What is GPON (Gigabit Passive Optical Network)?

• An access technology classed as broadband access over fibre-optic cable.
• One of the technologies standardised by the ITU-T, in the G.984 series of recommendations.
• One device is placed at the central office and distributes Triple Play traffic (voice, data, video) towards the subscribers.
• What distinguishes it from other optical technologies such as SDH is that traffic is distributed passively: between the central office and the subscriber the signal is split by passive optical splitters (1:2, 1:4, 1:8, 1:16, 1:32, 1:64) with no powered equipment in the path. This cuts both CAPEX and OPEX sharply.
• GPON uses TDMA as the upstream multiple-access technique and broadcasts in the downstream direction. Each ONU/ONT is identified by an ONU-ID, and its upstream transmission is granted in T-CONTs (transmission containers, each addressed by an Alloc-ID), which are the containers of communication between the OLT at the central office and the ONT. Because downstream frames physically reach every ONT on the splitter tree, G.984 encrypts the downstream payload with a per-ONT AES key; confidentiality between subscribers on a shared ODN depends on that encryption actually being enabled on the OLT.

GPON configurations

a.  Triple play with RF video

b.  IP triple play application

 

GPON equipment consists of:

§ An Optical Line Termination (OLT), installed at the central office.
§ A number of Optical Network Units (ONU) or Optical Network Terminations (ONT), placed at various points of the point-to-multipoint broadband access network between the central office and the customer premises.
§ The Optical Distribution Network (ODN): the optical fibre, the passive splitters/couplers and accessories such as connectors that join the ODN elements together.

GPON services

1. Basic services (basic telecommunication services)

a. Voice (telephony)
b. Broadband Internet
c. IPTV

2. Intelligent cyber building system / cyber home

• Fire alarm
• Security system
• Energy management system
• Programmed maintenance
• Entertainment

3. VPN/IP


Internet access is needed by more and more parties: offices, Internet cafés, online-game centres, schools, campuses, even homes.

To make it easier for customers to implement an Internet network in their environment, here are some common patterns that can be used when designing a TCP/IP-based computer network.

Example 1.

Internet access via:

Wireless LAN (WLAN) / leased line

Suitable for:

  • SOHO (Small Office Home Office) or SMEs (UKM, small and medium enterprises)
  • Branch offices
  • Schools
  • Internet cafés or online-game centres

Applications:

  • Web browsing
  • Chat
  • Download / upload
  • VoIP (Voice over Internet Protocol)
  • Online games

Notes:

  • If a server that must be reachable from the Internet has to live on a machine other than the PC router, port forwarding on the router can be used. Forward only the ports that service needs, to that one host: every forwarded port is an Internet-facing exposure of a machine on the LAN.

Figure 1. Simple Internet network using WLAN

Example 2.

Internet access via:

Wireless LAN (WLAN)

Suitable for:

  • SOHO (Small Office Home Office) or SMEs (UKM, small and medium enterprises)
  • Branch offices
  • Schools
  • Internet cafés or online-game centres

Applications:

  • Web browsing
  • Chat
  • Download / upload
  • VoIP (Voice over Internet Protocol)
  • Online games

Notes:

  • A DMZ (demilitarized zone) keeps the publicly reachable server separated from the internal LAN, so a compromised server does not get direct access to the internal hosts; the firewall must deny DMZ-to-LAN traffic for that to hold
  • One server reachable from the Internet can be added
  • Requires 4 public IP addresses (a /30): 1 for the server reachable directly from the Internet, 1 for the gateway in front of that server, 1 network address, 1 broadcast address

Figure 2. Internet network with a DMZ using WLAN

Example 3.

Internet access via:

Wireless LAN (WLAN)

Suitable for:

  • Medium-sized companies
  • Head offices
  • Campuses

Applications:

  • Web browsing
  • Chat
  • Download / upload
  • VoIP (Voice over Internet Protocol)
  • Application servers

Notes:

  • Requires a /29 allocation, 8 public IP addresses: 5 for servers reachable directly from the Internet, 1 for the gateway in front of those servers, 1 network address, 1 broadcast address
  • Has its own netname, visible in whois lookups from the Internet
  • Requires a network/system administrator

Figure 3. Internet network with a /29 allocation using WLAN

Example 4.

Internet access via:

ADSL

Suitable for:

  • SOHO (Small Office Home Office) or SMEs (UKM, small and medium enterprises)
  • Branch offices
  • Schools
  • Internet cafés or online-game centres

Applications:

  • Web browsing
  • Chat
  • Download / upload
  • VoIP (Voice over Internet Protocol)
  • Online games

Notes:

  • If a server that must be reachable from the Internet has to live on a machine other than the PC router, port forwarding can be used; be aware, though, that ADSL is a poor fit for hosting a web server inside the network, because it is asymmetric: downstream bandwidth is usually large but upstream is small, and a server's traffic towards its visitors is all upstream.

Figure 4. Simple Internet network using ADSL with an external modem

Example 5.

Internet access via:

ADSL

Suitable for:

  • SOHO (Small Office Home Office) or SMEs (UKM, small and medium enterprises)
  • Branch offices
  • Schools
  • Internet cafés or online-game centres

Applications:

  • Web browsing
  • Chat
  • Download / upload
  • VoIP (Voice over Internet Protocol)
  • Online games

Notes:

  • If a server that must be reachable from the Internet has to live on a machine other than the PC router, port forwarding can be used; be aware, though, that ADSL is a poor fit for hosting a web server inside the network, because it is asymmetric: downstream bandwidth is usually large but upstream is small, and a server's traffic towards its visitors is all upstream.

Figure 5. Simple Internet network using ADSL with an internal/USB modem
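The port forwarding mentioned in the notes of Examples 1, 4 and 5, written out for a Linux PC router. This is an added example, not part of the original page: the WAN interface name eth0, the internal host 192.168.1.10 and the dry-run IPT wrapper (which only prints the rules unless IPT=iptables is set) are assumptions for illustration. The point it makes beyond the note is that with a FORWARD DROP policy the DNAT rule alone does nothing; a FORWARD rule scoped to exactly that host and port is what opens the path, and nothing else on the host.

```sh
#!/bin/sh
# Port forwarding on a Linux PC router: publish one internal server on a public
# port. Added example, not from the original page. By default IPT only prints
# the rules (dry run); run with IPT=iptables to apply them. The interface name
# and the 192.168.1.10 server are assumptions for illustration.
IPT="${IPT:-echo iptables}"

# Rules every forwarding router needs once: let reply traffic back through, and
# hide the LAN behind the router's public address.
pf_base() {
    wan=$1
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# pf_rules WAN_IF PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# Emits the DNAT rule plus a FORWARD rule scoped to exactly this flow. The
# FORWARD rule is what makes the forward work when the router policy is
# FORWARD DROP, and scoping it to one host:port keeps the rest of that host
# (and the LAN) unreachable from outside.
pf_rules() {
    wan=$1; pub=$2; host=$3; port=$4
    for p in "$pub" "$port"; do
        case "$p" in ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 1;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    # 1. rewrite the destination of new connections arriving on the WAN side
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport "$pub" \
        -j DNAT --to-destination "$host:$port"
    # 2. allow only that rewritten flow (new connections) to cross the router;
    #    replies are covered by the ESTABLISHED,RELATED rule in pf_base
    $IPT -A FORWARD -i "$wan" -p tcp -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

pf_base eth0
pf_rules eth0 80 192.168.1.10 80      # web server
pf_rules eth0 2222 192.168.1.10 22    # ssh on a non-default public port
```

Run it as is to review the rules, then with IPT=iptables to apply them; the numeric checks stop a typo in a port from becoming a rule that matches nothing.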

Example 6.

Internet access via:

ADSL

Suitable for:

  • SOHO (Small Office Home Office) or SMEs (UKM, small and medium enterprises)
  • Branch offices
  • Personal use

Applications:

  • Web browsing
  • Chat
  • Download / upload
  • VoIP (Voice over Internet Protocol)
  • Online games

Figure 6. Personal Internet network using ADSL

Example 7.

Internet access via:

Wireless LAN (WLAN), ADSL, fibre optic, leased line, etc.

Suitable for:

  • Apartment buildings
  • Office buildings

Applications:

  • Web browsing
  • Chat
  • Download / upload
  • VoIP (Voice over Internet Protocol)
  • Online games

Notes:

  • Internet access over the building's telephone wiring: the Internet service is carried on the existing phone cabling of the apartment or office building.
  • The customer only needs a HomePNA adapter or an ordinary ADSL modem in place of a modem.

Figure 7. Internet network using HomePNA

Source: a friend at DutaUtama

 

Cisco ME 3400 series switches are designed for Metro Ethernet service providers. They introduce new concepts and features that make the product easier to manage, deploy, and troubleshoot. One of these is the concept of UNI/NNI port types.

  • UNI, User Network Interface (customer-facing port)
  • NNI, Network Node Interface (network-facing port)

Based on the port type, certain features and behaviours are enabled or disabled, which simplifies configuration, deployment, and troubleshooting.

By default, UNI ports:

  • do not switch traffic locally to other UNI ports, even in the same VLAN. This isolates customers from each other (host A does not see host B) and is the main security property of the port type.
  • have Control Plane Security (CPS) enabled. CPS limits the traffic a customer port can send to the switch CPU, which protects the switch against DoS from the customer side.
  • can still be allowed to switch locally when that is what the service needs: up to 8 UNI ports on the same ME 3400 can be placed in a UNI community VLAN and forward traffic among themselves.

NNI ports:

  • On the ME 3400-24TS the 2 SFP ports are NNI by default
  • On the ME 3400G-12CS and ME 3400G-2CS the SFP-only ports are NNI by default
  • At most 4 ports can be defined as NNI (this applies to the ME 3400-24TS and ME 3400G-12CS; on the ME 3400G-2CS all 4 ports can be configured as NNI)

NOTE: In 12.2(25)SEG and later releases with the Metro IP Access image, any port can optionally be configured as NNI (no longer limited to 4).


To configure port type:

me3400#conf t
me3400(config)#int gi0/10
me3400(config-if)#port-type ?
  nni  Set port-type to NNI
  uni  Set port-type to UNI

Configuring UNI ports to do local switching (forwarding traffic between UNI ports)

Ports Fa0/3 and Fa0/4 on the ME 3400 are UNI ports in VLAN 10. Fa0/3 does not forward traffic to Fa0/4 and vice versa, but we want local switching between them. Interface Fa0/1 is an NNI. Configuration (the community setting is per VLAN, so it lifts the isolation only for the UNI ports in VLAN 10):

me3400(config)#vlan 10
me3400(config-vlan)#uni-vlan community

Configuration of ports:

interface FastEthernet0/3
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 10
!

View VLAN configuration:

me3400-test#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
10   test1                           active    Fa0/4
20   test                             active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

VLAN Type              Ports
---- ----------------- -------------------------------------------------------
10   UNI community     Fa0/1, Fa0/3, Fa0/4
 

Link aggregation between a Cisco 3750 switch and Ubuntu 9.10

Ubuntu configuration:
Install ifenslave (attach and detach slave network devices to a bonding device):

apt-get install ifenslave

Edit or create the file /etc/modprobe.d/aliases.conf:

alias bond0 bonding
options bonding mode=4 miimon=100

where mode 4 is IEEE 802.3ad dynamic link aggregation: it creates aggregation groups that share the same speed and duplex settings and uses all slaves in the active aggregator according to the 802.3ad specification. It needs an LACP-speaking partner (the channel-group on the switch below); without one the slaves do not bundle and only one of them carries traffic. miimon=100 checks link state every 100 ms so a dead link is taken out of the bundle. The driver's transmit hash defaults to layer2 (source/destination MAC); add xmit_hash_policy=layer2+3 to the options line if the server side should spread flows by IP address like the src-dst-ip policy set on the switch below.
Edit /etc/network/interfaces.

auto bond0
iface bond0 inet static
        address 192.168.200.5
        netmask 255.255.255.0
        network 192.168.200.0
        broadcast 192.168.200.255
        post-up ifenslave bond0 eth0 eth1
        gateway 192.168.200.1
        dns-nameservers 192.168.200.1
        dns-search example.com

UPDATE (02.01.2012): Ubuntu 11.10 (oneiric).

 

1. Edit or create the file /etc/modprobe.d/aliases.conf:

alias netdev-bond0 bonding
options bonding mode=4 miimon=100

or

2. To load bonding at boot, put the module "bonding" in /etc/modules:

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
loop
lp
rtc
bonding

In /etc/network/interfaces:

auto bond0
iface bond0 inet static
        slaves eth0 eth1
        bond_mode 4
        bond_miimon 100
        address 192.168.200.5
        netmask 255.255.255.0
        network 192.168.200.0
        broadcast 192.168.200.255
        post-up ifenslave bond0 eth0 eth1

Cisco configuration ( Gi1/0/1 and Gi1/0/2 will be aggregated ):

cisco-3750(config)#interface range GigabitEthernet 1/0/1, GigabitEthernet 1/0/2
cisco-3750(config-if-range)#switchport trunk encapsulation dot1q
cisco-3750(config-if-range)#switchport trunk allowed vlan 10,20
cisco-3750(config-if-range)#switchport mode trunk
cisco-3750(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
cisco-3750(config-if-range)#end
cisco-3750#

The configuration of interface Port-Channel 1 must be exactly the same as that of Gi1/0/1 and Gi1/0/2:

cisco-3750#sh ru int Po1
Building configuration...
Current configuration : 159 bytes
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
end

To change the configuration of the aggregated links, change only the Port-Channel interface; IOS pushes it to the member ports.
The last step is to set the load-balance algorithm. This hashes only the switch-to-server direction; the server-to-switch direction is hashed by the Linux bonding driver (xmit_hash_policy), so set both if you want symmetric distribution:

cisco-3750(config)#port-channel load-balance src-dst-ip
cisco-3750#sh etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-dst-ip):
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address

cisco-3750#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/1(P)  Gi1/0/2(P)

cisco-3750#
cisco-3750#show etherchannel protocol
                Channel-group listing:
                ----------------------
Group: 1
----------
Protocol:  LACP

Traffic graphs (images not reproduced): Gi1/0/1, Gi1/0/2 and Port-Channel1.
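A check for the Linux side of the procedure above. "show etherchannel summary" tells you what the switch thinks; the bonding driver's view is in /proc/net/bonding/bond0, and the thing to verify there is that every slave sits in the active aggregator. This is an added example, not from the original page: the two status files are constructed samples that mirror the /proc format, so it runs without a bond; on a real host call bond_check /proc/net/bonding/bond0.

```sh
#!/bin/sh
# Verify that a Linux 802.3ad bond actually negotiated one LACP aggregator with
# the switch. Added example, not from the original page. It reads the format of
# /proc/net/bonding/bond0; the two status files below are constructed samples,
# on a real host call bond_check /proc/net/bonding/bond0.

# bond_check FILE: print "slave mii-status ok|split" per slave and return 0
# only when the bond is mode 4, its MII status is up, and every slave is up
# and sits in the active aggregator. A slave in another aggregator means the
# switch did not bundle that port (wrong channel-group, LACP not active), so
# it carries no traffic and the "redundancy" is an illusion.
bond_check() {
    f=$1
    grep -q '^Bonding Mode: IEEE 802.3ad' "$f" || { echo "FAIL: not 802.3ad (mode 4)"; return 1; }
    [ "$(sed -n '/^MII Status:/{p;q;}' "$f")" = "MII Status: up" ] || { echo "FAIL: bond has no link"; return 1; }
    report=$(awk '
        /^Active Aggregator Info/ { in_active = 1; next }
        in_active && /Aggregator ID:/ { active = $NF; in_active = 0 }
        /^Slave Interface:/ { slave = $NF; next }
        slave != "" && /^MII Status:/ { status[slave] = $NF }
        slave != "" && /^Aggregator ID:/ { agg[slave] = $NF }
        END {
            for (s in status)
                printf "%s %s %s\n", s, status[s], ((active != "" && agg[s] == active) ? "ok" : "split")
        }' "$f")
    [ -n "$report" ] || { echo "FAIL: no slaves enslaved"; return 1; }
    echo "$report"
    if echo "$report" | grep -qv ' up ok$'; then
        echo "FAIL: a slave is down or outside the active aggregator"; return 1
    fi
    return 0
}

# Constructed sample in the layout of /proc/net/bonding/bond0: healthy bond.
BOND_OK=$(mktemp); BOND_SPLIT=$(mktemp)
cat > "$BOND_OK" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: slow
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 2
        Partner Mac Address: 00:1a:2b:3c:4d:5e

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Aggregator ID: 1
EOF
# Same bond, but the switch bundled only eth0: eth1 formed its own aggregator.
sed '/^Slave Interface: eth1/,$s/^Aggregator ID: 1$/Aggregator ID: 2/' "$BOND_OK" > "$BOND_SPLIT"

bond_check "$BOND_OK"
bond_check "$BOND_SPLIT" || echo "(expected: the split sample fails the check)"
```

The split case is what you get when one switch port was left out of the channel-group or the switch side is "on" rather than LACP: the bond comes up, the link light is green, and half the capacity and all of the failover are missing.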

 
ToS / DSCP conversion table. The ToS byte carries the 6-bit DSCP in its upper bits and the 2 ECN bits in its lower two, so DSCP = ToS >> 2 and ToS = DSCP << 2 (with ECN zero); the IP precedence is the top 3 bits of either, and the three flag columns are the old delay/throughput/reliability bits of the ToS byte. The class name follows from the DSCP bits: csN when the low three bits are 000, afXY with class X = DSCP >> 3 and drop precedence Y = (DSCP & 7) >> 1, and ef for 46.

ToS dec  ToS hex  ToS bin   Prec bin  Prec dec  Delay  Throughput  Reliability  DSCP bin  DSCP hex  DSCP dec  DSCP class
0        0x00     00000000  000       0         0      0           0            000000    0x00      0         none (default)
32       0x20     00100000  001       1         0      0           0            001000    0x08      8         cs1
40       0x28     00101000  001       1         0      1           0            001010    0x0A      10        af11
48       0x30     00110000  001       1         1      0           0            001100    0x0C      12        af12
56       0x38     00111000  001       1         1      1           0            001110    0x0E      14        af13
64       0x40     01000000  010       2         0      0           0            010000    0x10      16        cs2
72       0x48     01001000  010       2         0      1           0            010010    0x12      18        af21
80       0x50     01010000  010       2         1      0           0            010100    0x14      20        af22
88       0x58     01011000  010       2         1      1           0            010110    0x16      22        af23
96       0x60     01100000  011       3         0      0           0            011000    0x18      24        cs3
104      0x68     01101000  011       3         0      1           0            011010    0x1A      26        af31
112      0x70     01110000  011       3         1      0           0            011100    0x1C      28        af32
120      0x78     01111000  011       3         1      1           0            011110    0x1E      30        af33
128      0x80     10000000  100       4         0      0           0            100000    0x20      32        cs4
136      0x88     10001000  100       4         0      1           0            100010    0x22      34        af41
144      0x90     10010000  100       4         1      0           0            100100    0x24      36        af42
152      0x98     10011000  100       4         1      1           0            100110    0x26      38        af43
160      0xA0     10100000  101       5         0      0           0            101000    0x28      40        cs5
184      0xB8     10111000  101       5         1      1           0            101110    0x2E      46        ef
192      0xC0     11000000  110       6         0      0           0            110000    0x30      48        cs6
224      0xE0     11100000  111       7         0      0           0            111000    0x38      56        cs7
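The table above can be derived rather than memorised. The following added example (not from the original page) computes DSCP, precedence and the PHB name from the bit layout, and reports code points that are not standard PHBs as dscpN instead of guessing, which is what you want when a capture shows an unexpected marking.

```sh
#!/bin/sh
# Derive DSCP values and class names from the bit layout instead of the table.
# Added example, not from the original page.

tos_to_dscp() { echo $(( $1 >> 2 )); }   # drop the 2 ECN bits
dscp_to_tos() { echo $(( $1 << 2 )); }   # ECN bits zero
precedence()  { echo $(( $1 >> 5 )); }   # top 3 bits of the ToS byte

# dscp_class N: PHB name for DSCP N (0..63). cs<k> when the low three bits are
# 000, af<class><drop> for classes 1..4 with drop precedence 1..3, ef for 46;
# anything else is a non-standard code point and is reported as dscp<N>.
dscp_class() {
    d=$1
    case $d in ''|*[!0-9]*) return 1;; esac
    [ "$d" -le 63 ] || return 1
    hi=$(( d >> 3 )); lo=$(( d & 7 ))
    if [ "$d" -eq 46 ]; then
        echo ef
    elif [ "$lo" -eq 0 ]; then
        if [ "$hi" -eq 0 ]; then echo default; else echo "cs$hi"; fi
    elif [ "$hi" -ge 1 ] && [ "$hi" -le 4 ] && [ $(( lo & 1 )) -eq 0 ]; then
        echo "af$hi$(( lo >> 1 ))"
    else
        echo "dscp$d"
    fi
}

# Reproduce a few rows of the table above from the ToS byte alone.
for tos in 0 40 104 184 224; do
    d=$(tos_to_dscp "$tos")
    printf 'ToS %3d -> prec %d, DSCP %2d (%s)\n' "$tos" "$(precedence "$tos")" "$d" "$(dscp_class "$d")"
done
```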

 

 

! NBAR marking policy. Port 5222 (XMPP/Jabber) is not a built-in NBAR protocol,
! so it is defined as a custom one first.
ip nbar custom jabber_tcp tcp 5222
ip nbar custom jabber_udp udp 5222

! match-any: a packet belongs to the class if any one line matches.
class-map match-any Realtime
 match protocol sip
 match protocol rtp
 match protocol jabber_udp
 match vlan 3

class-map match-any Interactive
 match protocol http
 match protocol secure-http
 match protocol telnet
 match protocol dns
 match protocol icmp
 match protocol jabber_tcp

class-map match-any Batch
 match protocol snmp
 match protocol rip
 match protocol netbios
 match protocol ntp

! Every packet leaving the interface is re-marked here, including class-default
! (set dscp default), so a host that marks its own packets EF gains nothing:
! only traffic the router classifies as Realtime leaves as EF. Interactive and
! Batch both receive af11, so a downstream device cannot tell them apart.
policy-map ke-QoS-policy
 class Realtime
  set dscp ef
 class Interactive
  set dscp af11
 class Batch
  set dscp af11
 class class-default
  fair-queue
  set dscp default

! Applied outbound on the WAN interface. protocol-discovery keeps per-protocol
! counters ("show ip nbar protocol-discovery") to check what is being classified.
interface FastEthernet4
 ip nbar protocol-discovery
 service-policy output ke-QoS-policy

 

#You must have the web server and database modules installed and the services running before installing MySQL Squid Access Report!!

#log in and change to the download directory.
cd /usr/local/src

#Download the current version of MySQL Squid Access Report (MySAR) from sourceforge
#2.1.4 as of August 7, 2010
#the download is plain http: compare the tarball against the checksum published on the project page before going further
wget http://downloads.sourceforge.net/project/mysar/mysar/2.1.4/mysar-2.1.4.tar.gz

#extract it to /usr/local (it will create /usr/local/mysar)
tar zxvf mysar-2.1.4.tar.gz -C /usr/local

#copy the apache alias to the conf.d directory
#(the report shows every user's browsing history, so restrict access to the /mysar alias to administrators' addresses in this file)
cp /usr/local/mysar/etc/mysar.apache /etc/httpd/conf.d/mysar.apache.conf

#create the MySAR config.ini from the example
cp /usr/local/mysar/etc/config.ini.example /usr/local/mysar/etc/config.ini

#restart the web server
service httpd restart

#go to a browser and configure MySAR
#http://<IP of your ClearOS Box>/mysar
#for example: http://10.0.1.1/mysar
#follow the instructions!!! it is really hard to mess up.

#when it says you are done and need to delete the install folder, DO SO.
rm -rf /usr/local/mysar/www/install

#finally copy the cron job over to begin the automated database population.
cp /usr/local/mysar/etc/mysar.cron /etc/cron.d/mysar

#you are done, now go back to the browser and hit refresh to watch it start populating

 

#!/bin/sh

iptables=/sbin/iptables

# Default policies: flush everything and drop by default.
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP   # remember to open the OUTPUT rules you need later
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP

# Create a chain named maccheck in the mangle table and send everything that
# arrives on eth1 through it (-F/-X of the chain fail harmlessly on the first
# run, before it exists).
$iptables -t mangle -F
$iptables -t mangle -F maccheck 2>/dev/null
$iptables -t mangle -X maccheck 2>/dev/null
$iptables -t mangle -N maccheck
$iptables -t mangle -I PREROUTING -i eth1 -j maccheck

# Registered IP address + MAC address pairs: a packet whose source IP and
# source MAC both match leaves the chain unmarked (RETURN).
$iptables -t mangle -A maccheck -i eth1 -s 192.168.0.1 -m mac --mac-source 00:80:11:11:11:11 -j RETURN
$iptables -t mangle -A maccheck -i eth1 -s 192.168.0.2 -m mac --mac-source 00:80:22:22:22:22 -j RETURN
$iptables -t mangle -A maccheck -i eth1 -s 192.168.0.3 -m mac --mac-source 00:80:33:33:33:33 -j RETURN

# Anything still in the chain has an IP or MAC that is not registered, or a
# registered IP used with the wrong MAC: mark it so it can be dropped below.
$iptables -t mangle -A maccheck -i eth1 -j MARK --set-mark 1

# Drop the marked packets. The mark is set in PREROUTING, so only packets that
# came in on eth1 carry it; locally generated traffic in OUTPUT never does,
# which is why no OUTPUT rule is needed here.
$iptables -A INPUT -i eth1 -m mark --mark 1 -j DROP
$iptables -A FORWARD -i eth1 -m mark --mark 1 -j DROP

# NOTE: an IP/MAC pair is not authentication. Anyone on the eth1 segment can
# set a registered MAC and IP on their own interface, so treat this as a
# hygiene control, not as an access-control boundary.

# Continue your firewall script here.
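The script above hard-codes three pairs. The following added example (not from the original page) builds the same maccheck chain from a whitelist file, validates each entry before it becomes a rule, and refuses to build a chain from an empty list, because with the catch-all MARK rule an empty whitelist would lock every host out. IPT defaults to a dry run that prints the rules; set IPT=iptables to apply. The whitelist content is a constructed sample and the interface name is an assumption.

```sh
#!/bin/sh
# Build the "maccheck" mangle chain from a whitelist file instead of hand-written
# rules. Added example, not from the original page. IPT defaults to a dry run that
# only prints the rules; set IPT=iptables to apply. The whitelist is constructed.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"

# valid_pair IP MAC: 0 when both fields are well formed. A typo in the list must
# be rejected here, not turned into a rule that silently matches nothing.
valid_pair() {
    ip=$1; mac=$2
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# maccheck_rules WHITELIST: emit the chain, one RETURN per trusted (ip, mac)
# pair, then MARK everything else so INPUT/FORWARD can drop it. The mac match
# is only valid in PREROUTING, INPUT and FORWARD, which is why the check lives
# in mangle PREROUTING and the drops in the filter table.
maccheck_rules() {
    list=$1
    $IPT -t mangle -N maccheck
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -j maccheck
    n=0
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue;; esac
        valid_pair "$ip" "$mac" || { echo "skipping malformed entry: $ip $mac" >&2; continue; }
        $IPT -t mangle -A maccheck -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j RETURN
        n=$((n + 1))
    done < "$list"
    [ "$n" -gt 0 ] || { echo "empty whitelist: refusing to build a chain that drops everyone" >&2; return 1; }
    # anything still here has an unknown IP/MAC combination
    $IPT -t mangle -A maccheck -i "$LAN_IF" -j MARK --set-mark 1
    $IPT -A INPUT   -i "$LAN_IF" -m mark --mark 1 -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -m mark --mark 1 -j DROP
}

# Constructed sample whitelist: two good entries and two that must be skipped.
WHITELIST=$(mktemp)
cat > "$WHITELIST" <<'EOF'
# ip            mac
192.168.0.1     00:80:11:11:11:11
192.168.0.2     00:80:22:22:22:22
192.168.0.300   00:80:33:33:33:33   # bad octet
192.168.0.4     00:80:44:44:44:4    # bad mac
EOF

maccheck_rules "$WHITELIST"
```

The same caveat as for the hand-written version applies: a MAC/IP pair is cloned in one command by anyone on the segment, so this keeps accidental devices off the network, not attackers.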

 

#!/bin/sh
# ---------------------------------------------------
# Copyright (C) 2005
# Last modified by Dani 'Abah' Hadimukti : 09-05-2005
# This firewall configuration is suitable for a router.
# ---------------------------------------------------
IPTABLES=/sbin/iptables

# System components, defined once to ease maintenance.
# -----------------------------------------------------------------------------
LOOPBACK_INTERFACE="lo"              # loopback interface
CLASS_D_MULTICAST="224.0.0.0/4"      # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/4"   # class E reserved addresses (240-255)
OSPF_MCAST="224.0.0.5"               # OSPF AllSPFRouters
OSPFD_MCAST="224.0.0.6"              # OSPF AllDRouters
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address
PRIVPORTS="0:1023"                   # privileged port range
UNPRIVPORTS="1024:"                  # unprivileged port range
SSH_LOCAL_PORTS="1022:65535"         # port range for local ssh clients
SSH_REMOTE_PORTS="513:65535"         # port range for remote ssh clients
TRACEROUTE_SRC_PORTS="32769:65535"   # traceroute source port range
TRACEROUTE_DEST_PORTS="33434:33523"  # traceroute destination port range
# -----------------------------------------------------------------------------

# Every service below was originally written out as the same six rules: client
# to server and server to client, in INPUT, FORWARD and OUTPUT. The two helpers
# generate exactly those rules; the rule set itself is unchanged.
#
# CAVEAT: these rules are stateless. "--sport 80 --dport 1024:" accepts any
# packet whose source port is 80, so a remote host that sends from port 80 (or
# 22, 443, ...) can reach every unprivileged port on the router and on hosts
# behind it. Reply traffic is safer matched with
#   -m conntrack --ctstate ESTABLISHED,RELATED
# and new connections limited to --dport alone.
tcp_service() {   # tcp_service PORT (single port or range such as 20:21)
    $IPTABLES -A INPUT   -p tcp --sport $UNPRIVPORTS --dport "$1" -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --sport $UNPRIVPORTS --dport "$1" -j ACCEPT
    $IPTABLES -A OUTPUT  -p tcp --sport "$1" --dport $UNPRIVPORTS -j ACCEPT

    $IPTABLES -A INPUT   -p tcp --sport "$1" --dport $UNPRIVPORTS -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --sport "$1" --dport $UNPRIVPORTS -j ACCEPT
    $IPTABLES -A OUTPUT  -p tcp --sport $UNPRIVPORTS --dport "$1" -j ACCEPT
}
udp_service() {   # udp_service PORT
    $IPTABLES -A INPUT   -p udp --sport $UNPRIVPORTS --dport "$1" -j ACCEPT
    $IPTABLES -A FORWARD -p udp --sport $UNPRIVPORTS --dport "$1" -j ACCEPT
    $IPTABLES -A OUTPUT  -p udp --sport "$1" --dport $UNPRIVPORTS -j ACCEPT

    $IPTABLES -A INPUT   -p udp --sport "$1" --dport $UNPRIVPORTS -j ACCEPT
    $IPTABLES -A FORWARD -p udp --sport "$1" --dport $UNPRIVPORTS -j ACCEPT
    $IPTABLES -A OUTPUT  -p udp --sport $UNPRIVPORTS --dport "$1" -j ACCEPT
}

# Firewall begins here!

# Clear all rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F

# Default policy: DROP everything, then open only what is listed below
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Specific firewall rules
#
# NOTE on the rate-limit rules that follow: "-m limit ... -j ACCEPT" accepts
# packets up to the limit and does nothing with the excess, which simply falls
# through to the per-service ACCEPT rules further down. To enforce a limit,
# follow each of these rules with the same match and "-j DROP".

# Furtive port scanner (bare RST packets)
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Limit SYN flooding
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Limit Ping of Death: drop ICMP packets of 512 bytes or more
$IPTABLES -A INPUT -p icmp -m length --length 512: -j DROP
$IPTABLES -A FORWARD -p icmp -m length --length 512: -j DROP
$IPTABLES -A OUTPUT -p icmp -m length --length 512: -j DROP

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# OSPF
$IPTABLES -A INPUT -p ospf -j ACCEPT
$IPTABLES -A FORWARD -p ospf -j ACCEPT
$IPTABLES -A OUTPUT -p ospf -j ACCEPT

# GRE tunnelling (disabled)
#$IPTABLES -A INPUT -p gre -j ACCEPT
#$IPTABLES -A FORWARD -p gre -j ACCEPT
#$IPTABLES -A OUTPUT -p gre -j ACCEPT

# ICMP (all types; this also makes the echo-request limit above moot)
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A FORWARD -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

# TRACEROUTE (-S 32769:65535 -D 33434:33523)
$IPTABLES -A INPUT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
$IPTABLES -A FORWARD -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT

# Dynamic routing daemon vtys, zebra/quagga (2600-2605)
tcp_service 2600:2605

# HTTP (80)
tcp_service 80

# Web cache (8080)
tcp_service 8080

# DNS (53): client, full server and zone transfers
udp_service 53
tcp_service 53
# server-to-server queries between port 53 and port 53
$IPTABLES -A INPUT -p udp --sport 53 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp --sport 53 --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 53 --dport 53 -j ACCEPT

# HTTPS (443)
tcp_service 443

# Mikrotik (3987) and Winbox (8291)
tcp_service 3987
tcp_service 8291

# SSH (22)
tcp_service 22

# FTP (20-21). The original allowed --dport 20:1024 in the client-to-server
# direction, which opened every privileged port; narrowed to what the comment
# intended.
tcp_service 20:21

# POP3 (110)
tcp_service 110

# Instant messenger (Yahoo Messenger, 5050)
tcp_service 5050

# VoIP / SIP (5060)
udp_service 5060

# SNMP (161): polling this router only; responses to the router's own polls
# (INPUT from sport 161) stay disabled, as in the original
$IPTABLES -A INPUT -p udp --sport $UNPRIVPORTS --dport 161 -j ACCEPT
$IPTABLES -A FORWARD -p udp --sport $UNPRIVPORTS --dport 161 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 161 --dport $UNPRIVPORTS -j ACCEPT
#$IPTABLES -A INPUT -p udp --sport 161 --dport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -p udp --sport 161 --dport $UNPRIVPORTS -j ACCEPT

# IMAP over SSL (993)
tcp_service 993

# IMAP (143)
tcp_service 143

# QMQP (628)
tcp_service 628

# SMTP (25)
tcp_service 25
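The stateful form of the per-service rules in the router script above, as an added example that is not part of the original page. One conntrack rule per chain replaces every reply-direction rule, and closes the hole those rules leave: with "--sport 80 --dport 1024:" a remote host sending from source port 80 reaches any unprivileged port. IPT defaults to a dry run that prints the rules (set IPT=iptables to apply); the services opened at the bottom are illustrative choices, and the OUTPUT policy of letting the router itself open connections is an assumption to tighten as needed.

```sh
#!/bin/sh
# Stateful form of the per-service rules in the router script above. Added
# example, not from the original page; IPT defaults to a dry run that prints
# the rules, set IPT=iptables to apply. Ports chosen below are illustrative.
IPT="${IPT:-echo iptables}"

# One conntrack rule per chain replaces every reply-direction rule of the
# original ("--sport 80 --dport 1024:" and friends). Those stateless rules are
# also a hole: a remote host that sends from source port 80, 22 or 443 reaches
# any unprivileged port on the router or behind it, because the rule cannot
# tell a reply from a fresh connection. Conntrack can.
fw_base() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -m conntrack --ctstate INVALID -j DROP
    done
    # assumption: the router may open connections outward itself (DNS, NTP,
    # package updates); restrict per service if that is too broad
    $IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
}

# allow_service PROTO PORT [CHAIN ...]
# Permit NEW connections to PORT on the given chains (default INPUT FORWARD):
# INPUT for services the router itself runs, FORWARD for hosts behind it.
# Replies need no rule of their own.
allow_service() {
    proto=$1; port=$2; shift 2
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp: $proto" >&2; return 1;; esac
    case "$port" in ''|*[!0-9:]*) echo "bad port: '$port'" >&2; return 1;; esac
    [ $# -gt 0 ] || set -- INPUT FORWARD
    for chain in "$@"; do
        $IPT -A "$chain" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

fw_base
allow_service tcp 22 INPUT             # ssh to the router only
allow_service tcp 80 FORWARD           # web browsing for the LAN
allow_service tcp 443 FORWARD
allow_service udp 53 INPUT FORWARD     # DNS: the router's own resolver and LAN clients
allow_service tcp 53 INPUT             # zone transfers to the router's DNS
allow_service udp 5060 FORWARD         # SIP signalling
allow_service tcp 2600:2605 INPUT      # zebra/quagga vtys, as in the original
```

Note what is absent: no rule mentions a source port at all, so the only way in is a NEW connection to a listed destination port on the chain where it was listed.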

 
Bitmask (bits)  Dotted-decimal netmask  Hexadecimal netmask  Binary netmask
/0 0.0.0.0 0x00000000 00000000 00000000 00000000 00000000
/1 128.0.0.0 0x80000000 10000000 00000000 00000000 00000000
/2 192.0.0.0 0xc0000000 11000000 00000000 00000000 00000000
/3 224.0.0.0 0xe0000000 11100000 00000000 00000000 00000000
/4 240.0.0.0 0xf0000000 11110000 00000000 00000000 00000000
/5 248.0.0.0 0xf8000000 11111000 00000000 00000000 00000000
/6 252.0.0.0 0xfc000000 11111100 00000000 00000000 00000000
/7 254.0.0.0 0xfe000000 11111110 00000000 00000000 00000000
/8 255.0.0.0 0xff000000 11111111 00000000 00000000 00000000
/9 255.128.0.0 0xff800000 11111111 10000000 00000000 00000000
/10 255.192.0.0 0xffc00000 11111111 11000000 00000000 00000000
/11 255.224.0.0 0xffe00000 11111111 11100000 00000000 00000000
/12 255.240.0.0 0xfff00000 11111111 11110000 00000000 00000000
/13 255.248.0.0 0xfff80000 11111111 11111000 00000000 00000000
/14 255.252.0.0 0xfffc0000 11111111 11111100 00000000 00000000
/15 255.254.0.0 0xfffe0000 11111111 11111110 00000000 00000000
/16 255.255.0.0 0xffff0000 11111111 11111111 00000000 00000000
/17 255.255.128.0 0xffff8000 11111111 11111111 10000000 00000000
/18 255.255.192.0 0xffffc000 11111111 11111111 11000000 00000000
/19 255.255.224.0 0xffffe000 11111111 11111111 11100000 00000000
/20 255.255.240.0 0xfffff000 11111111 11111111 11110000 00000000
/21 255.255.248.0 0xfffff800 11111111 11111111 11111000 00000000
/22 255.255.252.0 0xfffffc00 11111111 11111111 11111100 00000000
/23 255.255.254.0 0xfffffe00 11111111 11111111 11111110 00000000
/24 255.255.255.0 0xffffff00 11111111 11111111 11111111 00000000
/25 255.255.255.128 0xffffff80 11111111 11111111 11111111 10000000
/26 255.255.255.192 0xffffffc0 11111111 11111111 11111111 11000000
/27 255.255.255.224 0xffffffe0 11111111 11111111 11111111 11100000
/28 255.255.255.240 0xfffffff0 11111111 11111111 11111111 11110000
/29 255.255.255.248 0xfffffff8 11111111 11111111 11111111 11111000
/30 255.255.255.252 0xfffffffc 11111111 11111111 11111111 11111100
/31 255.255.255.254 0xfffffffe 11111111 11111111 11111111 11111110
/32 255.255.255.255 0xffffffff 11111111 11111111 11111111 11111111

Source: imageStream.com
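The arithmetic behind the netmask table above and behind the address counts in Example 3 (a /29 gives 8 addresses, 6 usable once network and broadcast are reserved, one of which is the gateway), as an added example that is not part of the original page. It is plain sh so it runs on the PC routers these designs use; the addresses are RFC 5737 documentation ranges chosen for illustration. in_subnet is the check you want before writing a firewall rule for an address that is supposed to live in the allocated block.

```sh
#!/bin/sh
# CIDR arithmetic in plain sh: netmask, network, broadcast and usable host
# count for a block such as the /29 in Example 3. Added example, not from the
# original page; addresses are RFC 5737 documentation ranges, chosen here.

ip2int() {   # dotted quad -> unsigned 32-bit value; fails on malformed input
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {   # unsigned 32-bit value -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_of() {  # prefix length -> netmask as an integer (one row of the table above)
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

cidr_info() {  # cidr_info A.B.C.D/N -> "network broadcast netmask usable-hosts"
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/N" given
    a=$(ip2int "$addr") || return 1
    m=$(mask_of "$plen") || return 1
    net=$(( a & m ))
    bcast=$(( net | (m ^ 4294967295) ))
    size=$(( 1 << (32 - plen) ))
    # network and broadcast are reserved in blocks up to /30; /31 (RFC 3021)
    # and /32 have no such reservation
    if [ "$plen" -le 30 ]; then usable=$(( size - 2 )); else usable=$size; fi
    echo "$(int2ip "$net") $(int2ip "$bcast") $(int2ip "$m") $usable"
}

in_subnet() {  # in_subnet IP A.B.C.D/N -> 0 when IP falls inside the block
    x=$(ip2int "$1") || return 1
    n=$(ip2int "${2%/*}") || return 1
    m=$(mask_of "${2#*/}") || return 1
    [ $(( x & m )) -eq $(( n & m )) ]
}

# Example 3's allocation: 8 addresses, 6 usable, one of them the gateway
cidr_info 203.0.113.8/29
# Example 2's allocation: 4 addresses, 2 usable (server and gateway)
cidr_info 203.0.113.0/30
```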