How to Blacklist Filters on MikroTik RouterOS?

Posted on 19 March 201920 July 2019 by fadıl

To prevent your users from accessing blacklist IP addresses, you need to create the following firewall rules. Thus, we protect our users from unnecessary sites.

In order to use any of the following lists you will want to add a rule to your input or forward chains like the following:

/ip firewall  filter add action=drop chain=input 
comment=" Drop new connectionsfrom blacklisted IP's to this router" 
connection-state=new  in-interface=ether1 src-address-list=blacklist

/ip firewall filter add action=drop chain=input

comment=" Drop new connectionsfrom blacklisted IP's to this router"

connection-state=new in-interface=ether1 src-address-list=blacklist

/ip firewall filter
add action=drop chain=forward comment=" Drop new connectionsfrom blacklisted 
IP's to this router"  dst-address-list=blacklist

/ip firewall filter

add action=drop chain=forward comment=" Drop new connectionsfrom blacklisted

IP's to this router" dst-address-list=blacklist

SpamHaus

“Spamhaus Don’t Route Or Peer List (DROP)”

The DROP list will not include any IP address space under the control of any legitimate network – even if being used by “the spammers from hell”. DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.”

# Script which will download the drop list as a text file
/system script add name="DownloadSpamhaus" source={
/tool fetch url="http://joshaven.com/spamhaus.rsc" mode=http;
:log info "Downloaded spamhaus.rsc from Joshaven.com";
}
# Script which will Remove old Spamhaus list and add new one
/system script add name="ReplaceSpamhaus" source={
/ip firewall address-list remove [find where comment="SpamHaus"]
/import file-name=spamhaus.rsc;
:log info "Removed old Spamhaus records and imported new list";
}
# Schedule the download and application of the spamhaus list
/system scheduler add comment="Download spamnaus list" interval=3d \
name="DownloadSpamhausList" on-event=DownloadSpamhaus \
start-date=jan/01/1970 start-time=10:24:17
/system scheduler add comment="Apply spamnaus List" interval=3d \
name="InstallSpamhausList" on-event=ReplaceSpamhaus \
start-date=jan/01/1970 start-time=10:29:17

# Script which will download the drop list as a text file

/system script add name="DownloadSpamhaus" source={

/tool fetch url="http://joshaven.com/spamhaus.rsc" mode=http;

:log info "Downloaded spamhaus.rsc from Joshaven.com";

}

# Script which will Remove old Spamhaus list and add new one

/system script add name="ReplaceSpamhaus" source={

/ip firewall address-list remove [find where comment="SpamHaus"]

/import file-name=spamhaus.rsc;

:log info "Removed old Spamhaus records and imported new list";

}

# Schedule the download and application of the spamhaus list

/system scheduler add comment="Download spamnaus list" interval=3d \

name="DownloadSpamhausList" on-event=DownloadSpamhaus \

start-date=jan/01/1970 start-time=10:24:17

/system scheduler add comment="Apply spamnaus List" interval=3d \

name="InstallSpamhausList" on-event=ReplaceSpamhaus \

start-date=jan/01/1970 start-time=10:29:17

dshield

“This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of ‘attacks’ indicates the number of targets reporting scans from this subnet.”

# Script which will download the drop list as a text file
/system script add name="Download_dshield" source={
/tool fetch url="http://joshaven.com/dshield.rsc" mode=http;
:log info "Downloaded dshield.rsc from Joshaven.com";
}
# Script which will Remove old dshield list and add new one
/system script add name="Replace_dshield" source={
/ip firewall address-list remove [find where comment="DShield"]
/import file-name=dshield.rsc;
:log info "Removed old dshield records and imported new list";
}
# Schedule the download and application of the dshield list
/system scheduler add comment="Download dshield list" interval=3d \
name="DownloadDShieldList" on-event=Download_dshield \
start-date=jan/01/1970 start-time=10:34:17
/system scheduler add comment="Apply dshield List" interval=3d \
name="InstallDShieldList" on-event=Replace_dshield \
start-date=jan/01/1970 start-time=10:39:17

# Script which will download the drop list as a text file

/system script add name="Download_dshield" source={

/tool fetch url="http://joshaven.com/dshield.rsc" mode=http;

:log info "Downloaded dshield.rsc from Joshaven.com";

}

# Script which will Remove old dshield list and add new one

/system script add name="Replace_dshield" source={

/ip firewall address-list remove [find where comment="DShield"]

/import file-name=dshield.rsc;

:log info "Removed old dshield records and imported new list";

}

# Schedule the download and application of the dshield list

/system scheduler add comment="Download dshield list" interval=3d \

name="DownloadDShieldList" on-event=Download_dshield \

start-date=jan/01/1970 start-time=10:34:17

/system scheduler add comment="Apply dshield List" interval=3d \

name="InstallDShieldList" on-event=Replace_dshield \

start-date=jan/01/1970 start-time=10:39:17

malc0de

“The files below will be updated daily with domains that have been identified distributing malware during the past 30 days”

# Script which will download the malc0de list as a text file
/system script add name="Download_malc0de" source={
/tool fetch url="http://joshaven.com/malc0de.rsc" mode=http;
:log info "Downloaded malc0de.rsc from Joshaven.com";
}

# Script which will Remove old malc0de list and add new one
/system script add name="Replace_malc0de" source={
/ip firewall address-list remove [find where comment="malc0de"]
/import file-name=malc0de.rsc;
:log info "Removed old malc0de records and imported new list";
}

# Schedule the download and application of the malc0de list
/system scheduler add comment="Download malc0de list" interval=3d \
name="Downloadmalc0deList" on-event=Download_malc0de \
start-date=jan/01/1970 start-time=10:34:17
/system scheduler add comment="Apply malc0de List" interval=3d \
name="Installmalc0deList" on-event=Replace_malc0de \
start-date=jan/01/1970 start-time=10:39:17

# Script which will download the malc0de list as a text file

/system script add name="Download_malc0de" source={

/tool fetch url="http://joshaven.com/malc0de.rsc" mode=http;

:log info "Downloaded malc0de.rsc from Joshaven.com";

}

# Script which will Remove old malc0de list and add new one

/system script add name="Replace_malc0de" source={

/ip firewall address-list remove [find where comment="malc0de"]

/import file-name=malc0de.rsc;

:log info "Removed old malc0de records and imported new list";

}

# Schedule the download and application of the malc0de list

/system scheduler add comment="Download malc0de list" interval=3d \

name="Downloadmalc0deList" on-event=Download_malc0de \

start-date=jan/01/1970 start-time=10:34:17

/system scheduler add comment="Apply malc0de List" interval=3d \

name="Installmalc0deList" on-event=Replace_malc0de \

start-date=jan/01/1970 start-time=10:39:17

I hope it has been a useful article.

2 thoughts on “How to Blacklist Filters on MikroTik RouterOS?”

Gerardo says:
4 January 2021 at 7:42 PM
Very usefull!!! I have a question about… it is possible to use two of the sources (i.e. Spamhaus and dShield) combined in the same address-list regardless if one of the subnets included is duplicated (both lists contains the same x.x.x.x/24 address)?
1. fadıl says:
  5 January 2021 at 8:07 AM
  Hello, write only one of the two IP addresses that are the same as the list. So unique IP list.

SpamHaus

“Spamhaus Don’t Route Or Peer List (DROP)”

dshield

malc0de

2 thoughts on “How to Blacklist Filters on MikroTik RouterOS?”

Leave a Reply Cancel reply