Lintang Sumunar

sebelumnya suwun buat mas Rafee atas distro dan trik2 yang telah diberikan

biasanya satu user bisa dibuat login rame2 oleh beberapa user sekaligus, wah bisa bangkrut dong lama…he..he, untung mas Rafee ngasih trik ini (tak comot dari blognya)

for quick fix please replace your “/var/www/system/application/models/billingplanmodel.php” file with http://pastebin.com/f3ceb50d7
and replace your “/var/www/system/application/models/postpaidmodel.php with http://pastebin.com/f6b5e1485

cuman setelah diterapkan, kok masih bablas aja ya….satu user masih bisa di buat login oleh beberapa orang, karena penasaran, utak-atik sampai di satru istri gara2 dicuekin katanya ( he..he), akhirnya ketemu juga, tinggal buka pagar aja difile /etc/freeradius/sql.conf, pada baris…

#######################################################################
# Simultaneous Use Checking Queries
#######################################################################
# simul_count_query - query for the number of current connections
# - If this is not defined, no simultaneouls use checking
# - will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
# - Leave blank or commented out to disable verification step
# - Note that the returned field order should not be changed.
#######################################################################

# Uncomment simul_count_query to enable simultaneous use checking
hilangkan pagar disini----> simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

habis itu restart pc, dan coba…..
semoga berhasil

install easyhotspot distro seperti biasanya, selanjutnya install squid proxy…dan konfigurasikan agar squid transparent, easyhotspot disini digunakan untuk server proxy yang melayani user biasa di class ip 192.168.0.0 dan hotspot prepaid di class ip 192.168.182.0, selanjutnya kita bikin script firewall buat user biasa agar setiap permintaan ke port 80 di redirect ke port 3128 (squid)

#!/bin/sh

# squid server IP
SQUID_SERVER=”192.168.0.254″
# Interface connected to Internet
INTERNET=”eth4″
# Interface connected to LAN
LAN_IN=”eth3″
# Squid port
SQUID_PORT=”3128″

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state –state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables –table nat –append POSTROUTING –out-interface $INTERNET -j MASQUERADE
iptables –append FORWARD –in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp –dport 80 -j DNAT –to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp –dport 80 -j REDIRECT –to-port $SQUID_PORT
iptables -t nat -A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 –dport 80 -j DNAT –to-destination 192.168.0.254:3128

# DROP everything and Log it
iptables -A INPUT -j LOG

#iptables -t mangle -A POSTROUTING -d 192.168.0.14 -j MARK –set-mark 101
#iptables -A INPUT -j DROP
##############################
save dan letakkan di /etc/init.d/sharing, setelah itu chmod a+x /etc/init.d/sharing agar bisa di eksekusi

agar user hotspot prepaid setelah login bisa akses internet dan diredirect ke port squid (melalui transparent proxy squid) edit file /etc/init.d/chillispot.firewall menjadi seperti ini

#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
# to and from the internal interface.
# * NAT is enabled on the external interface.

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

IPTABLES=”/sbin/iptables”
EXTIF=”eth4″
INTIF=”eth3″

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

#Allow releated, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp –dport 22 –syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp –dport 80 –syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp –dport 443 –syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp –dport 3990 –syn -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
#$IPTABLES -A FORWARD -i $INTIF -j DROP
#$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables –append FORWARD –in-interface $INTIF -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i 192.168.0.0/24 -p tcp –dport 80 -j DNAT –to 192.168.0.254:3128

###########################################################

agar setiap booting bisa dieksekusi otomatis edit file /etc/rc.local menjadi seperti ini

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will “exit 0″ on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /etc/init.d/sharing
sh /etc/init.d/chillispot.firewall

exit 0

reboot easyhotpsot dan kalo gak ada kesalahan maka user biasa dan user hotspot prepaid bisa internetan melalui squid proxy, lumayan ngirit pc..he..he

browsing2 akhirnya dapat link buat cache youtube dengan squid 2.6 http://fedora.co.in/content/youtube-cache-version-03-available, tapi ini buat fedora…..mumpung ada waktu kosong iseng-iseng dicoba di xubuntu 7.10, dan ternyata proses tersulit adalah pada saat compile python-iniparse karena paket ini tidak tersedia buat debian base, kita mulai ya….

download http://kulbirsaini.fedorapeople.org/stuff/youtube_cache/youtube_cache-0.3-1.tar.gz dan ekstrak

pastikan sebelumnya paket-paket dibawah ini sudah terinstall

1. python
2. python-urlgrabber
3. python-iniparse
4. squid

dari keempat paket tersebut sudah tersedia semua di repo ubuntu, tapi untuk python-iniparse gak ada dan kita harus install dari source, caranya download paketnya di http://code.google.com/p/iniparse/

ekstrak, kemudian dari hasil ekstrak tersebut copy folder iniparse ke dalam /usr/lib/python2.5/site-packages/

gitu aja installnya..he..he, padaha; tadi ada satu jam cari lewat google, gak ketemu….

setelah itu ekstark file youtube_cache-0.3-1.tar.gz

[root@localhost root]# tar -xvzf youtube_cache-0-3-1.tar.gz

masuk ke youtube_cache-0-3-1 directory

[root@localhost youtube_cache-x.x-x]# cd youtube_cache-0.3-1

Copy youtube_cache.conf ke /etc/youtube_cache.conf

[root@localhost youtube_cache-0.3-1]# cp youtube_cache.conf /etc/youtube_cache.conf

Copy youtube_cache directory to /etc/squid/

[root@localhost youtube_cache-0.3-1]# cp -r youtube_cache /etc/squid/

Buat directories untuk cache youtube videos

[root@localhost root]# cd /var/spool/
[root@localhost spool]# chmod 751 squid
[root@localhost spool]# cd squid
[root@localhost squid]# mkdir youtube
[root@localhost squid]# chown squid:squid youtube
[root@localhost squid]# chmod 755 youtube
[root@localhost squid]# cd youtube
[root@localhost youtube]# mkdir temp
[root@localhost youtube]# chown squid:squid temp
[root@localhost youtube]# chmod 755 temp

setelah itu, masukkan baris di bawah ini ke squid.conf di /etc/squid/squid.conf .

#### BEGIN Add to squid.conf ####
redirect_program /usr/bin/python /etc/squid/youtube_cache/youtube_cache.py
redirect_children 20
#### END Add to squid.conf ####

buat file youtube_cache.log di /var/log/squid/youtube_cache.log dan set permission buat squid

pastikan konfigurasi pada /etc/youtube_cache.conf, sesuai dengan mesin proxy anda

Save squid.conf dan reload squid service menggunakan perintah
[root@proxy root]# /etc/init.d/squid restart

sekarang tinggal di test…dan tempatku berhasil dengan baik….hemat bandwith mas, masalahnya sekarang harus nyediain berapa giga untuk cache youtube ini….?

sudah seminggu ini dipusingkan oleh klien yang download pake Internet download manager, masak dari 12 klien yang konek 2 aja pake IDM, koneksi di klien lainnya langsung drop, sampek pecas ndahe dibuatnya..he..he, squid udah diset delay poolnya…tapi IDM memang sakti, transfer limitnya sih turun tapi tetep aja sekali download, si IDM ini kalo diset full akan membuat seolah-olah ada 16 user yang download bareng-bareng pada waktu yang bersamaan. azoureus juga bikin pusing, di cachemgr.cgi d\ndak ada permintaan dari klien wajar, dan gak ada yang download tapi kok user pada komplain katanya inet lemot…..setelah menyebar mata-mata, akhirnya ketahuan software p2p itu yang bikin lemot….akhirnya nyari-nyari tutorial HTB.init, ketemu juga…dan sekarang udah bisa tidur nyeyak lagi…he..he

install HTB.init (dikutip sebagian dari http://125.160.17.21/wiki/index.php/Bandwidth_Manajemen_Menggunakan_HTB)

Beberapa langkah sederhana untuk menginstalasi htb.init adalah sebagai berikut

Ambil file htb.init-* yang terbaru dari Source Forge

http://sourceforge.net/projects/htbinit/

Copy ke directory /sbin

# cp htb.init-v0.8.5 /sbin/
# mv /sbin/htb.init-v0.8.5 /sbin/htb.init

Buat directory htb di /etc/sysconfig

# mkdir /etc/sysconfig/htb

Buat Aturan untuk manajemen bandwidth di /etc/sysconfig/htb berbentuk file-file untuk masing-masing aturan yang nantinya akan di compile melalui perintah htb.init compile.

contoh :

bikin file dengan nama eth3 (lan ke klien atau download)

isi dengan

DEFAULT = 30

bikin file lagi dengan nama eth3-2.root

isi dengan

RATE=300Kbit
BURST = 15k
LEAF  = sfq

untuk konfigurasi pengelompokan klien, buat file dengan nama eth3-2:20.unlimited

isi dengan

RATE=300Kbit
BURST = 15k
LEAF  = sfq

dalam kelompok unlimited, terdapat beberapa klien, konfigurasi masing-masing klien dengan file eth3-2:20:200.klien1

isi file

RATE=64Kbit
CEIL=128Kbit
RULE=192.168.0.11
BURST = 15k
LEAF  = sfq

begitu sampai klien habis, sesuaikan ip addressnya

untuk upload buat file dengan nama eth4 (ke speedy atau upload)

DEFAULT = 30

buat lagi file dengan nama eth4-2.default

isi dengan

RATE=59Kbit
BURST = 15k

untuk konfigurasi masing2 kelompok klien, buat file eth4-2:20.unlimited

isi dengan

RATE=12Kbit
CEIL=59Kbit
BURST = 15k
LEAF  = sfq

untuk masing-masing klien dalam kelompok unlimited, buat file dengan nama eth4-2:20:200.klien1

isi dengan

RATE=4Kbit
CEIL=12Kbit
RULE=192.168.0.11
BURST = 15k
LEAF  = sfq
MARK = 1

begitu seterusnya

dan agar squid bebas hambatan alias gak kena bandwith limiter ini, buat eth3-30.squid

isi dengan

RATE=100000000000Kbit
CEIL=25000000000000000Kbit
RULE=:3128,0.0.0.0
RULE=:80,0.0.0.0
RULE=:443,0.0.0.0
RULE=:22,0.0.0.0

itu contoh-contohnya, sebagai pengingat aku aja siapa tahu, server ini rusak dan file konfigurasi hilang, gak pusing lagi ngatur bandwithnya

http_port 3128 transparent
icp_port 3130
acl youtube dstdomain -i .youtube.com
acl striming url_regex -i get_video\?video_id videodownload\?
cache allow youtube
cache allow striming
#redirect_program /usr/local/adzap/scripts/wrapzap
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#cache_peer proxies.telkom.net.id parent 8080 3130
#cache_peer proxy-sby.telkom.net.id sibling 8080 3130
#============================================================$
hierarchy_stoplist cgi-bin ? .js .jsp localhost kambing.ui.edu buaya.klas.or.id
acl QUERY urlpath_regex cgi-bin \? .js .jsp localhost kambing.ui.edu buaya.klas.or.id
no_cache deny QUERY
#============================================================$

#============================================================$
# OPTIONS WHICH AFFECT THE CACHE SIZE
#============================================================$
cache_mem 6 MB
maximum_object_size 64 MB
maximum_object_size_in_memory 16 KB
cache_swap_low 98
cache_swap_high 99
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
high_memory_warning 70 MB
ipcache_size 8192
ipcache_low 98
ipcache_high 99
fqdncache_size 8192

#============================================================$
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#============================================================$
#cache_dir aufs /cache1 4500 18 256
cache_dir aufs /cache 7000 17 256
#cache_dir aufs /cache2 3200 8 256
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
log_fqdn off
log_icp_queries off
log_mime_hdrs off
log_ip_on_direct off
debug_options ALL,1
emulate_httpd_log off

#============================================================$
# FTP section
#============================================================$
ftp_user anonymous@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on

#============================================================$
# DNS resolution section
#============================================================$
#cache_dns_program /usr/sbin/dnsserver
dns_nameservers 192.168.0.254 202.154.1.2 208.67.202.202 202.134.2.5 202.134.0.155
#============================================================$
# Refresh Rate
#============================================================$
#refresh_pattern ^ftp: 20160 95% 241920 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache ignore-private ignore-auth
#refresh_pattern . 1440 95% 120960 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache ignore-private ignore-auth
refresh_pattern ^ftp: 20160 95% 241920 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache
refresh_pattern . 1440 95% 120960 reload-into-ims override-lastmod override-expire reload-into-ims ignore-no-cache
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
negative_ttl 2 minutes
half_closed_clients off
read_timeout 15 minutes
client_lifetime 2 hours
pconn_timeout 60 seconds
request_timeout 1 minutes
shutdown_lifetime 10 seconds
positive_dns_ttl 60 seconds
negative_dns_ttl 30 seconds
#============================================================$
# ACL section
#============================================================$
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.252
acl butiti src 192.168.0.3
acl pecenx src 192.168.0.2
acl kost src 192.168.0.4-192.168.0.10
acl outsider src 192.168.0.11-192.168.0.252
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access allow butiti
http_access allow kost
http_access allow pecenx
http_access deny outsider
http_reply_access allow all
icp_access allow all

cache_mgr poerwo2211@yahoo.com
#cache_effective_user _squid
#cache_effective_group _squid
visible_hostname poerwo2211@gmail.com

#============================================================$
# MISCELLANEOUS
#============================================================$
offline_mode off
forwarded_for on
#ssl_unclean_shutdown on
memory_pools off
header_access From deny all
logfile_rotate 7
reload_into_ims on
shutdown_lifetime 10 seconds
cachemgr_passwd disable shutdown
cachemgr_passwd all
buffered_logs off
icp_hit_stale on
log_icp_queries off
strip_query_terms off
query_icmp on
ignore_unknown_nameservers on
acl hotmail dstdomain .hotmail.com .msn.com .passport.net .msn.co.id .passport.com
header_access Accept-Encoding deny hotmail
reload_into_ims on
pipeline_prefetch on
ie_refresh on
vary_ignore_expire on
client_db on

#============================================================$
# DELAY POOLS
#============================================================$
acl download url_regex -i ftp \.exe$ \.mp3$ \.mp4$ \.tar.gz$ \.gz$ \.tar.bz2$ \.rpm$ \.zip$ \.rar$
acl download url_regex -i \.avi$ \.mpg$ \.mpeg$ \.rm$ \.iso$ \.wav$ \.mov$ \.dat$ \.mpe$ \.mid$
acl download url_regex -i \.midi$ \.rmi$ \.wma$ \.wmv$ \.ogg$ \.ogm$ \.m1v$ \.mp2$ \.mpa$ \.wax$
acl download url_regex -i \.m3u$ \.asx$ \.wpl$ \.wmx$ \.dvr-ms$ \.snd$ \.au$ \.aif$ \.asf$ \.m2v$
acl download url_regex -i \.m2p$ \.ts$ \.tp$ \.trp$ \.div$ \.divx$ \.mod$ \.vob$ \.aob$ \.dts$ \.bin$
acl download url_regex -i \.ac3$ \.cda$ \.vro$
acl akses_donlot url_regex -i ftp .exe .dll .zip .rar .rpm .tgz
acl akses_donlot url_regex -i ftp .tar.gz .tar.bz2 .iso .avi .mov .wmv .3gp .bin
acl akses_donlot url_regex -i ftp .mpg .mpeg .mp3 .ram .rm .flv
acl akses_donlot url_regex -i .exe .dll .zip .rar .rpm .tgz
acl akses_donlot url_regex -i .tar.gz .tar.bz2 .iso .avi .mov
acl akses_donlot url_regex -i .mpg .mpeg .mp3 .ram .rm .flv
acl kenadelay url_regex -i .jpg .gif .doc .xls .zip .rar
acl aplot method POST

delay_pools 3
delay_class 1 2
delay_parameters 1 4000/8000 4000/4000
delay_access 1 allow download
delay_access 1 allow pecenx akses_donlot
delay_access 1 allow striming
delay_access 1 allow aplot kenadelay
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 64000/128000 10000/64000
delay_access 2 allow pecenx
delay_access 2 deny all
delay_class 3 2
delay_parameters 3 5000/6000 3000/5000
delay_access 3 allow kost
delay_access 3 deny all

#!/bin/sh
# Setting IPTABLES paling sederhana untuk masquerading
######################################################

# Konstanta
$IPT=”iptables”
$LOAD=”/sbin/modprobe”

# Interface
# Kalau pakai modem, ganti RED=ppp0

RED=”eth0″
RED_NET=192.168.1.2

#BLUE=ra0
#BLUE_NET=192.168.2.0/24

GREEN=”eth1″
GREEN_NET=192.168.0.0/24

PORT=”3128″
#——————————–
# Inisialisasi IPTABLES
$LOAD ip_tables
$LOAD iptable_filter
$LOAD iptable_nat
$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
$LOAD ip_nat_ftp
$LOAD ip_conntrack_irc
$LOAD ip_nat_irc

#——————————–
# Kosongkan rumus-rumus IPTABLES
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X

#——————————–
# Rumus default
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#——————————–
#ip route add default scope global nexthop via 192.168.100.101 dev $RED weight 1 nexthop via 10.64.64.65 dev $BLUE weight 1
# Rumus masquerading, IP statik
#$IPT -t nat -A POSTROUTING -o $RED -j SNAT –to -source $RED_IP

# Rumus masquerading, lebih komplit
#$IPT -t nat -A POSTROUTING -s $GREEN_NET -o $RED -j SNAT –to -source $RED_NET

# Kalau RED anda IP dinamik (ppp0), gunakan
$IPT -t nat -A POSTROUTING -o $RED -j MASQUERADE
# $IPT -t nat -A POSTROUTING -o $BLUE -j MASQUERADE
$IPT -t nat -A PREROUTING -i $GREEN -p tcp –dport 80 -j REDIRECT –to-port $PORT
#$IPT -t nat -A PREROUTING -i $BLUE -p tcp –dport 80 -j REDIRECT –to-port 3128
# $IPT -t nat -A OUTPUT -p tcp –dport 80 -j DNAT –to-destination 192.168.0.254:3128
#$IPT -t nat -A PREROUTING -i $BLUE -p tcp –dport 80 -j DNAT –to-destination 192.168.0.254:3128
#iptables -t nat -A OUTPUT -p tcp –dport 80 -j DNAT –to-destination 192.168.0.1:3128 iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to- destination 192.168.0.254:3128
#$IPT -A INPUT -i $BLUE -p tcp -d 192.168.0.254 -s 192.168.1.1 –dport 9333 -m state –state NEW,ESTABLISHED -j ACCEPT
#$IPT -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT –to 192.168.0.254
#$IPT -t nat -A PREROUTING -p tcp -m tcp –dport 80 -j REDIRECT –to-port 3128
#$IPT -t filter -A INPUT -p tcp –dport 9333 -j ACCEPT
#——————————–
# Rumus forward, hanya dari dalam atau luar related
#$IPT -t mangle -A PREROUTING -d 10.1.2.10 -j DROP
$IPT -A FORWARD -i $GREEN -o $RED -j ACCEPT
#$IPT -A FORWARD -i $BLUE -o $RED -j ACCEPT
$IPT -A FORWARD -i $RED -o $GREEN -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -i $RED -o $BLUE -m state –state ESTABLISHED,RELATED -j ACCEPT

#——————————–
# Rumus INPUT, hanya terima dari dalam atau luar yang related
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $GREEN -j ACCEPT
#$IPT -A INPUT -i $BLUE -j ACCEPT
$IPT -A INPUT -i $RED -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT  -p icmp -m icmp –icmp-type echo-request -j REJECT
#$IPT -A OUTPUT  -p icmp -m icmp –icmp-type echo-reply -j REJECT

#$IPT -A FORWARD -p ICMP -i $GREEN –icmp-type 24 -j REJECT
#$IPT -A FORWARD -p ICMP -i $BLUE –icmp-type 24 -j REJECT
#$IPT -A INPUT -i $BLUE -m state –state ESTABLISHED,RELATED -j ACCEPT
#——————————–
## Allow some ports
if [ "$PORT_IN" != "ALL" ]; then
for PORT in $PORT_IN ; do
$IPT -A INPUT -p udp –dport $PORT -j ACCEPT
$IPT -A INPUT -p tcp –dport $PORT -j ACCEPT
done
else
$IPT -A INPUT -p udp -j ACCEPT
$IPT -A INPUT -p tcp -j ACCEPT
fi

# Hidupkan forwarding
echo “1″ > /proc/sys/net/ipv4/ip_forward