Posted on 2009-3-11 14:32:47
Bind: :foreach i in=[/ip arp find dynamic=yes ] do=[/ip arp add copy-from=$i]
Unbind: :foreach i in=[/ip arp find ] do=[/ip arp remove $i]
After that, under Interfaces select the LAN interface and set its ARP mode to reply-only.
Change MAC: /interface ethernet set lan2 mac-address=00:b4:cb:ad:fe:af
Disable the firewall:
:foreach i in=[/ip firewall filter find disabled=no] do=[/ip firewall filter disable $i]
Grab an IP from the address list:
/tool netwatch set test host [/ ip firewall address-list get [/ ip firewall address-list find list=winboxOnline] address]
Rate limiting off:
:foreach i in=[/ queue simple find disabled=no] do=[/ queue simple disable $i]
Rate limiting on:
:foreach i in=[/ queue simple find disabled=yes] do=[/ queue simple enable $i]
Common RouterOS commands 2007-07-25 10:44
RouterOS monitoring script: alarm on link down, alarm cleared automatically when the line recovers:
Add a script under /system script
name=ip-to-monitor
with the following content:
# the foreach loop uses its own variable (j) so it does not overwrite the $i flag that ends the while loop
:set i 0
:while ($i=0) do={:beep length=2s frequency=2755;:delay 5;:set a abc;\
:foreach j in=[/tool netwatch find host=ip-to-monitor] \
do={:set a [/tool netwatch get $j status]};:put $a;:if ($a=up) do={:set i 1}}
Then add a monitor under /tool netwatch
host=ip-to-monitor
In the down field enter:
/system script run ip-to-monitor
:set shendown1 [/system clock get date]
:set shendown2 [/system clock get time]
:set shendown ("ip-to-monitor down " . $shendown1 . " " . $shendown2)
:log warning $shendown
RouterOS small-packet priority policy:
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 comment="" disabled=no
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no
add chain=forward packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no
add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no
/ queue tree
add name="p2p1" parent=wan packet-mark=p2p limit-at=600000 queue=default priority=8 max-limit=800000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="p2p2" parent=lan packet-mark=p2p limit-at=800000 queue=default priority=8 max-limit=600000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="classa" parent=lan packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="classb" parent=classa packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="leaf1" parent=classa packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="leaf2" parent=classb packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="leaf3" parent=classb packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
RouterOS script for blocking common P2P software:
/ ip firewall filter
add chain=input protocol=udp dst-port=137-138 action=drop comment="drop udp137-138"
# Xunlei (Thunder)
add chain=forward protocol=tcp dst-port=3076-3079 action=drop comment="downtools xunlei" disabled=yes
add chain=forward dst-address=202.96.155.91/32 action=drop
add chain=forward dst-address=210.22.12.53/32 action=drop
add chain=forward dst-address=61.128.198.97/32 action=drop
# eMule
add chain=forward protocol=tcp dst-port=4661 action=drop comment="downp2p verycd"
add chain=forward protocol=tcp dst-port=4662 action=drop
add chain=forward protocol=tcp dst-port=4242 action=drop
add chain=forward dst-address=62.241.53.15/32 action=drop
# PPGou
add chain=forward protocol=tcp dst-port=8505 action=drop comment="downtools ppgou"
add chain=forward dst-address=219.153.0.152/32 action=drop
add chain=forward dst-address=61.145.116.186/32 action=drop
# KuGoo (kugo)
add chain=forward protocol=tcp dst-port=3318 action=drop comment="downmp3 kugo" disabled=yes
add chain=forward protocol=tcp dst-port=1043 action=drop disabled=yes
add chain=forward protocol=tcp dst-port=4224 action=drop disabled=yes
add chain=forward protocol=tcp dst-port=2371 action=drop disabled=yes
add chain=forward protocol=udp dst-port=7000 action=drop disabled=yes
add chain=forward dst-address=218.16.125.227/32 action=drop disabled=yes
add chain=forward dst-address=61.143.210.56/32 action=drop disabled=yes
add chain=forward dst-address=218.16.125.226/32 action=drop disabled=yes
add chain=forward dst-address=61.129.115.206/32 action=drop disabled=yes
add chain=forward dst-address=61.145.114.33/32 action=drop disabled=yes
# rf online
add chain=forward dst-address=218.30.85.16/32 dst-port=8888 action=accept comment="rf online"
add chain=forward dst-address=59.34.215.133/32 dst-port=8888 action=accept
add chain=forward dst-address=60.28.26.66/32 dst-port=8888 action=accept
# BitSpirit
add chain=forward protocol=tcp dst-port=16881 action=drop comment="downp2p bitspirit"
add chain=forward protocol=tcp dst-port=6881-6890 action=drop
add chain=forward protocol=tcp dst-port=8881-8890 action=drop
add chain=forward protocol=udp dst-port=16881 action=drop
add chain=forward protocol=udp dst-port=6881-6890 action=drop
add chain=forward protocol=udp dst-port=8881-8890 action=drop
# Baoku
add chain=forward protocol=tcp dst-port=6346 action=drop comment="downp2p baocue"
add chain=forward protocol=tcp dst-port=11300 action=drop
add chain=forward dst-address=61.172.197.196/32 action=drop
add chain=forward dst-address=218.1.14.3/32 action=drop
add chain=forward dst-address=218.1.14.4/32 action=drop
add chain=forward dst-address=218.1.14.9/32 action=drop
add chain=forward dst-address=61.172.197.209/32 action=drop
add chain=forward dst-address=61.172.197.197/32 action=drop
add chain=forward dst-address=218.1.14.5/32 action=drop
add chain=forward dst-address=218.5.72.118/32 action=drop
add chain=forward dst-address=61.172.197.196/32 action=drop
# Baishitong download tool
add chain=forward dst-address=61.145.126.150/32 action=drop comment="downp2p bai****ong"
# Baidu MP3 download
add chain=forward dst-address=202.108.156.206/32 action=drop comment="downmp3 baidump3" disabled=yes
# PTC download tool
add chain=forward protocol=tcp dst-port=50007 action=drop comment="downp2p ptcdown"
# eDonkey2000 download tool
add chain=forward protocol=tcp dst-port=4371 action=drop comment="downp2p edonkey2000"
add chain=forward protocol=tcp dst-port=4662 action=drop
add chain=forward dst-address=62.241.53.15/32 action=drop
add chain=forward dst-address=62.241.53.17/32 action=drop
# poco2005
add chain=forward protocol=udp src-port=8094 action=drop comment="downp2p poco2005"
add chain=forward protocol=tcp dst-port=2881 action=drop
add chain=forward protocol=tcp dst-port=5354 action=drop
add chain=forward dst-address=61.145.118.224/32 action=drop
add chain=forward dst-address=210.192.122.147/32 action=drop
add chain=forward dst-address=207.46.196.108/32 action=drop
# Kamun
add chain=forward protocol=tcp dst-port=3751 action=drop comment="downp2p kamun"
add chain=forward protocol=tcp dst-port=3753 action=drop
add chain=forward protocol=tcp dst-port=4772 action=drop
add chain=forward protocol=tcp dst-port=4774 action=drop
add chain=forward dst-address=211.155.224.67/32 action=drop
# Weiyu RealLink
add chain=forward dst-address=211.91.135.114/32 action=drop comment="downp2p reallink"
add chain=forward dst-address=221.233.18.180/32 action=drop
add chain=forward dst-address=61.145.119.55/32 action=drop
add chain=forward dst-address=221.3.132.99/32 action=drop
# 100bao (Baibao)
add chain=forward protocol=tcp dst-port=3468 action=drop comment="downp2p 100bao"
add chain=forward dst-address=219.136.251.56/32 action=drop
add chain=forward dst-address=61.149.124.173/32 action=drop
# Baihua PP
add chain=forward protocol=tcp dst-port=5093 action=drop comment="downp2p baihua"
add chain=forward dst-address=221.229.241.243/32 action=drop
# Kuaiditong (kdt)
add chain=forward dst-address=202.96.137.56/32 action=drop comment="downp2p kdt"
# Kuro
add chain=forward protocol=tcp dst-port=6800-6801 action=drop comment="downmp3 kuro"
add chain=forward protocol=tcp dst-port=7003 action=drop
add chain=forward dst-address=218.244.45.67/32 action=drop
add chain=forward dst-address=220.169.192.145/32 action=drop
# Baidu Xiaba
add chain=forward protocol=tcp dst-port=11000 action=drop comment="downp2p baiduxiaba" disabled=yes
add chain=forward dst-address=202.108.249.171/32 action=drop
# Baizhao P2P
add chain=forward protocol=tcp dst-port=9000 action=drop comment="downp2p baizhaop2p"
add chain=forward dst-address=221.233.19.30/32 action=drop
# Shitou (OpenExt)
add chain=forward protocol=tcp dst-port=5467 action=drop comment="downp2p openext"
add chain=forward protocol=tcp dst-port=2500 action=drop
add chain=forward protocol=tcp dst-port=4173 action=drop
add chain=forward protocol=tcp dst-port=10002 action=drop
add chain=forward protocol=tcp dst-port=10003 action=drop
add chain=forward dst-address=66.197.13.166/32 action=drop
add chain=forward dst-address=210.22.12.245/32 action=drop
add chain=forward dst-address=69.93.222.56/32 action=drop
# ilink 1.1
add chain=forward protocol=tcp dst-port=5000 action=drop comment="downp2p ilink"
# dds
add chain=forward protocol=tcp dst-port=11608 action=drop comment="downp2p dds"
add chain=forward dst-address=210.51.168.13/32 action=drop
add chain=forward dst-address=211.157.105.252/32 action=drop
add chain=forward dst-address=212.179.66.17/32 action=drop
# imesh 5
add chain=forward protocol=tcp dst-port=4662 action=drop comment="downp2p imesh 5"
add chain=forward dst-address=212.179.66.17/32 action=drop
add chain=forward dst-address=212.179.66.24/32 action=drop
add chain=forward dst-address=38.117.175.23/32 action=drop
# winmx
add chain=forward protocol=tcp dst-port=5690 action=drop comment="downp2p winmx"
add chain=forward dst-address=64.246.15.43/32 action=drop
# NetCool (Wangku)
add chain=forward protocol=tcp dst-port=2122 action=drop comment="downp2p netcool"
add chain=forward dst-address=211.152.22.9/32 action=drop
add chain=forward dst-address=211.152.22.101/32 action=drop
add chain=forward dst-address=221.192.132.29/32 action=drop
# PPLive Internet TV
add chain=forward protocol=tcp dst-port=8008 action=drop comment="p2ptv pplive"
add chain=forward protocol=udp dst-port=4004 action=drop
# QQ Live
add chain=forward protocol=udp dst-port=13002-13999 action=drop comment="p2ptv qq" disabled=yes
Some notes on the RouterOS firewall:
input - packets that enter the router and have to be handled by it
forward - packets routed through the router
output - packets handled by the router and sent out through an interface
action:
1 accept: accept the packet
add-dst-to-address-list - add the destination IP address to an address-list
add-src-to-address-list - add the source IP address to an address-list
2 drop - discard the packet
3 jump - jump, either to a rule chain such as input or forward, or to a specific rule
4 log - write a log entry
5 passthrough - ignore this rule and continue with the next
6 reject - discard the packet and send back an ICMP response
7 return - hand control back to where the jump came from
8 tarpit - capture and hold incoming TCP connections (answer incoming TCP SYN packets with SYN/ACK)
RouterOS commands:
Most of the RouterOS material I have seen is about installation; material about the RouterOS commands is rare (perhaps because there is Winbox). The RouterOS manual does describe them, but it is in English and hard to read. Below I write out some commonly used commands, hoping they help everyone:
1. After logging in, ? is the usual help command; it lists the available commands with brief descriptions.
2. Some English commands are long and can be abbreviated, e.g. interface: type in and press Enter and you go straight into interface. Or press Tab to complete long commands for you.
3. Some commands have many parameters; when you do not know them, type the command followed by a space and ?, e.g. print ? shows that command's parameters.
4. setup is a command everyone must remember, because right after installing RouterOS you must use it to assign an IP address to the NIC.
5. ip route add gate=211.12.*.14,220.163.*.12 adds multiple gateways for multi-line access.
6. ip firewall add action=nat protocol=tcp dst-address=212.12.*.*/32:80 to-dst-address=192.168.0.198 maps port 80 to the local host 192.168.0.198.
7. print is used to list all entries.
8. interface monitor-traffic 0,1,2 monitors the current activity of NICs 0, 1 and 2.
9. ip firewall connection print shows all current connections.
10. ip arp print shows the IP-to-MAC address mapping table RouterOS knows.
11. user active print shows all active RouterOS users.
12. system reboot and system shutdown reboot and shut down respectively.
13. system reset deletes all existing configuration and restarts RouterOS.
14. system resource monitor monitors current CPU and memory usage.
15. log print shows the RouterOS log.
16. tool ping-speed 210.13.14.* shows the ping speed.
17. tool sniffer start and tool sniffer stop start and stop the sniffer.
18. tool sniffer packet print lists the sniffed packets.
19. system backup name=2004107.bak backs up the system configuration to the file 2004107.bak, which you can see with file print.
The usual enable, disable, remove and set I will not go into.
Some common RouterOS scripts:
/ ip firewall connection {:foreach r in=[find] do={remove $r}}   delete all connections
:foreach i in=[/ip firewall filter find action=drop ] do=[/ip firewall filter disable $i]   disable firewall rules
firewall connection tracking: set syn sendtime to 50 and rectime to 30 to mitigate SYN attacks
/system scheduler add name=reboot interval=24h start-time=06:59:00 on-event={/system reboot} disabled=no   scheduled reboot
/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=xxx.xxx.xxx.xxx   change the default gateway
/queue simple remove [find]   delete all simple queues
:foreach i in=[/ip arp find dynamic=yes ] do={/ip arp add copy-from=$i}   ARP binding (static ARP)
Script that adds a simple queue for every IP:
# first remove every existing simple queue
:foreach i in=[/queue simple find] \
do={:put ("deleting ... " . [/queue simple get $i name]); \
/queue simple remove $i}
# then add one queue per host; .100 is skipped by the original script
:for i from=1 to=254 \
do={ \
:if ($i!=100) \
do={/queue simple add \
name=("queue" . $i) \
limit-at=128000/128000 \
burst-threshold=384000/192000 \
max-limit=512000/256000 \
burst-limit=2000000/512000 \
burst-time=16s/8s \
dst-address=("192.168.0." . $i); \
:put ("192.168.0." . $i . " ... added")} \
}
Other RouterOS parameters:
Usage:
winbox - system - scripts - +
name (script name)
source (the script)
ok - select the script to run - run script
Bulk ARP binding
:foreach i in=[/ip arp find dynamic=yes ] do={/ip arp add copy-from=$i}
Binding ARP in bulk this way is much more convenient, but note that after binding with this command you have to remove the ARP entries on the WAN side, otherwise strange problems occur; at least I ran into them!
Rate-limit script:
:for aaa from=2 to=254 do={/queue simple add name=("queue" . $aaa) dst-address=("192.168.0." . $aaa) limit-at=0/0 max-limit=2000000/2000000}
Notes:
aaa is the variable
2 to 254 means 2 through 254
"192.168.0." . $aaa is the IP
together these give 192.168.0.2~192.168.0.254
max-limit=2000000/2000000 is upload/download
Delete all connections
/ ip firewall connection {:foreach r in=[find] do={remove $r}}
Disable firewall rules
:foreach i in=[/ip firewall filter find action=drop ] do=[/ip firewall filter disable $i]
Scheduled reboot
/system scheduler add name=reboot interval=24h start-time=11:59:00 on-event={/system reboot} disabled=no
Change the default gateway
/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=xxx.xxx.xxx.xxx
/sy reset   restore the router to its original state
/sy reboot   reboot the router
/sy shutdown   shut down
/sy ide set name=hostname   set the hostname
/export   view the configuration
/ip export   view the IP configuration
/sy backup, Enter; then save name=file-name or load name=file-name   back up the router
/interface print   view NIC status
0 x ether1 ether 1500   this NIC is not enabled
0 r ether1 ether 1500   this is the normal state
/int en 0   enable NIC 0
/int di 0   disable NIC 0
/ip fir con print   view all current network connections
/ip service set www port=81   change the www service port to 81
/ip hotspot user add name=user1 password=1   add a user
How to change the router's own NIC MAC in RouterOS:
interface ethernet> set nic-name mac-address=desired-mac
The computer lab often has this requirement: Internet access this period, no access next period. I used to unplug the network cable; after using this I no longer need to. And while Internet access is allowed, I can still control whether students play Lianzhong or chat on QQ. When the lab is open after class they need both Internet and QQ, so just disable these policies.
Winbox is also simple to operate; I taught the administrator and no longer have to manage it.
Free control of lab Internet access, QQ and Lianzhong:
/ ip firewall rule forward
These rules control each lab's Internet access policy: disable the rule to allow access, enable it to block.
Lab 1
add src-address=192.168.3.0/26 dst-address=!192.168.0.0/16 action=drop \
comment="lab 1" disabled=yes
Lab 2
add src-address=192.168.3.64/26 dst-address=!192.168.0.0/16 action=drop \
comment="lab 2" disabled=no
Lab 3
add src-address=192.168.3.128/26 dst-address=!192.168.0.0/16 action=drop \
comment="lab 3" disabled=yes
Lab 4
add src-address=192.168.3.192/26 dst-address=!192.168.0.0/16 action=drop \
comment="lab 4" disabled=no
Lab 5
add src-address=192.168.0.128/26 dst-address=!192.168.0.0/16 action=drop \
comment="lab 5" disabled=no
add src-address=192.168.0.192/29 dst-address=!192.168.0.0/16 action=drop \
comment="" disabled=no
Lab 6
add src-address=192.168.0.64/26 dst-address=!192.168.0.0/16 action=drop \
comment="lab 6" disabled=no
These rules control Lianzhong and QQ for each lab
Lab 2
add src-address=192.168.3.64/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="lab 2: no Lianzhong, no QQ chat" disabled=no
add src-address=192.168.3.64/26 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no
add src-address=192.168.3.64/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.3.128/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
Lab 3
add src-address=192.168.3.128/26 dst-address=:8000 protocol=udp action=drop \
comment="lab 3: no QQ chat, no Lianzhong" disabled=yes
add src-address=192.168.3.128/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=yes
Lab 4
add src-address=192.168.3.192/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="lab 4: no Lianzhong, no QQ chat" disabled=no
add src-address=192.168.3.192/26 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no
add src-address=192.168.3.192/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
Lab 5
add src-address=192.168.0.128/26 dst-address=:8000 protocol=udp action=drop \
comment="lab 5: no QQ chat, no Lianzhong" disabled=no
add src-address=192.168.0.192/29 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no
add src-address=192.168.0.128/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.0.192/29 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.0.128/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no
add src-address=192.168.0.192/29 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no
Lab 6
add src-address=192.168.0.64/26 dst-address=:8000 protocol=udp action=drop \
comment="lab 6: no QQ chat, no Lianzhong" disabled=no
add src-address=192.168.0.64/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no
add src-address=192.168.0.64/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no
RouterOS connection-limit script + rate-limit script:
Connection-limit script:
:for aaa from=2 to=254 do={/ip firewall filter add chain=forward src-address=("192.168.0." . $aaa) protocol=tcp connection-limit=50,32 action=drop}
Rate-limit script:
:for aaa from=2 to=254 do={/queue simple add name=("queue" . $aaa) dst-address=("192.168.0." . $aaa) limit-at=0/0 max-limit=2000000/2000000}
Notes:
aaa is the variable
2 to 254 means 2 through 254
"192.168.0." . $aaa is the IP
together these give 192.168.0.2~192.168.0.254
connection-limit=50 is the number of connections, here 50
max-limit=2000000/2000000 is upload/download
Usage:
winbox - system - scripts - +
name (script name)
source (the script)
ok - select the script to run - run script
Check:
Connection limit: winbox - ip - firewall - filter rules (check that the rules were added)
Rate limit: winbox - queues - simple queues (check that the queues were added)
Cutting off the black hand that scans your RouterOS:
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="nmap fin stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="syn/fin scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="syn/rst scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="fin/psh/urg scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="all/all scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="nmap null scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
Overall rate limiting of RouterOS in Winbox:
Example: limit download speed to 640k and upload speed to 320k
ip → firewall → mangle → add one; in the action tab set action=accept flow mark=all
queues → queue types → add one; general tab name=netbardown kind=pcq, settings tab rate: 655360
in classifier tick both src. boxes;
queues → queue types → add one; general tab name=netbarup kind=pcq, settings tab rate: 327680
in classifier tick both dst. boxes;
queues → queue tree → add one; general tab name=netbardown parent=lan flow=all queue type=netbardown // lan is the LAN NIC
queues → queue tree → add one; general tab name=netbarup parent=wan flow=all queue type=netbarup // wan is the WAN NIC
When you do not want to limit, just disable the entry added earlier:
ip → firewall → mangle → the entry added with action=accept flow mark=all
Don't tell me you can't disable it... continuing ~~
Internet cafes usually have two or more lines; the telecom cuts one of your lines at night, which disrupts the cafe's network connectivity, so I made this script to have RouterOS switch one line on and off on a schedule, using the gateways. 192.168.2.1 and 192.168.3.1 are the two gateways: 192.168.2.1 is the gateway of the fibre line the telecom restricts, 192.168.3.1 is the gateway of the fibre line available 24 hours a day.
/ system script
add name="allon" source="/ip route set\[/ip route find dst 0.0.0.0\] gateway \
192.168.2.1,192.168.3.1" policy=ftp,reboot,read,write,policy,test
add name="2moff" source="/ip route set\[/ip route find dst 0.0.0.0\] \
gateway 192.168.3.1" policy=ftp,reboot,read,write,policy,test
/ system scheduler
add name="allok" on-event=allon start-date=mar/24/2006 start-time=08:30:00 \
interval=1d comment="" disabled=no
add name="8mok" on-event=2moff start-date=mar/24/2006 start-time=23:40:00 \
interval=1d comment="" disabled=no
RouterOS port-forwarding and hairpin (loopback) script:
# jun/18/2006 18:43:44 by routeros 2.9.6
# to-ports is the forwarded port range; 0-65535 means forward everything; to forward only www (the web port) change it to 80
# to forward only ftp, set to-ports=21 ~`` if anything is unclear you can add me on QQ 33679934 ~``
/ ip firewall nat
add chain=dstnat dst-address=wan-address action=dst-nat \
to-addresses=internal-server-address to-ports=0-65535 comment="forward" disabled=no
add chain=srcnat src-address=internal-server-address action=src-nat \
to-addresses=wan-address to-ports=0-65535 comment="hairpin" disabled=no
Export with the export command and import with the import command.
For example, to export the whole configuration: /export file=xxx
Import configuration: /import file=xxx
Export the firewall configuration: /ip firewall export file=xxx
Back up settings: files --> backup, then download the backup file with an ftp client
Restore settings: upload the backup file with an ftp client; files --> restore
1. Backing up and restoring settings
This is absolutely good stuff! Think about it: the firewall rules, NIC settings, routes and port mappings you set up with so much effort; if you make a mistake or reinstall, do you have to set everything up again yourself? That is a huge hassle!!! But RouterOS has thought of you: you can back up your settings file manually and restore it with a single command whenever needed!
Log in with Winbox, making sure to use the admin account. On the left, is there a "files" item? Open it and click "backup" at the top of the dialog, and the current settings are saved into a file. Then log in to your router with IE using ftp://admin-account:password@router-ip:port; once logged in you will see the file you saved. Download it straight from IE!
When you reinstall, as soon as the LAN is working, log in to your router with IE again and upload this settings file. At the bottom left of Winbox there is an item starting with "te"; this is the terminal emulator, and once opened it is just like working on the router itself. Use the following commands to restore your previous settings:
system, Enter
backup, Enter
load name=your-saved-file-name, Enter
It prompts for a reboot and your previous settings are restored in one go!!
Convenient and practical, isn't it?
You may say backing up with Winbox is no fun; well, we can back up from the terminal too!
At the bottom left of Winbox there is an item starting with "te"; this is the terminal emulator, and once opened it is just like working on the router itself. Use the following commands to back up your current settings:
system, Enter
backup, Enter
save name=your-saved-file-name, Enter
I suggest using the date as the file name, which is very intuitive. The file is saved under the name you gave.
The load name command restores it.
2. Restoring the router's own defaults.
If you set a wrong rule or address so that Winbox can no longer get into the management interface, you can recover like this:
Log in as admin
system, Enter
reset, choose y
All changes are deleted and the router returns to its freshly installed state
This is a factory reset, well suited for when you are just starting to configure RouterOS!
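As an added example (not from the original post), the following Python evaluates the tcp-flags matchers of the "port scanners" rules above against constructed TCP flag sets, showing which packets each rule would put on the address list and how rule order decides which comment a packet ends up under. It assumes RouterOS semantics where a plain flag must be set, a "!" flag must be clear, and flags not listed are unconstrained.

```python
# Added example, not from the original post: evaluates the RouterOS tcp-flags
# matchers used by the "port scanners" rules against constructed TCP flag sets.
# Assumed RouterOS semantics: a plain flag must be set, a "!" flag must be
# clear, and flags not listed in the matcher are not constrained.

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# The tcp-flags matchers and comments from the post's rules, in rule order.
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "nmap fin stealth scan"),
    ("fin,syn", "syn/fin scan"),
    ("syn,rst", "syn/rst scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "fin/psh/urg scan"),
    ("fin,syn,rst,psh,ack,urg", "all/all scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "nmap null scan"),
]

def parse_tcp_flags(expr):
    """Split a tcp-flags expression into (must_be_set, must_be_clear) sets."""
    must_set, must_clear = set(), set()
    for token in expr.split(","):
        token = token.strip()
        name = token.lstrip("!")
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag in matcher: {token!r}")
        (must_clear if token.startswith("!") else must_set).add(name)
    return must_set, must_clear

def flags_match(expr, packet_flags):
    """True if a packet carrying exactly packet_flags matches the matcher."""
    must_set, must_clear = parse_tcp_flags(expr)
    flags = set(packet_flags)
    return must_set <= flags and not (must_clear & flags)

def classify(packet_flags):
    """Comment of the first rule (in rule order) that matches, or None."""
    for expr, comment in SCAN_RULES:
        if flags_match(expr, packet_flags):
            return comment
    return None

# Constructed sample packets (not captured traffic): name -> flags that are set.
SAMPLE_PACKETS = {
    "normal SYN": {"syn"},
    "normal data": {"psh", "ack"},
    "normal FIN close": {"fin", "ack"},
    "null scan": set(),
    "FIN scan": {"fin"},
    "xmas scan": {"fin", "psh", "urg"},
    "SYN/FIN probe": {"fin", "syn"},
    "all flags set": set(TCP_FLAGS),
}

def scan_report(packets=SAMPLE_PACKETS):
    """Map each sample packet to the rule comment it would be listed under."""
    return {name: classify(flags) for name, flags in packets.items()}

if __name__ == "__main__":
    for name, verdict in scan_report().items():
        print(f"{name:18} -> {verdict or 'not matched'}")
```

Because the rules are evaluated in order, a packet with all six flags set is recorded under "syn/fin scan" rather than "all/all scan", and ordinary SYN, data and FIN/ACK packets never reach the address list.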