====== Mikrotik Block Lists ======
FIXME **New Method**: https://forum.mikrotik.com/viewtopic.php?f=9&t=152632&p=758435
**Another way to block ads**: https://stopad.hook.sh/
**Block by Country**: https://mikrotikconfig.com/firewall/
===== Sources =====
http://www.spamhaus.org/drop/
http://feeds.dshield.org/block.txt
http://www.openbl.org/
http://www.voipbl.org/
===== Scripts =====
http://forum.mikrotik.com/viewtopic.php?t=98804
http://www.wisptech.com/index.php?title=MikrotikBlackList
http://joshaven.com/mikrotik-auto-updated-begones-list/
:!: The Joshaven scripts seem to work well on ROS 6.4. I have expanded and modified these scripts here.
* The **DShield list** is small, but up to date.
* The **Spamhaus list** is also fairly small and up to date.
* The **BDE All list** is quite long and will cause the router's **web** interface (not Winbox) to misbehave when viewing lists.
* The **BDE list** is made up of the most recent attackers and the size of the list can be adjusted by changing the number for 'time' (max is about 18 hours). A better choice for a low end router might be the ''last hour'' list rather than the ''last four hours'' list (14400 seconds).
* https://api.blocklist.de/getlast.php?time=3600
* The **VoIPBL list** is also quite long (over 12,000 entries) and will cause the router's web interface to misbehave even more. **If implementing this list, use Winbox to access the Address List page**.
* The **Combined list** is the longest list because it contains the unique entries from all four of the previous lists. **Use Winbox**.
==== Gather and Format the Lists ====
Run this script from cron on a Linux web server. Then we can use the same files for all our Mikrotik routers.
=== blocklists4mt.sh ===
:!: We use a **dynamic address-list with a 7-day timeout** in an attempt at eliminating cruft and minimizing flash (NAND) writes.
:!: We use a very crude mechanism to **limit the size of the combined list**: after sorting, ''uniq'' compares only the first 36 characters of each line (the ''add list=blocklist address='' prefix plus the first few characters of the address). You can **carefully** adjust that width by changing the ''uniq -w 36'' argument in the last line. This also eliminates errors when importing the script on the router due to duplicate or overlapping entries.
#!/bin/sh
saveTo=/home/virtualarchitects/public_html/blocklists
now=$(date);
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/dshield.rsc
echo "/ip firewall address-list" >> $saveTo/dshield.rsc
wget -q -O - https://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print "add list=blocklist address=" $1 "/24 timeout=7d comment=DShield";}' >> $saveTo/dshield.rsc
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/spamhaus.rsc
echo "/ip firewall address-list" >> $saveTo/spamhaus.rsc
wget -q -O - https://www.spamhaus.org/drop/drop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=7d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc
wget -q -O - http://www.spamhaus.org/drop/edrop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=7d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/bde.rsc
echo "/ip firewall address-list" >> $saveTo/bde.rsc
wget -q -O - https://api.blocklist.de/getlast.php?time=14400 | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=7d comment=BDE";}' >> $saveTo/bde.rsc
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/voipbl.rsc
echo "/ip firewall address-list" >> $saveTo/voipbl.rsc
wget -q -O - https://voipbl.org/update/ | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=7d comment=VoIPBL";}' >> $saveTo/voipbl.rsc
# dshield, bde, spamhaus and voipbl lists
#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
#echo "# DShield, SpamHaus, BDE and VoIPBL blocklists." >> $saveTo/combined.rsc
#echo "/ip firewall address-list" >> $saveTo/combined.rsc
#cat $saveTo/dshield.rsc $saveTo/bde.rsc $saveTo/spamhaus.rsc $saveTo/voipbl.rsc |sort |grep -Ev '^$|^[[:space:]]*#|^/' |uniq -w 38 >> $saveTo/combined.rsc
# dshield, bde and spamhaus lists
#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
#echo "# DShield, SpamHaus and BDE blocklists." >> $saveTo/combined.rsc
#echo "/ip firewall address-list" >> $saveTo/combined.rsc
#cat $saveTo/dshield.rsc $saveTo/bde.rsc $saveTo/spamhaus.rsc |sort |grep -Ev '^$|^[[:space:]]*#|^/' |uniq -w 39 >> $saveTo/combined.rsc
# dshield, voipbl and spamhaus lists
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
echo "# DShield, SpamHaus and VoIPBL blocklists." >> $saveTo/combined.rsc
echo "/ip firewall address-list" >> $saveTo/combined.rsc
# grep -E is needed here: in a basic regex the bare '|' was a literal character, so the
# per-file '#' headers and '/ip firewall address-list' lines slipped through into the combined file
cat $saveTo/dshield.rsc $saveTo/voipbl.rsc $saveTo/spamhaus.rsc |sort |grep -Ev '^$|^[[:space:]]*#|^/' |uniq -w 36 >> $saveTo/combined.rsc
# dshield and spamhaus lists
#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
#echo "# DShield and SpamHaus blocklists." >> $saveTo/combined.rsc
#echo "/ip firewall address-list" >> $saveTo/combined.rsc
#cat $saveTo/dshield.rsc $saveTo/spamhaus.rsc |sort |grep -Ev '^$|^[[:space:]]*#|^/' |uniq -w 39 >> $saveTo/combined.rsc
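As an added example (not part of the original blocklists4mt.sh), the merge step below replaces the crude ''uniq -w 36'' truncation with a network-aware de-duplication: it parses the ''add'' lines the per-source files contain, drops exact duplicates, and drops any entry already covered by a broader prefix from another source (for example a VoIPBL /32 inside a DShield /24), which is exactly the kind of overlap that makes the router's ''/import'' fail. The sample .rsc contents use TEST-NET addresses and are constructed for the demonstration.

```python
import ipaddress
import re

# Matches the lines blocklists4mt.sh writes; captures the address and the source comment.
ADD_RE = re.compile(r'^add list=blocklist address=(\S+) timeout=\S+ comment=(\S+)')

# Constructed sample files in the format blocklists4mt.sh generates.
DSHIELD = """# Generated by blocklists4mt.sh on (constructed)
/ip firewall address-list
add list=blocklist address=198.51.100.0/24 timeout=7d comment=DShield
add list=blocklist address=203.0.113.0/24 timeout=7d comment=DShield
"""
SPAMHAUS = """/ip firewall address-list
add list=blocklist address=203.0.113.0/24 timeout=7d comment=SpamHaus
add list=blocklist address=192.0.2.0/25 timeout=7d comment=SpamHaus
"""
VOIPBL = """/ip firewall address-list
add list=blocklist address=198.51.100.77/32 timeout=7d comment=VoIPBL
add list=blocklist address=192.0.2.200/32 timeout=7d comment=VoIPBL
add list=blocklist address=192.0.2.10/32 timeout=7d comment=VoIPBL
"""

def parse_rsc(text):
    """Yield (network, source) for every 'add' line; headers and comments are skipped."""
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if m:
            yield ipaddress.ip_network(m.group(1), strict=False), m.group(2)

def merge(rsc_texts):
    """Return [(network, source)] with exact duplicates and covered prefixes removed."""
    nets = {}
    for text in rsc_texts:
        for net, src in parse_rsc(text):
            nets.setdefault(net, src)          # exact duplicate: keep the first source seen
    kept = []
    # Broadest prefix first, so a covering network is in 'kept' before anything inside it.
    for net in sorted(nets, key=lambda n: (n.version, n.prefixlen, n)):
        if not any(net.version == k.version and net.subnet_of(k) for k in kept):
            kept.append(net)
    return sorted(((n, nets[n]) for n in kept), key=lambda e: (e[0].version, e[0]))

def render(entries, timeout="7d"):
    """Produce the combined .rsc text the router imports."""
    lines = ["# Combined blocklist (added example)", "/ip firewall address-list"]
    for net, src in entries:
        lines.append(f"add list=blocklist address={net.with_prefixlen} timeout={timeout} comment={src}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render(merge([DSHIELD, SPAMHAUS, VOIPBL])), end="")
```

On the real server, replace the three constants with the contents of dshield.rsc, spamhaus.rsc and voipbl.rsc and write ''render()''’s output to combined.rsc in place of the ''cat | sort | grep | uniq'' pipeline.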
==== Create the Blocklist ====
Now that we have the blocklists on the web server, we need to get them into an ''address-list'' on the Mikrotik Router.
FIXME Bogons? Should we not include bogons in the blocklist!? Would the router drop internal traffic with these next rules? If we specify in-interface as WAN interface, could we include bogons? We can't specify out-interface in prerouting table.
:!: At the time of this writing, the combined list added **34,648 items** to the ''blocklist'' address-list and plays havoc with a web browser using the Mikrotik web interface when you click on the Address Lists tab. Verify your Mikrotik router has enough memory if you use the combined list.
=== DShield ===
# Script which will download the DShield drop list as a text file
/system script add name="Download_dshield" source={
/tool fetch url="http://virtualarchitects.com/blocklists/dshield.rsc" mode=http;
:log info "Downloaded dshield.rsc from virtualarchitects.com";
}
# Script which will remove old DShield list and add new one
/system script add name="Replace_dshield" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "DShield" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old DShield list and add new";
/import file-name=dshield.rsc;
}
# Schedule the download and application of the DShield list
/system scheduler add comment="Download DShield list" interval=7d name="DownloadDShieldList" \
on-event=Download_dshield start-date=jan/01/1970 start-time=01:05:00
/system scheduler add comment="Apply DShield List" interval=7d name="ApplyDShieldList" \
on-event=Replace_dshield start-date=jan/01/1970 start-time=01:10:00
/system scheduler add comment="Apply DShield List After Reboot" name="ApplyDShieldListAfterReboot" \
on-event=Replace_dshield start-time=startup
=== SpamHaus ===
# Script which will download the Spamhaus drop list as a text file
/system script add name="Download_spamhaus" source={
/tool fetch url="http://virtualarchitects.com/blocklists/spamhaus.rsc" mode=http;
:log info "Downloaded spamhaus.rsc from virtualarchitects.com";
}
# Script which will remove old Spamhaus list and add new one
/system script add name="Replace_spamhaus" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "SpamHaus" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old Spamhaus and add new";
/import file-name=spamhaus.rsc;
}
# Schedule the download and application of the spamhaus list
/system scheduler add comment="Download Spamhaus list" interval=7d name="DownloadSpamhausList" \
on-event=Download_spamhaus start-date=jan/01/1970 start-time=01:15:00
/system scheduler add comment="Apply Spamhaus List" interval=7d name="ApplySpamhausList" \
on-event=Replace_spamhaus start-date=jan/01/1970 start-time=01:20:00
/system scheduler add comment="Apply Spamhaus List After Reboot" name="ApplySpamhausListAfterReboot" \
on-event=Replace_spamhaus start-time=startup
=== BDE ===
# Script which will download the BDE drop list as a text file
/system script add name="Download_bde" source={
/tool fetch url="http://virtualarchitects.com/blocklists/bde.rsc" mode=http;
:log info "Downloaded bde.rsc from virtualarchitects.com";
}
# Script which will Remove old BDE list and add new one
/system script add name="Replace_bde" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "BDE" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old BDE and add new";
/import file-name=bde.rsc;
}
# Schedule the download and application of the BDE list
/system scheduler add comment="Download BDE list" interval=7d name="DownloadBDEList" \
on-event=Download_bde start-date=jan/01/1970 start-time=01:25:00
/system scheduler add comment="Apply BDE List" interval=7d name="ApplyBDEList" \
on-event=Replace_bde start-date=jan/01/1970 start-time=01:30:00
/system scheduler add comment="Apply BDE List After Reboot" name="ApplyBDEListAfterReboot" \
on-event=Replace_bde start-time=startup
=== VoIPBL ===
# Script which will download the VoIPBL drop list as a text file
/system script add name="Download_voipbl" source={
/tool fetch url="http://virtualarchitects.com/blocklists/voipbl.rsc" mode=http;
:log info "Downloaded voipbl.rsc from virtualarchitects.com";
}
# Script which will remove old VoIPBL list and add new one
/system script add name="Replace_voipbl" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "VoIPBL" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old VoIPBL list and add new";
/import file-name=voipbl.rsc;
}
# Schedule the download and application of the VoIPBL list
/system scheduler add comment="Download VoIPBL list" interval=7d name="DownloadVoIPBLList" \
on-event=Download_voipbl start-date=jan/01/1970 start-time=01:40:00
/system scheduler add comment="Apply VoIPBL List" interval=7d name="ApplyVoIPBLList" \
on-event=Replace_voipbl start-date=jan/01/1970 start-time=01:50:00
/system scheduler add comment="Apply VoIPBL List After Reboot" name="ApplyVoIPBLListAfterReboot" \
on-event=Replace_voipbl start-time=startup
=== Combined ===
:!: **Do not use this list together with any of the other lists.** It contains all the entries from the other lists and exists only to eliminate import errors caused by duplicate entries.
# Script which will download the combined drop list as a .rsc script file
/system script add name="Download_combined" source={
/tool fetch url="http://virtualarchitects.com/blocklists/combined.rsc" mode=http;
:log info "Downloaded combined.rsc from virtualarchitects.com";
}
# Script which will remove old blocklist entries and add new ones
/system script add name="Replace_combined" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "DShield" ) do={
/ip firewall address-list remove $i
}
:if ( [/ip firewall address-list get $i comment] = "SpamHaus" ) do={
/ip firewall address-list remove $i
}
:if ( [/ip firewall address-list get $i comment] = "BDE" ) do={
/ip firewall address-list remove $i
}
:if ( [/ip firewall address-list get $i comment] = "VoIPBL" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old blocklist entries and add new";
/import file-name=combined.rsc;
}
# Schedule the download and application of the 'combined' list
/system scheduler add comment="Download Combined Blocklist" interval=7d name="DownloadCombinedList" \
on-event=Download_combined start-date=jan/01/1970 start-time=01:25:00
/system scheduler add comment="Apply Combined List" interval=7d name="ApplyCombinedList" \
on-event=Replace_combined start-date=jan/01/1970 start-time=01:30:00
/system scheduler add comment="Apply Combined List After Reboot" name="ApplyCombinedListAfterReboot" \
on-event=Replace_combined start-time=startup
===== Block Traffic =====
Now that we have the address-list on the Mikrotik router, we can log it, drop it or reject it as we wish.
:!: These rules use ''place-before=0'' to put the rules at the **beginning of the rule set**. You may not want that.
:!: The **input chain** is for traffic destined for the router.
:!: The **forward chain** is for traffic forwarded through the router to a network behind it.
/ip firewall filter
add chain=input src-address-list=blocklist action=drop place-before=0 \
comment="Drop all traffic from blocklisted addresses - Input chain"
add chain=forward src-address-list=blocklist action=drop place-before=0 \
comment="Drop all traffic from blocklisted addresses - Forward chain"
The following are **newer filter rules for newer Mikrotik RouterOS versions**. These rules use the **RAW table** to reduce the total number of rules and to reduce CPU utilization: rules in the RAW table are evaluated **before connection tracking**, so a dropped packet never creates a connection entry.
Two ''prerouting'' rules cover what the filter rules above needed in both the INPUT and FORWARD chains: packets arriving from a blocklisted source, and packets from the LAN headed to a blocklisted destination.
FIXME These rules need testing and editing, particularly for ''in-interface'' settings.
/ip firewall raw
add action=drop in-interface=ether1 chain=prerouting comment=\
"Drop connections from Blocklist addresses" src-address-list=blocklist
add action=drop in-interface=br-lan chain=prerouting comment=\
"Drop connections to Blocklist addresses" dst-address-list=blocklist