A complete fix for LAN ARP attacks, clean rate limiting, and RouterOS's poor small-packet forwarding performance

Posted 2008-03-12 12:57:12


Script that completely fixes LAN ARP attacks, rate limiting, and ROS's poor small-packet forwarding performance
Script for the 2.9 series; it does not work on 2.8

No ARP binding and no managed switch required; all you need is ROS, and there is nothing to worry about afterwards

The following is written for people who already know ROS. It was tested on 2.9.26, which is the recommended version (mainly because 2.9.26 is currently the highest cracked version available, and it fixes many PPPoE bugs from earlier releases); any version from 2.9.7 up will work.
Type it straight into the ROS terminal.

Notes: no more arp -s binding is needed.
LAN        name of the internal (LAN) interface
TEL        name of the external (WAN) interface
SMALL      small packets, 32-512 bytes, priority 5
BIG        large packets, 512-1200 bytes, priority 6
general    all other packets, 1200-1500 bytes, priority 7
P2P class  priority 8, global download limit of 600 KB/s
Leaf       leaf (child) class
12345      PPPoE password
xy-server  PPPoE account for the server
xy-dating  PPPoE account for the main-hall machines
xy-kazuo   PPPoE account for the booth machines
xy-baofang PPPoE account for the private-room machines

All PPPoE accounts are rate-limited to 3000 Kbps upstream / 4096 Kbps downstream.

The accounts above are shared accounts; if you can, give each machine its own account and fixed IP address, and restrict dial-in to the machine with the specified MAC address.

192.168.3.2-192.168.3.254 is the local IP range clients receive after dialing in
172.32.1.2-172.32.254.254 is the gateway IP range clients receive after dialing in

How the ARP defence works: traffic is encapsulated in PPPoE, and communication takes place between a virtual ROS server IP and a virtual client IP (both allocated at random from address pools). The real server has no real LAN IP, so an ARP attack that relies on forging MAC+IP pairs has nothing to target.

Example: originally the client has IP 192.168.1.1 with gateway 192.168.1.254, and the server IP is 192.168.1.254.
After the change:
the client keeps IP 192.168.1.1 but has no gateway and no DNS configured; the server has no LAN IP at all (you must delete the ROS internal IP address); the Internet-facing IP is obtained by PPPoE dial-up, and the local PPP IP and server IP a client receives differ on every connection. An ARP attack therefore cannot learn the real server IP: it only affects the attacking machine itself, or the spoof simply fails, and LAN communication is unaffected whether or not a client is dialed in.
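The ARP attack the post is defending against, on the pre-migration network where the gateway still had a real LAN address, shows up on the wire as a second MAC answering for 192.168.1.254. The detector below is an added example, not part of the original post and not RouterOS code: it parses ARP replies from constructed log lines (the format imitates tcpdump's ARP output, but the capture and every MAC address in it are made up), keeps an IP-to-MAC binding table, and flags any IP claimed by more than one MAC or by a MAC other than the one the administrator trusts. The trusted gateway MAC is a hypothetical value.

```python
"""Detect ARP spoofing attempts from observed ARP replies.

Added example, not part of the original post or of RouterOS. It models the
attack the post describes on the pre-migration network: a client on
192.168.1.0/24 answering ARP for the gateway 192.168.1.254 with its own MAC.
The log lines below are constructed; the format imitates tcpdump's ARP
output but is not a real capture, and all MAC addresses are made up.
"""
import re
from collections import defaultdict

# Constructed sample traffic (not a real capture).
SAMPLE_ARP_LOG = """\
ARP, Reply 192.168.1.254 is-at 00:0c:42:aa:bb:cc, length 46
ARP, Reply 192.168.1.1 is-at 00:16:d3:11:22:33, length 46
ARP, Reply 192.168.1.254 is-at 00:0c:42:aa:bb:cc, length 46
ARP, Reply 192.168.1.254 is-at 00:16:d3:11:22:33, length 46
ARP, Reply 192.168.1.7 is-at 00:1e:8c:44:55:66, length 46
ARP, Request who-has 192.168.1.254 tell 192.168.1.7, length 46
ARP, Reply 192.168.1.254 is-at 00:16:D3:11:22:33, length 46
"""

# Hypothetical: the gateway MAC the administrator knows to be legitimate.
TRUSTED = {"192.168.1.254": "00:0c:42:aa:bb:cc"}

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(log_text):
    """Extract (ip, mac) pairs from ARP reply lines; requests are ignored."""
    pairs = []
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def bindings(replies):
    """Map each IP to the set of MACs that have claimed it."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[ip].add(mac)
    return table


def find_conflicts(replies, trusted=None):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC,
    or by a MAC other than the trusted one for that IP."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    conflicts = {}
    for ip, macs in bindings(replies).items():
        if len(macs) > 1 or (ip in trusted and macs != {trusted[ip]}):
            conflicts[ip] = sorted(macs)
    return conflicts


def suspect_hosts(replies, trusted):
    """For each MAC that falsely claimed a trusted IP, list the other IPs it
    also answered for: that is usually the spoofing host's own address."""
    table = bindings(replies)
    suspects = {}
    for ip, good_mac in trusted.items():
        for mac in table.get(ip, set()) - {good_mac.lower()}:
            own = sorted(other for other, macs in table.items()
                         if other != ip and mac in macs)
            suspects[mac] = own
    return suspects


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_ARP_LOG)
    print("conflicts:", find_conflicts(replies, TRUSTED))
    print("suspects:", suspect_hosts(replies, TRUSTED))
```

On the sample, the gateway IP is reported with two MACs and the second MAC is traced back to 192.168.1.1, the host that also answers for that address legitimately. After the migration the post describes, the same detector sees nothing to flag, because the ROS box no longer owns a LAN IP for anyone to claim; running it on a mirror port is still a cheap way to confirm that.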

Recommendation: on XP, do not use the built-in dialer; its performance is poor. Use RASPPPOE 0.98B instead, which also works on Win9x/Win2000.

I'm lazy, so there are no screenshots. If you need pictures to follow this, this post probably isn't for you; it really isn't difficult, quite ordinary in fact.

PPPoE server setup
-------------------------------------------------------------------------------------------
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption

/ interface pppoe-server server
add service-name="ros" interface=LAN max-mtu=1488 max-mru=1488 authentication=pap keepalive-timeout=10 one-session-per-host=no max-sessions=0 default-profile=default disabled=no

/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 keepalive-timeout=30 default-profile=default-encryption

/ ip pool
add name="clientip" ranges=192.168.3.2-192.168.3.254
add name="serverip" ranges=172.32.1.2-172.32.254.254

/ ip upnp
set enabled=no allow-disable-external-interface=no show-dummy-rule=no

/ ppp profile
set default name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default comment=""
add name="xy-server" local-address=serverip remote-address=clientip use-compression=default use-vj-compression=default use-encryption=no only-one=no change-tcp-mss=default rate-limit=3000000/4800000 comment=""
add name="xy-dating" local-address=serverip remote-address=clientip use-compression=default use-vj-compression=default use-encryption=no only-one=no change-tcp-mss=default rate-limit=3000000/4096000 comment=""
add name="xy-baofang" local-address=serverip remote-address=clientip use-compression=default use-vj-compression=default use-encryption=no only-one=no change-tcp-mss=default rate-limit=3000000/4096000 comment=""
add name="xy-kazuo" local-address=serverip remote-address=clientip use-compression=default use-vj-compression=default use-encryption=no only-one=no change-tcp-mss=default rate-limit=3000000/4096000 comment=""
set default-encryption name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=default comment=""
/ ppp secret
add name="server" service=pppoe caller-id="" password="12345" profile=xy-server routes="" limit-bytes-in=0 limit-bytes-out=0 comment="" disabled=no
add name="dating" service=pppoe caller-id="" password="12345" profile=xy-dating routes="" limit-bytes-in=0 limit-bytes-out=0 comment="" disabled=no
add name="baofang" service=pppoe caller-id="" password="12345" profile=xy-baofang routes="" limit-bytes-in=0 limit-bytes-out=0 comment="" disabled=no
add name="kazuo" service=pppoe caller-id="" password="12345" profile=xy-kazuo routes="" limit-bytes-in=0 limit-bytes-out=0 comment="" disabled=no

HTB QoS traffic control with priority levels 1-8 (the lower the number, the higher the priority). This post caps global P2P traffic at 600 KB/s; adjust to suit.
--------------------------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 comment="" disabled=no
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no
add chain=forward packet-size=32-520 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no
add chain=forward packet-size=520-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no

/ queue tree
add name="p2p1" parent=TEL packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="p2p2" parent=LAN packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassA" parent=LAN packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf1" parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf2" parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf3" parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
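The mangle chain and queue tree above decide which leaf a packet lands in, and because every mark-packet rule has passthrough=yes the last matching rule wins. The script below is an added example, not part of the original post and not RouterOS code: it replays the four mark-packet rules in the order listed on constructed sample packets, assuming RouterOS's top-to-bottom evaluation with a single packet-mark field that later rules overwrite, and maps the final mark to the queue-tree leaf and priority the post assigns. The `guard_size_rules` variant, which adds `connection-mark=!p2p_conn` to the two packet-size rules, is a hypothetical hardening and is not in the post.

```python
"""Evaluate the post's /ip firewall mangle chain and queue tree on sample packets.

Added example, not part of the original post or of RouterOS. It replays the
four mark-packet rules in the order the post lists them, all with
passthrough=yes, so a later matching rule overwrites the packet mark the way
the router's single packet-mark field does. All packets are constructed.
"""

# Queue-tree leaf each final mark is sent to, with its priority (from the post).
QUEUE_FOR_MARK = {
    "small": ("Leaf2", 5),
    "big": ("Leaf3", 6),
    "general": ("Leaf1", 7),
    "p2p": ("p2p1/p2p2", 8),   # p2p1 on TEL, p2p2 on LAN
}


def mangle_rules(guard_size_rules=False):
    """Build the chain as (match, new-packet-mark, passthrough) tuples.

    guard_size_rules=True adds connection-mark=!p2p_conn to the two
    packet-size rules; that is a hardened variant NOT found in the post."""
    def not_p2p(p):
        return not p["p2p_conn"]
    guard = not_p2p if guard_size_rules else (lambda p: True)
    return [
        (lambda p: p["p2p_conn"], "p2p", True),                            # connection-mark=p2p_conn
        (not_p2p, "general", True),                                         # connection-mark=!p2p_conn
        (lambda p: guard(p) and 32 <= p["size"] <= 520, "small", True),    # packet-size=32-520
        (lambda p: guard(p) and 520 <= p["size"] <= 1200, "big", True),    # packet-size=520-1200
    ]


def classify(packet, rules):
    """Walk the chain; with passthrough the last matching rule's mark wins."""
    mark = None
    for match, new_mark, passthrough in rules:
        if match(packet):
            mark = new_mark
            if not passthrough:
                break
    return mark


def queue_for(packet, rules):
    """Final packet mark plus the queue-tree leaf and priority it ends up in."""
    mark = classify(packet, rules)
    leaf, prio = QUEUE_FOR_MARK[mark]
    return mark, leaf, prio


def classify_all(packets, rules):
    return [classify(p, rules) for p in packets]


# Constructed sample packets: size in bytes, and whether the connection was
# already marked p2p_conn by the p2p=all-p2p rule earlier in the chain.
SAMPLE_PACKETS = [
    {"size": 64, "p2p_conn": False},     # ACK-sized packet
    {"size": 520, "p2p_conn": False},    # sits on the boundary of both size ranges
    {"size": 1400, "p2p_conn": False},   # full-sized data packet
    {"size": 200, "p2p_conn": True},     # small packet inside a P2P connection
    {"size": 1400, "p2p_conn": True},    # large P2P packet
]

if __name__ == "__main__":
    for label, rules in (("as posted", mangle_rules()),
                         ("size rules guarded", mangle_rules(True))):
        print(label, classify_all(SAMPLE_PACKETS, rules))
```

Two things fall out of the replay. A 520-byte packet matches both inclusive ranges and ends up marked big, since the big rule comes last. More importantly, a 200-byte packet inside a P2P connection is first marked p2p and then re-marked small by the size rule, so it is queued in Leaf2 at priority 5 instead of the 600 KB/s P2P class; only P2P packets larger than 1200 bytes keep the p2p mark. Adding connection-mark=!p2p_conn (the same match the general rule already uses) to the two packet-size rules keeps the whole connection in the P2P queue, which is what the class list at the top of the post describes.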

