
How to Block Torrent / P2P

/ip firewall layer7-protocol
add comment="P2P WWW web-based content matching / Zaib" name=p2p_www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add comment="P2P DNS matching / Zaib" name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

/ip firewall mangle
add action=mark-packet chain=postrouting comment="p2p download" disabled=no layer7-protocol=p2p_www new-packet-mark="p2p download" passthrough=no
add action=mark-packet chain=postrouting disabled=no layer7-protocol=p2p_dns new-packet-mark="p2p download" passthrough=no

/ip firewall filter
add action=drop chain=forward comment="Block P2p_www Packets / Zaib" disabled=no layer7-protocol=p2p_www
add action=drop chain=forward comment="Block P2p_dns Packets / Zaib" disabled=no layer7-protocol=p2p_dns
add action=drop chain=forward comment="Block General P2P Connections, default mikrotik p2p collection / zaib" disabled=no p2p=all-p2p

Another approach to block P2P, taken from the MikroTik forum. Not personally checked yet; someone please check and update.
/ip firewall filter
add action=drop chain=forward comment="TORRENT No 1: Classic non-secure torrent" disabled=no p2p=all-p2p
add action=drop chain=forward comment="TORRENT No 2: block outgoing DHT" content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp
add action=drop chain=forward comment="TORRENT No 3: block outgoing TCP announce" content="info_hash=" disabled=no dst-port=2710,80 protocol=tcp
add action=drop chain=forward comment="TORRENT No 4: prohibits download of .torrent files" content="\r\nContent-Type: application/x-bittorrent" disabled=no protocol=tcp src-port=80
add action=drop chain=forward comment="TORRENT No 5: 6771 block Local Broadcast" content="\r\nInfohash:" disabled=no dst-port=6771 protocol=udp
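Rule No 2 above keys on the first bytes of a bencoded KRPC query (`d1:ad2:id20:` is the start of the `a` argument dictionary with a 20-byte `id`) combined with a packet-size window. The Python below is an added check, not code from the page or the forum post, that builds the four standard DHT queries (BEP 5) with a minimal bencoder and runs them through that rule's matchers. It assumes `packet-size` counts the whole IPv4 packet (20-byte header without options plus the 8-byte UDP header) and that `content=` is a substring match; the node ID, target, info-hash and token are constructed placeholders.

```python
# IPv4 header without options plus the UDP header: RouterOS packet-size is the
# whole IP packet, so this is added to the KRPC payload (assumption).
IP_UDP_HEADERS = 20 + 8

DHT_CONTENT = b"d1:ad2:id20:"     # the content= string from "TORRENT No 2"


def bencode(value) -> bytes:
    """Minimal bencoder (BEP 3); dict keys are emitted in sorted order."""
    if isinstance(value, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b"%d:" % len(value) + value
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted(((k.encode() if isinstance(k, str) else k), v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def krpc_query(q: str, args: dict, tid: bytes = b"aa") -> bytes:
    """A KRPC query (BEP 5): {"t": tid, "y": "q", "q": q, "a": args}."""
    return bencode({"t": tid, "y": "q", "q": q, "a": args})


def krpc_response(ret: dict, tid: bytes = b"aa") -> bytes:
    """A KRPC response: {"t": tid, "y": "r", "r": ret}; starts with d1:rd..."""
    return bencode({"t": tid, "y": "r", "r": ret})


def dht_rule_matches(payload: bytes, dst_port: int = 6881, proto: str = "udp") -> bool:
    """Evaluate "TORRENT No 2" on one outgoing packet:
    protocol=udp dst-port=1025-65535 content=d1:ad2:id20: packet-size=95-190."""
    if proto != "udp" or not 1025 <= dst_port <= 65535:
        return False
    if DHT_CONTENT not in payload:          # content= is a substring match
        return False
    return 95 <= IP_UDP_HEADERS + len(payload) <= 190


# Constructed identifiers; real ones are 20-byte SHA-1 sized random values.
NODE_ID, TARGET, INFO_HASH = b"\x01" * 20, b"\x02" * 20, b"\x03" * 20

MESSAGES = {
    "ping": krpc_query("ping", {"id": NODE_ID}),
    "find_node": krpc_query("find_node", {"id": NODE_ID, "target": TARGET}),
    "get_peers": krpc_query("get_peers", {"id": NODE_ID, "info_hash": INFO_HASH}),
    "announce_peer": krpc_query("announce_peer", {"id": NODE_ID, "info_hash": INFO_HASH,
                                                  "port": 6881, "token": b"tok"}),
    "ping_response": krpc_response({"id": NODE_ID}),
}


def evaluate() -> dict[str, tuple[int, bool]]:
    """(on-the-wire size, dropped by the rule?) for each constructed message."""
    return {name: (IP_UDP_HEADERS + len(m), dht_rule_matches(m))
            for name, m in MESSAGES.items()}


if __name__ == "__main__":
    for name, (size, dropped) in evaluate().items():
        print(f"{name:14s} {size:4d} bytes  {'DROP' if dropped else 'pass'}")
```

With these constructed messages `find_node`, `get_peers` and `announce_peer` land inside the 95-190 byte window and are dropped, but a bare `ping` is 84 bytes on the wire and passes, and a response (`d1:rd2:id20:`) never matches the content string. Real clients add a few bytes (a `v` client-version key, for example), which still leaves a ping below the 95-byte floor, so the rule disrupts lookups rather than sealing the DHT off.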
How to open port 80 (only) on MikroTik
Script for blocking all ports on MikroTik except port 80
/ip firewall filter
add action=accept chain=forward comment="Established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add chain=forward dst-port=80 protocol=tcp action=accept disabled=no
add chain=forward action=drop disabled=no

Allow only DNS, HTTP and HTTPS from the LAN interface, and RDP only via the VPN interface
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment="allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment="allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment="allow RDP via VPN"
add chain=forward action=drop

Allow only FTP, SMTP, HTTP, POP3, HTTPS and 8080 from the LAN interface
/ip firewall filter
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=21
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=25
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=80
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=110
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=443
add chain=forward disabled=no action=accept in-interface=LAN protocol=tcp dst-port=8080
add chain=forward disabled=no action=drop in-interface=LAN
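The three filter scripts above are variants of one allow-list, and the differences only show when you push concrete packets through them. The Python below is an added model, not code from the page, of RouterOS's first-match forward-chain evaluation with the three rule sets transcribed as data. It assumes the chain's default is accept when no rule matches (RouterOS behaviour), ignores matchers the scripts do not use, and the probe packets are constructed.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """The matchers the three scripts use; anything else is ignored."""
    protocol: str                      # "tcp", "udp", "icmp"
    dst_port: int = 0
    in_interface: str = "LAN"
    connection_state: str = "new"      # "new", "established", "related", "invalid"


def rule(action: str, **matchers) -> dict:
    """One /ip firewall filter rule; keyword names mirror RouterOS (dst_port -> dst-port)."""
    return {"action": action, **{k.replace("_", "-"): v for k, v in matchers.items()}}


def _ports(spec: str) -> set[int]:
    """Expand a port spec such as "80", "2710,80" or "1025-65535"."""
    out: set[int] = set()
    for part in str(spec).split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def rule_matches(r: dict, pkt: Packet) -> bool:
    """Every matcher present must match; absent matchers are wildcards."""
    return (r.get("protocol", pkt.protocol) == pkt.protocol
            and ("dst-port" not in r or pkt.dst_port in _ports(r["dst-port"]))
            and r.get("in-interface", pkt.in_interface) == pkt.in_interface
            and r.get("connection-state", pkt.connection_state) == pkt.connection_state)


def forward_verdict(rules: list[dict], pkt: Packet) -> str:
    """First matching rule decides; RouterOS accepts when no rule in the chain matches."""
    for r in rules:
        if rule_matches(r, pkt):
            return r["action"]
    return "accept"


# The three rule sets above, transcribed (chain=forward throughout).
PORT80_ONLY = [
    rule("accept", connection_state="established"),
    rule("accept", connection_state="related"),
    rule("accept", protocol="tcp", dst_port="80"),
    rule("drop"),
]
DNS_WEB_RDP = [
    rule("drop", protocol="tcp", connection_state="invalid"),
    rule("accept", connection_state="established"),
    rule("accept", connection_state="related"),
    rule("accept", protocol="tcp", dst_port="53", in_interface="LAN"),
    rule("accept", protocol="udp", dst_port="53", in_interface="LAN"),
    rule("accept", protocol="tcp", dst_port="80", in_interface="LAN"),
    rule("accept", protocol="tcp", dst_port="443", in_interface="LAN"),
    rule("accept", protocol="tcp", dst_port="3389", in_interface="VPN"),
    rule("drop"),
]
LAN_ALLOWLIST = [rule("accept", in_interface="LAN", protocol="tcp", dst_port=p)
                 for p in ("21", "25", "80", "110", "443", "8080")] + [rule("drop", in_interface="LAN")]

SCRIPTS = {"port80_only": PORT80_ONLY, "dns_web_rdp": DNS_WEB_RDP, "lan_allowlist": LAN_ALLOWLIST}


def verdicts(pkt: Packet) -> dict[str, str]:
    """What each script does with one packet."""
    return {name: forward_verdict(rules, pkt) for name, rules in SCRIPTS.items()}


if __name__ == "__main__":
    probes = {                                   # constructed probe packets
        "LAN dns udp/53 new": Packet("udp", 53),
        "LAN http tcp/80 new": Packet("tcp", 80),
        "LAN rdp tcp/3389 new": Packet("tcp", 3389),
        "VPN rdp tcp/3389 new": Packet("tcp", 3389, in_interface="VPN"),
        "WAN reply established": Packet("tcp", 51000, in_interface="WAN", connection_state="established"),
        "WAN unsolicited tcp/445 new": Packet("tcp", 445, in_interface="WAN"),
    }
    for label, pkt in probes.items():
        print(f"{label:30s} {verdicts(pkt)}")
```

Two results matter in practice. The port-80-only script and the LAN allow-list both drop DNS from the LAN, so clients behind them can only resolve names if the router itself is their resolver (that traffic goes through the input chain, not forward) or a udp/53 accept is added. And the LAN allow-list has no established/related rules and drops only `in-interface=LAN`, so forward traffic arriving on any other interface, including a new connection from the WAN or VPN side towards a LAN host, matches nothing and is accepted by the chain default; it relies entirely on NAT to keep unsolicited inbound out.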

Limit streaming sites with a queue tree
/ip firewall layer7-protocol
add comment="" name=streaming regexp="^.*get.+\\.(c.youtube.com|cdn.dailymotion.com|metacafe.com|mccont.com).*\$"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark Packet Streaming" disabled=no layer7-protocol=streaming new-packet-mark=streaming passthrough=no
/queue tree add name="streaming" parent=global-out packet-mark=streaming limit-at=0 queue=default priority=8 max-limit=32k burst-limit=0 burst-threshold=0 burst-time=0s
(parent=global-out is RouterOS v5 syntax; on v6 and later the queue tree parent is global.)

Limit HTTP video by Content-Type (simple queue)
First, create the layer7 protocol that matches HTTP responses whose Content-Type is video:
/ip firewall layer7-protocol add name=http-video regexp="http/(0.9|1.0|1.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
Second, create a mangle rule to mark the video streaming packets:
/ip firewall mangle add action=mark-packet chain=prerouting comment="http-video mark-packet" disabled=no layer7-protocol=http-video new-packet-mark=http-video passthrough=no
Then limit them in a simple queue (in this example the video streaming download limit is 64 kbps):
/queue simple add max-limit=0/64000 name=http-video packet-marks=http-video
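Both the `p2p_www`/`p2p_dns` regexps in the torrent section and the `http-video` regexp above are layer7 patterns, and the useful question for each is what else it matches. The Python harness below is an added example, not code from the page, that compiles the three patterns the way RouterOS does (POSIX regexp, case-insensitive, `.` matching any byte, inspecting only the first 10 packets / 2 KiB of a connection) and runs them over constructed sample payloads rather than real captures.

```python
import re

# The layer7 regexps from this page as the matcher sees them: the "\$" and
# "\\." in the RouterOS export are CLI escaping, not part of the pattern.
SITES = (rb"torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|"
         rb"flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|"
         rb"fenopy|gpirate|commonbits")
PATTERNS = {
    "p2p_www": rb"^.*(get|GET).+(" + SITES + rb").*$",
    "p2p_dns": rb"^.+(" + SITES + rb").*$",
    "http-video": (rb"http/(0.9|1.0|1.1)[\x09-\x0d ][1-5][0-9][0-9]"
                   rb"[\x09-\x0d -~]*(content-type: video)"),
}

# RouterOS layer7 compiles POSIX regexps case-insensitively, "." matches any
# byte, and only the first 10 packets / 2 KiB of a connection are inspected.
L7 = {name: re.compile(pat, re.I | re.S) for name, pat in PATTERNS.items()}
L7_WINDOW = 2048


def l7_matches(stream: bytes) -> list[str]:
    """Names of the layer7 protocols that fire on a connection's first bytes."""
    head = stream[:L7_WINDOW]
    return [name for name, rx in L7.items() if rx.search(head)]


# Constructed sample payloads (not captures); one per case worth checking.
SAMPLES = {
    # intended hit: fetching a .torrent file over plain HTTP
    "http_torrent_file": (b"GET /ubuntu-22.04.torrent HTTP/1.1\r\n"
                          b"Host: www.example.com\r\n\r\n"),
    # collateral: a news article whose path merely contains the word
    "http_news_article": (b"GET /2015/03/torrent-site-ruling.html HTTP/1.1\r\n"
                          b"Host: news.example.org\r\n\r\n"),
    # BEP 3 peer handshake in the clear; "BitTorrent" contains "torrent"
    "bt_handshake_plain": (b"\x13BitTorrent protocol" + bytes(8)
                           + b"\x11" * 20 + b"-AB1000-" + b"\x22" * 12),
    # MSE/PE obfuscated handshake: first bytes are a DH public key, i.e. opaque
    "bt_handshake_mse": bytes((i * 37) % 256 for i in range(96)),
    # DNS queries in wire format; the label bytes are contiguous ASCII
    "dns_query_tpb": (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                      b"\x0cthepiratebay\x03org\x00\x00\x01\x00\x01"),
    "dns_query_other": (b"\x12\x35\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                        b"\x07example\x03com\x00\x00\x01\x00\x01"),
    # HTTP responses: only the video one should be marked by http-video
    "http_video_response": (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
                            b"Content-Type: video/mp4\r\nContent-Length: 4096\r\n\r\n"),
    "http_html_response": (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
                           b"Content-Type: text/html; charset=utf-8\r\n\r\n<html></html>"),
}


def classify_all() -> dict[str, list[str]]:
    """Which layer7 names fire on each sample."""
    return {name: l7_matches(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in classify_all().items():
        print(f"{name:20s} -> {hits or '-'}")
```

What the run shows: the news-article URL is blocked right along with the .torrent download, because a word match has no notion of a hostname; the clear-text peer handshake is caught only by `p2p_dns`, and only because `BitTorrent` contains `torrent`; an MSE-obfuscated handshake matches nothing; the DNS query matches because the label bytes are contiguous ASCII, while the same lookup over DoH or DoT would not be visible at all (a TLS ClientHello carrying one of the names in its SNI matches `p2p_dns` the same way the DNS query does); and `http-video` fires only on the server-to-client response, which is why the simple queue limits the download direction. Since the mangle rules attach `p2p_dns` with no port or protocol matcher, every new connection through the router pays the regexp cost, and anything past the inspection window is never seen.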

Layer7 protocol definitions matching download and media file extensions
/ip firewall layer7-protocol add name="EXE" regexp="\\.(exe)"
/ip firewall layer7-protocol add name="RAR" regexp="\\.(rar)"
/ip firewall layer7-protocol add name="ZIP" regexp="\\.(zip)"
/ip firewall layer7-protocol add name="7z" regexp="\\.(7z)"
/ip firewall layer7-protocol add name="CAB" regexp="\\.(cab)"
/ip firewall layer7-protocol add name="ASF" regexp="\\.(asf)"
/ip firewall layer7-protocol add name="MOV" regexp="\\.(mov)"
/ip firewall layer7-protocol add name="WMV" regexp="\\.(wmv)"
/ip firewall layer7-protocol add name="MPG" regexp="\\.(mpg)"
/ip firewall layer7-protocol add name="MPEG" regexp="\\.(mpeg)"
/ip firewall layer7-protocol add name="MKV" regexp="\\.(mkv)"
/ip firewall layer7-protocol add name="AVI" regexp="\\.(avi)"
/ip firewall layer7-protocol add name="FLV" regexp="\\.(flv)"
/ip firewall layer7-protocol add name="WAV" regexp="\\.(wav)"
/ip firewall layer7-protocol add name="RM" regexp="\\.(rm)"
/ip firewall layer7-protocol add name="MP3" regexp="\\.(mp3)"
/ip firewall layer7-protocol add name="MP4" regexp="\\.(mp4)"
/ip firewall layer7-protocol add name="RAM" regexp="\\.(ram)"
/ip firewall layer7-protocol add name="RMVB" regexp="\\.(rmvb)"
/ip firewall layer7-protocol add name="DAT" regexp="\\.(dat)"
/ip firewall layer7-protocol add name="ISO" regexp="\\.(iso)"
/ip firewall layer7-protocol add name="NRG" regexp="\\.(nrg)"
/ip firewall layer7-protocol add name="BIN" regexp="\\.(bin)"
/ip firewall layer7-protocol add name="VCD" regexp="\\.(vcd)"