SETTING UP SQUIDSTATS on Ubuntu Server or Debian
1. apt-get install librrds-perl libsnmp-session-perl snmpd rrdtool snmp apache2 -y
2. perl -MCPAN -e 'install Config::IniFiles'
3. wget http://jaringanwarnet.com/downloads/squidstats-r54.tar
4. tar -xvf squidstats-r54.tar
5. cd squidstats-r54
6. cp mib.txt /etc/squid/
7. cp snmpd.conf /etc/snmp/
8. add the following to squid.conf:
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic all
9. make && make install
10. snmpwalk -v 1 -c public localhost
11. squidstats.pl createdb
12. squidstats.pl gather
13. crontab -e (then paste the rule below)
*/5 * * * * /usr/local/bin/squidstats.pl gather >/dev/null
14. cp squidstats.conf /etc/apache2/conf.d
15. reboot
16. check the result at http://<proxy IP>/squidstats/graph-summary.cgi
To make it reachable from outside, add a rule like this:
/ip firewall nat
add action=dst-nat chain=dstnat comment=redir-squidtasq disabled=no \
dst-address=xxx.xxx.xxx.xxx dst-port=80 protocol=tcp to-addresses=192.168.77.2 to-ports=80
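The squid.conf fragment in step 8 uses the community string "public" and the source ACL "all", so any host that can reach the Squid SNMP port can read the counters. The following is an added example (not part of the post or of the SquidStats package): a small audit of squid.conf SNMP access lines that flags both problems, run against the fragment as posted and against a hardened variant. The hardened variant assumes SquidStats polls from the proxy host itself, so only 127.0.0.1 needs access; its community string is a placeholder.

```python
import shlex

# Constructed excerpt: the squid.conf fragment from step 8 above, verbatim.
SQUID_SNMP_AS_POSTED = """
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic all
"""

# Constructed hardened variant (assumption: the poller runs on the proxy host,
# so only 127.0.0.1 needs SNMP access). The community string is a placeholder.
SQUID_SNMP_HARDENED = """
snmp_port 3401
acl snmp_local src 127.0.0.1/32
acl snmpstats snmp_community REPLACE_WITH_LONG_RANDOM_STRING
snmp_access allow snmpstats snmp_local
snmp_access deny all
"""


def parse_squid_snmp(conf):
    """Pull snmp_port, acl definitions and snmp_access rules out of squid.conf text."""
    port, acls, rules = None, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "snmp_port" and len(parts) > 1:
            port = int(parts[1])
        elif parts[0] == "acl" and len(parts) >= 3:
            # acl <name> <type> <value...>; repeated acl lines extend the same name
            _acl_type, values = acls.setdefault(parts[1], (parts[2], []))
            values.extend(parts[3:])
        elif parts[0] == "snmp_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))  # (allow|deny, [acl names])
    return port, acls, rules


def audit_snmp_access(conf):
    """Return one finding per weakness in each snmp_access allow rule."""
    port, acls, rules = parse_squid_snmp(conf)
    findings = []
    for verb, names in rules:
        if verb != "allow":
            continue
        communities = [c for n in names if acls.get(n, ("",))[0] == "snmp_community"
                       for c in acls[n][1]]
        src_restricted = any(acls.get(n, ("",))[0] == "src" for n in names)
        if "public" in communities:
            findings.append(f"port {port}: allow rule {names} accepts the default community 'public'")
        if "all" in names or not src_restricted:
            findings.append(f"port {port}: allow rule {names} has no source-address restriction")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SQUID_SNMP_AS_POSTED), ("hardened", SQUID_SNMP_HARDENED)):
        print(label, "->", audit_snmp_access(conf) or ["no findings"])
```

Because Squid evaluates snmp_access rules first-match, the hardened variant only needs a single allow with a source ACL followed by `snmp_access deny all`; the audit treats an allow rule with no `src` ACL, or with the literal `all`, as unrestricted.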
Saturday, 28 September 2013
Bandwidth division in accordance with the contract of the ISP or NAP
Posted By: Rufaidah-network - 19:02
A simple but fierce setup.... just tweak it a little to raise the bandwidth. This config is for ISP-class connections where the bandwidth is divided up according to what each customer has contracted with the ISP itself.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=192.168.11.1
add action=masquerade chain=srcnat disabled=no src-address=192.168.11.10
add action=masquerade chain=srcnat disabled=no src-address=192.168.11.15
add action=masquerade chain=srcnat disabled=no src-address=192.168.11.20
add action=masquerade chain=srcnat disabled=no src-address=192.168.11.25
add action=masquerade chain=srcnat disabled=no src-address=192.168.11.30
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no dst-address=!192.168.77.0/24 new-connection-mark=client01-con passthrough=yes src-address=192.168.11.1
add action=mark-connection chain=prerouting disabled=no dst-address=!192.168.77.0/24 new-connection-mark=client02-con passthrough=yes src-address=192.168.11.10
add action=mark-connection chain=prerouting disabled=no dst-address=!192.168.77.0/24 new-connection-mark=client03-con passthrough=yes src-address=192.168.11.15
add action=mark-connection chain=prerouting disabled=no dst-address=!192.168.77.0/24 new-connection-mark=client04-con passthrough=yes src-address=192.168.11.20
add action=mark-connection chain=prerouting disabled=no dst-address=!192.168.77.0/24 new-connection-mark=client05-con passthrough=yes src-address=192.168.11.25
add action=mark-connection chain=prerouting disabled=no dst-address=!192.168.77.0/24 new-connection-mark=client06-con passthrough=yes src-address=192.168.11.30
add action=mark-packet chain=prerouting connection-mark=client01-con disabled=no new-packet-mark=client01 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=client02-con disabled=no new-packet-mark=client02 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=client03-con disabled=no new-packet-mark=client03 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=client04-con disabled=no new-packet-mark=client04 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=client05-con disabled=no new-packet-mark=client05 passthrough=yes
add action=mark-packet chain=prerouting connection-mark=client06-con disabled=no new-packet-mark=client06 passthrough=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.77.1 scope=30 target-scope=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=131072 max-limit=131072 name=client01-download packet-mark=client01 parent=local priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=65536 max-limit=65536 name=client01-upload packet-mark=client01 parent=wan priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=131072 max-limit=131072 name=client02-download packet-mark=client02 parent=local priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=65536 max-limit=65536 name=client02-upload packet-mark=client02 parent=wan priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=131072 max-limit=131072 name=client03-download packet-mark=client03 parent=local priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=65536 max-limit=65536 name=client03-upload packet-mark=client03 parent=wan priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=131072 max-limit=131072 name=client04-download packet-mark=client04 parent=local priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=65536 max-limit=65536 name=client04-upload packet-mark=client04 parent=wan priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=131072 max-limit=131072 name=client05-download packet-mark=client05 parent=local priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=65536 max-limit=65536 name=client05-upload packet-mark=client05 parent=wan priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=131072 max-limit=131072 name=client06-download packet-mark=client06 parent=local priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=65536 max-limit=65536 name=client06-upload packet-mark=client06 parent=wan priority=8 queue=default
LoadBalancing PCC 3 Line LPSE Wajo
Posted By: Rufaidah-network - 17:36
/ip address
add address=192.168.25.1/30 disabled=no interface=WAN1 network=192.168.25.0
add address=192.168.26.1/30 disabled=no interface=WAN2 network=192.168.26.0
add address=192.168.27.1/30 disabled=no interface=WAN3 network=192.168.27.0
add address=192.168.40.1/25 disabled=no interface=LAN network=192.168.40.0
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP1 routing-mark=to_LINE1 scope=30 \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP2 routing-mark=to_LINE2 scope=30 \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP3 routing-mark=to_LINE3 scope=30 \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP3 scope=30 target-scope=10
/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=WAN1 new-connection-mark=LINE1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 new-connection-mark=LINE2_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN3 new-connection-mark=LINE3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=LINE1_conn disabled=no new-routing-mark=to_LINE1 passthrough=yes
add action=mark-routing chain=output connection-mark=LINE2_conn disabled=no new-routing-mark=to_LINE2 passthrough=yes
add action=mark-routing chain=output connection-mark=LINE3_conn disabled=no new-routing-mark=to_LINE3 passthrough=yes
add action=accept chain=prerouting disabled=no dst-address=192.168.25.0/30 in-interface=LAN
add action=accept chain=prerouting disabled=no dst-address=192.168.26.0/30 in-interface=LAN
add action=accept chain=prerouting disabled=no dst-address=192.168.27.0/30 in-interface=LAN
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=\
LINE1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=\
LINE2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=\
LINE3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=LINE1_conn disabled=no in-interface=LAN new-routing-mark=to_LINE1 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LINE2_conn disabled=no in-interface=LAN new-routing-mark=to_LINE2 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LINE3_conn disabled=no in-interface=LAN new-routing-mark=to_LINE3 \
passthrough=yes
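The three prerouting mangle rules above split new LAN connections with per-connection-classifier=both-addresses-and-ports:3/0, 3/1 and 3/2, and the routing marks then pin each connection to ISP1, ISP2 or ISP3. The block below is an added example, not part of the post or of RouterOS: it models that classifier to show why every packet of one connection (and only the fields named in the mode) lands on the same line. RouterOS does not publish its hash function, so SHA-256 over the selected fields stands in for it here; the mark and gateway names are taken from the config above, and the sample flows are constructed.

```python
import hashlib

# Field subsets a per-connection-classifier can hash over (RouterOS mode names).
PCC_MODES = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}

# Connection mark, routing mark and gateway that the mangle and route rules
# above attach to each PCC remainder.
LINES = {
    0: ("LINE1_conn", "to_LINE1", "ISP1"),
    1: ("LINE2_conn", "to_LINE2", "ISP2"),
    2: ("LINE3_conn", "to_LINE3", "ISP3"),
}


def pcc_remainder(conn, mode="both-addresses-and-ports", denominator=3):
    """Bucket 0..denominator-1 for a connection. A mangle rule written as
    per-connection-classifier=<mode>:<denominator>/<remainder> matches exactly
    when this value equals <remainder>.
    Assumption: RouterOS's real hash is undocumented; SHA-256 over the selected
    fields stands in for it. Only determinism over those fields matters here."""
    key = "|".join(str(conn[f]) for f in PCC_MODES[mode]).encode()
    return int.from_bytes(hashlib.sha256(key).digest(), "big") % denominator


def classify(conn, mode="both-addresses-and-ports"):
    """(connection-mark, routing-mark, gateway) the rules would assign to conn."""
    return LINES[pcc_remainder(conn, mode)]


def distribute(conns, mode="both-addresses-and-ports"):
    """Group connections by the gateway they would leave through."""
    out = {gw: [] for _, _, gw in LINES.values()}
    for conn in conns:
        out[classify(conn, mode)[2]].append(conn)
    return out


# Constructed sample flows from the LAN 192.168.40.0/25 in the config above.
SAMPLE_FLOWS = [
    {"src": f"192.168.40.{10 + i}", "dst": "198.51.100.7", "sport": 40000 + i, "dport": 443}
    for i in range(12)
]

if __name__ == "__main__":
    for gateway, flows in distribute(SAMPLE_FLOWS).items():
        print(gateway, len(flows), "flows")
```

With the "both-addresses" mode, two connections between the same pair of hosts on different ports always hash to the same line; with "both-addresses-and-ports" they may be spread across lines, which balances better but means one client's sessions to one server can exit with different public addresses.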
LoadBalancing ECMP 3 Line
Posted By: Rufaidah-network - 17:30
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
add address=10.113.0.2/24 network=10.113.0.0 broadcast=10.113.0.255 interface=wlan3
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1,10.113.0.1 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
add chain=srcnat out-interface=wlan3 action=masquerade
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=input in-interface=wlan3 action=mark-connection new-connection-mark=wlan3_conn
# each connection mark gets the routing mark of the WAN it arrived on
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wla1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wla2
add chain=output connection-mark=wlan3_conn action=mark-routing new-routing-mark=to_wla3
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wla1
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wla2
add dst-address=0.0.0.0/0 gateway=10.113.0.1 routing-mark=to_wla3
LIMIT BANDWIDTH BY DAY AND NIGHT
Posted By: Rufaidah-network - 02:05
Here is how. Suppose we have the network 192.168.40.0/24 and want to limit it differently by day and by night.
Network 192.168.40.0/24
Bandwidth = 06:00am – 18:00pm – 1Mbps. <Max-Limit>
Bandwidth = 18:00pm – 06:00am – 2Mbps. <Max-Limit>
Create 2 Simple Queues for the same local network, with different bandwidth.
The one for daytime:
/queue simple
add name="Siang" target-addresses=192.168.40.0/24 dst-address=0.0.0.0/0 \
interface=lOCAL parent=none direction=both priority=8 \
queue=default-small/default-small limit-at=512k/512k \
max-limit=1M/1M total-queue=default-small
The one for night:
add name="Malam" target-addresses=192.168.40.0/24 dst-address=0.0.0.0/0 \
interface=lOCAL parent=none direction=both priority=8 \
queue=default-small/default-small limit-at=1M/1M \
max-limit=2M/2M total-queue=default-small
Then the scripts:
/system script
add name="Siang" source="/queue simple enable Siang; /queue simple disable Malam"
add name="Malam" source="/queue simple enable Malam; /queue simple disable Siang"
And the schedules:
/system scheduler
add name="Siang" on-event=Siang start-date=may/15/2008 start-time=06:00:00 interval=1d
add name="Malam" on-event=Malam start-date=may/15/2008 start-time=18:00:00 interval=1d
The scheduler named "Siang" runs the script named "Siang" starting 12 June 2013 at 06:00 with an interval of 1 day.
The scheduler named "Malam" runs the script named "Malam" starting 12 June 2013 at 18:00 (6 pm) with an interval of 1 day.
Simple and Powerful MikroTik Firewall
Posted By: Rufaidah-network - 01:27
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=drop chain=forward connection-state=invalid disabled=no protocol=tcp
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.1.0/24
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=reject chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=reject chain=forward content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=icmp comment="drop invalid connections" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="allow established connections" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow already established connections" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=input comment=";;;INPUT SELAIN IP NETWORK LAN, DROP" disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward comment=";;;CONTOH DROP AKSES FB PER IP KLIEN" content=youtube.com disabled=no src-address=192.168.1.12
add action=reject chain=forward comment="CONTOH DROP VIRUS DAN AKSES " content=.internetdownloadmanager.com disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=www.wieistmeineip.de disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=downloader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=.downloader disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=forward content=getmyip.org disabled=no
add action=drop chain=input comment="::::::::DROP PING ON PUBLIC :::::;" disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward comment="::::::::LIMIT PORT OUT IN ON PUBLIC INTERFACE:::::;" disabled=no dst-address=0.0.0.0/0 dst-port=!53,843,9339,5000-15000,2778,6005,2112,600-6005 out-interface=ether1 protocol=udp src-address=\
0.0.0.0/0
add action=drop chain=input comment="::::::::INPUT SELAIN PORT REMOTE IP PUBLIC, DROP:::::;" disabled=no dst-address=0.0.0.0/0 dst-port=!8291,22,10000 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
add action=jump chain=forward comment="Flood protect" connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect disabled=no protocol=tcp
add action=jump chain=input disabled=no jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
Once again, don't just copy and paste; study it properly first…
Every sysadmin or network admin has their own technique, so please understand it. This is only meant as learning material for all of us.... knowledge that is worthwhile is knowledge that can be of use to others.
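RouterOS filter rules are evaluated first-match within a chain, so the order of the input-chain rules above decides what the later, more specific rules can still see. The following is an added example, not code from the post or from MikroTik: a small evaluator that parses the input-chain rules exactly as listed (straight quotes, ether1 as the public interface and ether2 as the LAN, as in the post) and walks constructed packets through them. It shows that "Allow UDP" and "Allow ICMP" accept before the "DROP PING ON PUBLIC" and "INPUT SELAIN PORT REMOTE IP PUBLIC" rules are reached, so the ping drop never fires and only TCP is actually restricted on ether1. Matchers the toy does not model (content=, p2p=, icmp-options=, tcp-flags=, limit=) make a rule not match, which keeps the simulation conservative; the sample addresses are constructed.

```python
import ipaddress
import shlex

# Constructed excerpt: the input-chain rules of the filter above, in list order.
INPUT_RULES = r'''
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.1.0/24
add action=drop chain=input comment=";;;INPUT SELAIN IP NETWORK LAN, DROP" disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=input comment="::::::::DROP PING ON PUBLIC :::::;" disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=input comment="::::::::INPUT SELAIN PORT REMOTE IP PUBLIC, DROP:::::;" disabled=no dst-address=0.0.0.0/0 dst-port=!8291,22,10000 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
'''

# Keys that describe the rule itself rather than match the packet.
META_KEYS = {"action", "chain", "comment", "disabled", "jump-target", "reject-with", "log", "log-prefix"}


def parse_rules(text):
    """Turn RouterOS 'add key=value ...' lines into dicts, one per rule, in order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def _addr(spec, addr):
    """CIDR match with RouterOS '!' negation."""
    neg = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != neg


def _ports(spec, port):
    """Port list match ('80,443,5000-6000') with '!' negation; no port never matches."""
    if port is None:
        return False
    neg = spec.startswith("!")
    hit = False
    for part in spec.lstrip("!").split(","):
        lo, _, hi = part.partition("-")
        hit |= int(lo) <= port <= int(hi or lo)
    return hit != neg


MATCHERS = {
    "protocol":         lambda s, p: p["protocol"] == s,
    "src-address":      lambda s, p: _addr(s, p["src"]),
    "dst-address":      lambda s, p: _addr(s, p["dst"]),
    "in-interface":     lambda s, p: p.get("in_interface") == s,
    "out-interface":    lambda s, p: p.get("out_interface") == s,
    "dst-port":         lambda s, p: _ports(s, p.get("dst_port")),
    "connection-state": lambda s, p: p["state"] == s,
}


def matches(rule, pkt):
    if rule.get("disabled") == "yes":
        return False
    for key, spec in rule.items():
        if key in META_KEYS:
            continue
        if key not in MATCHERS:
            return False  # matcher not modelled here (content=, p2p=, ...): treat as no match
        if not MATCHERS[key](spec, pkt):
            return False
    return True


def evaluate(rules, chain, pkt):
    """First-match walk of one chain, following jumps. Returns (verdict, rule);
    (None, None) means the packet fell off the end, which RouterOS treats as accept."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict, hit = evaluate(rules, rule["jump-target"], pkt)
            if verdict is not None:
                return verdict, hit
            continue  # the target chain fell through: resume this chain
        if rule["action"] in ("accept", "drop", "reject"):
            return rule["action"], rule
    return None, None


def packet(protocol, src, dst, in_interface, dst_port=None, state="new"):
    """Minimal packet model: only the fields the matchers above look at."""
    return {"protocol": protocol, "src": src, "dst": dst,
            "in_interface": in_interface, "dst_port": dst_port, "state": state}


if __name__ == "__main__":
    rules = parse_rules(INPUT_RULES)
    # Constructed traffic arriving on the public interface ether1 for the router itself.
    for pkt in (packet("tcp", "203.0.113.5", "198.51.100.1", "ether1", 23),
                packet("tcp", "203.0.113.5", "198.51.100.1", "ether1", 8291),
                packet("udp", "203.0.113.5", "198.51.100.1", "ether1", 161),
                packet("icmp", "203.0.113.5", "198.51.100.1", "ether1")):
        verdict, hit = evaluate(rules, "input", pkt)
        print(pkt["protocol"], pkt["dst_port"], "->", verdict or "fall-through (accept)",
              "|", hit.get("comment", "(no comment)") if hit else "")
```

Moving the interface-specific drops (or a final `add action=drop chain=input` catch-all) ahead of the blanket protocol accepts is the usual fix; re-running the evaluator after the reorder is the quickest way to confirm the intended rule is the one that now fires.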
Friday, 27 September 2013
VPN Setting
Posted By: Rufaidah-network - 15:02
Setting up a VPN using MikroTik
Here is an excerpt of the tutorial
Sample tutorial:
- In WINBOX, click INTERFACE –> SETTING –> PPTP Server
- Once the PPTP Server table appears, enable it, leave all parameters at their defaults, and tick every authentication option there is (so you don't have to fuss with the security settings on the PPTP client).
- Create an IP POOL, which hands out a dynamic IP to every incoming PPTP connection that connects successfully, as follows:
a. click IP –> POOL, click the "+" sign, give it a NAME and enter the network or IP range.
b. click OK,
- Create the PPTP USER as follows:
a. click PPP –> Profiles, edit the default profile by double-clicking it (adding a new one is fine too, this is just to keep it simple hehe)
b. fill in LOCAL ADDRESS with the IP ADDRESS held by the interface that connects to the FIREWALL MACHINE
c. open the REMOTE ADDRESS drop-down menu and pick the name of the IP POOL you already created (that's why I had you make the IP POOL first, so you wouldn't ask hehehe)
d. click APPLY –> OK
e. click SECRETS, NAME: fill in the USERNAME and PASSWORD for the CLIENT
f. Still in SECRETS, under SERVICE: choose PPTP
g. Also still in SECRETS, if you want the client to be able to dial the VPN only from a particular public IP, fill in CALLER ID with that client's PUBLIC IP (usually when the client is an ISP or another corporation, for monitoring).
h. If a client uses a LOCAL IP address that is the same as the IP address it gets from PPTP (typically clients on a building or company network) and the VPN connection is ESTABLISHED but still cannot ping, then the REMOTE ADDRESS in that user's SECRETS must be set to an IP ADDRESS outside the IP POOL range but still within the same network, and a DEFAULT route must be added on that CLIENT PC.