Planning Internet Cafe With Speedy Internet Connection

Upload: achmad-muzaqi

Post on 30-May-2018


  • 8/14/2019 Planning Internet Cafe With Speedy Internet Connection

    1/19

    Planning Internet Cafe With Speedy Internet Connection
    Using PC LINUX and router Mikrotik

    Network schema

      Modem (4 port) 192.168.1.1/29
        |
      Mikrotik router: Public 192.168.1.2/29, Local 192.168.0.254/24
        |
      Hub -- Clients 192.168.0.0/24

      Linux proxy 192.168.1.3/29 (on the modem side, 192.168.1.0/29 segment)

    A. Router Mikrotik Configuration

    a. Interface

    / interface ethernet
    set Local name=Local mtu=1500 mac-address=00:50:DA:5F:AB:16 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
    set Public name=Public mtu=1500 mac-address=00:A0:D2:11:C2:79 arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no

    b. ARP

    The static entries below bind each client IP address to its MAC address. With arp=enabled on both interfaces (section a) the router still learns dynamic entries for any other host, so the binding is only enforced if the Local interface is switched to arp=reply-only, which makes the router answer ARP only for these static entries.

    / ip arp
    add address=192.168.0.7 mac-address=00:19:21:14:4A:E7 interface=Local comment="" disabled=no
    add address=192.168.0.4 mac-address=00:E0:4D:2F:81:6E interface=Local comment="" disabled=no
    add address=192.168.0.1 mac-address=00:1B:B9:57:79:75 interface=Local comment="" disabled=no
    add address=192.168.0.6 mac-address=00:E0:4D:2F:4D:F3 interface=Local comment="" disabled=no
    add address=192.168.0.11 mac-address=00:1B:B9:57:7E:31 interface=Local comment="" disabled=no
    add address=192.168.0.2 mac-address=00:E0:4D:2F:81:6D interface=Local comment="" disabled=no
    add address=192.168.0.5 mac-address=00:19:21:DD:90:F4 interface=Local comment="" disabled=no
    add address=192.168.0.10 mac-address=00:1B:B9:95:EB:6D interface=Local comment="" disabled=no
    add address=192.168.0.253 mac-address=00:1A:92:56:79:5E interface=Local comment="" disabled=no
    add address=192.168.1.1 mac-address=00:18:6E:CA:4F:2E interface=Public comment="" disabled=no
    add address=192.168.1.3 mac-address=00:1B:11:66:2A:69 interface=Public comment="" disabled=no

    c. DNS ISP

    / ip dns
    set primary-dns=192.168.1.3 secondary-dns=202.134.0.155 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

    d. IP address

    / ip address
    add address=192.168.1.2/29 network=192.168.1.0 broadcast=192.168.1.7 interface=Public comment="" disabled=no
    add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" disabled=no

    e. Mangle

    / ip firewall mangle
    add chain=prerouting src-address=192.168.0.0/24 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes comment="ToS" disabled=no
    add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes comment="" disabled=no
    add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay comment="" disabled=no
    add chain=prerouting src-address=192.168.0.0/24 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes comment="" disabled=no
    add chain=prerouting src-address=192.168.0.0/24 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes comment="" disabled=no
    add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="Services" disabled=no
    add chain=prerouting protocol=tcp dst-port=443 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=8080 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection new-connection-mark=http_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=5050-5061 action=mark-connection new-connection-mark=ym_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=ym_conn action=mark-packet new-packet-mark=ym passthrough=no comment="" disabled=no
    add chain=prerouting protocol=udp dst-port=27015 action=mark-connection new-connection-mark=cs_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=cs_conn action=mark-packet new-packet-mark=cs passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=6667-7000 action=mark-connection new-connection-mark=irc_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=irc_conn action=mark-packet new-packet-mark=irc passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=8291 action=mark-connection new-connection-mark=mt_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=mt_conn action=mark-packet new-packet-mark=mt passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=110 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=25 action=mark-connection new-connection-mark=email_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=email_conn action=mark-packet new-packet-mark=email passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=22 action=mark-connection new-connection-mark=ssh_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=ssh_conn action=mark-packet new-packet-mark=ssh passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=500-3127 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=3129-6665 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=7001-65535 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=udp dst-port=500-3127 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=udp dst-port=3129-6665 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=udp dst-port=7001-65535 action=mark-connection new-connection-mark=games_conn passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=games_conn action=mark-packet new-packet-mark=games passthrough=no comment="" disabled=no
    add chain=prerouting src-address=192.168.0.0/24 action=mark-packet new-packet-mark=Naik passthrough=no comment="Up Traffic" disabled=no
    add chain=forward src-address=192.168.0.0/24 action=mark-connection new-connection-mark=Koneksi passthrough=yes comment="Conn-Mark" disabled=no
    add chain=forward in-interface=Public connection-mark=Koneksi action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Direct Connection" disabled=no
    add chain=output out-interface=Local dst-address=192.168.0.0/24 action=mark-packet new-packet-mark=Turun passthrough=no comment="Down-Via Proxy" disabled=no

    f. IP NAT

    / ip firewall nat
    add chain=srcnat out-interface=Public action=masquerade comment="" disabled=no
    add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment="Pakai Proxy Linux" disabled=no
    add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment="" disabled=no
    add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 dst-address-list=!servergames action=dst-nat to-addresses=192.168.1.3 to-ports=8080 comment="" disabled=no
    add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="Tanpa proxy Linux" disabled=yes
    add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=3128 action=redirect to-ports=8080 comment="" disabled=yes
    add chain=dstnat src-address=192.168.0.0/24 protocol=tcp dst-port=8080 action=redirect to-ports=8080 comment="" disabled=yes

    g. filter

    / ip firewall filter
    add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
    add chain=input connection-state=established action=accept comment="Allow established connections" disabled=no
    add chain=input connection-state=related action=accept comment="Allow related connections" disabled=no
    add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
    add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
    add chain=input in-interface=!Public action=accept comment="Allow connection to router from local network" disabled=no
    add chain=input action=drop comment="Drop everything else" disabled=no
    add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s comment="" disabled=no
    add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m comment="" disabled=no
    add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
    add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
    add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
    add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
    add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
    add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
    add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
    add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
    add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no
    add chain=input action=log log-prefix="Filter:" comment="" disabled=no
    add chain=input action=accept comment="Allow access to router from known network" disabled=no
    add chain=input src-address=192.168.0.0/24 action=accept comment="" disabled=no
    add chain=input src-address=192.168.5.0/29 action=accept comment="" disabled=no
    add chain=input src-address=192.168.4.0/29 action=accept comment="" disabled=no
    add chain=input src-address=63.219.6.0/24 action=accept comment="" disabled=no
    add chain=input src-address=125.0.0.0/8 action=accept comment="" disabled=no
    add chain=input action=drop comment="drop everything else" disabled=no
    add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
    add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
    add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
    add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
    add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
    add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no
    add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
    add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
    add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
    add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
    add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
    add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
    add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
    add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
    add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
    add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
    add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
    add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
    add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
    add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
    add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
    add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
    add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
    add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
    add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
    add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
    add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
    add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
    add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
    add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
    add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
    add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
    add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
    add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
    add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
    add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
    add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
    add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
    add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
    add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
    add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
    add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
    add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
    add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
    add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
    add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
    add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
    add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
    add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
    add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
    add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
    add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
    add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
    add chain=input action=drop comment="Drop anything else" disabled=no
    add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
    add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
    add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
    add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
    add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
    add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
    add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
    add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
    add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
    add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
    add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
    add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
    add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
    add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
    add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
    add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
    add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
    add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
    add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
    add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
    add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
    add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
    add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
    add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
    add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
    add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply" disabled=no
    add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow net unreachable" disabled=no
    add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable" disabled=no
    add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
    add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
    add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded" disabled=no
    add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad" disabled=no
    add chain=icmp action=drop comment="deny all other types" disabled=no
    add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
    add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
    add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
    add chain=input protocol=udp action=accept comment="UDP" disabled=no
    add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
    add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
    add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for secure shell" disabled=no
    add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox" disabled=no
    add chain=input src-address=159.148.172.192/28 action=accept comment="From Mikrotikls network" disabled=no
    add chain=input src-address=192.168.0.0/24 action=accept comment="From our private LAN" disabled=no
    add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
    add chain=tcp protocol=tcp p2p=all-p2p action=drop comment="deny P2P" disabled=no
    add chain=tcp src-address=192.168.0.2 protocol=tcp dst-port=3133 p2p=all-p2p action=drop comment="deny BackOrifice" disabled=no
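RouterOS walks a chain top-down and stops at the first terminating action, so in the input chain above every rule placed after the first unconditional "Drop everything else" (the port-knock, port-scan, DoS, SSH, WinBox and logging rules among them) can never be reached, and the "services" chain one rule jumps to is not defined anywhere on the page. The following is an added example, not part of the document: a first-match evaluator over a subset of the page's input rules with simplified matchers, run on constructed packets, that also lists the rules shadowed by the unconditional drop.

```python
"""First-match walk of a simplified RouterOS 'input' chain.

Added example, not part of the original document. INPUT_CHAIN is a subset of
the page's '/ ip firewall filter' input rules, in the page's order, with the
page's own comments; matchers modelled are connection-state, protocol,
in-interface, src-address, src-address-list and dst-port (psd, limits and
address-list timeouts are left out). All packets are constructed.
"""
import ipaddress

# Actions that end evaluation of the chain for the current packet.
TERMINAL = {"accept", "drop", "tarpit", "reject"}

# (comment, matchers, action)
INPUT_CHAIN = [
    ("Drop invalid connections", {"connection-state": "invalid"}, "drop"),
    ("Allow established connections", {"connection-state": "established"}, "accept"),
    ("Allow related connections", {"connection-state": "related"}, "accept"),
    ("Allow UDP", {"protocol": "udp"}, "accept"),
    ("Allow ICMP", {"protocol": "icmp"}, "accept"),
    ("Allow connection to router from local network", {"in-interface": "!Public"}, "accept"),
    ("Drop everything else", {}, "drop"),
    # The page's knock rules carry no comment; named here for readability.
    ("knock step 1 (tcp/1337)", {"protocol": "tcp", "dst-port": "1337"}, "add-src-to-address-list"),
    ("knock step 2 (tcp/7331)", {"protocol": "tcp", "dst-port": "7331", "src-address-list": "knock"},
     "add-src-to-address-list"),
    ("SSH for secure shell", {"protocol": "tcp", "dst-port": "22"}, "accept"),
    ("winbox", {"protocol": "tcp", "dst-port": "8291"}, "accept"),
    ("From our private LAN", {"src-address": "192.168.0.0/24"}, "accept"),
    ("Log everything else", {}, "log"),
]


def _port_in(spec, port):
    """dst-port takes single ports and lo-hi ranges, comma separated."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(matchers, pkt):
    """True when every matcher holds for the packet; a leading '!' negates."""
    for key, spec in matchers.items():
        if key == "dst-port":
            ok = _port_in(spec, pkt["dst-port"])
        elif key == "src-address":
            ok = ipaddress.ip_address(pkt["src-address"]) in ipaddress.ip_network(spec)
        elif key == "src-address-list":
            ok = spec in pkt.get("address-lists", ())
        else:
            ok = (pkt.get(key) == spec.lstrip("!")) != spec.startswith("!")
        if not ok:
            return False
    return True


def first_match(chain, pkt):
    """(index, comment, action) of the first terminating rule that matches.
    log and add-src-to-address-list fire but let the packet continue."""
    for i, (comment, matchers, action) in enumerate(chain):
        if action in TERMINAL and rule_matches(matchers, pkt):
            return i, comment, action
    return None


def shadowed_rules(chain):
    """Comments of the rules placed after the first unconditional terminating
    rule; no packet can ever reach them."""
    for i, (_, matchers, action) in enumerate(chain):
        if not matchers and action in TERMINAL:
            return [c for c, _, _ in chain[i + 1:]]
    return []


# Constructed packets as the router's input chain would see them.
SAMPLE_PACKETS = {
    "winbox-from-internet": {"in-interface": "Public", "protocol": "tcp", "dst-port": 8291,
                             "src-address": "203.0.113.5", "connection-state": "new"},
    "knock-from-internet": {"in-interface": "Public", "protocol": "tcp", "dst-port": 1337,
                            "src-address": "203.0.113.5", "connection-state": "new"},
    "ssh-from-lan": {"in-interface": "Local", "protocol": "tcp", "dst-port": 22,
                     "src-address": "192.168.0.7", "connection-state": "new"},
    # 'Allow UDP' has no interface match, so together with allow-remote-requests=yes
    # in section c the router also answers DNS queries arriving on Public.
    "dns-from-internet": {"in-interface": "Public", "protocol": "udp", "dst-port": 53,
                          "src-address": "198.51.100.20", "connection-state": "new"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:22} -> {first_match(INPUT_CHAIN, pkt)}")
    print("unreachable:", shadowed_rules(INPUT_CHAIN))
```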

    h. IP firewall address list

    / ip firewall address-list
    add list=servergames address=202.93.20.201 comment="" disabled=no

    i. Queue type

    / queue type
    set default name=default kind=pfifo pfifo-limit=50
    set ethernet-default name=ethernet-default kind=pfifo pfifo-limit=50
    set wireless-default name=wireless-default kind=sfq sfq-perturb=5 sfq-allot=1514
    set synchronous-default name=synchronous-default kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
    set hotspot-default name=hotspot-default kind=sfq sfq-perturb=5 sfq-allot=1514
    add name=PFIFO-64 kind=pfifo pfifo-limit=64
    add name=default-small kind=pfifo pfifo-limit=10
    add name=pcq-download kind=pcq pcq-rate=384000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
    add name=pcq-upload kind=pcq pcq-rate=64000 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

    j. Queue tree

    / queue tree
    add name=ICMP parent=global-in packet-mark=ICMP-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
    add name=DNS parent=global-in packet-mark=DNS-PM limit-at=8000 queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
    add name=downstream parent=Local packet-mark=Turun limit-at=0 queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
    add name=upstream parent=global-in packet-mark=Naik limit-at=0 queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

    k. Queue simple

    / queue simple
    add name=Fantasy.net dst-address=0.0.0.0/0 interface=Local parent=none priority=1 queue=default/default limit-at=0/786000 max-limit=0/786000 total-queue=default disabled=no
    add name=01 target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default time=0s-0s, p2p=fasttrack disabled=no
    add name=02 target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
    add name=03 target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
    add name=04 target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default time=0s-0s, disabled=no
    add name=06 target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default p2p=fasttrack disabled=no
    add name=05 target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/60000 total-queue=default disabled=no
    add name=07 target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
    add name=08 target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
    add name=09 target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
    add name=10 target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=default/default limit-at=0/16000 max-limit=8000/48000 total-queue=default disabled=no
    add name=11 target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/48000 total-queue=default p2p=all-p2p disabled=no
    add name=Server target-addresses=192.168.0.253/32 dst-address=0.0.0.0/0 interface=Local parent=Fantasy.net priority=8 queue=ethernet-default/ethernet-default limit-at=0/16000 max-limit=8000/120000 total-queue=default disabled=yes

    B. LINUX Proxy

    a. vi /etc/sysconfig/network-scripts/ifcfg-eth0

    DEVICE=eth0
    BOOTPROTO=static
    BROADCAST=192.168.1.255
    HWADDR=00:1B:11:66:2A:69
    IPADDR=192.168.1.3
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    TYPE=Ethernet

    b. Routing from the proxy to the modem

    [root@proxies squid]# netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
    169.254.0.0     *               255.255.0.0     U         0 0          0 eth0
    default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

    c. named.conf

    Add the forwarders option to named.conf:

    options {
        // query-source address * port 53;
        forwarders {
            203.130.193.74;
            202.134.0.155;
            202.134.2.5;
        };
    };

    d. resolv.conf

    [root@proxies squid]# cat /etc/resolv.conf
    nameserver 192.168.1.1
    nameserver 203.130.193.74
    nameserver 202.134.0.155
    nameserver 202.134.2.5

    e. Squid.conf

    http_port 8080#icp_port 3130

    icp_query_timeout 0maximum_icp_query_timeout 5000mcast_icp_query_timeout 2000dead_peer_timeout 10 secondshierarchy_stoplist cgi-bin ? localhost

    acl QUERY urlpath_regex cgi-bin \? localhost

    ### Opsi Cachecache_mem 6 MBcache_swap_low 98cache_swap_high 99maximum_object_size 128 MBminimum_object_size 0 KBmaximum_object_size_in_memory 32 KBipcache_size 10240ipcache_low 98

    ipcache_high 99fqdncache_size 256cache_replacement_policy heap LFUDAmemory_replacement_policy heap GDSF

    ### Opsi Tuning Squidrefresh_pattern -i \.(swfpngjpgjpegbmptiffpnggif) 43200 90% 129600 reload-into-imsoverride-lastmodrefresh_pattern -i \.(movmpgmpegflvavimp33gpsiswma) 43200 90% 129600 reload-into-ims override-lastmodrefresh_pattern -i \.(zipraracebzbz2targzexe) 43200 90% 129600 reload-into-imsoverride-lastmodrefresh_pattern -i (.*html$.*htm.*shtml.*aspx.*asp) 43200 90% 1440 reload-into-imsoverride-lastmodrefresh_pattern -i \.(classcssjsgifjpg)$ 10080 100% 43200 override-expirerefresh_pattern -i \.(jpejpegpngbmptif)$ 10080 100% 43200 override-expirerefresh_pattern -i \.(tiffmovaviqtmpeg)$ 10080 100% 43200 override-expirerefresh_pattern -i \.(mpgmpewavaumid)$ 10080 100% 43200 override-expirerefresh_pattern -i \.(zipgzarjlhalzh)$ 10080 100% 43200 override-expire

  • 8/14/2019 Planning Internet Cafe With Speedy Internet Connection

    14/19

    refresh_pattern -i \.(rartgztarexebin)$ 10080 100% 43200 override-expirerefresh_pattern -i \.(hqxpdfrtfdocswf)$ 10080 100% 43200 override-expirerefresh_pattern -i \.(inccabadtxtdll)$ 10080 100% 43200 override-expirerefresh_pattern -i \.(aspacgiplshtmlphp3php)$ 2 20% 4320 reload-into-imsrefresh_pattern ^http://*.google.*/.* 720 100% 4320 reload-into-ims override-lastmod

    refresh_pattern ^http://*korea.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.akamai.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.windowsmedia.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.googlesyndication.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.plasa.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.telkom.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://www.friendster.com/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320 reload-into-ims override-

    lastmodrefresh_pattern ^http://*.yahoo.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.yimg.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.gmail.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^http://*.detik.*/.* 720 100% 4320 reload-into-ims override-lastmodrefresh_pattern ^gopher: 1440 0% 1440refresh_pattern ^ftp: 43200 90% 129600 reload-into-ims override-expire#refresh_pattern ^ftp: 1440 20% 10080#refresh_pattern ^gopher: 1440 0% 1440refresh_pattern . 0 20% 4320#refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod

    ### Direktori cache#cache_dir aufs /cache 20000 16 256#cache_dir diskd /cache 7000 16 256 Q1=72 Q2=88cache_dir aufs /cache 50000 16 256

    ### Logcache_access_log /var/log/squid/access.loglogfile_rotate 1cache_log nonecache_store_log noneemulate_httpd_log offlog_ip_on_direct onlog_fqdn offlog_icp_queries off

    ### DNS serverdns_nameservers 127.0.0.1

  • 8/14/2019 Planning Internet Cafe With Speedy Internet Connection

    15/19

    quick_abort_min 0quick_abort_max 0quick_abort_pct 98%negative_ttl 15 minutepositive_dns_ttl 24 hours

    negative_dns_ttl 5 minutesrange_offset_limit 0 KB

    ### Opsi Timeoutconnect_timeout 1 minutepeer_connect_timeout 5 secondsread_timeout 30 minuterequest_timeout 1 minute#client_lifetime 10 hourhalf_closed_clients offpconn_timeout 15 second

    shutdown_lifetime 15 second

    ### ACL options
    acl manager proto cache_object
    acl all src 0.0.0.0/0.0.0.0
    acl client src 192.168.1.0/29
    acl tidakbebasdownload time 08:00-22:00
    # A url_regex pattern file must be quoted, otherwise the path itself is taken as the regex.
    # url_regex takes no time clause (extra words become more patterns), so the
    # 08:00-22:00 window is applied through the tidakbebasdownload ACL in http_access below.
    acl porn url_regex -i "/usr/local/squid/etc/bokep.txt"
    acl noporn url_regex -i "/usr/local/squid/etc/nobokep.txt"
    acl file_terlarang url_regex -i hot_indonesia.exe
    acl file_terlarang url_regex -i hotsurprise_id.exe
    acl file_terlarang url_regex -i best-mp3-download.exe
    acl file_terlarang url_regex -i R32.exe
    acl file_terlarang url_regex -i rb32.exe
    acl file_terlarang url_regex -i mp3.exe
    acl file_terlarang url_regex -i HOTSEX.exe
    acl file_terlarang url_regex -i Browser_Plugin.exe
    acl file_terlarang url_regex -i DDialer.exe
    acl file_terlarang url_regex -i od-teen
    acl file_terlarang url_regex -i URLDownload.exe
    acl file_terlarang url_regex -i od-stnd67.exe
    acl file_terlarang url_regex -i Download_Plugin.exe
    acl file_terlarang url_regex -i od-teen52.exe
    acl file_terlarang url_regex -i malaysex
    acl file_terlarang url_regex -i edita.html
    acl file_terlarang url_regex -i info.exe
    acl file_terlarang url_regex -i run.exe
    acl file_terlarang url_regex -i Lovers2Go
    acl file_terlarang url_regex -i GlobalDialer
    acl file_terlarang url_regex -i WebDialer
    acl file_terlarang url_regex -i britneynude
    acl file_terlarang url_regex -i download.exe
    acl file_terlarang url_regex -i backup.exe
    acl file_terlarang url_regex -i GnoOS2003
    acl file_terlarang url_regex -i wintrim.exe
    acl file_terlarang url_regex -i MPREXE.EXE
    acl file_terlarang url_regex -i exengd.EXE
    acl file_terlarang url_regex -i xxxvideo.exe
    acl file_terlarang url_regex -i Save.exe
    acl file_terlarang url_regex -i ATLBROWSER.DLL
    acl file_terlarang url_regex -i NawaL_rm
    acl file_terlarang url_regex -i Socks32.dll
    acl file_terlarang url_regex -i Sc32Lnch.exe
    acl file_terlarang url_regex -i dat0.exe
    acl IIX dst_as 7713 4622 4795 7597 4787 4795 4800
    acl block url_regex -i \.(aiff|asf|avi|dif|divx|mov|movie|mp3|mpe?g?|mpv2|ogg|ra?m|snd|qt|wav|wmf|wmv)$
    acl local-domain dstdomain localhost
    acl Bad_ports port 7 9 11 19 22 23 25 53 110 119 513 514
    acl Safe_ports port 21 70 80 210 443 488 563 591 777 1025-65535
    acl Virus urlpath_regex winnt/system32/cmd.exe?
    acl connect method CONNECT
    acl post method POST
    acl ssl method CONNECT
    acl purge method PURGE
    acl IpAddrProbeUA browser Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$
    acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$
    no_cache deny QUERY manager

    # http_access is first-match: the deny lines must sit above "allow client",
    # otherwise every request from the client subnet is allowed before the
    # checks run. ACLs on one line are ANDed, so each deny gets its own line.
    http_access allow manager IIX Safe_ports
    http_access deny porn !noporn tidakbebasdownload
    http_access deny Bad_ports
    http_access deny Virus
    http_access deny IpAddrProbeUA
    http_access deny IpAddrProbeURL
    http_access deny file_terlarang
    http_access allow client
    http_access deny all
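Squid evaluates http_access top-down and stops at the first line whose ACLs all match. As an added example, not Squid code and not part of the page, the model below reduces a few of the ACLs above to Python predicates and compares the ordering that places "allow client" ahead of the deny lines with the ordering that puts the deny lines first. The porn and noporn pattern lists are constructed stand-ins for bokep.txt and nobokep.txt, the time ACL is reduced to whole hours, and only three of the file_terlarang patterns are carried over.

```python
"""Added example: a tiny model of Squid's http_access first-match evaluation.

Not Squid code and not part of the page's configuration. ACLs are reduced to
Python predicates over a request dict {"src", "url", "hour"}; PORN_PATTERNS
and NOPORN_PATTERNS are constructed stand-ins for bokep.txt / nobokep.txt.
"""
import ipaddress
import re

CLIENT_NET = ipaddress.ip_network("192.168.1.0/29")                      # acl client src
PORN_PATTERNS = [re.compile(p, re.I) for p in (r"bokep", r"xxx")]        # constructed
NOPORN_PATTERNS = [re.compile(p, re.I) for p in (r"xxxhealth\.test",)]   # constructed
FORBIDDEN = [re.compile(p, re.I) for p in (r"hot_indonesia\.exe", r"DDialer\.exe", r"run\.exe")]


def in_window(hour, start=8, end=22):
    """acl tidakbebasdownload time 08:00-22:00, reduced to whole hours."""
    return start <= hour < end


ACLS = {
    "all": lambda r: True,
    "client": lambda r: ipaddress.ip_address(r["src"]) in CLIENT_NET,
    "tidakbebasdownload": lambda r: in_window(r["hour"]),
    "porn": lambda r: any(p.search(r["url"]) for p in PORN_PATTERNS),
    "noporn": lambda r: any(p.search(r["url"]) for p in NOPORN_PATTERNS),
    "file_terlarang": lambda r: any(p.search(r["url"]) for p in FORBIDDEN),
}


def acl_matches(token, req):
    """A leading '!' negates the ACL, as in squid.conf."""
    negate = token.startswith("!")
    return ACLS[token.lstrip("!")](req) != negate


def http_access(rules, req):
    """The first rule whose ACLs ALL match decides. If no rule matches, Squid
    applies the opposite of the last rule's action."""
    for action, tokens in rules:
        if all(acl_matches(t, req) for t in tokens):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Broad "allow client" first: the deny lines below it are never reached for cafe clients.
ALLOW_FIRST = [
    ("allow", ["client"]),
    ("deny", ["porn", "!noporn", "tidakbebasdownload"]),
    ("deny", ["file_terlarang"]),
    ("deny", ["all"]),
]

# Deny lines first; "deny all" stays last as the fallthrough.
DENY_FIRST = [
    ("deny", ["porn", "!noporn", "tidakbebasdownload"]),
    ("deny", ["file_terlarang"]),
    ("allow", ["client"]),
    ("deny", ["all"]),
]


def compare(req):
    """Decision under both orderings for one request."""
    return {"allow_first": http_access(ALLOW_FIRST, req),
            "deny_first": http_access(DENY_FIRST, req)}


if __name__ == "__main__":
    sample = {"src": "192.168.1.2", "url": "http://example.test/xxx/clip.html", "hour": 12}
    print(compare(sample))   # {'allow_first': 'allow', 'deny_first': 'deny'}
```

The same first-match rule is why `deny Bad_ports Virus IpAddrProbeUA IpAddrProbeURL` on a single line only fires when all four ACLs match at once; one deny per line gives the OR the list is meant to express.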

    ### Administrative parameters
    cache_mgr [email protected]
    cache_effective_user squid
    cache_effective_group squid
    visible_hostname proxy.fantasy.war.net.id

    ### Accelerator options
    memory_pools off
    forwarded_for on
    log_icp_queries off

    icp_hit_stale on
    minimum_direct_hops 4
    minimum_direct_rtt 400
    store_avg_object_size 13 KB
    store_objects_per_bucket 20
    client_db on
    netdb_low 9900
    netdb_high 10000
    netdb_ping_period 30 seconds
    query_icmp off
    pipeline_prefetch on
    reload_into_ims on
    vary_ignore_expire on
    max_open_disk_fds 100
    nonhierarchical_direct on
    prefer_direct off

    ### Transparent proxy support
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    ### Limiting download file size
    reply_body_max_size 3512000 allow client block tidakbebasdownload

    ### SNMP
    #snmp_port 3401
    #acl snmppublic snmp_community public
    #snmp_access allow all

    header_access User-Agent deny all
    header_replace User-Agent Mozilla/5.0 (compatible; MSIE 6.0)
    header_access Accept deny all
    header_replace Accept */*
    header_access Accept-Language deny all
    header_replace Accept-Language id, en

    f. Additional firewall rules on the proxy

    #05-12-05
    # Note: -s 192.168.0.0/32 matches only the single address 192.168.0.0;
    # the client network in the schema is 192.168.0.0/24.
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 16 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 16 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 16 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 17 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 17 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 17 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 12:20 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 12:20 -j REJECT

    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 110 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 25 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 -j REJECT

    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 123 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 123 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 123 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 24 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 24 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 23 -j REJECT

    # Rate-limit new TCP connections (SYN) through a dedicated chain;
    # replace input_interface with the real interface name.
    /sbin/iptables -N syn-flood
    /sbin/iptables -A INPUT -i input_interface -p tcp --syn -j syn-flood
    /sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    /sbin/iptables -A syn-flood -j DROP

    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 199 -j DROP
    /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 199 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
    /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 199 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 119 -j DROP
    /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 119 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
    /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 119 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 111 -j DROP
    /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 111 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
    /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 111 -j REJECT
    /sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 411 -j DROP
    /sbin/iptables -I INPUT -p udp -s 0/0 -d 0/0 --destination-port 411 -j DROP
    /sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT
    /sbin/iptables -A FORWARD -p udp -s 0/0 -d 0/0 --destination-port 67:68 -j REJECT
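A ruleset of this size is easy to get subtly wrong: a source mask of /32 on a network address matches one host rather than the LAN, a rule pasted twice does nothing extra, and an option that lost its leading dashes is rejected by iptables. As an added example, not part of the page and not an iptables tool, the Python linter below parses rule lines written in the style of this script and reports those three problems. RULES is a constructed excerpt with the dashes restored on --destination-port, plus one line left in the stripped form to exercise the check; the LAN prefix is taken from the network schema.

```python
"""Added example (not from the page): a static lint pass over iptables rule
lines written in the style of the firewall script above. RULES is a constructed
excerpt; the LAN prefix 192.168.0.0/24 is the client network from the schema."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")

RULES = """\
/sbin/iptables -I INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 110 -j REJECT
/sbin/iptables -I INPUT -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 110 -j DROP
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/32 -d 0/0 --destination-port 24 -j REJECT
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 0/0 destination-port 25 -j REJECT
""".splitlines()

ANY = ("0/0", "0.0.0.0/0")


def parse_rule(line):
    """Pick out the options this script uses; anything unrecognised is kept as a bad token."""
    toks = line.split()[1:]          # drop the /sbin/iptables binary
    r = {"chain": None, "proto": None, "src": "0/0", "dport": None, "target": None, "bad": []}
    i = 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t in ("-A", "-I"):
            r["chain"] = nxt
            i += 2
        elif t == "-p":
            r["proto"] = nxt
            i += 2
        elif t == "-s":
            r["src"] = nxt
            i += 2
        elif t == "-d":
            i += 2                   # destination is always 0/0 in this script
        elif t in ("--destination-port", "--dport"):
            r["dport"] = nxt
            i += 2
        elif t == "-j":
            r["target"] = nxt
            i += 2
        else:
            r["bad"].append(t)
            i += 1
    return r


def lint(lines, lan=LAN):
    """Return (line number, message) findings: stripped option dashes, a
    single-address mask on the LAN's network address, and verbatim repeats."""
    findings, seen = [], set()
    for n, line in enumerate(lines, 1):
        r = parse_rule(line)
        if r["bad"]:
            findings.append((n, "unknown tokens (missing '--'?): " + " ".join(r["bad"])))
        if r["src"] not in ANY:
            net = ipaddress.ip_network(r["src"], strict=False)
            if net.num_addresses == 1 and net.network_address == lan.network_address:
                findings.append((n, f"-s {r['src']} matches only one address; the LAN is {lan}"))
        key = (r["chain"], r["proto"], r["src"], r["dport"], r["target"])
        if key in seen:
            findings.append((n, "duplicate of an earlier rule"))
        seen.add(key)
    return findings


if __name__ == "__main__":
    for n, msg in lint(RULES):
        print(f"line {n}: {msg}")
```

Feed it the whole script with `lint(open("firewall.sh").read().splitlines())` before loading the rules; the parser only knows the options this script uses, so any `-m` match or interface option will show up as unknown tokens and needs adding to parse_rule first.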