How to Blacklist Filters on MikroTik RouterOS?
To prevent your users from reaching blacklisted IP addresses, you need to create the following firewall rules. This way we protect our users from unwanted sites.
To use any of the lists below, add a rule to your input chain (protecting the router itself) or your forward chain (protecting the users behind it), like the following:
```
/ip firewall filter add action=drop chain=input comment="Drop new connections from blacklisted IP's to this router" connection-state=new in-interface=ether1 src-address-list=blacklist
```
or
```
/ip firewall filter add action=drop chain=forward comment="Drop connections from users to blacklisted IP's" dst-address-list=blacklist
```
SpamHaus
“Spamhaus Don’t Route Or Peer List (DROP)”
“The DROP list will not include any IP address space under the control of any legitimate network – even if being used by “the spammers from hell”. DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.”
```
# Script which will download the drop list as a text file
# Note: the downloaded .rsc is executed by /import, so the source of the file must be trusted
/system script add name="DownloadSpamhaus" source={
    /tool fetch url="http://joshaven.com/spamhaus.rsc" mode=http;
    :log info "Downloaded spamhaus.rsc from Joshaven.com";
}

# Script which will remove the old Spamhaus list and add the new one
/system script add name="ReplaceSpamhaus" source={
    /ip firewall address-list remove [find where comment="SpamHaus"]
    /import file-name=spamhaus.rsc;
    :log info "Removed old Spamhaus records and imported new list";
}

# Schedule the download and application of the Spamhaus list
/system scheduler add comment="Download spamhaus list" interval=3d \
    name="DownloadSpamhausList" on-event=DownloadSpamhaus \
    start-date=jan/01/1970 start-time=10:24:17
/system scheduler add comment="Apply spamhaus list" interval=3d \
    name="InstallSpamhausList" on-event=ReplaceSpamhaus \
    start-date=jan/01/1970 start-time=10:29:17
```
dshield
“This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of ‘attacks’ indicates the number of targets reporting scans from this subnet.”
```
# Script which will download the dshield list as a text file
/system script add name="Download_dshield" source={
    /tool fetch url="http://joshaven.com/dshield.rsc" mode=http;
    :log info "Downloaded dshield.rsc from Joshaven.com";
}

# Script which will remove the old dshield list and add the new one
/system script add name="Replace_dshield" source={
    /ip firewall address-list remove [find where comment="DShield"]
    /import file-name=dshield.rsc;
    :log info "Removed old dshield records and imported new list";
}

# Schedule the download and application of the dshield list
/system scheduler add comment="Download dshield list" interval=3d \
    name="DownloadDShieldList" on-event=Download_dshield \
    start-date=jan/01/1970 start-time=10:34:17
/system scheduler add comment="Apply dshield list" interval=3d \
    name="InstallDShieldList" on-event=Replace_dshield \
    start-date=jan/01/1970 start-time=10:39:17
```
malc0de
“The files below will be updated daily with domains that have been identified distributing malware during the past 30 days”
```
# Script which will download the malc0de list as a text file
/system script add name="Download_malc0de" source={
    /tool fetch url="http://joshaven.com/malc0de.rsc" mode=http;
    :log info "Downloaded malc0de.rsc from Joshaven.com";
}

# Script which will remove the old malc0de list and add the new one
/system script add name="Replace_malc0de" source={
    /ip firewall address-list remove [find where comment="malc0de"]
    /import file-name=malc0de.rsc;
    :log info "Removed old malc0de records and imported new list";
}

# Schedule the download and application of the malc0de list
/system scheduler add comment="Download malc0de list" interval=3d \
    name="Downloadmalc0deList" on-event=Download_malc0de \
    start-date=jan/01/1970 start-time=10:34:17
/system scheduler add comment="Apply malc0de list" interval=3d \
    name="Installmalc0deList" on-event=Replace_malc0de \
    start-date=jan/01/1970 start-time=10:39:17
```
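If you want to combine several feeds (for example Spamhaus and DShield) into one address-list, the .rsc has to be generated with duplicates removed and every entry validated before the router executes it with /import. The following Python generator is an added example, not code from this article or from joshaven.com; it assumes the Spamhaus DROP text format (network ; SBL reference) and the tab-separated DShield block.txt columns (start, end, mask length, ...), and the feed contents are constructed samples.

```python
import ipaddress

# Constructed sample feeds (documentation ranges, not real blacklist data)
SPAMHAUS_DROP = """; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""

DSHIELD_BLOCK = """# DShield block list (constructed sample), tab separated
# Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail
198.51.100.0\t198.51.100.255\t24\t1234\tExample-Net\tXX\tabuse@example.invalid
203.0.113.0\t203.0.113.255\t24\t567\tExample-Net-2\tXX\tabuse@example.invalid
"""

def parse_drop(text):
    """Yield CIDR strings from DROP format: 'network ; SBLid'; ';' starts a comment."""
    for line in text.splitlines():
        net = line.split(";", 1)[0].strip()
        if net:
            yield net

def parse_dshield(text):
    """Yield CIDR strings from block.txt: start<TAB>end<TAB>masklen...; '#' lines are comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) >= 3:
            yield f"{fields[0]}/{fields[2]}"

def build_rsc(feeds, list_name="blacklist", tag="blacklist-feed"):
    """Merge the feeds into one deduplicated .rsc for /import.

    Every network is parsed with ipaddress so only well-formed address-list
    commands reach the router; anything else raises ValueError instead of being
    written into a file the router would execute. All entries share one comment
    tag so a single 'remove [find where comment=...]' replaces the whole list.
    """
    seen = set()
    lines = []
    for cidrs in feeds:
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects junk and host bits
            if net in seen:
                continue  # same subnet in two feeds: emit it once
            seen.add(net)
            lines.append(f'/ip firewall address-list add list={list_name} '
                         f'address={net} comment="{tag}"')
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_rsc([parse_drop(SPAMHAUS_DROP), parse_dshield(DSHIELD_BLOCK)]), end="")
```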
I hope it has been a useful article.
Very useful!!! I have a question about... is it possible to use two of the sources (i.e. Spamhaus and dShield) combined in the same address-list regardless of whether one of the subnets included is duplicated (both lists contain the same x.x.x.x/24 address)?
Hello, write only one of the two IP addresses that are the same into the list. So a unique IP list.