# Router section: interfaces, static ARP, DNS, addresses, mangle marks and NAT.
# LAN clients are 192.168.0.0/24 behind "Local"; "Public" is the 192.168.1.0/29
# link shared with the modem (.1) and the Linux proxy (.3).
# NOTE(review): both interfaces are set to arp=enabled, so the static /ip arp
# entries below do not stop the router from learning other MAC/IP pairs
# dynamically; pinning clients to the listed MACs needs arp=reply-only on
# Local (after confirming every client address has a static entry first).
Planning Internet Cafe With Speedy internet Connection Using PC LINUX and router Mikrotik Network Schema 192.168.1.2/29 Modem 4 Port ———-Mikrotik —Hub——-Client 192.168.0.0/24 192.168.1.1/29 192.168.0.254/24 Linux proxy 192.168.1.3/29 A. Router Mikrotik Configuration a. Interface / interface ethernet set Local name=”Local” mtu=1500 mac-address=00:50:DA:5F:AB:16 arp=enabled \ disable-running-check=yes auto-negotiation=yes full-duplex=yes \ cable-settings=default speed=100Mbps comment=”" disabled=no set Public name=”Public” mtu=1500 mac-address=00:A0:D2:11:C2:79 arp=enabled \ disable-running-check=yes auto-negotiation=yes full-duplex=yes \ cable-settings=default speed=100Mbps comment=”" disabled=no b. ARP / ip arp add address=192.168.0.7 mac-address=00:19:21:14:4A:E7 interface=Local \ comment=”" disabled=no add address=192.168.0.4 mac-address=00:E0:4D:2F:81:6E interface=Local \ comment=”" disabled=no add address=192.168.0.1 mac-address=00:1B:B9:57:79:75 interface=Local \ comment=”" disabled=no add address=192.168.0.6 mac-address=00:E0:4D:2F:4D:F3 interface=Local \ comment=”" disabled=no add address=192.168.0.11 mac-address=00:1B:B9:57:7E:31 interface=Local \ comment=”" disabled=no add address=192.168.0.2 mac-address=00:E0:4D:2F:81:6D interface=Local \ comment=”" disabled=no add address=192.168.0.5 mac-address=00:19:21:DD:90:F4 interface=Local \ comment=”" disabled=no add address=192.168.0.10 mac-address=00:1B:B9:95:EB:6D interface=Local \ comment=”" disabled=no
# DNS: the router forwards to the proxy's named (192.168.1.3) and to the ISP.
# allow-remote-requests=yes answers queries arriving on any interface,
# including Public; unless the modem already blocks it, add an input filter
# rule matching in-interface=Public and dst-port=53 so only the LAN can use
# the router's cache. Mangle below starts with ToS marks for ICMP and DNS.
add address=192.168.0.253 mac-address=00:1A:92:56:79:5E interface=Local \ comment=”" disabled=no add address=192.168.1.1 mac-address=00:18:6E:CA:4F:2E interface=Public \ comment=”" disabled=no add address=192.168.1.3 mac-address=00:1B:11:66:2A:69 interface=Public \ comment=”" disabled=no c. DNS ISP / ip dns set primary-dns=192.168.1.3 secondary-dns=202.134.0.155 \ allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w d. IP address / ip address add address=192.168.1.2/29 network=192.168.1.0 broadcast=192.168.1.7 \ interface=Public comment=”" disabled=no add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 \ interface=Local comment=”" disabled=no e. Mangle / ip firewall mangle add chain=prerouting src-address=192.168.0.0/24 protocol=icmp \ action=mark-connection new-connection-mark=ICMP-CM passthrough=yes \ comment=”ToS” disabled=no add chain=prerouting connection-mark=ICMP-CM action=mark-packet \ new-packet-mark=ICMP-PM passthrough=yes comment=”" disabled=no add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay \ comment=”" disabled=no add chain=prerouting src-address=192.168.0.0/24 protocol=tcp dst-port=53 \ action=mark-connection new-connection-mark=DNS-CM passthrough=yes \ comment=”" disabled=no add chain=prerouting src-address=192.168.0.0/24 protocol=udp dst-port=53 \ action=mark-connection new-connection-mark=DNS-CM passthrough=yes \ comment=”" disabled=no add chain=prerouting connection-mark=DNS-CM action=mark-packet \ new-packet-mark=DNS-PM passthrough=yes comment=”" disabled=no add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay \ comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \ new-connection-mark=http_conn passthrough=yes comment=”Services” \ disabled=no add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \ new-connection-mark=http_conn passthrough=yes comment=”" disabled=no add chain=prerouting protocol=tcp 
dst-port=8080 action=mark-connection \ new-connection-mark=http_conn passthrough=yes comment=”" disabled=no
# Service marks: each block marks the connection (passthrough=yes) and then
# marks the packet with passthrough=no, which ends prerouting processing for
# that packet. The "games" catch-all port ranges further down therefore only
# see connections no earlier rule claimed, and the final "Naik" upload mark is
# never applied to packets already marked here (http, ym, cs, irc, mt, email,
# ssh, games). Of all these marks only ICMP-PM, DNS-PM, Turun and Naik are
# referenced by the queue tree on this page.
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \ new-connection-mark=http_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=http_conn action=mark-packet \ new-packet-mark=http passthrough=no comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection \ new-connection-mark=ym_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=ym_conn action=mark-packet \ new-packet-mark=ym passthrough=no comment=”" disabled=no add chain=prerouting protocol=udp dst-port=27015 action=mark-connection \ new-connection-mark=cs_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=cs_conn action=mark-packet \ new-packet-mark=cs passthrough=no comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=6667-7000 action=mark-connection \ new-connection-mark=irc_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=irc_conn action=mark-packet \ new-packet-mark=irc passthrough=no comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection \ new-connection-mark=mt_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=mt_conn action=mark-packet \ new-packet-mark=mt passthrough=no comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=110 action=mark-connection \ new-connection-mark=email_conn passthrough=yes comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=25 action=mark-connection \ new-connection-mark=email_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=email_conn action=mark-packet \ new-packet-mark=email passthrough=no comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=22 action=mark-connection \ new-connection-mark=ssh_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=ssh_conn action=mark-packet \ new-packet-mark=ssh passthrough=no comment=”" 
disabled=no add chain=prerouting protocol=tcp dst-port=500-3127 action=mark-connection \ new-connection-mark=games_conn passthrough=yes comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=3129-6665 action=mark-connection \ new-connection-mark=games_conn passthrough=yes comment=”" disabled=no add chain=prerouting protocol=tcp dst-port=7001-65535 action=mark-connection \ new-connection-mark=games_conn passthrough=yes comment=”" disabled=no add chain=prerouting protocol=udp dst-port=500-3127 action=mark-connection \ new-connection-mark=games_conn passthrough=yes comment=”" disabled=no add chain=prerouting protocol=udp dst-port=3129-6665 action=mark-connection \ new-connection-mark=games_conn passthrough=yes comment=”" disabled=no add chain=prerouting protocol=udp dst-port=7001-65535 action=mark-connection \ new-connection-mark=games_conn passthrough=yes comment=”" disabled=no add chain=prerouting connection-mark=games_conn action=mark-packet \ new-packet-mark=games passthrough=no comment=”" disabled=no add chain=prerouting src-address=192.168.0.0/24 action=mark-packet \ new-packet-mark=Naik passthrough=no comment=”Up Traffic” disabled=no
# Download marks and NAT. "Turun" is set in forward for replies arriving on
# Public (which, with the proxy on the Public link, includes proxy replies);
# the output-chain "Down-Via Proxy" rule can only mark traffic the router
# itself originates towards the LAN, such as answers from its DNS cache.
# The dst-nat rules send client 80/3128/8080 traffic to the proxy at
# 192.168.1.3:8080 (except destinations in address-list servergames). Because
# the proxy sits on the Public interface, the srcnat masquerade rule also
# rewrites those packets to 192.168.1.2, so the proxy sees every client as the
# router: per-client accounting has to happen on the router, not in squid.
# The three disabled "Tanpa proxy Linux" rules are the fallback that redirects
# the same ports to the router itself on 8080 (presumably the RouterOS
# web-proxy, which is not configured on this page).
add chain=forward src-address=192.168.0.0/24 action=mark-connection \ new-connection-mark=Koneksi passthrough=yes comment=”Conn-Mark” \ disabled=no add chain=forward in-interface=Public connection-mark=Koneksi \ action=mark-packet new-packet-mark=Turun passthrough=no \ comment=”Down-Direct Connection” disabled=no add chain=output out-interface=Local dst-address=192.168.0.0/24 \ action=mark-packet new-packet-mark=Turun passthrough=no comment=”Down-Via \ Proxy” disabled=no f. ip nat / ip firewall nat add chain=srcnat out-interface=Public action=masquerade comment=”" disabled=no add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 \ dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \ to-ports=8080 comment=”Pakai Proxy Linux” disabled=no add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 \ dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \ to-ports=8080 comment=”" disabled=no add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \ dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 \ to-ports=8080 comment=”" disabled=no add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 \ action=redirect to-ports=8080 comment=”Tanpa proxy Linux” disabled=yes add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 \ action=redirect to-ports=8080 comment=”" disabled=yes add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \ action=redirect to-ports=8080 comment=”" disabled=yes g. 
# Firewall filter, first part. NOTE(review): this page concatenates several
# example rule sets. RouterOS walks each chain top to bottom and stops at the
# first terminating action, so the unconditional "Drop everything else" rule
# (seventh input rule below) ends the input chain for every packet the six
# rules above it did not accept. Every chain=input rule that follows it on
# this page — port knocking 1337/7331, psd and connection-limit protection,
# the ICMP and services jumps, the log rule, the source-address accepts, the
# port-scanner lists and the later input sets — is unreachable; the intent
# has to be merged into one ordered input chain.
# Before that drop, "Allow UDP" and "Allow ICMP" accept all UDP and ICMP from
# any interface, Public included; together with allow-remote-requests=yes in
# /ip dns this leaves the router's resolver answerable from the modem side
# unless the modem filters it. The match-less "Allow access to router from
# known network" rule would accept everything if it were ever reached; the
# knock "safe" list is populated but never used by an accept rule; no rules
# for a "services" chain appear on this page; psd is matched twice with
# different actions (drop, then add-src-to-address-list), so the second never
# fires even once the ordering is fixed.
filter / ip firewall filter add chain=input connection-state=invalid action=drop comment=”Drop invalid \ connections” disabled=no add chain=input connection-state=established action=accept comment=”Allow \ esatblished connections” disabled=no add chain=input connection-state=related action=accept comment=”Allow related \ connections” disabled=no add chain=input protocol=udp action=accept comment=”Allow UDP” disabled=no add chain=input protocol=icmp action=accept comment=”Allow ICMP” disabled=no add chain=input in-interface=!Public action=accept comment=”Allow connection \ to router from local network” disabled=no add chain=input action=drop comment=”Drop everything else” disabled=no add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \ address-list=knock address-list-timeout=15s comment=”" disabled=no add chain=input protocol=tcp dst-port=7331 src-address-list=knock \
action=add-src-to-address-list address-list=safe address-list-timeout=15m \ comment=”" disabled=no add chain=input connection-state=established action=accept comment=”accept \ established connection packets” disabled=no add chain=input connection-state=related action=accept comment=”accept related \ connection packets” disabled=no add chain=input connection-state=invalid action=drop comment=”drop invalid \ packets” disabled=no add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment=”detect and \ drop port scan connections” disabled=no add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \ action=tarpit comment=”suppress DoS attack” disabled=no add chain=input protocol=tcp connection-limit=10,32 \ action=add-src-to-address-list address-list=black_list \ address-list-timeout=1d comment=”detect DoS attack” disabled=no add chain=input protocol=icmp action=jump jump-target=ICMP comment=”jump to \ chain ICMP” disabled=no add chain=input action=jump jump-target=services comment=”jump to chain \ services” disabled=no add chain=input dst-address-type=broadcast action=accept comment=”Allow \ Broadcast Traffic” disabled=no add chain=input action=log log-prefix=”Filter:” comment=”" disabled=no add chain=input action=accept comment=”Allow access to router from known \ network” disabled=no add chain=input src-address=192.168.0.0/24 action=accept comment=”" \ disabled=no add chain=input src-address=192.168.5.0/29 action=accept comment=”" \ disabled=no add chain=input src-address=192.168.4.0/29 action=accept comment=”" \ disabled=no add chain=input src-address=63.219.6.0/24 action=accept comment=”" disabled=no add chain=input src-address=125.0.0.0/8 action=accept comment=”" disabled=no add chain=input action=drop comment=”drop everything else” disabled=no add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \ comment=”0:0 and limit for 5pac/s” disabled=no add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \ 
comment=”3:3 and limit for 5pac/s” disabled=no add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \ comment=”3:4 and limit for 5pac/s” disabled=no add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \ comment=”8:0 and limit for 5pac/s” disabled=no add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \ comment=”11:0 and limit for 5pac/s” disabled=no add chain=ICMP protocol=icmp action=drop comment=”Drop everything else” \ disabled=no add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list=”port scanners” address-list-timeout=2w comment=”Port \ scanners to list ” disabled=no add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \ action=add-src-to-address-list address-list=”port scanners” \ address-list-timeout=2w comment=”NMAP FIN Stealth scan” disabled=no add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \ address-list=”port scanners” address-list-timeout=2w comment=”SYN/FIN \ scan” disabled=no add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \ address-list=”port scanners” address-list-timeout=2w comment=”SYN/RST \ scan” disabled=no add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \ action=add-src-to-address-list address-list=”port scanners” \ address-list-timeout=2w comment=”FIN/PSH/URG scan” disabled=no add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \ action=add-src-to-address-list address-list=”port scanners” \ address-list-timeout=2w comment=”ALL/ALL scan” disabled=no add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \ action=add-src-to-address-list address-list=”port scanners” \ address-list-timeout=2w comment=”NMAP NULL scan” disabled=no add chain=input src-address-list=”port scanners” action=drop comment=”dropping \ port scanners” disabled=no add chain=forward connection-state=established action=accept comment=”allow \ established connections” disabled=no add chain=forward connection-state=related action=accept comment=”allow \ related connections” disabled=no add chain=forward connection-state=invalid action=drop comment=”drop invalid \ connections” disabled=no add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop \ Blaster Worm” disabled=no add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop \ Messenger Worm” disabled=no add chain=virus protocol=tcp dst-port=445 action=drop comment=”Drop Blaster \ Worm” disabled=no add chain=virus protocol=udp dst-port=445 action=drop 
comment=”Drop Blaster \ Worm” disabled=no add chain=virus protocol=tcp dst-port=593 action=drop comment=”________” \ disabled=no add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=”________” \ disabled=no add chain=virus protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom” \ disabled=no add chain=virus protocol=tcp dst-port=1214 action=drop comment=”________” \ disabled=no add chain=virus protocol=tcp dst-port=1363 action=drop comment=”ndm requester” \ disabled=no
# virus chain continued: dst-port=2745 is listed twice and the "________"
# comments above are placeholders. The chain is entered from forward only
# after the established/related accepts, so just new connections are checked.
add chain=virus protocol=tcp dst-port=1364 action=drop comment=”ndm server” \ disabled=no add chain=virus protocol=tcp dst-port=1368 action=drop comment=”screen cast” \ disabled=no add chain=virus protocol=tcp dst-port=1373 action=drop comment=”hromgrafx” \ disabled=no add chain=virus protocol=tcp dst-port=1377 action=drop comment=”cichlid” \ disabled=no add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=”Worm” \ disabled=no add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus” \ disabled=no add chain=virus protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y” \ disabled=no add chain=virus protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle” \ disabled=no add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Drop \ Beagle.C-K” disabled=no add chain=virus protocol=tcp dst-port=3127 action=drop comment=”Drop MyDoom” \ disabled=no add chain=virus protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor \ OptixPro” disabled=no add chain=virus protocol=tcp dst-port=4444 action=drop comment=”Worm” \ disabled=no add chain=virus protocol=udp dst-port=4444 action=drop comment=”Worm” \ disabled=no add chain=virus protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser” \ disabled=no add chain=virus protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B” \ disabled=no add chain=virus protocol=tcp dst-port=9898 action=drop comment=”Drop \ Dabber.A-B” disabled=no add chain=virus protocol=tcp dst-port=10000 action=drop comment=”Drop \ Dumaru.Y” disabled=no add chain=virus protocol=tcp dst-port=10080 action=drop comment=”Drop \ MyDoom.B” disabled=no add chain=virus protocol=tcp dst-port=12345 action=drop comment=”Drop NetBus” \ disabled=no add chain=virus protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2″ \ disabled=no add chain=virus protocol=tcp dst-port=27374 action=drop comment=”Drop \ SubSeven” disabled=no add chain=virus protocol=tcp dst-port=65506 action=drop comment=”Drop 
PhatBot, \ Agobot, Gaobot” disabled=no add chain=forward action=jump jump-target=virus comment=”jump to the virus \ chain” disabled=no
# Filter, second part: two more input sets, forward rules with tcp/udp/icmp
# sub-chains, then the servergames address list, queue types and queue tree.
# NOTE(review): every chain=input rule here sits behind the unconditional
# input drops that precede it on this page, so none of it matches today. The
# last input set would otherwise accept SSH (22) and winbox (8291) from any
# source and everything from 159.148.172.192/28 ("Mikrotikls network", a
# leftover from the vendor's wiki example); trim it before merging it into
# the live input chain, and keep management access to the LAN side only.
# In the forward chain the bogon drops (0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3)
# come after the established/related accepts, so they apply to new
# connections only. The chain=tcp rules commented "deny DHCP" (dst-port=67-68
# and the p2p=all-p2p rule) do not block DHCP, which is UDP; the chain=icmp
# comments ("drop invalid connections", "allow established connections") are
# copy-paste leftovers on rules that accept echo reply, destination
# unreachable and the other listed types; "PRC portmapper" means RPC.
# Queue tree: ICMP-PM and DNS-PM get priority 1 on global-in; Turun (download)
# is shaped per destination address with pcq-download (pcq-rate 384000) on
# Local, Naik (upload) per source address with pcq-upload (pcq-rate 64000)
# on global-in.
add chain=input connection-state=invalid action=drop comment=”Drop Invalid \ connections” disabled=no add chain=input connection-state=established action=accept comment=”Allow \ Established connections” disabled=no add chain=input protocol=udp action=accept comment=”Allow UDP” disabled=no add chain=input protocol=icmp action=accept comment=”Allow ICMP” disabled=no add chain=input action=drop comment=”Drop anything else” disabled=no add chain=forward protocol=tcp connection-state=invalid action=drop \ comment=”drop invalid connections” disabled=no add chain=forward connection-state=established action=accept comment=”allow \ already established connections” disabled=no add chain=forward connection-state=related action=accept comment=”allow \ related connections” disabled=no add chain=forward src-address=0.0.0.0/8 action=drop comment=”" disabled=no add chain=forward dst-address=0.0.0.0/8 action=drop comment=”" disabled=no add chain=forward src-address=127.0.0.0/8 action=drop comment=”" disabled=no add chain=forward dst-address=127.0.0.0/8 action=drop comment=”" disabled=no add chain=forward src-address=224.0.0.0/3 action=drop comment=”" disabled=no add chain=forward dst-address=224.0.0.0/3 action=drop comment=”" disabled=no add chain=forward protocol=tcp action=jump jump-target=tcp comment=”" \ disabled=no add chain=forward protocol=udp action=jump jump-target=udp comment=”" \ disabled=no add chain=forward protocol=icmp action=jump jump-target=icmp comment=”" \ disabled=no add chain=tcp protocol=tcp dst-port=69 action=drop comment=”deny TFTP” \ disabled=no add chain=tcp protocol=tcp dst-port=111 action=drop comment=”deny RPC \ portmapper” disabled=no add chain=tcp protocol=tcp dst-port=135 action=drop comment=”deny RPC \ portmapper” disabled=no add chain=tcp protocol=tcp dst-port=137-139 action=drop comment=”deny NBT” \ disabled=no add chain=tcp protocol=tcp dst-port=445 action=drop comment=”deny cifs” \ disabled=no add chain=tcp protocol=tcp dst-port=2049 action=drop 
comment=”deny NFS” \ disabled=no add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment=”deny \ NetBus” disabled=no add chain=tcp protocol=tcp dst-port=20034 action=drop comment=”deny NetBus” \ disabled=no add chain=tcp protocol=tcp dst-port=3133 action=drop comment=”deny \ BackOriffice” disabled=no add chain=tcp protocol=tcp dst-port=67-68 action=drop comment=”deny DHCP” \ disabled=no add chain=udp protocol=udp dst-port=69 action=drop comment=”deny TFTP” \
disabled=no add chain=udp protocol=udp dst-port=111 action=drop comment=”deny PRC \ portmapper” disabled=no add chain=udp protocol=udp dst-port=135 action=drop comment=”deny PRC \ portmapper” disabled=no add chain=udp protocol=udp dst-port=137-139 action=drop comment=”deny NBT” \ disabled=no add chain=udp protocol=udp dst-port=2049 action=drop comment=”deny NFS” \ disabled=no add chain=udp protocol=udp dst-port=3133 action=drop comment=”deny \ BackOriffice” disabled=no add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment=”drop \ invalid connections” disabled=no add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment=”allow \ established connections” disabled=no add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment=”allow \ already established connections” disabled=no add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment=”allow \ source quench” disabled=no add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment=”allow \ echo request” disabled=no add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment=”allow \ time exceed” disabled=no add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment=”allow \ parameter bad” disabled=no add chain=icmp action=drop comment=”deny all other types” disabled=no add chain=input connection-state=established action=accept comment=”Accept \ established connections” disabled=no add chain=input connection-state=related action=accept comment=”Accept related \ connections” disabled=no add chain=input connection-state=invalid action=drop comment=”Drop invalid \ connections” disabled=no add chain=input protocol=udp action=accept comment=”UDP” disabled=no add chain=input protocol=icmp limit=50/5s,2 action=accept comment=”Allow \ limited pings” disabled=no add chain=input protocol=icmp action=drop comment=”Drop excess pings” \ disabled=no add chain=input protocol=tcp dst-port=22 action=accept comment=”SSH for secure \ shell” disabled=no add chain=input 
protocol=tcp dst-port=8291 action=accept comment=”winbox” \ disabled=no add chain=input src-address=159.148.172.192/28 action=accept comment=”From \ Mikrotikls network” disabled=no add chain=input src-address=192.168.0.0/24 action=accept comment=”From our \ private LAN” disabled=no add chain=input action=log log-prefix=”DROP INPUT” comment=”Log everything \
else” disabled=no add chain=tcp protocol=tcp p2p=all-p2p action=drop comment=”deny DHCP” \ disabled=no add chain=tcp src-address=192.168.0.2 protocol=tcp dst-port=3133 p2p=all-p2p \ action=drop comment=”deny BackOriffice” disabled=no h. ip firewaal address list / ip firewall address-list add list=servergames address=202.93.20.201 comment=”" disabled=no i.queue type / queue type set default name=”default” kind=pfifo pfifo-limit=50 set ethernet-default name=”ethernet-default” kind=pfifo pfifo-limit=50 set wireless-default name=”wireless-default” kind=sfq sfq-perturb=5 \ sfq-allot=1514 set synchronous-default name=”synchronous-default” kind=red red-limit=60 \ red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000 set hotspot-default name=”hotspot-default” kind=sfq sfq-perturb=5 \ sfq-allot=1514 add name=”PFIFO-64″ kind=pfifo pfifo-limit=64 add name=”default-small” kind=pfifo pfifo-limit=10 add name=”pcq-download” kind=pcq pcq-rate=384000 pcq-limit=50 \ pcq-classifier=dst-address pcq-total-limit=2000 add name=”pcq-upload” kind=pcq pcq-rate=64000 pcq-limit=50 \ pcq-classifier=src-address pcq-total-limit=2000 j.queue tree / queue tree add name=”ICMP” parent=global-in packet-mark=ICMP-PM limit-at=8000 \ queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \ burst-time=0s disabled=no add name=”DNS” parent=global-in packet-mark=DNS-PM limit-at=8000 \ queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \ burst-time=0s disabled=no add name=”downstream” parent=Local packet-mark=Turun limit-at=0 \ queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \ burst-time=0s disabled=no add name=”upstream” parent=global-in packet-mark=Naik limit-at=0 \ queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \ burst-time=0s disabled=no k. 
# Simple queues: one parent "Fantasy.net" (max-limit 0/786000) with a child
# per client address at limit-at 0/16000 and max-limit 8000/48000 (client 05
# gets 60000 and the disabled "Server" entry 120000); clients 01 and 06 carry
# p2p=fasttrack and client 11 p2p=all-p2p. The Linux proxy part ("B.") starts
# inside the last physical line below.
# NOTE(review): ifcfg-eth0 gives the proxy NETMASK=255.255.255.0 and
# BROADCAST=192.168.1.255, while the router addresses the same link as
# 192.168.1.2/29 with broadcast 192.168.1.7 and the schema lists the proxy as
# 192.168.1.3/29 — use the same mask on modem, router and proxy.
# The proxy's routing table has no route to the client LAN 192.168.0.0/24 and
# its default points at the modem (192.168.1.1), so replies to dst-nat'd
# clients reach them only because the router masquerades that traffic; if
# the masquerade rule is ever removed, add a route for 192.168.0.0/24 via
# 192.168.1.2. named.conf shows only the forwarders; no allow-query or
# allow-recursion restriction is visible here — confirm the resolver cannot
# be reached from the modem side. The heading says "resolve.conf"; the file
# is /etc/resolv.conf.
queue simple / queue simple add name=”Fantasy.net” dst-address=0.0.0.0/0 interface=Local parent=none \ priority=1 queue=default/default limit-at=0/786000 max-limit=0/786000 \
total-queue=default disabled=no add name=”01″ target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default time=0s-0s, p2p=fasttrack \ disabled=no add name=”02″ target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default disabled=no add name=”03″ target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default disabled=no add name=”04″ target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default time=0s-0s, disabled=no add name=”06″ target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default p2p=fasttrack disabled=no add name=”05″ target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/60000 total-queue=default disabled=no add name=”07″ target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default disabled=no add name=”08″ target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default disabled=no add name=”09″ target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \ 
interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default disabled=no add name=”10″ target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 queue=default/default \ limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no add name=”11″ target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 \ interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/48000 total-queue=default p2p=all-p2p disabled=no add name=”Server” target-addresses=192.168.0.253/32 dst-address=0.0.0.0/0 \
interface=Local parent=Fantasy.net priority=8 \ queue=ethernet-default/ethernet-default limit-at=0/16000 \ max-limit=8000/120000 total-queue=default disabled=yes B. LINUX Proxy a. vi /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 BOOTPROTO=static BROADCAST=192.168.1.255 HWADDR=00:1B:11:66:2A:69 IPADDR=192.168.1.3 NETMASK=255.255.255.0 NETWORK=192.168.1.0 ONBOOT=yes TYPE=Ethernet b. Routing Proxy Ke Modem [root@proxies squid]# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0 default . 192.168.1.1 UG 0 0 0 eth0 c. named.conf tambahkan opsi fowarder di named.conf // query-source address * port 53; forwarders { 203.130.193.74; 202.134.0.155; 202.134.2.5; }; }; d. resolve.conf
# /etc/resolv.conf on the proxy, then squid.conf: listener on 8080, ICP off,
# cache sizing and replacement policies, refresh patterns, cache_dir, logging
# and the DNS server squid itself uses (the local named on 127.0.0.1).
# NOTE(review): as rendered on this page the alternation bars are missing
# from the grouped refresh_pattern regexes — "\.(swfpngjpgjpegbmptiffpnggif)"
# can only match that literal string, and the same holds for every other
# extension group below (and for the "block" acl later in the file); compare
# with the original file before reusing any of them. "reload-intoims" on the
# mov/mpg line should read "reload-into-ims", and "overridelastmod" on the
# windowsmedia, googlesyndication, friendster and mail.yahoo lines
# "override-lastmod". cache_log none and cache_store_log none leave only
# access.log for troubleshooting and incident review, and logfile_rotate 1
# keeps a single rotated copy; consider retaining cache.log and more
# rotations if the logs are relied on.
[root@proxies squid]# cat /etc/resolv.conf nameserver 192.168.1.1 nameserver 203.130.193.74 nameserver 202.134.0.155 nameserver 202.134.2.5 e. Squid.conf http_port 8080 #icp_port 3130 icp_query_timeout 0 maximum_icp_query_timeout 5000 mcast_icp_query_timeout 2000 dead_peer_timeout 10 seconds hierarchy_stoplist cgi-bin ? localhost acl QUERY urlpath_regex cgi-bin \? localhost ### Opsi Cache cache_mem 6 MB cache_swap_low 98 cache_swap_high 99 maximum_object_size 128 MB minimum_object_size 0 KB maximum_object_size_in_memory 32 KB ipcache_size 10240 ipcache_low 98 ipcache_high 99 fqdncache_size 256 cache_replacement_policy heap LFUDA memory_replacement_policy heap GDSF ### Opsi Tuning Squid refresh_pattern -i \.(swfpngjpgjpegbmptiffpnggif) 43200 90% 129600 reload-into-ims override-lastmod refresh_pattern -i \.(movmpgmpegflvavimp33gpsiswma) 43200 90% 129600 reload-intoims override-lastmod refresh_pattern -i \.(zipraracebzbz2targzexe) 43200 90% 129600 reload-into-ims override-lastmod refresh_pattern -i (.*html$.*htm.*shtml.*aspx.*asp) 43200 90% 1440 reload-into-ims override-lastmod refresh_pattern -i \.(classcssjsgifjpg)$ 10080 100% 43200 override-expire refresh_pattern -i \.(jpejpegpngbmptif)$ 10080 100% 43200 override-expire refresh_pattern -i \.(tiffmovaviqtmpeg)$ 10080 100% 43200 override-expire refresh_pattern -i \.(mpgmpewavaumid)$ 10080 100% 43200 override-expire refresh_pattern -i \.(zipgzarjlhalzh)$ 10080 100% 43200 override-expire
# Remaining refresh patterns; the commented-out "#refresh_pattern ." at the
# end of the next physical line continues on the line after it and must stay
# adjacent to it.
refresh_pattern -i \.(rartgztarexebin)$ 10080 100% 43200 override-expire refresh_pattern -i \.(hqxpdfrtfdocswf)$ 10080 100% 43200 override-expire refresh_pattern -i \.(inccabadtxtdll)$ 10080 100% 43200 override-expire refresh_pattern -i \.(aspacgiplshtmlphp3php)$ 2 20% 4320 reload-into-ims refresh_pattern ^http://*.google.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://*korea.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://*.akamai.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320 reload-into-ims overridelastmod refresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320 reload-into-ims overridelastmod refresh_pattern ^http://*.plasa.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://*.telkom.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://www.friendster.com/.* 720 100% 4320 reload-into-ims overridelastmod refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320 reload-into-ims overridelastmod refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://*.yimg.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://*.gmail.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^http://*.detik.*/.* 720 100% 4320 reload-into-ims override-lastmod refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire #refresh_pattern ^ftp: 1440 20% 10080 #refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 #refresh_pattern . 
180 95% 120960 reload-into-ims override-lastmod ### Direktori cache #cache_dir aufs /cache 20000 16 256 #cache_dir diskd /cache 7000 16 256 Q1=72 Q2=88 cache_dir aufs /cache 50000 16 256 ### Log cache_access_log /var/log/squid/access.log logfile_rotate 1 cache_log none cache_store_log none emulate_httpd_log off log_ip_on_direct on log_fqdn off log_icp_queries off ### DNS server dns_nameservers 127.0.0.1
# squid.conf continued: abort/TTL/timeout settings, ACLs and http_access,
# administrative settings, accelerator/transparent-proxy options, the
# download size limit, SNMP (commented out) and header rewriting, followed by
# the start of the extra iptables rules on the proxy (that list runs past the
# end of this page).
# NOTE(review): squid applies the first http_access line that matches, and
# "http_access allow client" is evaluated before every deny line, so for LAN
# clients the porn/noporn, Bad_ports/Virus/IpAddrProbe and file_terlarang
# denies never apply; move "http_access allow client" to just before
# "http_access deny all". ACLs listed on one http_access line must all match
# at once, so "deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL" needs one
# deny line per ACL. The cachemgr interface is granted with "allow manager
# IIX Safe_ports" instead of the usual pair "http_access allow manager
# localhost" / "http_access deny manager"; Safe_ports, connect and ssl are
# defined but no "http_access deny !Safe_ports" or CONNECT restriction uses
# them. "acl porn url_regex -i /usr/local/squid/etc/bokep.txt time ..."
# (and noporn) puts a file path and a time window on a url_regex line, where
# they are read as three more literal patterns; load the list with a quoted
# path and keep the time window in its own acl (tidakbebasdownload already
# exists for that). "acl client src 192.168.1.0/29" matches LAN traffic only
# because the router masquerades the dst-nat'd requests to 192.168.1.2, which
# also means access.log and the forwarded_for header carry the router's
# address rather than the client's. The "block" acl used by
# reply_body_max_size has the same missing-bar rendering problem as the
# refresh patterns, so as shown the download cap for "tidakbebasdownload"
# never triggers. httpd_accel_* are the Squid 2.5-era transparent directives.
# iptables: "–destination-port" is an en dash as rendered and must be
# "--destination-port" (or "--dport"); "-s 192.168.0.0/32" matches only the
# single address 192.168.0.0, so the LAN-specific rules add nothing beyond the
# 0/0 rules next to them (use /24 if the LAN was meant). The proxy does not
# route for the LAN, so the FORWARD rules are inert unless forwarding is
# enabled on it.
quick_abort_min 0 quick_abort_max 0 quick_abort_pct 98% negative_ttl 15 minute positive_dns_ttl 24 hours negative_dns_ttl 5 minutes range_offset_limit 0 KB ### Opsi Timeout connect_timeout 1 minute peer_connect_timeout 5 seconds read_timeout 30 minute request_timeout 1 minute #client_lifetime 10 hour half_closed_clients off pconn_timeout 15 second shutdown_lifetime 15 second ### Opsi ACL acl manager proto cache_object acl all src 0.0.0.0/0.0.0.0 acl client src 192.168.1.0/29 acl tidakbebasdownload time 08:00-22:00 acl porn url_regex -i /usr/local/squid/etc/bokep.txt time 08:00-22:00 acl noporn url_regex -i /usr/local/squid/etc/nobokep.txt time 08:00-22:00 acl file_terlarang url_regex -i hot_indonesia.exe acl file_terlarang url_regex -i hotsurprise_id.exe acl file_terlarang url_regex -i best-mp3-download.exe acl file_terlarang url_regex -i R32.exe acl file_terlarang url_regex -i rb32.exe acl file_terlarang url_regex -i mp3.exe acl file_terlarang url_regex -i HOTSEX.exe acl file_terlarang url_regex -i Browser_Plugin.exe acl file_terlarang url_regex -i DDialer.exe acl file_terlarang url_regex -i od-teen acl file_terlarang url_regex -i URLDownload.exe acl file_terlarang url_regex -i od-stnd67.exe acl file_terlarang url_regex -i Download_Plugin.exe acl file_terlarang url_regex -i od-teen52.exe acl file_terlarang url_regex -i malaysex acl file_terlarang url_regex -i edita.html acl file_terlarang url_regex -i info.exe acl file_terlarang url_regex -i run.exe acl file_terlarang url_regex -i Lovers2Go acl file_terlarang url_regex -i GlobalDialer acl file_terlarang url_regex -i WebDialer
acl file_terlarang url_regex -i britneynude acl file_terlarang url_regex -i download.exe acl file_terlarang url_regex -i backup.exe acl file_terlarang url_regex -i GnoOS2003 acl file_terlarang url_regex -i wintrim.exe acl file_terlarang url_regex -i MPREXE.EXE acl file_terlarang url_regex -i exengd.EXE acl file_terlarang url_regex -i xxxvideo.exe acl file_terlarang url_regex -i Save.exe acl file_terlarang url_regex -i ATLBROWSER.DLL acl file_terlarang url_regex -i NawaL_rm acl file_terlarang url_regex -i Socks32.dll acl file_terlarang url_regex -i Sc32Lnch.exe acl file_terlarang url_regex -i dat0.exe acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800 acl block url_regex -i \.(aiffasfavidifdivxmovmoviemp3mpe?g?mpv2oggra?msndqtwavwmfwmv)$ acl local-domain dstdomain localhost acl Bad_ports port 7 9 11 19 22 23 25 53 110 119 513 514 acl Safe_ports port 21 70 80 210 443 488 563 591 777 1025-65535 acl Virus urlpath_regex winnt/system32/cmd.exe? acl connect method CONNECT acl post method POST acl ssl method CONNECT acl purge method PURGE acl IpAddrProbeUA browser ^Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$ acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$ no_cache deny QUERY manager http_access allow manager IIX Safe_ports http_access allow client http_access deny porn !noporn http_access deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL http_access deny file_terlarang http_access deny all ### Paramater Administratif cache_mgr
[email protected] cache_effective_user squid cache_effective_group squid visible_hostname proxy.fantasy.war.net.id ### Opsi Akselerator memory_pools off forwarded_for on log_icp_queries off
icp_hit_stale on minimum_direct_hops 4 minimum_direct_rtt 400 store_avg_object_size 13 KB store_objects_per_bucket 20 client_db on netdb_low 9900 netdb_high 10000 netdb_ping_period 30 seconds query_icmp off pipeline_prefetch on reload_into_ims on pipeline_prefetch on vary_ignore_expire on max_open_disk_fds 100 nonhierarchical_direct on prefer_direct off ### Pendukung Transparan Proxy httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on ### Membatasi Besar File untuk download reply_body_max_size 3512000 allow client block tidakbebasdownload ### SNMP #snmp_port 3401 #acl snmppublic snmp_community public #snmp_access allow all header_access User-Agent deny all header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0) header_access Accept deny all header_replace Accept */* header_access Accept-Language deny all header_replace Accept-Language id, en f. firewall tambahan di proxy #05-12-05 /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 12 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 12 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 12 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 12 -j
REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 16 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 16 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 16 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 16 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 17 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 17 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 17 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 17 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 12:20 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 12:20 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 12:20 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 12:20 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 110 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 110 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 110 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 110 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 25 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 25 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 25 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 25 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 24 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 24 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 123 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 123 -j REJECT /sbin/iptables -I 
INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 123 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 123 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 24 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 24 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 24 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 24 -j REJECT /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 23 -j DROP /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 –destination-port 23 -j REJECT /sbin/iptables -N syn-flood /sbin/iptables -A INPUT -i input_interface -p tcp –syn -j syn-flood
/sbin/iptables -A syn-flood -m limit –limit 1/s –limit-burst 4 -j RETURN /sbin/iptables -A syn-flood -j DROP /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 199 -j DROP /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 –destination-port 199 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 199 -j REJECT /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 –destination-port 199 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 119 -j DROP /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 –destination-port 119 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 119 -j REJECT /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 –destination-port 119 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 111 -j DROP /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 –destination-port 111 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 111 -j REJECT /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 –destination-port 111 -j REJECT /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 –destination-port 411 -j DROP /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 –destination-port 411 -j DROP /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 67:68 -j REJECT /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 –destination-port 67:68 -j REJECT