本帖最后由 adslcool 于 2009-11-12 23:07 编辑
如上图,内网流量是控制了,可是外网进来的下行数据依然在接口排队,仍然会卡,期待解决!
现在开放一个Router OS 系统,欢迎诸位拍砖!
域名:testspeed.3322.org
用户名:demo
密 码:没有
搞了几天依然没效果,相信重赏之下必有勇夫!
好了我在淘宝直接给你冲QQ币,或者手机充值卡,怎样都行!
QQ:165306921
:)
限速脚本
# oct/18/2009 19:15:25 by routeros 2.9.6
# software id = S5KG-G0N
#
# Two PCQ (per-connection queue) types used by the simple queue "CQ" below.
# pcq-rate is the cap on each sub-stream (one sub-stream per distinct value of
# the classifier), not on the queue as a whole; pcq-limit and pcq-total-limit
# are queue depths in packets (per sub-stream / for the whole queue).
/ queue type
# Sub-streams keyed on the source address: one 1 Mbit/s bucket per sending host.
add name="Upload" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
# Sub-streams keyed on the destination address: one 1 Mbit/s bucket per receiving host.
add name="Download" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
/ queue simple
# One simple queue for the whole LAN (192.168.0.0/24), matched on dst-address
# only, on every interface. queue=<upload-type>/<download-type>: here the
# "Download" type (classifier dst-address) sits in the upload slot and the
# "Upload" type (classifier src-address) in the download slot.
# NOTE(review): for traffic leaving the LAN the per-host key is the source
# address and for traffic entering it the destination address, so this pairing
# looks reversed -- confirm which direction 2.9 treats as "upload" for a queue
# that sets dst-address but no target-addresses before changing it.
# limit-at=0/0 and max-limit=0/0 impose no aggregate floor or ceiling; the
# only limit in effect is the 1 Mbit/s per-host pcq-rate of the queue types.
# Presumably the inbound congestion reported in the post is because shaping
# here can only drop packets that have already arrived on the WAN side.
add name="CQ" dst-address=192.168.0.0/24 interface=all parent=none priority=8 \
queue=Download/Upload limit-at=0/0 max-limit=0/0 total-queue=default \
disabled=no
防火墙脚本
# 防火墙
/ ip firewall connection tracking
# Connection tracking must stay enabled: the connection-state and
# connection-limit matchers in the filter rules below depend on it.
# The timeouts bound how long each conntrack entry is kept per TCP state and
# per protocol; established TCP flows are retained for a day, everything
# else (handshake states, UDP, ICMP, other protocols) expires in seconds to
# minutes. NOTE(review): these look like stock values exported verbatim rather
# than tuned ones -- verify against the platform defaults before relying on them.
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m
/ ip firewall filter
# ---- chain=input: traffic addressed to the router itself ----
# Rules are evaluated top to bottom; the first match with a terminating
# action (accept/drop/tarpit) wins, so order below is significant.
#
# Port-scan detection. psd=<weight threshold>,<delay>,<low-port weight>,
# <high-port weight>: a source whose probes accumulate a weight of 21 within
# 3s is added to "port scanners" for 1d. (The exported comment= text is
# missing its leading "P"; left as-is because it is part of the rule.)
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 \
address-list="port scanners" address-list-timeout=1d comment="ort \
scanners to list " disabled=no
# TCP flag signatures that never occur in a normal handshake; each one lists
# the source in the same "port scanners" list for 1d.
add chain=input action=add-src-to-address-list \
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port \
scanners" address-list-timeout=1d comment="NMAP FIN Stealth scan" \
disabled=no
add chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp \
address-list="port scanners" address-list-timeout=1d comment="SYN/FIN \
scan" disabled=no
add chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp \
address-list="port scanners" address-list-timeout=1d comment="SYN/RST \
scan" disabled=no
add chain=input action=add-src-to-address-list \
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list="port \
scanners" address-list-timeout=1d comment="FIN/PSH/URG scan" disabled=no
add chain=input action=add-src-to-address-list \
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list="port \
scanners" address-list-timeout=1d comment="ALL/ALL scan" disabled=no
add chain=input action=add-src-to-address-list \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port \
scanners" address-list-timeout=1d comment="NMAP NULL scan" disabled=no
# Enforcement of the two dynamic lists: anything already listed is dropped
# before the state checks, so a listed host cannot use existing sessions.
add chain=input action=drop src-address-list="port scanners" comment=" port \
scanners " disabled=no
add chain=input action=drop src-address-list=black_list comment=" Black list " \
disabled=no
# Stateful core: drop invalid, accept replies/related and established flows.
# Everything after this point only sees new connections.
add chain=input action=drop connection-state=invalid comment="drop invalid \
packets" disabled=no
add chain=input action=accept connection-state=related comment="accept related \
packets" disabled=no
add chain=input action=accept connection-state=established comment="accept \
established packets" disabled=no
# Second psd rule with the same thresholds as the first: drops the packet that
# trips the detector (the first rule only listed the source and let it through).
add chain=input action=drop protocol=tcp psd=21,3s,3,1 comment="detect and \
drop port scan connections" disabled=no
# NOTE(review): this tarpit rule is unreachable -- src-address-list=black_list
# is already dropped by the " Black list " rule above. Harmless (drop instead
# of tarpit, which is also cheaper on a small router) but it is a dead rule.
add chain=input action=tarpit protocol=tcp connection-limit=3,32 \
src-address-list=black_list comment="suppress DoS attack" disabled=no
# A single /32 source holding more than 10 TCP connections to the router is
# blacklisted for 1d. NOTE(review): there is no exemption for the LAN, so a
# 192.168.0.0/24 client using a local service accepted in the services chain
# (e.g. the proxy on 8080) could blacklist itself; consider
# src-address=!192.168.0.0/24 on this rule if that is not intended.
add chain=input action=add-src-to-address-list protocol=tcp \
connection-limit=10,32 address-list=black_list address-list-timeout=1d \
comment="detect DoS attack" disabled=no
# Only packets whose destination is one of the router's own addresses
# continue (filters out broadcast/multicast and spoofed destinations).
add chain=input action=drop dst-address-type=!local comment="drop all that is \
not to local" disabled=no
# Dispatch to the per-protocol chains. NOTE(review): none of these jumps is
# qualified by in-interface, so every service accepted in chain=services is
# reachable from every interface, WAN included; adding
# in-interface=<LAN-INTERFACE> to the services jump would confine management
# access to the LAN. A chain jumped to that has no matching rule simply
# returns here, and no chain=virus rules appear in this export.
add chain=input action=jump jump-target=ICMP protocol=icmp comment="jump to \
chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="Jump to service" \
disabled=no
add chain=input action=jump jump-target=virus comment="jump to Virus" \
disabled=no
# ---- chain=ICMP: rate-limited allow-list of ICMP types (icmp-options=type:code) ----
# Each accepted type is capped at 5 packets/s with a burst of 5 (limit=5,5).
# ICMP that matches none of these rules, or exceeds the rate, is not dropped
# here: it returns to chain=input and falls through to the rules after the jump.
# Type 0 (echo reply), any code.
add chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 \
comment="0:0 and limit for 5pac/s" disabled=no
# Type 3 code 3 (port unreachable) -- needed for UDP/traceroute feedback.
add chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5 \
comment="3:3 and limit for 5pac/s" disabled=no
# Type 3 code 4 (fragmentation needed) -- required for path MTU discovery.
add chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5 \
comment="3:4 and limit for 5pac/s" disabled=no
# Type 8 (echo request), any code: the router answers ping at up to 5/s.
add chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 \
comment="8:0 and limit for 5pac/s" disabled=no
# Type 11 (time exceeded), any code -- traceroute replies.
add chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 \
comment="11:0 and limit for 5pac/s" disabled=no
# ---- chain=services: local services the router accepts new connections to ----
# Every rule here matches on port/protocol only. There is no in-interface or
# src-address qualifier, so each service is exposed on all interfaces.
# NOTE(review): for a router with a public address, the management services
# (winbox 8291, ssh 22, telnet 23, ftp 20-21, http 81, MAC-winbox, SNMP, the
# 8080/1080 proxies) should be restricted to the LAN, e.g. with
# src-address=192.168.0.0/24 or in-interface=<LAN-INTERFACE>, and the
# plaintext ones (telnet, ftp) disabled if they are not needed.
add chain=services action=accept dst-port=8291 protocol=tcp comment="Allow \
winbox" disabled=no
# FTP control and active-mode data ports (plaintext credentials).
add chain=services action=accept dst-port=20-21 protocol=tcp comment="allow \
ftp" disabled=no
# NOTE(review): if the web proxy is enabled, accepting 8080 from any source
# turns it into an open proxy; same for SOCKS on 1080 below.
add chain=services action=accept dst-port=8080 protocol=tcp comment="allow Web \
Proxy" disabled=no
add chain=services action=accept src-address=127.0.0.1 dst-address=127.0.0.1 \
comment="accept localhost" disabled=no
add chain=services action=accept dst-port=22 protocol=tcp comment="allow sftp, \
ssh" disabled=no
# Telnet: plaintext, no integrity -- prefer ssh (22) and drop this rule if unused.
add chain=services action=accept dst-port=23 protocol=tcp comment="allow \
telnet" disabled=no
add chain=services action=accept dst-port=81 protocol=tcp comment="allow http, \
webbox" disabled=no
add chain=services action=accept dst-port=20561 protocol=udp comment="allow \
MACwinbox " disabled=no
# MikroTik neighbour discovery (MNDP) -- discloses identity/version to any listener.
add chain=services action=accept dst-port=5678 protocol=udp comment=" MT \
Discovery Protocol" disabled=no
# DNS over TCP and UDP: the router's resolver answers anyone who reaches it
# (open resolver if remote-requests are enabled -- confirm the DNS settings).
add chain=services action=accept dst-port=53 protocol=tcp comment="allow DNS \
request" disabled=no
add chain=services action=accept dst-port=53 protocol=udp comment="Allow DNS \
request" disabled=no
# VPN servers: L2TP (udp/1701), PPTP control (tcp/1723) and GRE for PPTP/EoIP.
add chain=services action=accept dst-port=1701 protocol=udp comment="allow \
L2TP" disabled=no
add chain=services action=accept dst-port=1723 protocol=tcp comment="allow \
PPTP" disabled=no
add chain=services action=accept protocol=gre comment="allow PPTP and EoIP" \
disabled=no
add chain=services action=accept protocol=ipencap comment="allow IPIP" \
disabled=no
# UPnP (SSDP udp/1900 and the control port used here on tcp/2828).
add chain=services action=accept dst-port=1900 protocol=udp comment="UPnP" \
disabled=no
add chain=services action=accept dst-port=2828 protocol=tcp comment="UPnP" \
disabled=no
add chain=services action=accept dst-port=67-68 protocol=udp comment="allow \
DHCP" disabled=no
# NOTE(review): NTP runs over UDP, so this tcp/123 rule does not admit NTP
# traffic; decide whether NTP should be reachable at all before changing the
# protocol, otherwise delete the rule.
add chain=services action=accept dst-port=123 protocol=tcp comment="allow NTP" \
disabled=no
# NOTE(review): SNMP likewise runs over UDP; as written this rule admits
# nothing. Exposing SNMP on all interfaces is rarely wanted -- if it is needed,
# restrict it to the management source as well as fixing the protocol.
add chain=services action=accept dst-port=161 protocol=tcp comment="allow \
SNMP" disabled=no
# Hotspot login page (https) and SOCKS proxy.
add chain=services action=accept dst-port=443 protocol=tcp comment="allow \
https for Hotspot" disabled=no
add chain=services action=accept dst-port=1080 protocol=tcp comment="allow \
Socks for Hotspot" disabled=no
# IPsec: IKE on udp/500 plus the ESP and AH protocols.
add chain=services action=accept dst-port=500 protocol=udp comment="allow \
IPSec connections" disabled=no
add chain=services action=accept protocol=ipsec-esp comment="allow IPSec" \
disabled=no
add chain=services action=accept protocol=ipsec-ah comment="allow IPSec" \
disabled=no
# Routing protocols, accepted from any neighbour on any interface.
add chain=services action=accept dst-port=179 protocol=tcp comment="Allow BGP" \
disabled=no
add chain=services action=accept dst-port=520-521 protocol=udp comment="allow \
RIP" disabled=no
add chain=services action=accept protocol=ospf comment="allow OSPF" \
disabled=no
# NOTE(review): the comment says BGP, but BGP is tcp/179 (accepted above);
# confirm what udp/5000-5100 is actually for before keeping this range open.
add chain=services action=accept dst-port=5000-5100 protocol=udp \
comment="allow BGP" disabled=no
# H.323 telephony signalling (tcp/1720) and RAS (udp/1719).
add chain=services action=accept dst-port=1720 protocol=tcp comment="allow \
Telephony" disabled=no
add chain=services action=accept dst-port=1719 protocol=udp comment="allow \
Telephony" disabled=no
add chain=services action=accept protocol=vrrp comment="allow VRRP " \
disabled=no
# No terminating rule at the end of this chain: an unmatched packet returns to
# chain=input, which ends with an unconditional drop.
# ---- chain=forward / chain=output: only invalid-state packets are dropped ----
# NOTE(review): this is the only forward rule in the export, so routed traffic
# in both directions is otherwise unrestricted; any LAN-side protection has to
# come from elsewhere (NAT, or rules not shown here).
add chain=forward action=drop connection-state=invalid comment="drop invalid \
packets" disabled=no
add chain=output action=drop connection-state=invalid comment="drop invalid \
packets" disabled=no
# Default-deny for the input chain: anything not accepted by the ICMP /
# services / virus dispatch above is dropped here.
add chain=input action=drop comment="Drop All input" disabled=no