Hotspot com cache full

Postado por MK-Server quinta-feira, 10 de junho de 2010

Primeiro devemos marcar os pacotes que estão em cache. No exemplo abaixo também estão sendo marcados pacotes P2P e outros serviços que acho importante controlar:

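# Mangle rules: classify traffic with connection and packet marks.
# Only the marking is shown on this page; whatever consumes the marks
# (queues, filter rules) is not part of the listing.
# The blog rendering turned ASCII quotes into typographic ones and wrapped the
# commands; both are repaired here so the rules can be pasted into a terminal.
/ ip firewall mangle
# Traffic leaving the local proxy (source port 3128) whose payload carries the
# cache-hit header is tagged "proxyfull".
# NOTE(review): content= can only match what is visible in clear text in the
# packet, so this depends on the proxy emitting the header unencrypted.
add chain=output protocol=tcp src-port=3128 content="X-Cache: HIT" \
    action=mark-connection new-connection-mark=proxyfull passthrough=yes \
    comment="PROXY FULL" disabled=no

# Packets of a "proxyfull" connection get the packet mark of the same name,
# then action=return stops further processing of this chain for them.
add chain=output connection-mark=proxyfull action=mark-packet \
    new-packet-mark=proxyfull passthrough=yes comment="" disabled=no
add chain=output connection-mark=proxyfull action=return comment="" \
    disabled=no

# P2P control: every connection recognised by the p2p matcher is marked
# P2P-Conexao. TCP P2P connections that also match connection-limit=40,32
# (more than 40 connections per /32 source) are re-marked P2P-Conexao-Limite.
# Both connection marks end up with the same packet mark, P2P-Pacotes.
# NOTE(review): presumably the p2p matcher relies on protocol signatures, so
# encrypted P2P traffic would pass unmarked. Confirm before relying on this
# as a control.
add chain=prerouting p2p=all-p2p action=mark-connection \
    new-connection-mark=P2P-Conexao passthrough=yes comment="CONTROLE P2P" \
    disabled=no
add chain=prerouting protocol=tcp p2p=all-p2p connection-limit=40,32 \
    action=mark-connection new-connection-mark=P2P-Conexao-Limite \
    passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=P2P-Conexao action=mark-packet \
    new-packet-mark=P2P-Pacotes passthrough=no comment="" disabled=no
add chain=prerouting connection-mark=P2P-Conexao-Limite action=mark-packet \
    new-packet-mark=P2P-Pacotes passthrough=no comment="" disabled=no

# VoIP: UDP with destination port 5060 is marked voip_in / VOIP_IN and UDP with
# source port 5060 is marked voip_out / VOIP_OUT. 5060/udp is SIP signalling;
# media streams on other ports are not matched by these rules.
add chain=prerouting protocol=udp dst-port=5060 action=mark-connection \
    new-connection-mark=voip_in passthrough=yes comment="VOIP-IN" disabled=no
add chain=prerouting connection-mark=voip_in action=mark-packet \
    new-packet-mark=VOIP_IN passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp src-port=5060 action=mark-connection \
    new-connection-mark=voip_out passthrough=yes comment="VOIP-OUT" \
    disabled=no
add chain=prerouting connection-mark=voip_out action=mark-packet \
    new-packet-mark=VOIP_OUT passthrough=yes comment="" disabled=no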

Fazendo o mascaramento e o redirecionamento dos dados de nosso servidor:
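# NAT rules (typographic quotes and wrapped lines from the blog rendering are
# repaired so the commands can be pasted).
/ ip firewall nat
# Masquerade everything sourced from the hotspot subnet. No out-interface is
# given, so the rule applies whichever interface the traffic leaves through.
add chain=srcnat src-address=192.168.1.0/24 action=masquerade \
    comment="masquerade hotspot network" disabled=no

# Authenticated hotspot clients (hotspot=auth) arriving on interface Net have
# their TCP/80 traffic redirected to the local web proxy on port 3128.
# Only port 80 is redirected; other ports bypass the proxy and its access list.
add chain=pre-hotspot in-interface=Net protocol=tcp dst-port=80 hotspot=auth \
    action=redirect to-ports=3128 comment="Redirecionamento Proxy - HotSpot"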

Colocamos um drop para que ninguém de fora da nossa rede tenha acesso ao nosso cache:

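# Filter rules (typographic quotes and wrapped lines from the blog rendering
# are repaired so the commands can be pasted).
/ ip firewall filter
# "virus" is a user-defined chain: this drop of TCP/445 only takes effect if
# another rule jumps to the chain. That jump rule is not shown on this page.
add chain=virus protocol=tcp dst-port=445 action=drop \
    comment="bloqueio de VIRUS conhecidos" disabled=no
# ... (further rules were omitted by the author of the post)

# Keep the proxy from being used from outside: drop TCP/3128 arriving on Link.
# NOTE(review): this protects only the interface named Link. Any other
# interface that faces an untrusted network needs an equivalent rule, because
# the web-proxy access list on this page does not restrict clients by source
# address. After applying, confirm from an outside host that 3128 is closed.
add chain=input in-interface=Link protocol=tcp dst-port=3128 action=drop \
    comment="bloqueia Xeretas" disabled=no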

———————————————————–

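# Hotspot server, profiles and users (typographic quotes and wrapped lines from
# the blog rendering are repaired so the commands can be pasted).
/ ip hotspot
# One hotspot server on interface Net, handing out addresses from hs-pool-1 and
# using server profile hsprof1. At most two addresses are allowed per MAC.
add name="hotspot1" interface=Net address-pool=hs-pool-1 profile=hsprof1 \
    idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
    html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
    smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
    split-user-domain=no use-radius=no
# NOTE(review): unlike the default profile, hsprof1 also enables http-pap,
# which submits the user's password over plain HTTP without any protection.
# Remove http-pap unless a client really cannot use http-chap.
# http-cookie-lifetime=3d re-admits a device by cookie for three days without
# asking for the password again; shorten it where devices are shared.
add name="hsprof1" hotspot-address=192.168.1.1 \
    dns-name="hotspot.arnetms.com.br" html-directory=hotspot rate-limit="" \
    http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 \
    login-by=cookie,http-chap,http-pap http-cookie-lifetime=3d \
    split-user-domain=no use-radius=no
/ ip hotspot user
# Passwords are redacted as XXXXX in the post; set a unique, strong value for
# each user. NOTE(review): hotspot user passwords are presumably written in
# clear text to configuration exports, so handle exports and backups as
# secrets. Verify on the RouterOS version in use.
add name="admin" password="XXXXX" profile=default comment="" disabled=no
add server=hotspot1 name="josevaldo" password="XXXXX" profile=640k comment="" \
    disabled=no
/ ip hotspot user profile
# shared-users=1 allows a single simultaneous session per account in every
# profile below. The 160k/320k/640k profiles differ only in rate-limit.
set default name="default" idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 transparent-proxy=yes \
    open-status-page=always advertise=no
add name="160k" address-pool=hs-pool-1 idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 rate-limit="60k/160k" \
    transparent-proxy=no
add name="320k" address-pool=hs-pool-1 idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 rate-limit="80k/320k" \
    transparent-proxy=no
add name="640k" address-pool=hs-pool-1 idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 rate-limit="120k/640k" \
    transparent-proxy=no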

—————————————————————

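# Web proxy (typographic quotes and wrapped lines from the blog rendering are
# repaired so the commands can be pasted).
/ ip web-proxy
# Transparent caching proxy listening on port 3128.
# max-cache-size=unlimited sets no configured cap on the cache stored on
# cache-drive=secondary-master; monitor free space on that drive.
set enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy" \
    transparent-proxy=yes parent-proxy=0.0.0.0:0 \
    cache-administrator="webmaster" max-object-size=20000KiB \
    cache-drive=secondary-master max-cache-size=unlimited \
    max-ram-cache-size=393216KiB
/ ip web-proxy access
# The only access rule denies requests to destination ports 23-25.
# NOTE(review): nothing here limits which clients may use the proxy, so whether
# it is an open proxy depends entirely on the firewall input rules. Consider
# adding access rules that admit only the hotspot subnet and deny the rest.
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
    disabled=no
/ ip web-proxy cache
# Cache policy: URLs matching the cgi-bin / "?" pattern are not cached; the
# youtube and orkut URL patterns are explicitly allowed to be cached.
# NOTE(review): the cache is shared by all hotspot users. Confirm that
# responses tied to a logged-in session on these sites are not stored and
# served to a different user.
add url=":cgi-bin \?" action=deny comment="don't cache dynamic http pages" \
    disabled=no
add url="youtube.com*" action=allow comment="youtube" disabled=no
add url="orkut.com*" action=allow comment="orkut" disabled=no
add url="video.youtube.com*" action=allow comment="videos" disabled=no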
