if you want to specify ports
  psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfers
      WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as a port scan sequence
      DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as a possible port scan subsequence
      LowPortWeight - weight of packets with a privileged (<=1024) destination port
      HighPortWeight - weight of packets with a non-privileged destination port
  random (integer: 1..99) - matches packets randomly with the given probability
  reject-with (icmp-admin-prohibited | icmp-echo-reply | icmp-host-prohibited | icmp-host-unreachable | icmp-net-prohibited | icmp-network-unreachable | icmp-port-unreachable | icmp-protocol-unreachable | tcp-reset | integer) - alters the reply packet of the reject action
  routing-mark (name) - matches packets marked by the mangle facility with a particular routing mark
  src-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet originates from. Note that the console converts an entered address/netmask value to a valid network address, i.e. 1.1.1.1/24 is converted to 1.1.1.0/24
  src-address-list (name) - matches the source address of a packet against a user-defined address list
  src-address-type (unicast | local | broadcast | multicast) - matches the source address type of the IP packet, one of:
      unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
      local - matches addresses assigned to the router's interfaces
      broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
      multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
  src-mac-address (MAC address) - source MAC address
  src-port (integer: 0..65535-integer: 0..65535{*}) - source port number or range
  tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg) - TCP flags to match
      ack - acknowledging data
      cwr - congestion window reduced
      ece - ECN-echo flag (explicit congestion notification)
      fin - close connection
      psh - push function
      rst - drop connection
      syn - new connection
      urg - urgent data
  tcp-mss (integer: 0..65535) - matches the TCP MSS value of an IP packet
  time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
  tos (max-reliability | max-throughput | min-cost | min-delay | normal) - specifies a match on the value of the Type of Service (ToS) field of an IP header
      max-reliability - maximize reliability (ToS=4)
      max-throughput - maximize throughput (ToS=8)
  • 10.     min-cost - minimize monetary cost (ToS=2)
      min-delay - minimize delay (ToS=16)
      normal - normal service (ToS=0)

Installing MikroTik

To install MikroTik we first need to check its minimum hardware requirements, which are listed on the official site www.MikroTik.com. Empirically, though, for 1Mbps of bandwidth and services such as NAT, Filtering, Bandwidth manager and DNS, a Pentium 2 computer with 64MB of RAM, a hard disk of 2.1GB or less and 2 network cards is enough as a minimum.

To install from CD, first download its image from the link given at the end of the article and burn it to a CD as an image, so that the CD is bootable after writing.

Put the CD in the cd-rom of the system on which you want to install MikroTik and set your computer's first boot device to cd-rom. After booting from the CD, a screen opens showing the list of services, which can be selected or deselected with the spacebar. After selecting the relevant packages, press the "i" key. You are asked 2 questions: 1- the system tells you that installing MikroTik will erase all data on your hard disk; 2- you are asked whether, if MikroTik was previously installed on your system, you want to keep the previous configuration. If we enter "y" for both and press ENTER, the system starts installing.

After the installation completes, a message appears saying that your installation is finished and to press ENTER to reboot your system. The system then reboots and your router is ready to use.

Configuring MikroTik

Assigning IP addresses to the network cards:

We consider a LAN that is connected through MikroTik to a router, and through it to the Internet. We assume that our router's IP is 217.219.100.1 255.255.255.128 and our internal network is 172.16.0.0 255.255.255.0; therefore the IP of our external network card is 217.219.100.2 255.255.255.128, the IP of our internal network card is 172.16.0.1 255.255.255.0, and our default gateway is 217.219.100.1.

To configure the router we first need to log in to it. The router's default username and password are admin with a blank (empty) password. We enter the user and password and log in.

First we need to set the IPs. To do so we enter the following commands:
  • 11.
[admin@MikroTik] ip address> add address=217.219.100.2/25 interface=ether0
[admin@MikroTik] ip address> add address=172.16.0.1/24 interface=ether1
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST        INTERFACE
  0   217.219.100.2/25   217.219.100.0   217.219.100.127  ether0
  1   172.16.0.1         172.16.0.0      172.16.0.255     ether1
[admin@MikroTik] ip address>

Now our IPs have been added. To specify a default gateway for the router we need to write a static route for it. To do so we enter the following commands:

[admin@MikroTik] ip route> add gateway=217.219.100.1
[admin@MikroTik] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
  #     DST-ADDRESS        G GATEWAY          DISTANCE  INTERFACE
  1 ADC 217.219.100.0/25                                ether0
  2 ADC 172.16.0.0/24                                   ether1
  3 A S 0.0.0.0/0          r 217.219.100.1              ether0
[admin@MikroTik] ip route>

Now your router is connected to the Internet. To test it you can ping an IP on the Internet, as follows:

[admin@MikroTik] > ping 4.2.2.1
4.2.2.1 64 byte ping: ttl=237 time=256 ms
4.2.2.1 64 byte ping: ttl=237 time=413 ms
4.2.2.1 64 byte ping: ttl=237 time=311 ms
4.2.2.1 64 byte ping: ttl=237 time=283 ms
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 256/315.7/413 ms
[admin@MikroTik] >

Configuring NAT on the router:

Here we only want the internal network's addresses to be translated to one external address that is valid on the Internet. So we must use srcnat, either with masquerade, or with src-nat while entering the internal network address together with the to-address field. We will explain both methods here.

Masquerade
  • 12. In this mode it is enough to specify the outgoing interface, which we do as follows:

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether0

This way all IPs in our network, on whichever interface they are, connect to the Internet if they set the router as their default gateway.

Srcnat

In this mode we NAT one or more specific IPs to one valid IP. This gives us more security and control over our network.

/ip firewall nat add chain=srcnat src-address=172.16.0.0/24 action=src-nat to-addresses=217.219.100.2

In the above case, any computer with an IP in the range 172.16.0.0 255.255.255.0 and default gateway 172.16.0.1 can use the Internet. Instead of an IP range we can select a specific IP or a more limited range.

Filter configuration

Filter rules must be built according to our needs. For now we assume that we want to allow only 3 computers to use the Internet, close port 135 for everyone, block ping for all computers, and close the router's telnet port for everyone. To do the above we proceed as follows.

We intend to close port 135 for all IPs, so we write the following rule:

/ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop

This way all requests to this port are dropped.

Now we need to create a rule so that ping is blocked; this rule is like the previous one:

/ip firewall filter add chain=forward protocol=icmp action=drop
  • 13. And the next rule, closing the telnet port to the router:

In this case we must set the chain to input, meaning all incoming packets whose destination is the router.

/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop

Now we want only 3 computers to have Internet access, so every packet that wants to pass through the router and originates from these 3 specific computers must be allowed through, and the remaining packets that want to pass through the router must be dropped. So the access rules must be written first, and then the rule denying the rest. In filtering, rule order is very important, because the router reads and acts on the rules in order from top to bottom.

/ip firewall filter add chain=forward src-address=172.16.0.2 action=accept
/ip firewall filter add chain=forward src-address=172.16.0.3 action=accept
/ip firewall filter add chain=forward src-address=172.16.0.4 action=accept
/ip firewall filter add chain=forward src-address=172.16.0.0/16 action=drop

With the above rules we have opened access for three IPs and restricted all other packets.

Now our configuration is complete. We have a router sitting between our internal and external networks; on our router one valid IP is NATed to a range of invalid IPs. On the router we protect our internal network and the router itself with packet filtering, and we are able to control clients' access to the Internet.

I hope what has been written proves useful.

For any questions you can contact shahin@admins.ir or ask your question right here.
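To make the top-to-bottom, first-match behaviour of the filter chains concrete, here is an added Python model of the forward and input rules built in this article (example code, not part of the article and not RouterOS itself); the Packet and Rule classes, the sample packets and the misordered() helper are constructed here for illustration, and the "no match means accept" default reflects the default: accept noted in the property table.

```python
"""Added example: walk a RouterOS-style filter chain top to bottom, first
terminal match wins, using the forward/input rules from the article."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Actions that do not end evaluation (the property table: passthrough
# "ignores this rule and goes on to the next one"; log only writes a message).
NON_TERMINAL = {"log", "passthrough"}


@dataclass
class Packet:                      # constructed, minimal view of a packet
    src: str
    dst: str
    protocol: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass
class Rule:                        # only the matchers the article uses
    chain: str
    action: str
    src_address: Optional[str] = None   # host or network, e.g. "172.16.0.0/16"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(chain: str, rules: List[Rule], pkt: Packet) -> str:
    """First matching terminal rule of `chain` decides; no match -> accept."""
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        if rule.action in NON_TERMINAL:
            continue
        return rule.action
    return "accept"


# The article's rules, in the order the article adds them.
ARTICLE_RULES = [
    Rule("forward", "drop", protocol="tcp", dst_port=135),
    Rule("forward", "drop", protocol="icmp"),
    Rule("input", "drop", protocol="tcp", dst_port=23),
    Rule("forward", "accept", src_address="172.16.0.2"),
    Rule("forward", "accept", src_address="172.16.0.3"),
    Rule("forward", "accept", src_address="172.16.0.4"),
    Rule("forward", "drop", src_address="172.16.0.0/16"),
]


def misordered(rules: List[Rule]) -> List[Rule]:
    """Same rules, but the catch-all /16 drop moved to the top of the chain."""
    catch_all = [r for r in rules if r.src_address == "172.16.0.0/16"]
    return catch_all + [r for r in rules if r.src_address != "172.16.0.0/16"]


# Constructed sample traffic: (chain, packet) pairs.
SAMPLES = {
    "allowed-web": ("forward", Packet("172.16.0.2", "4.2.2.1", "tcp", 80)),
    "unlisted-web": ("forward", Packet("172.16.0.9", "4.2.2.1", "tcp", 80)),
    "allowed-ping": ("forward", Packet("172.16.0.2", "4.2.2.1", "icmp")),
    "allowed-135": ("forward", Packet("172.16.0.3", "4.2.2.1", "tcp", 135)),
    "telnet-router": ("input", Packet("172.16.0.2", "172.16.0.1", "tcp", 23)),
}


def decisions(rules: List[Rule]) -> dict:
    return {name: evaluate(chain, rules, pkt) for name, (chain, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions(ARTICLE_RULES).items():
        print(f"{name:14s} -> {verdict}")
    print("allowed-web with misordered rules ->",
          decisions(misordered(ARTICLE_RULES))["allowed-web"])
```

Running it shows the three listed hosts passing only non-ICMP, non-135 traffic, every other 172.16.x.x host dropped by the final rule, and the same permitted host dropped as soon as the /16 drop is moved above the accept rules.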