Mencegah Port Scanner
# Port-scan detection. psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight:
# a source whose TCP probes reach weight 21 within 3 s is listed in "Port Scan" for
# 4w2d, and the two drop rules then discard everything it sends to or through the router.
# add-src-to-address-list does not terminate rule processing, so the listing rules can
# sit in front of the drops.
# NOTE(review): no source is exempted - a LAN host (or the admin workstation) that trips
# the detector is locked out for the whole timeout; consider exempting trusted addresses.
/ip firewall filter add chain=forward protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="Port Scan" address-list-timeout=4w2d comment="Mencegah port scanner"
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="Port Scan" address-list-timeout=4w2d
/ip firewall filter add chain=forward src-address-list="Port Scan" action=drop
/ip firewall filter add chain=input src-address-list="Port Scan" action=drop
Mencegah UDP Flood Attack
# DNS (UDP/53) handling in the raw table, i.e. before connection tracking.
# 1) Queries arriving on the WAN interface (pppoe-out1) are dropped outright, so the
#    router is not an open resolver even though "Allow Remote Requests" is enabled.
# 2) Queries from every other interface are accepted up to roughly 100 packets per
#    interval (burst 5) and dropped beyond that.
# NOTE(review): the limit is one global counter, not per client, so a single noisy
# LAN host throttles DNS for everyone behind this rule.
/ip firewall raw add chain=prerouting in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop comment="Mencegah UDP Flood Attack"
/ip firewall raw add chain=prerouting in-interface=!pppoe-out1 protocol=udp dst-port=53 limit=100,5:packet action=accept
/ip firewall raw add chain=prerouting in-interface=!pppoe-out1 protocol=udp dst-port=53 action=drop
Jangan lupa set Allow Remote Requests di IP > DNS
Mencegah TCP Syn Attack
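# SYN-flood / connection-flood protection.
# Input chain: once a single source holds 32 TCP connections to the router it is listed
# in blocked-addr for 1 day; listed sources holding more than 3 connections are
# tarpitted. connection-limit is count,netmask - the netmask is 32 (per host), the same
# grouping the tarpit rule uses. The original 32,1 grouped half of the Internet into one
# counter, so any 32 connections in total would have started blacklisting unrelated
# sources.
/ip firewall filter add chain=input protocol=tcp connection-limit=32,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit
# Forward chain: every new SYN is rate-limited in the SYN-Protect sub-chain.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=no
# Within the limit the packet RETURNS to the forward chain instead of being accepted:
# accept here would end forward-chain processing for every new TCP connection that is
# under the rate limit, bypassing any forward rule placed after the jump (for example
# a src-address-list drop). limit uses the explicit :packet mode, the same form as the
# DNS rule on this page.
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new limit=400,5:packet action=return comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
# SYN cookies for the router's own listening sockets.
/ip settings set tcp-syncookies=yes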
Mencegah ICMP Smurf Attack
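# Smurf protection: ICMP addressed to a broadcast destination is dropped in raw, before
# connection tracking, so the router neither answers nor relays it.
/ip firewall raw add chain=prerouting protocol=icmp dst-address-type=broadcast action=drop comment="Mencegah ICMP Smurf Attack"
# Block ping on the router's WAN interface. The rule's own comment says WAN, but the
# original matched in-interface=LAN-1, which would have silenced the router for LAN hosts
# while leaving the WAN side answering. This page uses pppoe-out1 as the WAN interface.
# NOTE(review): dropping every ICMP type also discards fragmentation-needed messages and
# can break path-MTU discovery; matching only echo-request (icmp-options=8:0) is narrower.
/ip firewall filter add chain=input in-interface=pppoe-out1 protocol=icmp action=drop comment="Block Ping dari interface WAN"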
Mencegah Brute Force
# Staged SSH brute-force lockout on the input chain (tcp/22).
# Every new connection moves the source one stage further (Stage 1 -> 2 -> 3, each entry
# held 1 minute); another attempt while in Stage 3 lands it in "Black List (SSH)" for
# 4w2d, and the first rule drops everything from that list. The stage rules are ordered
# highest stage first so one packet advances a source by a single stage.
# NOTE(review): nothing is exempted, so an admin who opens four SSH sessions within a
# minute is locked out as well; dst-port must match the SSH port set under /ip service.
/ip firewall filter add chain=input src-address-list="Black List (SSH)" action=drop comment="Drop anyone in Black List (SSH)"
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=jump jump-target="Black List (SSH) Chain" comment="Jump to Black List (SSH) Chain"
/ip firewall filter add chain="Black List (SSH) Chain" connection-state=new src-address-list="Black List (SSH) Stage 3" action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=4w2d comment="Transfer repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)"
/ip firewall filter add chain="Black List (SSH) Chain" connection-state=new src-address-list="Black List (SSH) Stage 2" action=add-src-to-address-list address-list="Black List (SSH) Stage 3" address-list-timeout=1m comment="Add Successive attempts to Black List (SSH) Stage 3"
/ip firewall filter add chain="Black List (SSH) Chain" connection-state=new src-address-list="Black List (SSH) Stage 1" action=add-src-to-address-list address-list="Black List (SSH) Stage 2" address-list-timeout=1m comment="Add Successive attempts to Black List (SSH) Stage 2"
/ip firewall filter add chain="Black List (SSH) Chain" connection-state=new action=add-src-to-address-list address-list="Black List (SSH) Stage 1" address-list-timeout=1m comment="Add initial attempt to Black List (SSH) Stage 1"
/ip firewall filter add chain="Black List (SSH) Chain" action=return comment="Return from Black List (SSH) chain"
Set Prioritas Bandwidth Untuk Zoom
# Zoom marking. Connections to the Zoom address list on the media ports (TCP and UDP) or
# on 80/443 (TCP) get connection-mark Zoom-Connection; the last rule turns that into the
# packet-mark Zoom-Packet that the Zoom simple queue matches. passthrough=yes on the
# connection marks lets the packet reach the packet-mark rule; passthrough=no there stops
# further mangle processing for it.
/ip firewall mangle add chain=prerouting protocol=tcp dst-address-list=Zoom dst-port=3478,3479,5090,5091,8801-8810 action=mark-connection new-connection-mark=Zoom-Connection passthrough=yes comment="Mark Zoom Application Connections"
/ip firewall mangle add chain=prerouting protocol=udp dst-address-list=Zoom dst-port=3478,3479,5090,5091,8801-8810 action=mark-connection new-connection-mark=Zoom-Connection passthrough=yes
/ip firewall mangle add chain=prerouting protocol=tcp dst-address-list=Zoom dst-port=80,443 action=mark-connection new-connection-mark=Zoom-Connection passthrough=yes comment="Mark Zoom Web App Connections"
/ip firewall mangle add chain=prerouting connection-mark=Zoom-Connection action=mark-packet new-packet-mark=Zoom-Packet passthrough=no comment="Mark All Zoom Packets"
# Simple queues for Zoom priority. Parent_Queue caps the 192.168.17.0/24 LAN at
# 300M/300M; Queue_Zoom (packets marked Zoom-Packet, priority 1) and Queue_Other
# (unmarked traffic) are its children.
# NOTE(review): target=192.168.17.0/24 is the example LAN - adjust it. The Microsoft
# Teams section of this page adds Parent_Queue and Queue_Other again under the same
# names; simple-queue names must be unique, so apply only one of the two definitions.
/queue simple add name=Parent_Queue target=192.168.17.0/24 max-limit=300M/300M comment="Internet Package (Upload Speed: 300 Mbps, Download Speed: 300 Mbps)"
/queue simple add name=Queue_Zoom parent=Parent_Queue target=192.168.17.0/24 max-limit=20M/20M priority=1/1 packet-marks=Zoom-Packet comment="Share Speed to Zoom (Upload Speed: 20Mbps, Download Speed: 20Mbps)"
/queue simple add name=Queue_Other parent=Parent_Queue target=192.168.17.0/24 max-limit=280M/280M packet-marks=no-mark comment="Share Speed For General Working (Upload Speed: 280 Mbps, Download Speed: 280Mbps)"
# Zoom destination prefixes used by the mangle rules (dst-address-list=Zoom).
# NOTE(review): presumably a snapshot of Zoom's published ranges at the time this page
# was written; refresh it from Zoom's current documentation, since stale entries simply
# stop matching and new ranges go unprioritised.
/ip firewall address-list add list=Zoom address=3.7.35.0/25
/ip firewall address-list add list=Zoom address=3.21.137.128/25
/ip firewall address-list add list=Zoom address=3.22.11.0/24
/ip firewall address-list add list=Zoom address=3.23.93.0/24
/ip firewall address-list add list=Zoom address=3.25.41.128/25
/ip firewall address-list add list=Zoom address=3.25.42.0/25
/ip firewall address-list add list=Zoom address=3.25.49.0/24
/ip firewall address-list add list=Zoom address=3.80.20.128/25
/ip firewall address-list add list=Zoom address=3.96.19.0/24
/ip firewall address-list add list=Zoom address=3.101.32.128/25
/ip firewall address-list add list=Zoom address=3.101.52.0/25
/ip firewall address-list add list=Zoom address=3.104.34.128/25
/ip firewall address-list add list=Zoom address=3.120.121.0/25
/ip firewall address-list add list=Zoom address=3.127.194.128/25
/ip firewall address-list add list=Zoom address=3.208.72.0/25
/ip firewall address-list add list=Zoom address=3.211.241.0/25
/ip firewall address-list add list=Zoom address=3.235.69.0/25
/ip firewall address-list add list=Zoom address=3.235.82.0/23
/ip firewall address-list add list=Zoom address=3.235.71.128/25
/ip firewall address-list add list=Zoom address=3.235.72.128/25
/ip firewall address-list add list=Zoom address=3.235.73.0/25
/ip firewall address-list add list=Zoom address=3.235.96.0/23
/ip firewall address-list add list=Zoom address=4.34.125.128/25
/ip firewall address-list add list=Zoom address=4.35.64.128/25
/ip firewall address-list add list=Zoom address=8.5.128.0/23
/ip firewall address-list add list=Zoom address=13.52.6.128/25
/ip firewall address-list add list=Zoom address=13.52.146.0/25
/ip firewall address-list add list=Zoom address=18.157.88.0/24
/ip firewall address-list add list=Zoom address=18.205.93.128/25
/ip firewall address-list add list=Zoom address=20.203.158.80/28
/ip firewall address-list add list=Zoom address=20.203.190.192/26
/ip firewall address-list add list=Zoom address=50.239.202.0/23
/ip firewall address-list add list=Zoom address=50.239.204.0/24
/ip firewall address-list add list=Zoom address=52.61.100.128/25
/ip firewall address-list add list=Zoom address=52.202.62.192/26
/ip firewall address-list add list=Zoom address=52.215.168.0/25
/ip firewall address-list add list=Zoom address=64.125.62.0/24
/ip firewall address-list add list=Zoom address=64.211.144.0/24
/ip firewall address-list add list=Zoom address=64.224.32.0/19
/ip firewall address-list add list=Zoom address=65.39.152.0/24
/ip firewall address-list add list=Zoom address=69.174.57.0/24
/ip firewall address-list add list=Zoom address=69.174.108.0/22
/ip firewall address-list add list=Zoom address=99.79.20.0/25
/ip firewall address-list add list=Zoom address=101.36.167.0/24
/ip firewall address-list add list=Zoom address=103.122.166.0/23
/ip firewall address-list add list=Zoom address=111.33.115.0/25
/ip firewall address-list add list=Zoom address=111.33.181.0/25
/ip firewall address-list add list=Zoom address=115.110.154.192/26
/ip firewall address-list add list=Zoom address=115.114.56.192/26
/ip firewall address-list add list=Zoom address=115.114.115.0/26
/ip firewall address-list add list=Zoom address=115.114.131.0/26
/ip firewall address-list add list=Zoom address=120.29.148.0/24
/ip firewall address-list add list=Zoom address=129.151.0.0/19
/ip firewall address-list add list=Zoom address=129.151.40.0/22
/ip firewall address-list add list=Zoom address=129.151.48.0/20
/ip firewall address-list add list=Zoom address=129.159.0.0/20
/ip firewall address-list add list=Zoom address=129.159.160.0/19
/ip firewall address-list add list=Zoom address=129.159.208.0/20
/ip firewall address-list add list=Zoom address=130.61.164.0/22
/ip firewall address-list add list=Zoom address=134.224.0.0/16
/ip firewall address-list add list=Zoom address=140.238.128.0/24
/ip firewall address-list add list=Zoom address=140.238.232.0/22
/ip firewall address-list add list=Zoom address=144.195.0.0/16
/ip firewall address-list add list=Zoom address=147.124.96.0/19
/ip firewall address-list add list=Zoom address=149.137.0.0/17
/ip firewall address-list add list=Zoom address=150.230.224.0/21
/ip firewall address-list add list=Zoom address=152.67.20.0/24
/ip firewall address-list add list=Zoom address=152.67.118.0/24
/ip firewall address-list add list=Zoom address=152.67.168.0/22
/ip firewall address-list add list=Zoom address=152.67.180.0/24
/ip firewall address-list add list=Zoom address=152.67.184.0/22
/ip firewall address-list add list=Zoom address=152.67.240.0/21
/ip firewall address-list add list=Zoom address=152.70.224.0/21
/ip firewall address-list add list=Zoom address=156.45.0.0/17
/ip firewall address-list add list=Zoom address=158.101.64.0/24
/ip firewall address-list add list=Zoom address=158.101.184.0/22
/ip firewall address-list add list=Zoom address=160.1.56.128/25
/ip firewall address-list add list=Zoom address=161.199.136.0/22
/ip firewall address-list add list=Zoom address=162.12.232.0/22
/ip firewall address-list add list=Zoom address=162.255.36.0/22
/ip firewall address-list add list=Zoom address=165.254.88.0/23
/ip firewall address-list add list=Zoom address=166.108.64.0/18
/ip firewall address-list add list=Zoom address=168.138.16.0/22
/ip firewall address-list add list=Zoom address=168.138.48.0/24
/ip firewall address-list add list=Zoom address=168.138.56.0/21
/ip firewall address-list add list=Zoom address=168.138.72.0/24
/ip firewall address-list add list=Zoom address=168.138.74.0/25
/ip firewall address-list add list=Zoom address=168.138.80.0/21
/ip firewall address-list add list=Zoom address=168.138.96.0/22
/ip firewall address-list add list=Zoom address=168.138.116.0/22
/ip firewall address-list add list=Zoom address=168.138.244.0/24
/ip firewall address-list add list=Zoom address=170.114.0.0/16
/ip firewall address-list add list=Zoom address=173.231.80.0/20
/ip firewall address-list add list=Zoom address=192.204.12.0/22
/ip firewall address-list add list=Zoom address=193.122.16.0/20
/ip firewall address-list add list=Zoom address=193.122.32.0/20
/ip firewall address-list add list=Zoom address=193.122.208.0/20
/ip firewall address-list add list=Zoom address=193.122.224.0/20
/ip firewall address-list add list=Zoom address=193.122.240.0/20
/ip firewall address-list add list=Zoom address=193.123.0.0/19
/ip firewall address-list add list=Zoom address=193.123.40.0/21
/ip firewall address-list add list=Zoom address=193.123.128.0/19
/ip firewall address-list add list=Zoom address=193.123.168.0/21
/ip firewall address-list add list=Zoom address=193.123.192.0/19
/ip firewall address-list add list=Zoom address=198.251.128.0/17
/ip firewall address-list add list=Zoom address=202.177.207.128/27
/ip firewall address-list add list=Zoom address=204.80.104.0/21
/ip firewall address-list add list=Zoom address=204.141.28.0/22
/ip firewall address-list add list=Zoom address=206.247.0.0/16
/ip firewall address-list add list=Zoom address=207.226.132.0/24
/ip firewall address-list add list=Zoom address=209.9.211.0/24
/ip firewall address-list add list=Zoom address=209.9.215.0/24
/ip firewall address-list add list=Zoom address=213.19.144.0/24
/ip firewall address-list add list=Zoom address=213.19.153.0/24
/ip firewall address-list add list=Zoom address=213.244.140.0/24
/ip firewall address-list add list=Zoom address=221.122.88.64/27
/ip firewall address-list add list=Zoom address=221.122.88.128/25
/ip firewall address-list add list=Zoom address=221.122.89.128/25
/ip firewall address-list add list=Zoom address=221.123.139.192/27
Set Prioritas Bandwidth Untuk Aplikasi Microsoft Teams
# Microsoft Teams marking, same shape as the Zoom rules: connections to the
# MicrosoftTeams address list on 3478-3481 (TCP and UDP) or 80/443 (TCP) get
# connection-mark MicrosoftTeams-Connection, and the final rule converts that into the
# packet-mark MicrosoftTeams-Packet used by the Teams simple queue.
/ip firewall mangle add chain=prerouting protocol=tcp dst-address-list=MicrosoftTeams dst-port=3478,3479,3480,3481 action=mark-connection new-connection-mark=MicrosoftTeams-Connection passthrough=yes comment="Mark MicrosoftTeams Application Connection"
/ip firewall mangle add chain=prerouting protocol=udp dst-address-list=MicrosoftTeams dst-port=3478,3479,3480,3481 action=mark-connection new-connection-mark=MicrosoftTeams-Connection passthrough=yes
/ip firewall mangle add chain=prerouting protocol=tcp dst-address-list=MicrosoftTeams dst-port=80,443 action=mark-connection new-connection-mark=MicrosoftTeams-Connection passthrough=yes comment="Mark MicrosoftTeams Web App Connections"
/ip firewall mangle add chain=prerouting connection-mark=MicrosoftTeams-Connection action=mark-packet new-packet-mark=MicrosoftTeams-Packet passthrough=no comment="Mark All MicrosoftTeams Packets"
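# Simple queues for Microsoft Teams priority. Parent_Queue and Queue_Other are the very
# same two queues the Zoom section of this page creates; simple-queue names must be
# unique, so each is only added when no queue of that name exists yet - the original
# unconditional add fails on a router that already has the Zoom queues.
# target=192.168.17.0/24 is the example LAN; adjust it to the real client network.
:if ([:len [/queue simple find name=Parent_Queue]] = 0) do={
    /queue simple add comment="Internet Package (Upload Speed: 300 Mbps, Download Speed: 300 Mbps)" max-limit=300M/300M name=Parent_Queue target=192.168.17.0/24
}
/queue simple add comment="Share Speed to MicrosoftTeams (Upload Speed: 20Mbps, Download Speed: 20Mbps)" max-limit=20M/20M name=Queue_MicrosoftTeams packet-marks=MicrosoftTeams-Packet parent=Parent_Queue priority=1/1 target=192.168.17.0/24
:if ([:len [/queue simple find name=Queue_Other]] = 0) do={
    /queue simple add comment="Share Speed For General Working (Upload Speed: 280 Mbps, Download Speed: 280Mbps)" max-limit=280M/280M name=Queue_Other packet-marks=no-mark parent=Parent_Queue target=192.168.17.0/24
}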
# Microsoft Teams destination prefixes used by the mangle rules
# (dst-address-list=MicrosoftTeams).
# NOTE(review): presumably a snapshot of Microsoft's published ranges; refresh it from
# the current documentation, as stale entries just stop matching.
/ip firewall address-list add list=MicrosoftTeams address=13.107.64.0/18
/ip firewall address-list add list=MicrosoftTeams address=52.112.0.0/14
/ip firewall address-list add list=MicrosoftTeams address=52.120.0.0/14
/ip firewall address-list add list=MicrosoftTeams address=52.238.119.141/32
/ip firewall address-list add list=MicrosoftTeams address=52.244.160.207/32
Bypass IP Lokal Agar Tidak Terlimit
# Add the local address lists to the router.
# The list name IP_LOKAL is kept, but note it holds more than the RFC 1918 private
# ranges: "this network", loopback, link-local, shared/CGNAT space, the documentation
# and benchmarking prefixes, multicast and the reserved class-E block are included too.
/ip firewall address-list add list=IP_LOKAL address=0.0.0.0/8
/ip firewall address-list add list=IP_LOKAL address=10.0.0.0/8
/ip firewall address-list add list=IP_LOKAL address=100.64.0.0/10
/ip firewall address-list add list=IP_LOKAL address=127.0.0.0/8
/ip firewall address-list add list=IP_LOKAL address=169.254.0.0/16
/ip firewall address-list add list=IP_LOKAL address=172.16.0.0/12
/ip firewall address-list add list=IP_LOKAL address=192.0.0.0/24
/ip firewall address-list add list=IP_LOKAL address=192.0.2.0/24
/ip firewall address-list add list=IP_LOKAL address=192.168.0.0/16
/ip firewall address-list add list=IP_LOKAL address=198.18.0.0/15
/ip firewall address-list add list=IP_LOKAL address=198.51.100.0/24
/ip firewall address-list add list=IP_LOKAL address=203.0.113.0/24
/ip firewall address-list add list=IP_LOKAL address=224.0.0.0/4
/ip firewall address-list add list=IP_LOKAL address=240.0.0.0/4
# Put these rules at the very top of the mangle table: traffic between two IP_LOKAL
# addresses is accepted in every mangle chain, so it never receives a connection or
# packet mark and is not steered into a marked queue.
# NOTE(review): accept in mangle only ends mangle processing for the packet; it does not
# skip the filter table, and a simple queue matching packet-marks=no-mark (as the
# Queue_Other definitions on this page do) will still see this unmarked traffic.
/ip firewall mangle add chain=prerouting src-address-list=IP_LOKAL dst-address-list=IP_LOKAL action=accept
/ip firewall mangle add chain=postrouting src-address-list=IP_LOKAL dst-address-list=IP_LOKAL action=accept
/ip firewall mangle add chain=forward src-address-list=IP_LOKAL dst-address-list=IP_LOKAL action=accept
/ip firewall mangle add chain=input src-address-list=IP_LOKAL dst-address-list=IP_LOKAL action=accept
/ip firewall mangle add chain=output src-address-list=IP_LOKAL dst-address-list=IP_LOKAL action=accept