ogin ke Ubuntu server dengan user “root” menggunakan putty. Lakukan Update dan install paket pendukung pada Ubuntu server: #sudo -i isikan password :
1 2
apt-get update apt-get install devscripts -y
Download Squid installer lalu lakukan configure dan install, disini saya menggunakan squid versi 3.5.12, anda bisa lihat Disini untuk versi yang lain.
1 2 3 4 5
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.12.tar.gz tar.gz tar zxvf squid-3.5.12.tar squid-3.5.12.tar.gz .gz cd squid-3.5.12 ./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib/ localstatedir=/var --libdir=/usr/lib --with-default-user=proxy --with-logdir=/var/log/s pidfile=/var/run/squid.pid sudo make && make install
Sampai disini langkah pertama selesai, jika saat Instalasi tidak terjadi error maka dipastikan squid anda sudah terinstall dengan benar. Untuk cek squid versi yang terinstall anda bisa melakukan perintah berikut pada putty:
1
squid -v -v
Langkah Ke Dua :
Masukan Script di bawah ini pada file “squid.conf” yang ada di directory “/etc/squid/squid.conf”, namun sebelum anda masukan terlebih dulu anda edit baris yang sudah saya kasih komentar . komentar . Copy script di bawah ini lalu pastekan ke dalam notepad++ terlebih dulu dan edit yang sudah saya kasih komentar, lalu buka file squid.conf yang ada di “/etc/squid/squid.conf” menggunakan “winscp” lalu hapus isinya kemudian masukan script yang ada di notepad++ , kemudian simpan. Warning!! jangan Warning!! jangan sampai salah ketika anda edit dan memasukan “squid.conf” salah sedikit dapat mengakibatkan mengakibatkan squid tidak bisa berjalan.
Setting Squid.conf # nano /etc/squid/squid.conf masukan scipt squid.cof : 1. 2. 3. 4. 5.
acl acl acl acl acl
localnet localnet localnet localnet localnet
src src src src src
10.0.0.0 /8 # RFC1918 possible internal network 172.16.0.0 /12 # RFC1918 possible internal network 1 192.168.1.0 92.168.1.0/ /24 # RFC1918 possible internal network fc00:: /7 # RFC 4193 local private network range fe80:: /10 # RFC 4291 link-local (directly plugged) machines
acl acl acl acl acl acl acl acl acl acl acl acl acl acl acl
SSL_ports port 443 Safe_ports port 80 # http Safe_ports port 21 # ftp Safe_ports port 443 # https Safe_ports port 70 # gopher Safe_ports port 210 # wais Safe_ports port 1025 1025-65535 # unregistered ports Safe_ports port 280 # http-mgmt Safe_ports port 488 # gss-http Safe_ports port 591 # filemaker Safe_ports port 777 # multiling http CONNECT method CONNECT ipblacklist dst "/etc/squid/ipblacklist/ip-blacklist.txt" noipblacklist dst "/etc/squid/noipblacklist/noip-blacklist.txt" situsblacklist url_regex -i "/etc/squid/situsblacklist/situs-blacklist.txt"
6.
7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19.
20. 21. 22. 23. 24. 25. 26. 27.
http_access http_access http_access deny situsblacklist situsblacklist http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localnet http_access allow localhost http_access deny all http_port 3128
28.
29. # BAGIAN YANG PERLU DI SESUAIKAN
allow deny
noipblacklist ipblacklist
30. # DISINI SAYA MENGGUNAKAN PARTISI /cache untuk cache_dir, jika nama partisi anda berbeda silahkan sesuaikan 31. # UNTUK UKURAN cache_dir sesuaikan juga, disini yang mencontohkan 100gb, 32. cache_mgr
Administrator
33. cache_dir aufs /cache 100000 100 256 34.
35. 36. 37. 38.
refresh_pattern refresh_pattern refresh_pattern refresh_pattern refresh_pattern
^ftp: 1440 20 20% % 10080 ^gopher: 1440 0% 1440 -i (/ (/cgi-bin cgi-bin/| /|\? \?) ) 0 0% 0 . 0 20 20% % 4320
39.
40. # END
Agar Squid Berjalan secara otomatis ketika komputer ubuntu-server di restart, maka kita butuh scrip untuk menjalankan proses tersebut. Pertama yang kita lakukan adalah membuat file bernama “squid” dan menyimpannyaa pada directory “/etc/init.d/”. menyimpanny “/etc/init.d/”. berikut car a membuatnya dan lakukan perintahnya dengan putty
1
touch /etc/init.d/squid
Sekarang buka file tersebut menggukan winscp yang ada di directory “/etc/init.d/squid” lalu copy script di bawah ini kemudian kemudian masukan scriptnya pada file tersebut. tersebut.
#! /bin/sh # # squid32012 Startup script for the SQUID HTTP proxy-cache. # # Version: @(#)squid3.rc 1.0 07-Jul-2006 luigi@debian.
[email protected] org # ### BEGIN INIT INFO # Provides: Squid 3.X # File-Locat File-Location: ion: /etc/init.d/squi /etc/init.d/squid3 d3 # Required-Sta Required-Start: rt: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog # Should-Start: $named # Should-Stop: $named # Default-Sta Default-Start: rt: 2 3 4 5 # Default-Stop Default-Stop:: 016 # Short-Description: Squid HTTP Proxy version 3.2.0.12 ### END INIT INFO NAME="By www.dokter-squid.com" www.dokter-squid.com" DESC="HTTP/HTTPS Proxy" DAEMON=/usr/sbin/squid PIDFILE=/var/run/$NAME.pid CONFIG=/etc/squid/squid.conf SQUID_ARGS="-YC -f $CONFIG" # RAMFS=/script RAMFS=/scripts/ramcache s/ramcache [ ! -f /etc/default/squid ] || . /etc/default /etc/default/squid /squid . /lib/lsb/init/lib/lsb/init-functions functions PATH=/bin:/usr/bin:/sbin:/usr/sbin [ -x $DAEMON ] || exit 0 ulimit -n 65535
find_cache_dir () { w=" " # space tab res=`sed -ne ' s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p; t end; d; :end q' < $CONFIG` [ -n "$res" ] || res=$2 echo "$res" } find_cache_type () { w=" " # space tab res=`sed -ne ' s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p; t end; d; :end q' < $CONFIG` [ -n "$res" ] || res=$2 echo "$res" } start () { # $RAMFS clean # $RAMFS mount # $RAMFS restore cache_dir=`find_cache_dir cache_dir /var/spool/squid/cache` cache_type=`find_cache_type cache_dir ufs` # # Create spool dirs if they don't exist. # if [ "$cache_type" = "coss" -a -d "$cache_dir" -a ! -f "$cache_dir/stripe" ] || [ "$cache_type" != "coss" -a d"$cache_dir" -a ! -d "$cache_dir/00" ] then log_warning_msg "Creating $DESC cache structure" $DAEMON -z fi umask 027 ulimit -n 65535
cd $cache_dir start-stop-daemon --quiet --start \ --pidfile $PIDFILE \ --exec $DAEMON -- $SQUID_ARGS < /dev/null return $? } stop () {
PID=`cat $PIDFILE 2>/dev/null` start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON # # Now we have to wait until squid has _really_ stopped. # sleep 2 if test -n "$PID" && kill -0 $PID 2>/dev/null then log_action_begin_msg " Waiting" cnt=0 while kill -0 $PID 2>/dev/null do cnt=`expr $cnt + 1` if [ $cnt -gt 24 ] then log_action_end_msg 1 return 1 fi sleep 5 log_action_cont_msg "" done log_action_end_msg 0 return 0 else return 0 fi } case "$1" in start) log_daemon_msg "Starting $DESC" "$NAME" if start ; then log_end_msg $? else log_end_msg $? fi ;; stop) log_daemon_msg "Stopping $DESC" "$NAME"
# # #
if stop ; then log_end_msg $? else log_end_msg $? fi $RAMFS dump $RAMFS umount $RAMFS clean ;; reload|force-reload)
log_action_msg "Reloading $DESC configuration files" start-stop-daemon --stop --signal 1 \ --pidfile $PIDFILE --quiet --exec $DAEMON log_action_end_msg 0 ;; restart) log_daemon_msg "Restarting $DESC" "$NAME" stop if start ; then log_end_msg $? else log_end_msg $? fi ;; *) echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart}" exit 3 ;; esac exit 0 # END Lakukan perintah di bawah ini menggunakan putty, bertujuan agar file “squid” yang tadi kita buat bisa di proses secara default:
1 2
chmod 755 /etc/init.d/squid update-rc.d squid defaults
Sampai disini untuk langkah yang kedua selesai, tinggal ke langkah berikutnya Langkah Ke Tiga : Beri Permision pada beberapa file :
1 2 3
chown -R proxy:proxy /var/log/squid
mkdir /cache chown-R proxy:proxy /cache
chmod 777 /cache
Membuat directory cache squid -z 1
langsung tekan [enter] jika saat bikin directory selesai, ciri-cirinya sudah tidak ada gerakan.
Sekarang kita restart ubuntu
1
jika ubuntu sudah running kembali, silahkan login kembali putty nya. Terakhir adalah mengecek, apakah squid sudah berjalan atau belum, caranya lakukan perintah berikut dengan putty.
1
reboot
squid -k check
2. squid -k reconfigure jika tidak ada info error atau “no running service” maka sudah di pastikan squid anda sudah berjalan dengan baik.
Selamat, sekarang anda sudah berhasil install squid3 dengan mudah. Sekarang kita test squid yang barusan kita install. karna proxy yang barusan kita buat belum bisa transparant, maka untuk meneruskan traffic http ke proxy kita harus setting manual di browser. caranya sangat mudah, saya contohkan pada browser firefox lihat gambar berikut:
Untuk melihat log lewat putty, caranya lakukan perintah berikut:
1
tail -f /var/log/squid/access.log | ccze
Contoh log nya:
Jika menggunakan mikrotik : Setting redirect ke proxy : /ip firewall nat add chain=dstnat comment="Redirect-Proxy" dst-port=80 protocol=tcp srcaddress=!192.168.1.89 action=redirect to-ports=3128 Setting bypass akses internet tanpa proxy : /ip firewall nat add chain=srcnat commet=bypass-proxy port=80 list=!boleh action=accept
protocol=tcp
src-address-
Membuat addresslist untuk bypass proxy :
ip firewall address-list add list=boleh
comment="Wifi KAM" address=192.168.1.4
ip firewall address-list add list=boleh
comment="Pak BS" address=192.168.1.7
ip firewall address-list add list=boleh
comment="Wifi MM" address=192.168.1.8
ip firewall address-list add list=boleh
comment="Wifi Meeting Direksi" address=192.168.1.9
ip firewall address-list add list=boleh ip firewall address-list add list=boleh
comment="Wifi Direksi" address=192.168.1.10 comment=Axell address=192.168.1.16
Umber : https://dokter-squid.com/install-squid3/ Posted by syahril safarosidi on 9:10 PM
Dengan Router Mikrotik di tambah Squid ProxyExternal seperti ubuntu,ClearOs,IpCop Dll…Performa akan menjadi mantab,apalagi menggunakan Squid Lusca…Cache semua pada di telan…Ok berikut ini saya post Cara Setting Hit,Queues Tree,Mangle Mikrotik + Squid Proxy External,Untuk Setting Squid nya nggak saya post karena…Ini Label Mikrotik,Untuk Setting squid lihat di label Squid,,,
Ip Addess MengarahMikrotik =192.168.0.5 Ke Modem (internet) Ip Address Mengarah Local =192.168.34.1 Ke Client Ip Address Mengarah Squid Proxy =192.168.35.1 Ke Squid Proxy Ip Address Squid Proxy
=192.168.35.2
Ip Squid Proxy External
Terobosan….:
1. 2. 3.
4. 5.
Total bandwidth dari Modem (internet) 4 MB Client Download dari Modem dilimit dengan queue tree,jika file datanya telah tersimpan di Squid Proxy maka otomatis tidak terlimit alias lepas Loss Untuk client yang download file seperti .flv .exe .rar .zip youtube dll…..dilimit 1 MB untuk semua file bagi rata,kecuali yang berbau bokep….bokep saya kasih 128 aja bagi rata…..nah…jika extention seperti .flv .exe .rar .zip youtube dll tersebut pernah di download…otomatis tersimpan di Squid proxy ..dan otomatis tidak terlimit extention tersebut…alias lepas loss…. Untuk ping ….ini perlu….bagi bagi client yang main poker,pointblank,atau game lainnya..saya gunakan queue tree juga…tapi tidak di limit… Untuk Upload…tidak perlu di limit…demi kenyamanan pemain game
Berikut langkahnya dari awal…dari Router Mikrotik belum berisi..alias kosong…: Kita mainkan di new terminal semua:
1. Set interface: /interface set 0 name=public \ ;/interface set 1 name=local \ ;/interface set 2 name=proxy
2. Set Ip address (Sesuaikan Ip address dgn jaringan anda): /ip address add address=192.168.0.5 \ netmask=255.255.255.0 \ interface=public \ ;/ip address add address=192.168.34.1 \ netmask=255.255.255.0 \ interface=local \ ;/ip address add address=192.168.35.1 \ netmask=255.255.255.0 \ interface=proxy
3. Set Gateway (Sesuaikan Gateway dengan gateway jaringan anda): /ip route add gateway=192.168.0.1
4. Set DNS (sesuaikan DNS sengan jaringan anda): A. Cara set DNS Untuk RB Os versi 4.XX kebawah: /ip dns set primary-dns=203.130.208.18 \ ;/ip dns set secondary-dns=203.130.193.74 \ allow-remote-requests=yes B. Cara set DNS untuk RB Os versi 4.XX keatas: /ip dns set servers=203.130.208.18,203.130.193.74 \ allow-remote-requests=yes
5. Set Ip Firewall Nat …..termasuk nat untuk redirect ke proxy…saya gunakan port 3128 pada squid saya (ip addressnya sesuaikan dengan jaringan anda): /ip firewall nat add chain=srcnat out-interface=public src-address=192.168.2.0/24 action=masquerade src-address-list="wirelessrouterprox y.blogspot.com client" comment="LOCAL NAT MASQUERADE" /ip firewall nat add chain=srcnat out-interface=public src-address=192.168.3.0/24 action=masquerade src-address-list="wirelessrouterproxy.blogspot.com proxy" comment="PROXY NAT MASQUERADE" /ip firewall nat add action=dst-nat chain=dstnat comment="REDIRECT KE PROXY" disabled=no dstport=80,8080,3128 in-interface=local protocol=tcp src-address=!192.168.3.0/24 toaddresses=192.168.3.2 to-ports=3128 /ip firewall nat add action=dst-nat \ chain=dstnat comment="TRANSPARENT DNS UDP LOCAL" \ disabled=no dst-port=53 in-interface=local \ protocol=udp to-ports=53 /ip firewall nat add action=dst-nat \ chain=dstnat disabled=no dst-port=53 in-interface=local \ protocol=tcp to-ports=53 comment="TRANSPARENT DNS TCP LOCAL" /ip firewall nat add action=dst-nat \ chain=dstnat disabled=no dst-port=53 in-interface=proxy \ protocol=udp to-ports=53 comment="TRANSPARENT DNS UDP PROXY" /ip firewall nat add action=dst-nat \ chain=dstnat disabled=no dst-port=53 in-interface=proxy \ protocol=tcp to-ports=53 comment="TRANSPARENT DNS TCP PROXY"
6. Selanjutnya Keamanan jaringan : /ip firewall filter add action=add-src-to-address-list \ address-list="PORT SCANNER1" \ address-list-timeout=2w chain=input \ comment="PORT SCANNER2 KE ADDRESS \ LIST " disabled=no protocol=tcp psd=21,3s,3,1 /ip firewall filter add action=add-src-to-address-list \
address-list="PORT SCANNER2" address-list-timeout=2w \ chain=input comment="NMAP FIN Stealth scan" disabled=no \ protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg /ip firewall filter add action=add-src-to-address-list \ address-list="PORT SCANNER3" address-list-timeout=2w \ chain=input comment="SYN/FIN scan" disabled=no \ protocol=tcp tcp-flags=fin,syn /ip firewall filter add action=add-src-to-address-list \ address-list="PORT SCANNER4" address-list-timeout=2w \ chain=input comment="SYN/RST scan" disabled=no \ protocol=tcp tcp-flags=syn,rst /ip firewall filter add action=add-src-to-address-list \ address-list="PORT SCANNER5" address-list-timeout=2w \ chain=input comment="FIN/PSH/URG scan" disabled=no \ protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack /ip firewall filter add action=add-src-to-address-list \ address-list="PORT SCANNER6" address-list-timeout=2w \ chain=input comment="ALL/ALL scan" disabled=no \ protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg /ip firewall filter add action=add-src-to-address-list \ address-list="PORT SCANNER7" address-list-timeout=2w \ chain=input comment="NMAP NULL scan" disabled=no \ protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg /ip firewall filter add action=drop chain=input \ comment="BLOK PORT SCANNER" disabled=no \ src-address-list="PORT SCANNER1" /ip firewall filter add action=accept chain=input \ comment="IZINKAN MENDIRIKAN KONEKSI" \ connection-state=established disabled=no /ip firewall filter add action=accept chain=input \ comment="IZINKAN KONEKSI TERKAIT" \ connection-state=related disabled=no /ip firewall filter add action=accept chain=input \ comment="IZINKAN PING LOCAL" \ disabled=no protocol=icmp \ src-address-list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall filter add action=accept chain=input \ comment="IZINKAN PING PROXY" disabled=no \ protocol=icmp src-address-list=\ "wirelessrouterproxy.blogspot.com proxy" /ip firewall filter add action=accept chain=input \ comment="IZINKAN INPUT DARI LOCAL" disabled=no \ src-address-list="wirelessrouterproxy.blogspot.com client"
/ip firewall filter add action=accept chain=input \ comment="IZINKAN INPUT DARI PROXY" disabled=no \ src-address-list="wirelessrouterproxy.blogspot.com proxy" /ip firewall filter add action=jump chain=forward \ comment="FILTER PAKET YANG JELEK" disabled=no \ jump-target=tcp protocol=tcp /ip firewall filter add action=jump \ chain=forward disabled=no jump-target=udp \ protocol=udp /ip firewall filter add action=jump \ chain=forward disabled=no jump-target=icmp protocol=icmp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK SMTP" disabled=no dst-port=25 \ protocol=tcp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK RPC2portmapper" disabled=no \ dst-port=135 protocol=tcp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK NBT" disabled=no dst-port=137-139 \ protocol=tcp /ip firewall filter add action=drop \ chain=tcp comment="TOLAK CIFS" disabled=no \ dst-port=445 protocol=tcp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK NFS" disabled=no dst-port=2049 \ protocol=tcp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK NETBUS" disabled=no dst-port=20034 \ protocol=tcp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK BackOriffice" disabled=no dst-port=\ 3133 protocol=tcp /ip firewall filter add action=drop chain=tcp \ comment="BLOK DHCP" disabled=no dst-port=67-68 \ protocol=tcp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK P2P" disabled=no p2p=all-p2p /ip firewall filter add action=drop chain=udp \ comment="TOLAK TFTP" disabled=no dst-port=69 \ protocol=udp /ip firewall filter add action=drop chain=udp \ comment="TOLAK PRC portmapper" disabled=no \ dst-port=111 protocol=udp
/ip firewall filter add action=drop chain=udp \ comment="TOLAK PRC portmapper" disabled=no \ dst-port=135 protocol=udp /ip firewall filter add action=drop chain=tcp \ comment="TOLAK NETBUS" disabled=no \ dst-port=12345-12346 protocol=tcp /ip firewall filter add action=drop chain=udp \ comment="BLOK NBT" disabled=no dst-port=137-139 \ protocol=udp /ip firewall filter add action=drop chain=udp \ comment="BLOK NFS" disabled=no dst-port=2049 \ protocol=udp /ip firewall filter add action=drop \ chain=udp comment="TOLAK BackOriffice" \ disabled=no dst-port=3133 protocol=udp /ip firewall filter add action=accept chain=icmp \ comment="limit packets 5/secs" disabled=no \ icmp-options=0:0-255 limit=5,5 protocol=icmp /ip firewall filter add action=accept chain=icmp \ comment="limit packets 5/secs" disabled=no \ icmp-options=3:0 protocol=icmp /ip firewall filter add action=accept \ chain=icmp comment="limit packets 5/secs" \ disabled=no icmp-options=3:3 limit=5,5 protocol=icmp /ip firewall filter add action=accept chain=icmp \ comment="limit packets 5/secs" disabled=no \ icmp-options=3:4 limit=5,5 protocol=icmp /ip firewall filter add action=accept chain=icmp \ comment="limit packets 5/secs" disabled=no \ icmp-options=8:0-255 limit=5,5 protocol=icmp /ip firewall filter add action=accept \ chain=icmp comment="limit packets 5/secs" \ disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp /ip firewall filter add action=accept chain=forward \ comment="Allow Established connections" \ connection-state=established disabled=no /ip firewall filter add action=accept chain=forward \ comment="Allow Forward from LOCAL Network" \ disabled=no src-address-list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall filter add action=accept chain=forward \ comment="Allow Forward from PROXY Network" \
disabled=no src-address-list=\ "wirelessrouterproxy.blogspot.com proxy"
7. Selanjutnya buat address list untuk client anda…tujuannya hanya ip address yang di buat ini yang bisa terkoneksi ke internet…jika client anda melebihi sebanayak yang terdaftar di bawah ini…silahkan di tambah..sesuai dgn jumlah client anda….(Sesuaikan ip addresnya dengan jaringan anda): /ip firewall address-list \ add address=192.168.35.2 \ comment="SQUID PROXY EXTERNAL" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com proxy" /ip firewall address-list \ add address=192.168.34.2 \ comment="CLIENT1" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.3 \ comment="CLIENT2" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.4 \ comment="CLIENT3" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.5 \ comment="CLIENT4" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.6 \ comment="CLIENT5" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.7 \ comment="CLIENT6" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.8 \
comment="CLIENT7" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.9 \ comment="CLIENT8" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.10 \ comment="CLIENT9" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.11 \ comment="CLIENT10" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client" /ip firewall address-list \ add address=192.168.34.12 \ comment="CLIENT11" \ disabled=no list=\ "wirelessrouterproxy.blogspot.com client"
8. Selanjutnya Firwall layer7,yang nanti nya untuk limit .exe .zip .rar dll: /ip firewall layer7-protocol add name=YOUTUBE regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0\ -9][\\x09-\\x0d -~]*(content-type: video)" /ip firewall layer7-protocol add name="EXE" \ regexp="\\.(exe)" /ip firewall layer7-protocol add name="RAR" \ regexp="\\.(rar)" /ip firewall layer7-protocol add name="7z" \ regexp="\\.(7z)" /ip firewall layer7-protocol add name="CAB" \ regexp="\\.(cab)" /ip firewall layer7-protocol add name="ASF" \ regexp="\\.(asf)" /ip firewall layer7-protocol add name="MOV" \ regexp="\\.(mov)" /ip firewall layer7-protocol add name="WMV" \ regexp="\\.(wmv)" /ip firewall layer7-protocol add name="MPG" \
regexp="\\.(mpg)" /ip firewall layer7-protocol add name="MPEG" \ regexp="\\.(mpeg)" /ip firewall layer7-protocol add name="MKV" \ regexp="\\.(mkv)" /ip firewall layer7-protocol add name="ZIP" \ regexp="\\.(zip)" /ip firewall layer7-protocol add name="AVI" \ regexp="\\.(avi)" /ip firewall layer7-protocol add name="FLV" \ regexp="\\.(flv)" /ip firewall layer7-protocol add name="WAV" \ regexp="\\.(wav)" /ip firewall layer7-protocol add name="RM" \ regexp="\\.(rm)" /ip firewall layer7-protocol add name="MP3" \ regexp="\\.(mp3)" /ip firewall layer7-protocol add name="MP4" \ regexp="\\.(mp4)" /ip firewall layer7-protocol add name="RAM" \ regexp="\\.(ram)" /ip firewall layer7-protocol add name="RMVB" \ regexp="\\.(rmvb)" /ip firewall layer7-protocol add name="DAT" \ regexp="\\.(dat)" /ip firewall layer7-protocol add name="DAA" \ regexp="\\.(daa)" /ip firewall layer7-protocol add name="ISO" \ regexp="\\.(iso)" /ip firewall layer7-protocol add name="NRG" \ regexp="\\.(nrg)" /ip firewall layer7-protocol add name="BIN" \ regexp="\\.(bin)" /ip firewall layer7-protocol add name="VCD" \ regexp="\\.(vcd)"
9. Selanjutanya Mangle…….
A. Mangle Suid Hit: /ip firewall mangle add action=mark-packet \ chain=forward comment="SQUID PROXY HIT" \ disabled=no dscp=12 \ new-packet-mark="PROXY HIT" passthrough=no Mangle Squid koneksi dan squid Paket: /ip firewall mangle add action=mark-connection \ chain=prerouting comment="BROWSING SQUID" disabled=no \ dst-address-list="!wirelessrouterproxy.blogspot.com client" \ dst-port=80,443 new-connection-mark="SQUID KONEKSI" \ passthrough=yes protocol=tcp \ src-address-list="wirelessrouterproxy.blogspot.com proxy" /ip firewall mangle add action=mark-packet \ chain=forward comment="SQUID PAKET" \ connection-mark="SQUID KONEKSI" disabled=no \ new-packet-mark="SQUID PAKET" passthrough=no
B. Mangle Semua koneksi masuk dan koneksi keluar: /ip firewall mangle add action=mark-connection \ chain=prerouting comment="TANDA SEMUA KONEKSI" disabled=no \ dst-address-list="!wirelessrouterproxy.blogspot.com client" \ in-interface=local new-connection-mark="SEMUA KONEKSI MASUK" \ passthrough=yes /ip firewall mangle add action=mark-connection \ chain=forward disabled=no \ new-connection-mark="SEMUA KONEKSI KELUAR" \ out-interface=local passthrough=yes \ src-address-list="!wirelessrouterproxy.blogspot.com client" \ comment="SEMUA KONEKSI KELUAR" /ip firewall mangle add chain=prerouting \ action=mark-packet new-packet-mark="SEMUA PAKET_MASUK"\ passthrough=yes connection-mark="SEMUA KONEKSI MASUK" \ comment="SEMUA PAKET MASUK" /ip firewall mangle add chain=forward \ action=mark-packet new-packet-mark="SEMUA PAKET KELUAR" \ passthrough=yes connection-mark="SEMUA KONEKSI KELUAR" comment="SEMUA PAKET KELUAR" C. Mangle Browsing koneksi yang koneksi dari semua koneksi masuk: /ip firewall mangle add action=mark-connection chain=prerouting \ comment="BROWSING CLIENT" \ connection-mark="SEMUA KONEKSI MASUK" disabled=no \ new-connection-mark="BROWSING KONEKSI" \ passthrough=yes protocol=tcp
D. Mangle Koneksi ICMP dengan dscp1: /ip firewall mangle add action=mark-connection \ chain=postrouting disabled=no dscp=1 \ new-connection-mark="ICMP KONEKSI" passthrough=yes \ comment="ICMP KOMEKSI" E. Mangle Game koneksi yang koneksi dari semua koneksi masuk: F. Mangle Pointblank,Poker,dan RF online,jika anda ingin memasukkan game lainnya silahkan cari port game tersebut: /ip firewall mangle add action=mark-connection \ chain=prerouting comment="POINT BLANK" \ connection-mark="SEMUA KONEKSI MASUK" \ disabled=no dst-port=40000-40010 \ new-connection-mark="GAME KONEKSI" \ passthrough=yes protocol=udp /ip firewall mangle add action=mark-connection \ chain=prerouting comment="POKER" \ connection-mark="SEMUA KONEKSI MASUK" \ disabled=no dst-port=9339,843 \ new-connection-mark="GAME KONEKSI" \ passthrough=yes protocol=tcp /ip firewall mangle add action=mark-connection \ chain=prerouting comment="RF ONLINE" \ connection-mark="SEMUA KONEKSI MASUK" disabled=no \ dst-port=10001,10002,10003,10004,10005,10006,10007 \ new-connection-mark="GAME KONEKSI" \ passthrough=yes protocol=udp G. Mangle ICMP PAKET: /ip firewall mangle add action=mark-packet \ chain=postrouting connection-mark="ICMP KONEKSI" \ disabled=no new-packet-mark="ICMP PAKET" passthrough=no \ comment="ICMP PAKET" H. Selanjutnya mangle Game Paket: /ip firewall mangle add action=mark-packet \ chain=forward comment="SEMUA GAME DIPAKETKAN" \ connection-mark="GAME KONEKSI" disabled=no \ new-packet-mark="GAME PAKET" passthrough=no I.
Selanjutnya Bowsing paket: /ip firewall mangle add action=mark-packet \ chain=forward comment="BROWSING PAKET" \ connection-bytes=0-131072 \ connection-mark="BROWSING KONEKSI" \ disabled=no new-packet-mark="BROWSING PAKET" \ passthrough=no protocol=tcp
J.
Change dscp ICMP dan Port 53:
/ip firewall mangle add action=change-dscp \ chain=postrouting comment="ICMP CHANGE DSCP" \ disabled=no new-dscp=1 protocol=icmp /ip firewall mangle add action=change-dscp \ chain=postrouting disabled=no dst-port=53 new-dscp=1 \ protocol=udp /ip firewall mangle add action=change-dscp \ chain=postrouting disabled=no dst-port=53 new-dscp=1 \ protocol=tcp K. Mangle Extention file seperti .zip .rar .flv .exe dll : /ip firewall mangle add action=mark-connection \ chain=forward comment="EXTENTION KONEKSI" \ disabled=no in-interface=local \ new-connection-mark="EXTENTION KONEKSI" \ passthrough=yes /ip firewall mangle add action=mark-packet \ chain=forward comment="YOUTUBE MARK" \ connection-mark="EXTENTION KONEKSI" disabled=no \ new-packet-mark="YOUTUBE" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="WMV MARK" \ connection-mark="EXTENTION KONEKSI" disabled=no \ new-packet-mark="WMV" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="EXE MARK" \ connection-mark="EXTENTION KONEKSI" disabled=no \ new-packet-mark="EXE" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="ZIP MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="ZIP" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="RAR MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="RAR" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="MPG MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="MPG" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="MPEG MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="MPEG" passthrough=no
/ip firewall mangle add action=mark-packet \ chain=forward comment="MP3 MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="MP3" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="MOV MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="MOV" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="ISO MARK" disabled=no \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="ISO" \ passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="MKV MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="MKV" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="FLV MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="FLV" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="AVI MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="AVI" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="CAB MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="CAB" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="ASF MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="ASF" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="WAV MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="WAV" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="RM MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="RM" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="RAM MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="RAM" passthrough=no
/ip firewall mangle add action=mark-packet \ chain=forward comment="RMVB MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="RMVB" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="DAT MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="DAT" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="DAA MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="DAA" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="NRG MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="NRG" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="BIN MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="BIN" passthrough=no /ip firewall mangle add action=mark-packet \ chain=forward comment="VCD MARK" \ connection-mark="EXTENTION KONEKSI" \ new-packet-mark="VCD" passthrough=no L. Mangle Paket client (sesuaikan Ip addressnya dengan ip address client jaringan anda): /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT1" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.2 \ new-packet-mark="CLIENT1" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT2" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.3 \ new-packet-mark="CLIENT2" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT3" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.4 \ new-packet-mark="CLIENT3" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT4" \ connection-mark="SEMUA KONEKSI KELUAR" \
disabled=no dst-address=192.168.34.5 \ new-packet-mark="CLIENT4" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT5" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.6 \ new-packet-mark="CLIENT5" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT6" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.7 \ new-packet-mark="CLIENT6" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT7" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.8 \ new-packet-mark="CLIENT7" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT8" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.9 \ new-packet-mark="CLIENT8" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT9" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.10 \ new-packet-mark="CLIENT9" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT10" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.11 \ new-packet-mark="CLIENT10" \ passthrough=no protocol=tcp /ip firewall mangle add action=mark-packet \ chain=forward comment="CLIENT11" \ connection-mark="SEMUA KONEKSI KELUAR" \ disabled=no dst-address=192.168.34.12 \ new-packet-mark="CLIENT11" \ passthrough=no protocol=tcp
10. Queue Tree
A. Queue tree ICMP prioritas ke 1: /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no \ limit-at=0 max-limit=0 name="ICMP PING" \ packet-mark="ICMP PAKET" parent=public priority=1 \ queue="default" B. Queue Squid Hit Prioritas ke 2: /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no \ limit-at=0 max-limit=0 name="SQUID HIT" \ packet-mark="PROXY HIT" parent=local priority=2 \ queue=default C. Queue Limit Extention prioritas ke 3 (jika anda ingin melimit yang berbeda silahkan ubah maxlimitnya): /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=1000000 \ name="LIMIT FILE EXTENTION" parent=global-out priority=3 /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=128000 \ name="AVI" packet-mark=AVI parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="EXE" packet-mark="EXE" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=128000 \ name="FLV" packet-mark="FLV" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="YOUTUBE" packet-mark="YOUTUBE" \ parent="LIMIT FILE EXTENTION" priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="ISO" packet-mark=iso parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \
disabled=no limit-at=0 max-limit=0 name="MP3" \ packet-mark="MP3" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 name="MP4" \ packet-mark="MP4" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=128000 \ name="MPEG" packet-mark="MPEG" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=128000 \ name="MPG" packet-mark="MPG" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="RAR" packet-mark="RAR" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=128000 \ name="WMV" packet-mark="WMV" \ parent="LIMIT FILE EXTENTION" priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="ZIP" packet-mark="ZIP" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="CAB" packet-mark="CAB" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="ASF" packet-mark="ASF" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="MOV" packet-mark="MOV" parent="LIMIT FILE EXTENTION" \
priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="MKV" packet-mark="MKV" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="WAV" packet-mark="WAV" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="RM" packet-mark="RM" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="RAM" packet-mark="RAM" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="RMVB" packet-mark="RMVB" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="DAT" packet-mark="DAT" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="DAA" packet-mark="DAA" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="NRG" packet-mark="NRG" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="BIN" packet-mark="BIN" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default
/queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="VCD" packet-mark="VCD" parent="LIMIT FILE EXTENTION" \ priority=3 queue=default D. Queue tree Semua Upload Prioritas ke 4 : /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="+++TOTAL UPLOAD+++" \ packet-mark="SEMUA PAKET MASUK" \ parent=public priority=4 queue=default E. Total download Prioritas ke 5 : /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="+++TOTAL DOWNLOAD+++" packet-mark="SEMUA PAKET KELUAR" \ parent=global-out priority=5 F.
Game download Prioritas ke 6 : /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="GAME DOWNLOAD" packet-mark="GAME PAKET" \ parent="+++TOTAL DOWNLOAD+++" priority=6 \ queue=default
G. Queue Browsing Paket Priority ke 7 /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s \ disabled=no limit-at=0 max-limit=0 \ name="BROWSING PAKET" packet-mark="BROWSING PAKET" \ parent="+++TOTAL DOWNLOAD+++" priority=7 queue=default Queue tree Total download client priority8 /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no \ limit-at=0 max-limit=0 name="+++TOTAL DOWNLOAD CLIENT+++" \ parent="+++TOTAL DOWNLOAD+++" priority=8 H. Queue tree client priority8 /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=0 name="CLIENT1" packet-mark="CLIENT1" \ parent="+++TOTAL DOWNLOAD CLIENT+++" priority=8 queue=default /queue tree add burst-limit=0 \ burst-threshold=0 burst-time=0s disabled=no limit-at=0 \