ROS软路由常用脚本集合.doc

ROS软路由常用脚本集合 转载自：创意安天论坛看完请指出错误 以及自己感想 如果自己有什么好的想法不妨说出来RouterOS监控脚本，断线报警，线路恢复自动解除报警：在/system script里添加脚本name=你要监控的ip内容如下:set i 0:while ($i=0) do=:beep length=2s frequency=2755;:delay 5;:set a abc;:foreach i in=/tool netwatch find host=你要监控的ip do=:set a /tool netwatch get $i status;:put $a;:if($a=up) do=:set i 1然后再在/tool netwatch里添加监控host=你要监控的ip在down里填写/system script run 你要监控的ip:set shendown1 /system clock get date:set shendown2 /system clock get time:set shendown (你要监控的ip down . $shendown1 . . $shendown2):log warning $shendown ROS小包策略：/ ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 comment= disabled=no add chain=forwar* *2*=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment= disabled=no add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment= disabled=no add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment= disabled=no add chain=forward packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment= disabled=no add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment= disabled=no / queue tree add name=p2p1 parent=wan packet-mark=p2p limit-at=600000 queue=default priority=8 max-limit=800000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name=p2p2 parent=lan packet-mark=p2p limit-at=800000 queue=default priority=8 max-limit=600000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name=ClassA parent=lan packet-mark= limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name=ClassB parent=ClassA packet-mark= limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name=Leaf1 parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name=Leaf2 parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no add name=Leaf3 parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no ROS封杀常用P2P策略脚本：/ ip firewall filteradd chain=input protocol=udp dst-port=137-138 action=drop comment=drop udp137-138# 讯雷add chain=forward protocol=tcp dst-port=3076-3079 action=drop comment=downTools Xunlei disabled=yes2楼add chain=forward dst-address=1/32 action=dropadd chain=forward dst-address=3/32 action=dropadd chain=forward dst-address=7/32 action=drop# 电骡add chain=forward protocol=tcp dst-port=4661 action=drop comment=downP2P VeryCDadd chain=forward protocol=tcp dst-port=4662 action=dropadd chain=forward protocol=tcp dst-port=4242 action=dropadd chain=forward dst-address=5/32 action=drop# 屁屁狗(PPGOU)add chain=forward protocol=tcp dst-port=8505 action=drop comment=downTools PPGOUadd chain=forward dst-address=52/32 action=dropadd chain=forward dst-address=86/32 action=drop# KUGO酷狗add chain=forward protocol=tcp dst-port=3318 action=drop comment=downMP3 KUGO disabled=yesadd chain=forward protocol=tcp dst-port=1043 action=drop disabled=yesadd chain=forward protocol=tcp dst-port=4224 action=drop disabled=yesadd chain=forward protocol=tcp dst-port=2371 action=drop disabled=yesadd chain=forward protocol=udp dst-port=7000 action=drop disabled=yesadd chain=forward dst-address=27/32 action=drop disabled=yesadd chain=forward dst-address=6/32 action=drop disabled=yesadd chain=forward dst-address=26/32 action=drop disabled=yesadd chain=forward dst-address=06/32 action=drop disabled=yesadd chain=forward dst-address=3/32 action=drop disabled=yes# RF onlineadd chain=forward dst-address=6/32 dst-port=8888 action=accept comment=RF onlineadd chain=forward dst-address=33/32 dst-port=8888 action=acceptadd chain=forward dst-address=6/32 dst-port=8888 action=accept# 比特精灵add chain=forward protocol=tcp dst-port=16881 action=drop comment=downP2P BitSpiritadd chain=forward protocol=tcp dst-port=6881-6890 action=dropadd chain=forward protocol=tcp dst-port=8881-8890 action=dropadd chain=forward protocol=udp dst-port=16881 action=dropadd chain=forward protocol=udp dst-port=6881-6890 action=dropadd chain=forward protocol=udp dst-port=8881-8890 action=drop# 宝酷add chain=forward protocol=tcp dst-port=6346 action=drop comment=downP2P BaoCueadd chain=forward protocol=tcp dst-port=11300 action=dropadd chain=forward dst-address=96/32 action=dropadd chain=forward dst-address=/32 action=dropadd chain=forward dst-address=/32 action=dropadd chain=forward dst-address=/32 action=dropadd chain=forward dst-address=09/32 action=dropadd chain=forward dst-address=97/32 action=dropadd chain=forward dst-address=/32 action=dropadd chain=forward dst-address=18/32 action=dropadd chain=forward dst-address=96/32 action=drop# 百事通下载工具add chain=forward dst-address=50/32 action=drop comment=downP2P Bai*ong# 百度MP3下载add chain=forward dst-address=06/32 action=drop comment=downMP3 BaiDuMP3 disabled=yes# PTC下载工具add chain=forward protocol=tcp dst-port=50007 action=drop comment=downP2P PTCdown# eDonkey2000下载工具add chain=forward protocol=tcp dst-port=4371 action=drop comment=downP2P eDonkey2000add chain=forward protocol=tcp dst-port=4662 action=dropadd chain=forward dst-address=5/32 action=dropadd chain=forward dst-address=7/32 action=drop# Poco2005add chain=forward protocol=udp src-port=8094 action=drop comment=downP2P Poco2005add chain=forward protocol=tcp dst-port=2881 action=dropadd chain=forward protocol=tcp dst-port=5354 action=dropadd chain=forward dst-address=24/32 action=dropadd chain=forward dst-address=47/32 action=dropadd chain=forward dst-address=08/32 action=drop# 卡盟add chain=forward protocol=tcp dst-port=3751 action=drop comment=downP2P KAMUNadd chain=forward protocol=tcp dst-port=3753 action=dropadd chain=forward protocol=tcp dst-port=4772 action=dropadd chain=forward protocol=tcp dst-port=4774 action=dropadd chain=forward dst-address=7/32 action=drop# 维宇RealLinkadd chain=forward dst-address=14/32 action=drop comment=downP2P RealLinkadd chain=forward dst-address=80/32 action=dropadd chain=forward dst-address=5/32 action=dropadd chain=forward dst-address=9/32 action=drop# 百宝add chain=forward protocol=tcp dst-port=3468 action=drop comment=downP2P 100baoadd chain=forward dst-address=6/32 action=dropadd chain=forward dst-address=73/32 action=drop# 百花PPadd chain=forward protocol=tcp dst-port=5093 action=drop comment=downP2P BaiHuaadd chain=forward dst-address=43/32 action=drop# 快递通add chain=forward dst-address=6/32 action=drop comment=downP2P KDT# 酷乐add chain=forward protocol=tcp dst-port=6800-6801 action=drop comment=downMP3 Kuroadd chain=forward protocol=tcp dst-port=7003 action=dropadd chain=forward dst-address=7/32 action=dropadd chain=forward dst-address=45/32 action=drop# 百度下吧add chain=forward protocol=tcp dst-port=11000 action=drop comment=downP2P BaiDuXiaBa disabled=yesadd chain=forward dst-address=71/32 action=drop# 百兆P2Padd chain=forward protocol=tcp dst-port=9000 action=drop comment=downP2P baizhaoP2Padd chain=forward dst-address=0/32 action=drop# 石头(OPENEXT)add chain=forward protocol=tcp dst-port=5467 action=drop comment=downP2P OPENEXTadd chain=forward protocol=tcp dst-port=2500 action=dropadd chain=forward protocol=tcp dst-port=4173 action=dropadd chain=forward protocol=tcp dst-port=10002 action=dropadd chain=forward protocol=tcp dst-port=10003 action=dropadd chain=forward dst-address=66/32 action=dropadd chain=forward dst-address=45/32 action=dropadd chain=forward dst-address=6/32 action=drop# iLink 1.1add chain=forward protocol=tcp dst-port=5000 action=drop comment=downP2P iLink# DDSadd chain=forward protocol=tcp dst-port=11608 action=drop comment=downP2P DDSadd chain=forward dst-address=3/32 action=dropadd chain=forward dst-address=52/32 action=dropadd chain=forward dst-address=7/32 action=drop# iMesh 5add chain=forward protocol=tcp dst-port=4662 action=drop comment=downP2P iMesh 5add chain=forward dst-address=7/32 action=dropadd chain=forward dst-address=4/32 action=dropadd chain=forward dst-address=3/32 action=drop# winmxadd chain=forward protocol=tcp dst-port=5690 action=drop comment=downP2P winmxadd chain=forward dst-address=3/32 action=drop# 网酷add chain=forward protocol=tcp dst-port=2122 action=drop comment=downP2P netcooladd chain=forward dst-address=/32 action=dropadd chain=forward dst-address=01/32 action=dropadd chain=forward dst-address=9/32 action=drop# PPlive网络电视add chain=forward protocol=tcp dst-port=8008 action=drop comment=P2PTV PPliveadd chain=forward protocol=udp dst-port=4004 action=drop# QQ直播add chain=forward protocol=udp dst-port=13002-13999 action=drop comment=P2PTV QQ disabled=yesROS防火墙的一点心得：input - 进入路由，并且需要对其处理forward - 路由转发output - 经过路由处理，并且从接口出去的包 action：1 accept： 接受add-dst-to-address-list - 把一个目标IP地址加入address-listadd-src-to-address-list - 把一个源IP地址加入address-list2 drop - 丢弃3 jump - 跳转，可以跳转到一个规则主题里面，如input forward，也可以跳转到某一条里面4 log - 日志记录5 passthrough - 忽略此条规则6 reject - 丢弃这个包，并且发送一个ICMP回应消息7 return - 把控制返回给jump的所在8 tarpit - 捕获和扣留 进来的TCP连接 (用SYN/ACK回应进来的TCP SYN 包)router os命令：看了很多router os 的资料都是关于如何安装的，却很少见到关于router os的命令资料（也许因为有winbox了），虽然在router os 的手册中有说明，但是是英文版本的，很不好看懂。下面就我就写出一些常用的命令，希望对大家有所帮助：1、开机登陆以后常用的一个 ？ 是常用的帮助命令，可以列出可用的命令及简单的说明。2、有些英文命令很长，可以简写如inte*ce ，你输入in后回车自动就会进入inte*ce了。或者你可以按下tab键来帮你完成长英文命令的输入。3、有些命令的参数很多，你不知道的时候可以输入命令后加空格？，如print ？可以显示该命令的参数。4、setup 该命令可是谁都要记得的，因为最初安装完router os 必须用它分配网卡的ip地址。5、ip route add gate=211.12.*.14，220.163.*.12 该命令用于多线路接入时加入多个网关用的。6、ip firewall add action=nat protocol=tcp dst-address=212.12.*.*/32：80 to-dst-address=98 该命令用于映射端口80到本地的98上。7、print 该命令有点用于列出所有的项目。8、inte*ce monitor-traffice 0，1，2 可以监视当前0，1，2网卡的活动情况。9、ip firewall connection print 显示当前的所有的连接。10、ip arp print 显示所有router os 知道的ip地址和mac地址的对应列表。11、user active print 显示所有的router os 的活动用户。12、system reboot 、system shutdown分别是重启和关机。13、system reset 删除所有原来的配置，并重新启动router os. 14、system resource monitor 可以监视当前的cpu，和内存的使用情况。15、log print 可以显示router os 的日志。 16、tool ping-speed 210.13.14.* 可以显示ping 的速度。 17、tool sniffer start，和tool sniffer stop 可以开启和停止嗅探器。 18、tool sniffer packet print 可列出嗅探的包。 19 、system backup name=2004107.bak 可以将系统的配置备份到文件2004107.bak，可以用file print看到。 还有什么enable，disable，remove，set 那些常用的就不说了。ROS 一些常用脚本：/ ip firewall connection :foreach r in=find do=remove $r 删除所有连接:foreach i in=/ip firewall filter find action=drop do=/ip firewall filter disable $i disable防火墙规则firewall connection tracking syn sendtime 设置成50 rectime 设置成30 减轻syn攻击/system scheduler add name=reboot interval=24h start-time=06:59:00 on-event=/system reboot disabled=no 定时重起/ip route set /ip route find dst-address=/0 gateway=xxx.xxx.xxx.xxx 改变默认网关/queue simple remove find 删除所有Simple Queues:foreach i in=/ip arp find dynamic=yes do=/ip arp add copy-from=$i ARP绑定(静态ARP)每个IP加一个simple queue的脚本:foreach i in /queue simple find do :put (deleting . . . /queue simple get $i name);queue simple remove $i;for i from 1 to 254 do :if ($i!=100) do /queue simple add name=(queue . $i) limit-at=128000/128000 burst-threshold=384000/192000 max-limit=512000/256000 burst-limit=2000000/512000 burst-time=16s/8s dst-address=(192.168.0. . $i); :put (192.168.0. . $i . . . added) ROS其他参数：使用：WinBox-System-Scripts-Name(脚本名程)Source(脚本)OK-选择要运行的脚本-Run Script集体绑定ARP:foreach i in=/ip arp find dynamic=yes do=/ip arp add copy-from=$i集体帮定ARP,这样方便了很多,但是值得注意的是,用这命令绑定之后,要把外网的ARP解除了,要不然会出奇怪问题,反正我是遇见了!限速脚本：:for aaa from 2 to 254 do=/queue simple add name=(queue . $aaa) dst-address=(192.168.0. . $aaa) limit-at=0/0 max-limit=2000000/2000000说明：aaa是变量2 to 254是2254192.168.0. . $aaa是IP上两句加起来是54max-limit=2000000/2000000是上行下行删除所有连接/ ip firewall connection :foreach r in=find do=remove $r disable防火墙规则:foreach i in=/ip firewall filter find action=drop do=/ip firewall filter disable $i 定时重起/system scheduler add name=reboot interval=24h start-time=11:59:00 on-event=/system reboot disabled=no改变默认网关/ip route set /ip route find dst-address=/0 gateway=xxx.xxx.xxx.xxx定时重起/system scheduler add name=reboot interval=24h start-time=11:59:00 on-event=/system reboot disabled=no/sy reset 恢复路由原始状态/sy reboot 重启路由/sy showdown 关机/sy ide set name=机器名 设置机器名/export 查看配置/ip export 查看IP配置/sy backup 回车 save name=你要设置文件名 LOAD NAME=你要设置文件名 备份路由/inte*ce print 查看网卡状态0 X ether1 ether 1500 这个是网卡没有开启0 R ether1 ether 1500 这个是正常状态/int en 0 激活0网卡/int di 0 激活0网卡/ip fir con print 查看当前所有网络边接/ip service set www port=81 改变www服务端口为81/ip hotspot user add name=user1 password=1 增加用户ROUTERos改本机网卡MAC的方法：interface ethernet set (网卡名) mac-address=(你想要的MAC) 机房经常提出这种要求，这节课要求上网，下节课就要求断网。以前就是拨网线，后来用了这个就不用了。并且可以上网时，也能控制学生上联众或者。课后机房开放时即要能上网，还要能上，把这些策略禁止掉就行了。并且操作比较简便，教会管理员，我不需要管了。自由控制机房上网、联众：/ ip firewall rule forward 这里是控制各个机房的上网策略，可以上时设为无效，禁止上时设为有效。1机房add src-address=/26 dst-address=!/16 action=drop comment=1机房 disabled=yes 2机房add src-address=4/26 dst-address=!/16 action=drop comment=2机房 disabled=no 3机房add src-address=28/26 dst-address=!/16 action=drop comment=3机房 disabled=yes 4机房add src-address=92/26 dst-address=!/16 action=drop comment=4机房 disabled=no 5机房add src-address=28/26 dst-address=!/16 action=drop comment=5机房 disabled=no add src-address=92/29 dst-address=!/16 action=drop comment= disabled=no 6机房add src-address=4/26 dst-address=!/16 action=drop comment=6机房 disabled=no 这里是控制各个机房的联众 QQ2机房add src-address=4/26 dst-address=:1007-3400 protocol=tcp action=drop comment=2机房禁止联众 禁止QQ聊天 disabled=no add src-address=4/26 dst-address=:8000 protocol=udp action=drop comment= disabled=no add src-address=4/26 dst-address=/16 action=drop comment= disabled=no add src-address=28/26 dst-address=/16 action=drop comment= disabled=no 机房add src-address=28/26 dst-address=:8000 protocol=udp action=drop comment=3机房禁止QQ聊天 禁止联众 disabled=yes add src-address=28/26 dst-address=:1007-3400 protocol=tcp action=drop comment= disabled=yes 4机房add src-address=92/26 dst-address=:1007-3400 protocol=tcp action=drop comment=4机房禁止联众,QQ聊天 disabled=no add src-address=92/26 dst-address=:8000 protocol=udp action=drop comment= disabled=no add src-address=92/26 dst-address=/16 action=drop comment= disabled=no 5机房add src-address=28/26 dst-address=:8000 protocol=udp action=drop comment=5机房禁止QQ聊天 禁止联众 disabled=no add src-address=92/29 dst-address=:8000 protocol=udp action=drop comment= disabled=no add src-address=28/26 dst-address=/16 action=drop comment= disabled=no add src-address=92/29 dst-address=/16 action=drop comment= disabled=no add src-address=28/26 dst-address=:1007-3400 protocol=tcp action=drop comment= disabled=no a