Original poster | Posted on 2007-12-16 21:51:07 | From Xing'an League, Inner Mongolia
I'm not sure this post belongs in this board... in any case it is security-related; if it doesn't, I hope the moderators will move it~~! [I rebuilt my software router this time... the old policies were gone... so I had to configure everything myself. To save everyone some effort, I've put together a summary of the policies I use; if anything is wrong, I hope the experts will correct me. My understanding of routers is limited to using them... heh, experts, please don't laugh!]
Anti-DDoS

```routeros
/ ip firewall filter
add chain=input protocol=icmp in-interface=ether1 action=drop comment="No DDOS"
```

Replace "ether1" with the name of your WAN interface; this note is not part of the command, so don't paste it in.
Block the common GrayBird (灰鸽子) trojan

```routeros
/ ip firewall filter
add chain=forward protocol=tcp dst-port=1999 action=drop comment="Backdoor.GrayBird.ad"
add chain=forward dst-address=80.190.240.125 action=drop
add chain=forward dst-address=203.209.245.168 action=drop
add chain=forward dst-address=210.192.122.106 action=drop
add chain=forward dst-address=218.30.88.43 action=drop
add chain=forward dst-address=219.238.233.110 action=drop
add chain=forward dst-address=222.186.8.88 action=drop
add chain=forward dst-address=124.42.125.37 action=drop
add chain=forward dst-address=210.192.122.107 action=drop
add chain=forward dst-address=61.147.118.198 action=drop
add chain=forward dst-address=219.238.233.11 action=drop
```

Block the "三波" (3B) worm
```routeros
/ ip firewall filter
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="No 3B"
```

Disable pinging the router
```routeros
/ ip firewall filter
add chain=output protocol=icmp action=drop comment="No Ping"
```

Block P2P downloads
```routeros
/ ip firewall filter
add chain=forward protocol=tcp dst-port=4661-4662 action=drop comment="No Emule"
add chain=forward protocol=tcp dst-port=4242 action=drop
add chain=forward dst-address=62.241.53.15 action=drop
```
Block BitSpirit downloads

```routeros
/ ip firewall filter
# the port value below appears garbled in the original post and is left as posted
add chain=forward protocol=tcp dst-port=16***81 action=drop comment="No BitSpirit"
```
Bind ARP entries in bulk

```routeros
# copy every dynamic ARP entry into a static one (RouterOS 2.9 script syntax)
:foreach szwm in=[/ip arp find dynamic=yes] do=[/ip arp add copy-from=$szwm]
```

Port mapping
```routeros
# placeholders: 外网IP = WAN IP, 外端口 = external port, 内网IP = LAN IP, 内端口 = internal port
/ ip firewall nat add chain=dstnat dst-address=(外网IP) protocol=tcp dst-port=外端口 to-addresses=(内网IP) to-ports=内端口 action=dst-nat
```

Block a domain name
```routeros
/ ip firewall filter
# placeholders: 域名 = the domain string to match in packet content, 备注 = your own remark
add chain=forward content=域名 action=reject comment="备注"
```

Dual-line (Telecom/Netcom) switching
```routeros
# placeholders: 电信网关 = China Telecom gateway, 网通网关 = China Netcom gateway
# the route with comment "tel" is the one moved between the two gateways
/ system script
# dxup: point the "tel" route back at the Telecom gateway and re-enable it
# (the property name is "disabled"; the post had "disable", which RouterOS rejects)
add name="dxup" source="/ip route set \[/ip route find comment=tel\] \
    gateway=电信网关;\n/ip route set \[/ip route find comment=tel\] \
    disabled=no;" policy=ftp,reboot,read,write,policy,test,winbox,password
# cncup: enable the route that uses the Netcom gateway
add name="cncup" source="/ip route enable \[/ip route find \
    gateway=网通网关\]" \
    policy=ftp,reboot,read,write,policy,test,winbox,password
# dxdown: Telecom line is down, move the "tel" route onto the Netcom gateway
add name="dxdown" source="/ip route set \[/ip route find comment=tel\] \
    gateway=网通网关" \
    policy=ftp,reboot,read,write,policy,test,winbox,password
# cncdown: Netcom line is down, disable the route that uses its gateway
add name="cncdown" source="/ip route disable \[/ip route find \
    gateway=网通网关\]" \
    policy=ftp,reboot,read,write,policy,test,winbox,password
```
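As an added example that is not part of the original post: the four scripts above only switch lines when someone runs them by hand, so here they are wired to RouterOS netwatch, which pings each gateway on a timer and runs the matching script when a line goes down or comes back. It assumes the script names and the 电信网关/网通网关 placeholders exactly as in the post.

```routeros
# Added example (not from the original post): automatic trigger for the
# dxup/dxdown/cncup/cncdown scripts defined above.
# Replace 电信网关 / 网通网关 with the real gateway addresses, as in the post.
/ tool netwatch
# Telecom gateway unreachable -> dxdown moves the "tel" route to Netcom;
# reachable again -> dxup moves it back and re-enables it
add host=电信网关 interval=30s timeout=1s comment="Telecom line" \
    up-script="/system script run dxup" \
    down-script="/system script run dxdown"
# Netcom gateway unreachable -> cncdown disables its route;
# reachable again -> cncup enables it
add host=网通网关 interval=30s timeout=1s comment="Netcom line" \
    up-script="/system script run cncup" \
    down-script="/system script run cncdown"
```

Pinging the gateway itself only proves the first hop is alive; to catch a failure further upstream, watch a host beyond the gateway and pin it to that line with a /32 static route via the same gateway.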
===================================
Those are the commonly used ones... I haven't written up the other basics...
I didn't write these scripts up very clearly... technicians who have the rights to modify ROS
should be able to follow them... heh... experts, please don't laugh~~~