ROS Command Reference

Category: Common technical articles    Source: www.nanyuetong.com
Bind:
:foreach i in=[/ip arp find dynamic=yes] do={/ip arp add copy-from=$i}
Unbind:
:foreach i in=[/ip arp find] do={/ip arp remove $i}
When finished, select the LAN interface under Interfaces and set ARP to reply-only.
Change MAC:
/interface ethernet set lan2 mac-address=00:b4:cb:ad:fe:af
Disable the firewall:
:foreach i in=[/ip firewall filter find disabled=no] do={/ip firewall filter disable $i}
Grab the IP:
/tool netwatch set test host=[/ip firewall address-list get [/ip firewall address-list find list=winboxOnline] address]
Rate limiting off:
:foreach i in=[/queue simple find disabled=no] do={/queue simple disable $i}
Rate limiting on:
:foreach i in=[/queue simple find disabled=yes] do={/queue simple enable $i}


Common ROS commands (2007-07-25 10:44)

RouterOS monitoring script: raises an alarm when the link goes down and clears it automatically when the link recovers:
Add a script under /system script

name=<IP to monitor>
with the following content:
:set i 0
:while ($i=0) do={:beep length=2s frequency=2755;:delay 5;:set a abc;\
:foreach i in=[/tool netwatch find host=<IP to monitor>] \
do={:set a [/tool netwatch get $i status]};:put $a;:if ($a=up) do={:set i 1}}

Then add a monitor under /tool netwatch
host=<IP to monitor>
In the down field enter:
/system script run <IP to monitor>
:set shendown1 [/system clock get date]
:set shendown2 [/system clock get time]
:set shendown ("<IP to monitor> down " . $shendown1 . " " . $shendown2)
:log warning $shendown

ROS small-packet priority policy:
/ ip firewall mangle 
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 comment="" disabled=no 
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no 
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no 
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no 
add chain=forward packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no 
add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no 
/ queue tree 
add name="p2p1" parent=wan packet-mark=p2p limit-at=600000 queue=default priority=8 max-limit=800000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no 
add name="p2p2" parent=lan packet-mark=p2p limit-at=800000 queue=default priority=8 max-limit=600000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no 
add name="classa" parent=lan packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no 
add name="classb" parent=classa packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no 
add name="leaf1" parent=classa packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no 
add name="leaf2" parent=classb packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no 
add name="leaf3" parent=classb packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no 



ROS script for blocking common P2P applications:
/ ip firewall filter
add chain=input protocol=udp dst-port=137-138 action=drop comment="drop udp137-138"
# Xunlei (Thunder)
add chain=forward protocol=tcp dst-port=3076-3079 action=drop comment="downtools xunlei" disabled=yes
add chain=forward dst-address=202.96.155.91/32 action=drop
add chain=forward dst-address=210.22.12.53/32 action=drop
add chain=forward dst-address=61.128.198.97/32 action=drop
# eMule
add chain=forward protocol=tcp dst-port=4661 action=drop comment="downp2p verycd"
add chain=forward protocol=tcp dst-port=4662 action=drop
add chain=forward protocol=tcp dst-port=4242 action=drop
add chain=forward dst-address=62.241.53.15/32 action=drop
# PPGou
add chain=forward protocol=tcp dst-port=8505 action=drop comment="downtools ppgou"
add chain=forward dst-address=219.153.0.152/32 action=drop
add chain=forward dst-address=61.145.116.186/32 action=drop
# KuGou (kugo)
add chain=forward protocol=tcp dst-port=3318 action=drop comment="downmp3 kugo" disabled=yes
add chain=forward protocol=tcp dst-port=1043 action=drop disabled=yes
add chain=forward protocol=tcp dst-port=4224 action=drop disabled=yes
add chain=forward protocol=tcp dst-port=2371 action=drop disabled=yes
add chain=forward protocol=udp dst-port=7000 action=drop disabled=yes
add chain=forward dst-address=218.16.125.227/32 action=drop disabled=yes
add chain=forward dst-address=61.143.210.56/32 action=drop disabled=yes
add chain=forward dst-address=218.16.125.226/32 action=drop disabled=yes
add chain=forward dst-address=61.129.115.206/32 action=drop disabled=yes
add chain=forward dst-address=61.145.114.33/32 action=drop disabled=yes
# rf online
add chain=forward dst-address=218.30.85.16/32 dst-port=8888 action=accept comment="rf online"
add chain=forward dst-address=59.34.215.133/32 dst-port=8888 action=accept
add chain=forward dst-address=60.28.26.66/32 dst-port=8888 action=accept
# BitSpirit
add chain=forward protocol=tcp dst-port=16881 action=drop comment="downp2p bitspirit"
add chain=forward protocol=tcp dst-port=6881-6890 action=drop
add chain=forward protocol=tcp dst-port=8881-8890 action=drop
add chain=forward protocol=udp dst-port=16881 action=drop
add chain=forward protocol=udp dst-port=6881-6890 action=drop
add chain=forward protocol=udp dst-port=8881-8890 action=drop
# Baoku
add chain=forward protocol=tcp dst-port=6346 action=drop comment="downp2p baocue"
add chain=forward protocol=tcp dst-port=11300 action=drop
add chain=forward dst-address=61.172.197.196/32 action=drop
add chain=forward dst-address=218.1.14.3/32 action=drop
add chain=forward dst-address=218.1.14.4/32 action=drop
add chain=forward dst-address=218.1.14.9/32 action=drop
add chain=forward dst-address=61.172.197.209/32 action=drop
add chain=forward dst-address=61.172.197.197/32 action=drop
add chain=forward dst-address=218.1.14.5/32 action=drop
add chain=forward dst-address=218.5.72.118/32 action=drop
add chain=forward dst-address=61.172.197.196/32 action=drop
# Baishitong download tool
add chain=forward dst-address=61.145.126.150/32 action=drop comment="downp2p bai****ong"
# Baidu MP3 download
add chain=forward dst-address=202.108.156.206/32 action=drop comment="downmp3 baidump3" disabled=yes
# ptc download tool
add chain=forward protocol=tcp dst-port=50007 action=drop comment="downp2p ptcdown"
# eDonkey2000 download tool
add chain=forward protocol=tcp dst-port=4371 action=drop comment="downp2p edonkey2000"
add chain=forward protocol=tcp dst-port=4662 action=drop
add chain=forward dst-address=62.241.53.15/32 action=drop
add chain=forward dst-address=62.241.53.17/32 action=drop
# poco2005
add chain=forward protocol=udp src-port=8094 action=drop comment="downp2p poco2005"
add chain=forward protocol=tcp dst-port=2881 action=drop
add chain=forward protocol=tcp dst-port=5354 action=drop
add chain=forward dst-address=61.145.118.224/32 action=drop
add chain=forward dst-address=210.192.122.147/32 action=drop
add chain=forward dst-address=207.46.196.108/32 action=drop
# Kamun
add chain=forward protocol=tcp dst-port=3751 action=drop comment="downp2p kamun"
add chain=forward protocol=tcp dst-port=3753 action=drop
add chain=forward protocol=tcp dst-port=4772 action=drop
add chain=forward protocol=tcp dst-port=4774 action=drop
add chain=forward dst-address=211.155.224.67/32 action=drop
# Weiyu RealLink
add chain=forward dst-address=211.91.135.114/32 action=drop comment="downp2p reallink"
add chain=forward dst-address=221.233.18.180/32 action=drop
add chain=forward dst-address=61.145.119.55/32 action=drop
add chain=forward dst-address=221.3.132.99/32 action=drop
# 100bao
add chain=forward protocol=tcp dst-port=3468 action=drop comment="downp2p 100bao"
add chain=forward dst-address=219.136.251.56/32 action=drop
add chain=forward dst-address=61.149.124.173/32 action=drop
# Baihua PP
add chain=forward protocol=tcp dst-port=5093 action=drop comment="downp2p baihua"
add chain=forward dst-address=221.229.241.243/32 action=drop
# Kuaiditong (kdt)
add chain=forward dst-address=202.96.137.56/32 action=drop comment="downp2p kdt"
# Kuro
add chain=forward protocol=tcp dst-port=6800-6801 action=drop comment="downmp3 kuro"
add chain=forward protocol=tcp dst-port=7003 action=drop
add chain=forward dst-address=218.244.45.67/32 action=drop
add chain=forward dst-address=220.169.192.145/32 action=drop
# Baidu Xiaba
add chain=forward protocol=tcp dst-port=11000 action=drop comment="downp2p baiduxiaba" disabled=yes
add chain=forward dst-address=202.108.249.171/32 action=drop
# Baizhao P2P
add chain=forward protocol=tcp dst-port=9000 action=drop comment="downp2p baizhaop2p"
add chain=forward dst-address=221.233.19.30/32 action=drop
# Shitou (OpenExt)
add chain=forward protocol=tcp dst-port=5467 action=drop comment="downp2p openext"
add chain=forward protocol=tcp dst-port=2500 action=drop
add chain=forward protocol=tcp dst-port=4173 action=drop
add chain=forward protocol=tcp dst-port=10002 action=drop
add chain=forward protocol=tcp dst-port=10003 action=drop
add chain=forward dst-address=66.197.13.166/32 action=drop
add chain=forward dst-address=210.22.12.245/32 action=drop
add chain=forward dst-address=69.93.222.56/32 action=drop
# ilink 1.1
add chain=forward protocol=tcp dst-port=5000 action=drop comment="downp2p ilink"
# dds
add chain=forward protocol=tcp dst-port=11608 action=drop comment="downp2p dds"
add chain=forward dst-address=210.51.168.13/32 action=drop
add chain=forward dst-address=211.157.105.252/32 action=drop
add chain=forward dst-address=212.179.66.17/32 action=drop
# imesh 5
add chain=forward protocol=tcp dst-port=4662 action=drop comment="downp2p imesh 5"
add chain=forward dst-address=212.179.66.17/32 action=drop
add chain=forward dst-address=212.179.66.24/32 action=drop
add chain=forward dst-address=38.117.175.23/32 action=drop
# winmx
add chain=forward protocol=tcp dst-port=5690 action=drop comment="downp2p winmx"
add chain=forward dst-address=64.246.15.43/32 action=drop
# Netcool
add chain=forward protocol=tcp dst-port=2122 action=drop comment="downp2p netcool"
add chain=forward dst-address=211.152.22.9/32 action=drop
add chain=forward dst-address=211.152.22.101/32 action=drop
add chain=forward dst-address=221.192.132.29/32 action=drop
# PPLive network TV
add chain=forward protocol=tcp dst-port=8008 action=drop comment="p2ptv pplive"
add chain=forward protocol=udp dst-port=4004 action=drop
# QQ Live
add chain=forward protocol=udp dst-port=13002-13999 action=drop comment="p2ptv qq" disabled=yes
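
An added example (not part of the original page): a small Python audit for a rule list of this kind, run off the router against a text copy of the rules. It flags rules whose matchers repeat an earlier active rule and rules that give dst-port or src-port without protocol=tcp or udp, both of which occur in the list above. The function names and finding labels are this example's own, and accepting only tcp and udp as port-capable protocols is an assumption of the check.

```python
import shlex

# Rules copied from the list above into one short sample.
SAMPLE = """\
/ ip firewall filter
# emule
add chain=forward protocol=tcp dst-port=4662 action=drop comment="downp2p verycd"
add chain=forward dst-address=62.241.53.15/32 action=drop
# rf online
add chain=forward dst-address=218.30.85.16/32 dst-port=8888 action=accept comment="rf online"
# edonkey2000
add chain=forward protocol=tcp dst-port=4662 action=drop
add chain=forward dst-address=62.241.53.15/32 action=drop
add chain=forward protocol=tcp dst-port=3318 action=drop disabled=yes
"""

NOT_MATCHERS = {"line", "action", "comment", "disabled"}
TERMINAL = {"accept", "drop", "reject", "tarpit"}  # actions that end rule processing


def parse_rules(text):
    """Return one dict per 'add' line, tagged with its 1-based line number."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip().startswith("add "):
            continue  # menu path or '#' comment
        rule = {"line": lineno}
        for token in shlex.split(line)[1:]:  # shlex keeps comment="a b" as one token
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(rules):
    """Flag port matchers without tcp/udp and rules hidden behind an earlier identical match."""
    findings, seen = [], {}
    for rule in rules:
        if rule.get("disabled") == "yes":
            continue  # disabled rules never match traffic
        if {"dst-port", "src-port"} & rule.keys() and rule.get("protocol") not in ("tcp", "udp"):
            findings.append((rule["line"], "port-without-protocol"))
        match = frozenset((k, v) for k, v in rule.items() if k not in NOT_MATCHERS)
        first = seen.get(match)
        if first is None:
            if rule.get("action") in TERMINAL:
                seen[match] = rule  # later rules with the same matchers are unreachable
        elif first["action"] == rule.get("action"):
            findings.append((rule["line"], f"duplicate-of-line-{first['line']}"))
        else:
            findings.append((rule["line"], f"shadowed-by-line-{first['line']}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(parse_rules(SAMPLE)):
        print(f"line {lineno}: {finding}")
```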

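Some notes on the ROS firewall:
input - packets entering the router that the router itself must process
forward - packets routed through the router
output - packets processed by the router and leaving through an interface


action:

1 accept - accept the packet
add-dst-to-address-list - add the destination IP address to an address-list

add-src-to-address-list - add the source IP address to an address-list

2 drop - discard the packet
3 jump - jump to another chain, such as input or forward, or to a specific rule
4 log - write a log entry
5 passthrough - ignore this rule
6 reject - discard the packet and send an ICMP reply message
7 return - pass control back to where the jump came from
8 tarpit - capture and hold incoming TCP connections (replies with SYN/ACK to the incoming TCP SYN packet)

RouterOS commands: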
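Most of the RouterOS material I have read is about installation, and command references are rare (perhaps because WinBox exists). The RouterOS manual does describe the commands, but it is in English and hard to follow. Below are some commonly used commands, which I hope will be helpful:
1. After booting and logging in, ? is the help command; it lists the available commands with short descriptions.

2. Long commands can be abbreviated. For interface, for example, type in and press Enter and you enter interface automatically. You can also press Tab to complete a long command.

3. Some commands have many parameters. When you do not know them, type the command followed by a space and ?; for example, print ? shows that command's parameters.
4. setup: everyone has to remember this one, because right after installing RouterOS you must use it to assign IP addresses to the network cards.

5. ip route add gate=211.12.*.14,220.163.*.12: adds multiple gateways for multi-line access.

6. ip firewall add action=nat protocol=tcp dst-address=212.12.*.*/32:80 to-dst-address=192.168.0.198: maps port 80 to the local host 192.168.0.198.

7. print: lists all items.

8. interface monitor-traffic 0,1,2: monitors the current activity of network cards 0, 1 and 2.

9. ip firewall connection print: shows all current connections.

10. ip arp print: shows the list of IP-to-MAC address mappings known to RouterOS.

11. user active print: shows all active RouterOS users.

12. system reboot and system shutdown: reboot and shut down, respectively.

13. system reset: deletes all existing configuration and restarts RouterOS.

14. system resource monitor: monitors current CPU and memory usage.

15. log print: shows the RouterOS log.

16. tool ping-speed 210.13.14.*: shows the ping speed.

17. tool sniffer start and tool sniffer stop: start and stop the sniffer.

18. tool sniffer packet print: lists the sniffed packets.

19. system backup name=2004107.bak: backs up the system configuration to the file 2004107.bak, which you can see with file print.

As for enable, disable, remove, set and other common commands, I will not go over them.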



Some common ROS scripts:
/ ip firewall connection {:foreach r in=[find] do={remove $r}}    remove all connections

:foreach i in=[/ip firewall filter find action=drop] do={/ip firewall filter disable $i}    disable firewall rules

In firewall connection tracking, set syn sendtime to 50 and rectime to 30 to mitigate SYN attacks

/system scheduler add name=reboot interval=24h start-time=06:59:00 on-event={/system reboot} disabled=no    scheduled reboot

/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=xxx.xxx.xxx.xxx    change the default gateway

/queue simple remove [find]    remove all simple queues

:foreach i in=[/ip arp find dynamic=yes] do={/ip arp add copy-from=$i}    ARP binding (static ARP)


Script that adds one simple queue per IP

# remove every existing simple queue
:foreach i in=[/queue simple find] do={
:put ("deleting ... " . [/queue simple get $i name]);
/queue simple remove $i;
}

# add one queue per host in 192.168.0.1-254, skipping 192.168.0.100
:for i from=1 to=254 do={
:if ($i != 100) do={
/queue simple add \
name=("queue" . $i) \
limit-at=128000/128000 \
burst-threshold=384000/192000 \
max-limit=512000/256000 \
burst-limit=2000000/512000 \
burst-time=16s/8s \
dst-address=("192.168.0." . $i);
:put ("192.168.0." . $i . " ... added")
}
}

Other ROS parameters:

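Usage:
WinBox - System - Scripts - +
Name (script name)
Source (script)
OK - select the script to run - Run Script

Bulk ARP binding
:foreach i in=[/ip arp find dynamic=yes] do={/ip arp add copy-from=$i}
Binding ARP in bulk this way is much more convenient, but note that after binding with this command you have to remove the ARP binding for the WAN side, otherwise strange problems appear; I ran into them myself!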

Rate-limit script:
:for aaa from=2 to=254 do={/queue simple add name=("queue" . $aaa) dst-address=("192.168.0." . $aaa) limit-at=0/0 max-limit=2000000/2000000}

Notes:
aaa is a variable
from=2 to=254 means 2 through 254
"192.168.0." . $aaa is the IP
Together, the two items above give 192.168.0.2 through 192.168.0.254
max-limit=2000000/2000000 is upload/download


Remove all connections
/ ip firewall connection {:foreach r in=[find] do={remove $r}}

Disable firewall rules
:foreach i in=[/ip firewall filter find action=drop] do={/ip firewall filter disable $i}


Scheduled reboot
/system scheduler add name=reboot interval=24h start-time=11:59:00 on-event={/system reboot} disabled=no

Change the default gateway
/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=xxx.xxx.xxx.xxx



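/sy reset    restore the router to its original state

/sy reboot    reboot the router

/sy shutdown    shut down

/sy ide set name=<machine name>    set the machine name

/export    view the configuration

/ip export    view the IP configuration

/sy backup, press Enter, then save name=<file name> or load name=<file name>    back up the router

/interface print    view network card status
0 x ether1 ether 1500    the network card is not enabled
0 r ether1 ether 1500    normal state

/int en 0    enable network card 0

/int di 0    disable network card 0

/ip fir con print    view all current network connections

/ip service set www port=81    change the www service port to 81

/ip hotspot user add name=user1 password=1    add a user

How to change the MAC address of a local network card in RouterOS:
interface ethernet> set (interface name) mac-address=(the MAC you want)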


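The computer labs often make this kind of request: Internet access is needed for this class, and it has to be cut off for the next one. This used to be done by unplugging network cables; since this setup went in, that is no longer necessary. Even while Internet access is on, students can be kept off Lianzhong or QQ. After class, when the labs are open and need both Internet access and QQ, just disable these policies.


WinBox is also fairly easy to operate; once the administrator has been taught, I no longer need to be involved.



Freely controlling lab Internet access, QQ and Lianzhong:

/ ip firewall rule forward 

These rules control Internet access for each lab: leave a rule disabled when access is allowed, and enable it when access is forbidden.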

Lab 1
add src-address=192.168.3.0/26 dst-address=!192.168.0.0/16 action=drop \
comment="1机房" disabled=yes 

Lab 2
add src-address=192.168.3.64/26 dst-address=!192.168.0.0/16 action=drop \
comment="2机房" disabled=no 

Lab 3
add src-address=192.168.3.128/26 dst-address=!192.168.0.0/16 action=drop \
comment="3机房" disabled=yes 

Lab 4
add src-address=192.168.3.192/26 dst-address=!192.168.0.0/16 action=drop \
comment="4机房" disabled=no 

Lab 5
add src-address=192.168.0.128/26 dst-address=!192.168.0.0/16 action=drop \
comment="5机房" disabled=no 
add src-address=192.168.0.192/29 dst-address=!192.168.0.0/16 action=drop \
comment="" disabled=no 

Lab 6
add src-address=192.168.0.64/26 dst-address=!192.168.0.0/16 action=drop \
comment="6机房" disabled=no 


These rules control Lianzhong and QQ for each lab

Lab 2
add src-address=192.168.3.64/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="2机房禁止联众 禁止qq聊天" disabled=no 
add src-address=192.168.3.64/26 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no 
add src-address=192.168.3.64/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no 
add src-address=192.168.3.128/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no 

Lab 3
add src-address=192.168.3.128/26 dst-address=:8000 protocol=udp action=drop \
comment="3机房禁止qq聊天 禁止联众" disabled=yes 
add src-address=192.168.3.128/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=yes 


Lab 4
add src-address=192.168.3.192/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="4机房禁止联众,qq聊天" disabled=no 
add src-address=192.168.3.192/26 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no 
add src-address=192.168.3.192/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no 


Lab 5
add src-address=192.168.0.128/26 dst-address=:8000 protocol=udp action=drop \
comment="5机房禁止qq聊天 禁止联众" disabled=no 
add src-address=192.168.0.192/29 dst-address=:8000 protocol=udp action=drop \
comment="" disabled=no 
add src-address=192.168.0.128/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no 
add src-address=192.168.0.192/29 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no 
add src-address=192.168.0.128/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no 
add src-address=192.168.0.192/29 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no 


Lab 6
add src-address=192.168.0.64/26 dst-address=:8000 protocol=udp action=drop \
comment="6机房禁止qq聊天 禁止联众" disabled=no 
add src-address=192.168.0.64/26 dst-address=219.133.0.0/16 action=drop \
comment="" disabled=no 
add src-address=192.168.0.64/26 dst-address=:1007-3400 protocol=tcp \
action=drop comment="" disabled=no

ROS connection-limit script + rate-limit script:

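Connection-limit script:
:for aaa from=2 to=254 do={/ip firewall filter add chain=forward src-address=("192.168.0." . $aaa) protocol=tcp connection-limit=50,32 action=drop}
Rate-limit script:
:for aaa from=2 to=254 do={/queue simple add name=("queue" . $aaa) dst-address=("192.168.0." . $aaa) limit-at=0/0 max-limit=2000000/2000000}

Notes:
aaa is a variable
from=2 to=254 means 2 through 254
"192.168.0." . $aaa is the IP
Together, the two items above give 192.168.0.2 through 192.168.0.254
connection-limit=50 is the number of connections ("threads"), 50 here
max-limit=2000000/2000000 is upload/download

Usage:
WinBox - System - Scripts - +
Name (script name)
Source (script)
OK - select the script to run - Run Script

Check:
Connection limit: WinBox - IP - Firewall - Filter Rules (check whether the rules have been added)
Rate limit: WinBox - Queues - Simple Queues (check whether the queues have been added)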



Cutting off the hands that scan your ROS: