Thursday, 9 April 2026

DDoS protection for Mikrotik networks

/ip firewall filter
add action=add-src-to-address-list address-list=block-ddos \
    address-list-timeout=1d chain=input comment="=============================\
    =====Inicio controle DDoS==============" connection-limit=32,32 \
    disabled=no protocol=tcp
add action=tarpit chain=input connection-limit=3,32 disabled=no protocol=tcp \
    src-address-list=block-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
    400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment=\
    "=================Fin Control DDoS============================="

Mikrotik DHCP bandwidth control script

:local queueName "Usuario del DHCP  $leaseActMAC";
:if ($leaseBound = "1") do={
    /queue simple add name=$queueName target=($leaseActIP . "/32") limit-at=5000k/10024k max-limit=10M/20M comment=[/ip dhcp-server lease get [find where active-mac-address=$leaseActMAC && active-address=$leaseActIP] host-name];
} else={
    /queue simple remove $queueName
}

Blocking BitTorrent and P2P


/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"


/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn \
    address-list-timeout=2m chain=forward layer7-protocol=\
    layer7-bittorrent-exp src-address=192.168.2.0/24 src-address-list=\
    !allow-bit
add action=drop chain=forward dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
    src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
    src-address-list=Torrent-Conn


-----------------------------------------------------------------------------------------
Source: https://medium.com/karlbooklover/como-censurar-al-internet-con-reglas-simples-en-routeros-c525c5bc245e
-----------------------------------------------------------------------------------------
# First, we block people from finding torrents. Using MikroTik's layer 7 inspection (L7), we match HTTP GET requests for BitTorrent sites and related sites. Here's my regex:
/ip firewall layer7-protocol
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"

# Now we put in a firewall rule to block with this L7.
/ip firewall filter
add action=drop chain=forward comment="block torrent wwws" disabled=no layer7-protocol=torrent-wwws


# Let's block DNS queries based on the same regex.
/ip firewall layer7-protocol
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"

# Here's the firewall rule to block:
/ip firewall filter
add action=drop chain=forward comment="block torrent dns" disabled=no dst-port=53 layer7-protocol=torrent-dns protocol=udp
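As an added check that is not part of this page or its sources, the following Python replays the two layer7 regexps shown above, layer7-bittorrent-exp (from the "Blocking BitTorrent and P2P" section) and torrent-dns, against constructed sample payloads: a peer handshake, a DHT packet, a lone tracker announce and wire-format DNS queries. It undoes the RouterOS export escaping, shortens the torrent-dns name list, and assumes RouterOS L7 matching is case-insensitive; it also shows that the `get /scrape...get /announce...` alternative only fires when both strings appear back to back, so a plain announce request is not caught.

```python
import re

# The two RouterOS layer7-protocol regexps from the page, with the export-level
# escaping undone (\\x13 -> \x13, \\\? -> \?, \$ -> $) so Python's re sees the
# same pattern RouterOS compiles. The torrent-dns name list is shortened here.
L7_BITTORRENT_EXP = (
    rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash="
    rb"|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]"
)
L7_TORRENT_DNS = rb"^.+(torrent|thepiratebay|isohunt|demonoid|mininova|torrentz).*$"

# Assumption: RouterOS L7 matching is case-insensitive, hence IGNORECASE.
_BT = re.compile(L7_BITTORRENT_EXP, re.IGNORECASE)
_DNS = re.compile(L7_TORRENT_DNS, re.IGNORECASE)


def matches_bittorrent(payload: bytes) -> bool:
    """True if the start of a TCP stream hits layer7-bittorrent-exp."""
    return _BT.search(payload) is not None


def matches_torrent_dns(packet: bytes) -> bool:
    """True if a raw UDP/53 payload hits torrent-dns."""
    return _DNS.search(packet) is not None


def dns_query(name: str) -> bytes:
    """Build a minimal DNS wire-format A query (constructed, transaction ID 0x1234)."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "peer handshake": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40,
    "dht ping": b"d1:ad2:id20:" + b"B" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    # A lone announce misses: the regexp needs "get /scrape..." directly before it.
    "tracker announce": b"GET /announce?info_hash=%12%34&peer_id=-XX0001- HTTP/1.1\r\n",
    "plain http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:17} -> {'MATCH' if matches_bittorrent(data) else 'no match'}")
    for host in ("thepiratebay.org", "example.com"):
        verdict = "MATCH" if matches_torrent_dns(dns_query(host)) else "no match"
        print(f"dns {host:16} -> {verdict}")
```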

Simple DynDNS update script (freedns.afraid.org)

/tool fetch host="freedns.afraid.org" url="https://freedns.afraid.org/dynamic/update.php?CaMbiAr ClAvE.."

Source: https://forum.mikrotik.com/t/simple-dyndns-freedns-afraid-org-update-script/108821

Script to configure Dynu DNS on MikroTik with a dynamic IP

# Detect the public IP via ipify and read it back from the downloaded file
/tool fetch mode=http url="http://api.ipify.org" src-path="" dst-path=/dyn.html
:local currentIP [/file get dyn.html contents]
:log warning "Public IP Detected $currentIP"
######################################################
:global ddnsuser "USER"
:global ddnspass "PASSWORD"
:global ddnshost "DOMINIO"
# Resolve what DNS currently says for the host and compare it with the real public IP
:global ipddns [:resolve $ddnshost];
:log warning "Current DNS $ipddns"
/file remove dyn.html

:if ($ipddns != $currentIP) do={
    :log warning ("Updating IP = $currentIP")
    # Push the new address to the Dynu update API and discard the response file
    :global str "/nic/update?username=$ddnsuser&password=$ddnspass&hostname=$ddnshost&myip=$currentIP"
    /tool fetch address=api.dynu.com src-path=$str mode=https dst-path=("/Dynu.".$ddnshost)
    :delay 1
    :global str [/file find name="Dynu.$ddnshost"];
    /file remove $str
    :global ipddns $currentIP
    :log info "DynuDDNS: IP updated to $currentIP!"
} else={
    :log info "No Need to change, IP Already Updated";
}

CAKE configuration on Mikrotik (advanced queue management and Quality of Service algorithm)

/queue type
add kind=cake \
    name=cake-rx \
    cake-diffserv=besteffort \
    cake-flowmode=dual-dsthost \
    cake-rtt-scheme=regional \
    cake-nat=yes
add kind=cake \
    name=cake-tx \
    cake-ack-filter=filter \
    cake-diffserv=besteffort \
    cake-flowmode=dual-srchost \
    cake-rtt-scheme=regional \
    cake-nat=yes

/queue simple
add name=queue1 \
    max-limit=256M/24M \
    queue=cake-rx/cake-tx \
    target=ether1 \
    total-queue=default

Source:
https://tangentsoft.com/mikrotik/wiki?name=CAKE+Configuration

Tuesday, 4 November 2025

Nginx caching reverse proxy for the HTTP Live Streaming (HLS) protocol

Configuration:

1. Creating a directory for the nginx cache:

proxy_cache_path "/opt/ramcache" use_temp_path=off keys_zone=hls:1m inactive=30s max_size=10g;


---------------------------------------------------------------------

2. Configuration file "hls_proxy.conf" (/etc/nginx/conf.d/hls_proxy.conf):

-----------------------------------------------hls_proxy.conf

server {
    listen 4000;
    server_name _;

    # Playlists change constantly: never cache them
    location ~* \.(m3u8)$ {
        proxy_cache off;
        expires -1;
        proxy_pass http://192.168.88.100:8000;
        include /etc/nginx/hls_proxy_params.conf;
    }

    # Segments are immutable for their short lifetime: cache them briefly
    location ~* \.(ts)$ {
        proxy_pass http://192.168.88.100:8000;
        proxy_cache hls;
        proxy_cache_key $request_uri;
        proxy_cache_valid 200 10s;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;
        proxy_cache_lock_age 5s;
        include /etc/nginx/hls_proxy_params.conf;
    }
}
----------------------------------------------------------------
3. Common proxy options in:
/etc/nginx/hls_proxy_params.conf

----------------------------------------------hls_proxy_params.conf

proxy_redirect              off;

proxy_connect_timeout       5s;
proxy_send_timeout          180s;
proxy_read_timeout          180s;

# Buffer for headers
proxy_buffer_size           16k;
proxy_buffers               512  32k;
proxy_temp_file_write_size  512k;
proxy_max_temp_file_size    256m;

# For keepalive
proxy_http_version          1.1;

proxy_set_header            Host $host;
proxy_set_header            X-Real-IP $remote_addr;
proxy_set_header            X-Forwarded-For $remote_addr;
proxy_set_header            X-Forwarded-Proto $scheme;

proxy_next_upstream         error timeout http_502 http_504;
proxy_next_upstream_tries   2;



-------------------------------------------------------------

Sources:
https://www.hostingtg.com/blog/nginx-servidor-web-alto-rendimiento/
https://help.cesbo.com/misc/tools-and-utilities/network/hls-caching-proxy-with-nginx

---------------------------------------------------------------------------

Practical use:
Prerequisites:
1. Install the Nginx web proxy
2. Configure it following the steps shown above
3. Test that it works