Mikrotik Block Lists

Sources

Scripts

http://forum.mikrotik.com/viewtopic.php?t=98804

http://www.wisptech.com/index.php?title=MikrotikBlackList

http://joshaven.com/mikrotik-auto-updated-begones-list/

:!: The Joshaven scripts seem to work well on ROS 6.4. I have expanded and modified these scripts here.

  • The DShield list is small, but up to date.
  • The Spamhaus list is also fairly small and up to date.
  • The OpenBL default list (linked to base_90days) is quite long and will cause the router's web interface to misbehave if you select the Address List page (this does not happen in Winbox). A better choice for router use might be the base_30days list.
  • The VoIPBL list is also quite long (over 12,000 entries) and will cause the router's web interface to misbehave even more. If implementing this list, use Winbox to access the Address List page.
  • The Combined list is the longest because it contains the unique entries from all four previous lists. Use Winbox.

Gather and Format the Lists

Run this script from cron on a Linux web server. Then we can use the same files for all our Mikrotik routers.

blocklists4mt.sh

:!: We use a 7-day timeout so that stale entries expire on their own and so the entries stay dynamic: RouterOS does not write dynamic (timed) address-list entries to the saved configuration, which spares the flash (NAND), but it also means they vanish on reboot, hence the "After Reboot" schedulers below.

:!: We use a very crude mechanism to limit the size of the combined list. uniq -w 36 compares only the first 36 characters of each line, which is the 27-character prefix "add list=blocklist address=" plus the first 9 characters of the address, so lines that agree on those characters collapse into one. That removes addresses that appear in more than one feed, but it also merges distinct neighbouring addresses (e.g. 203.0.113.10 and 203.0.113.11). Adjust the uniq -w argument to trade list size against precision.

#!/bin/sh
# blocklists4mt.sh: fetch public blocklists and convert them into RouterOS
# address-list import files (.rsc) served from this web server.
set -u
saveTo=/home/sonoracomm/public_html/blocklists
now=$(date)
mkdir -p "$saveTo"

# Convert a feed on stdin into "add ..." lines. Only the matched address
# (with optional /prefix) is printed, never the whole field, so stray text
# in a feed line cannot reach the router's command parser on import.
# $1 = comment tag, $2 = suffix for feeds that list bare /24 networks.
toRsc() {
    awk --posix -v tag="$1" -v suffix="${2:-}" '
    match($0, /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(\/[0-9]{1,2})?/) {
        print "add list=blocklist address=" substr($0, RSTART, RLENGTH) suffix " timeout=7d comment=" tag
    }'
}

# Write $saveTo/$1.rsc: generation header, section line, converted feed from stdin.
writeList() {  # $1 = file base name, $2 = comment tag, $3 = optional suffix
    {
        echo "# Generated by blocklists4mt.sh on $now"
        echo "/ip firewall address-list"
        toRsc "$2" "${3:-}"
    } > "$saveTo/$1.rsc"
}

# DShield lists /24 networks as "start<TAB>end<TAB>netmask", hence the /24 suffix.
wget -q -O - http://feeds.dshield.org/block.txt | writeList dshield DShield /24

# Spamhaus DROP and EDROP are already CIDR ("1.2.3.0/24 ; SBLnnn"); one file for both.
{ wget -q -O - http://www.spamhaus.org/drop/drop.lasso
  wget -q -O - http://www.spamhaus.org/drop/edrop.lasso; } | writeList spamhaus SpamHaus

# OpenBL 30-day list of single hosts, gzipped (base_90days is far longer).
wget -q -O - http://www.openbl.org/lists/base_30days.txt.gz | gunzip | writeList openbl OpenBL

# VoIPBL single hosts in CIDR form.
wget -q -O - http://www.voipbl.org/update/ | writeList voipbl VoIPBL

# Combined list: drop blank lines, comments and the per-file section headers,
# then collapse lines whose first 36 characters match (the 27-character
# prefix plus 9 characters of address): removes cross-feed duplicates but
# also merges neighbouring addresses.
{
    echo "# Generated by blocklists4mt.sh on $now"
    echo "# This is a combined blocklist created from unique entries in the"
    echo "# DShield, SpamHaus, OpenBL and VoIPBL blocklists."
    echo "/ip firewall address-list"
    cat "$saveTo"/dshield.rsc "$saveTo"/openbl.rsc "$saveTo"/spamhaus.rsc "$saveTo"/voipbl.rsc |
        grep -Ev '^$|^[[:space:]]*#|^/' | LC_ALL=C sort | uniq -w 36
} > "$saveTo/combined.rsc"
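As an added example (not part of the original script), the following shell fragment shows concretely what the uniq -w 36 step does to a constructed set of .rsc lines, beside an exact dedupe that keys on the whole address= value. The sample addresses are from the TEST-NET documentation ranges, and the helper names strip_rsc, crude_dedupe and exact_dedupe are made up here.

```shell
#!/bin/sh
# Added example: what "uniq -w 36" does to .rsc lines versus an exact dedupe.
export LC_ALL=C   # byte-order sort so duplicates land next to each other

# Constructed sample (TEST-NET addresses): 203.0.113.10 appears in two feeds,
# 203.0.113.11 is a different host, plus a comment line and a section header.
SAMPLE='# Generated by blocklists4mt.sh on Fri Oct 19 01:00:00 2018
/ip firewall address-list
add list=blocklist address=203.0.113.10 timeout=7d comment=OpenBL
add list=blocklist address=203.0.113.11 timeout=7d comment=VoIPBL
add list=blocklist address=203.0.113.10 timeout=7d comment=DShield
add list=blocklist address=198.51.100.0/24 timeout=7d comment=SpamHaus'

# Drop blank lines, comments and section headers; $1 holds the .rsc text.
strip_rsc() {
    printf '%s\n' "$1" | grep -Ev '^$|^[[:space:]]*#|^/'
}

# The page's approach: compare only the first 36 characters, i.e. the
# 27-character "add list=blocklist address=" prefix plus 9 characters of
# address. Every 203.0.113.x line therefore collapses into one entry.
crude_dedupe() {
    strip_rsc "$1" | sort | uniq -w 36
}

# Exact dedupe: key on the full value of the address= field (third word),
# so only genuine duplicates are removed and 203.0.113.11 survives.
exact_dedupe() {
    strip_rsc "$1" | sort | awk '{ split($3, kv, "="); if (!seen[kv[2]]++) print }'
}

crude_dedupe "$SAMPLE"    # 2 lines: 198.51.100.0/24 and one 203.0.113.10
exact_dedupe "$SAMPLE"    # 3 lines: 203.0.113.11 is kept
```

uniq -w is a GNU coreutils option, as on the page; the awk variant needs nothing beyond POSIX awk and would work as a drop-in replacement for the uniq step if exact behaviour is preferred over the smaller list.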

Run the Script Daily

Here is one way to configure cron to run the script every day. Debian-style run-parts only runs files whose names consist of letters, digits, hyphens and underscores, so drop the .sh extension when copying into /etc/cron.daily/ or the script will silently never run there.

chown root:root blocklists4mt.sh
chmod +x blocklists4mt.sh
cp -a blocklists4mt.sh /etc/cron.daily/blocklists4mt

Create the Blocklist

Now that we have the blocklists on the web server, we need to get them into an address-list on the Mikrotik router. Keep in mind that /import runs every line of the fetched .rsc file as a RouterOS command, so the router trusts the web server completely, and the download in the scripts below is plain HTTP. Restrict write access to the blocklists directory on the server, and switch the fetch to https where your RouterOS version and web server support it.

FIXME Bogons? Should we include bogons in the blocklist? Would the router drop internal traffic with the rules below? If we match in-interface on the WAN interface, could we include bogons? We cannot specify out-interface in the prerouting chain.

:!: At the time of this writing, the first three lists combined added 6,181 items to the blocklist address-list, which plays havoc with a web browser using the Mikrotik web interface when you click the Address Lists tab. The list is even longer if you use the OpenBL default (base_90days) list.
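Because /import executes every line of the downloaded file as a RouterOS command, it is worth refusing to publish a generated .rsc that contains anything other than the expected address-list entries. The validator below is an added example, not code from the original page: validate_rsc, its acceptance rules and the sample files are assumptions made here (the samples use TEST-NET addresses and are constructed, not real feed data).

```shell
#!/bin/sh
# Added example: sanity-check a generated .rsc before publishing it.
# Accepts only blank lines, "#" comments, the single section header
# "/ip firewall address-list", and entries of the exact shape
#   add list=blocklist address=<ipv4[/prefix]> timeout=7d comment=<tag>
# with octets 0-255 and prefix 0-32. Reads the file on stdin; exit 0 means
# clean, exit 1 means an unexpected line (reported on stderr).
validate_rsc() {
    awk '
    function octets_ok(ip,    o, n, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    /^$/ || /^#/ { next }
    $0 == "/ip firewall address-list" { next }
    {
        ok = (NF == 5 && $1 == "add" && $2 == "list=blocklist" &&
              $4 == "timeout=7d" && $5 ~ /^comment=[A-Za-z0-9]+$/ &&
              $3 ~ /^address=[0-9.]+(\/[0-9]+)?$/)
        if (ok) {
            n = split(substr($3, 9), parts, "/")   # strip "address="
            ok = octets_ok(parts[1]) && (n == 1 || parts[2] + 0 <= 32)
        }
        if (!ok) { print "unexpected line " NR ": " $0 > "/dev/stderr"; bad = 1; exit }
    }
    END { exit bad + 0 }'
}

# Constructed samples (TEST-NET ranges, not real feed data).
GOOD='# Generated by blocklists4mt.sh on Fri Oct 19 01:00:00 2018
/ip firewall address-list
add list=blocklist address=203.0.113.0/24 timeout=7d comment=DShield
add list=blocklist address=198.51.100.7 timeout=7d comment=OpenBL'

# Any line that is not an address-list entry is rejected, whatever it is.
BAD_CMD="$GOOD
:put \"not an address-list entry\""

# An out-of-range octet would make the router abort the import part-way.
BAD_ADDR="$GOOD
add list=blocklist address=203.0.113.300 timeout=7d comment=VoIPBL"

# Usage in the generator, before moving a file into the served directory:
#   validate_rsc < "$tmpfile" && mv "$tmpfile" "$saveTo/dshield.rsc"
printf '%s\n' "$GOOD" | validate_rsc && echo "GOOD sample accepted"
```

Running the check in the generator (write to a temporary file, validate, then move into place) means a broken or tampered feed leaves the previously published file untouched, and the router keeps importing the last known-good list.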

DShield

# Script which will download the DShield list as a RouterOS import file
/system script add name="Download_dshield" source={
/tool fetch url="http://sonoracomm.com/blocklists/dshield.rsc" mode=http
:log info "Downloaded dshield.rsc from sonoracomm.com"
}

# Script which will remove the old DShield entries and import the new file.
# Every entry from this feed carries comment=DShield, so one find/remove
# does the job without iterating over the whole address-list.
/system script add name="Replace_dshield" source={
/ip firewall address-list remove [find list=blocklist comment="DShield"]
/import file-name=dshield.rsc
:log info "Removed old DShield list and added new"
}

# Schedule the download and application of the DShield list
/system scheduler add comment="Download DShield list" interval=7d name="DownloadDShieldList" \
    on-event=Download_dshield start-date=jan/01/1970 start-time=01:05:00
/system scheduler add comment="Apply DShield List" interval=7d name="ApplyDShieldList" \
    on-event=Replace_dshield start-date=jan/01/1970 start-time=01:10:00
/system scheduler add comment="Apply DShield List After Reboot" name="ApplyDShieldListAfterReboot" \
    on-event=Replace_dshield start-time=startup

SpamHaus

# Script which will download the Spamhaus DROP/EDROP list as a RouterOS import file
/system script add name="Download_spamhaus" source={
/tool fetch url="http://sonoracomm.com/blocklists/spamhaus.rsc" mode=http
:log info "Downloaded spamhaus.rsc from sonoracomm.com"
}

# Script which will remove the old Spamhaus entries (comment=SpamHaus) and import the new file
/system script add name="Replace_spamhaus" source={
/ip firewall address-list remove [find list=blocklist comment="SpamHaus"]
/import file-name=spamhaus.rsc
:log info "Removed old Spamhaus list and added new"
}

# Schedule the download and application of the spamhaus list
/system scheduler add comment="Download Spamhaus list" interval=7d name="DownloadSpamhausList" \
    on-event=Download_spamhaus start-date=jan/01/1970 start-time=01:15:00
/system scheduler add comment="Apply Spamhaus List" interval=7d name="ApplySpamhausList" \
    on-event=Replace_spamhaus start-date=jan/01/1970 start-time=01:20:00
/system scheduler add comment="Apply Spamhaus List After Reboot" name="ApplySpamhausListAfterReboot" \
    on-event=Replace_spamhaus start-time=startup

OpenBL

# Script which will download the OpenBL list as a RouterOS import file
/system script add name="Download_openbl" source={
/tool fetch url="http://sonoracomm.com/blocklists/openbl.rsc" mode=http
:log info "Downloaded openbl.rsc from sonoracomm.com"
}

# Script which will remove the old OpenBL entries (comment=OpenBL) and import the new file
/system script add name="Replace_openbl" source={
/ip firewall address-list remove [find list=blocklist comment="OpenBL"]
/import file-name=openbl.rsc
:log info "Removed old OpenBL list and added new"
}

# Schedule the download and application of the openbl list
/system scheduler add comment="Download OpenBL list" interval=7d name="DownloadOpenblList" \
    on-event=Download_openbl start-date=jan/01/1970 start-time=01:25:00
/system scheduler add comment="Apply OpenBL List" interval=7d name="ApplyOpenblList" \
    on-event=Replace_openbl start-date=jan/01/1970 start-time=01:30:00
/system scheduler add comment="Apply OpenBL List After Reboot" name="ApplyOpenblListAfterReboot" \
    on-event=Replace_openbl start-time=startup

VoIPBL

# Script which will download the VoIPBL list as a RouterOS import file
/system script add name="Download_voipbl" source={
/tool fetch url="http://sonoracomm.com/blocklists/voipbl.rsc" mode=http
:log info "Downloaded voipbl.rsc from sonoracomm.com"
}

# Script which will remove the old VoIPBL entries (comment=VoIPBL) and import the new file
/system script add name="Replace_voipbl" source={
/ip firewall address-list remove [find list=blocklist comment="VoIPBL"]
/import file-name=voipbl.rsc
:log info "Removed old VoIPBL list and added new"
}

# Schedule the download and application of the VoIPBL list
/system scheduler add comment="Download VoIPBL list" interval=7d name="DownloadVoIPBLList" \
    on-event=Download_voipbl start-date=jan/01/1970 start-time=01:40:00
/system scheduler add comment="Apply VoIPBL List" interval=7d name="ApplyVoIPBLList" \
    on-event=Replace_voipbl start-date=jan/01/1970 start-time=01:50:00
/system scheduler add comment="Apply VoIPBL List After Reboot" name="ApplyVoIPBLListAfterReboot" \
    on-event=Replace_voipbl start-time=startup

Combined

:!: Use this list instead of, not alongside, the four individual lists: it contains every entry from them, and it exists only to avoid the import errors that duplicate entries (the same address present in two feeds) would cause, since /import stops at the first failing line.

# Script which will download the combined list as a RouterOS import file
/system script add name="Download_combined" source={
/tool fetch url="http://sonoracomm.com/blocklists/combined.rsc" mode=http
:log info "Downloaded combined.rsc from sonoracomm.com"
}

# Script which will remove the old entries from all four feeds and import the
# new combined file. Entries are matched by the comment each feed writes.
/system script add name="Replace_combined" source={
/ip firewall address-list remove [find list=blocklist comment="DShield"]
/ip firewall address-list remove [find list=blocklist comment="SpamHaus"]
/ip firewall address-list remove [find list=blocklist comment="OpenBL"]
/ip firewall address-list remove [find list=blocklist comment="VoIPBL"]
:log info "Removed old blocklist entries and added new"
/import file-name=combined.rsc
}

# Schedule the download and application of the 'combined' list
/system scheduler add comment="Download Combined Blocklist" interval=7d name="DownloadCombinedList" \
    on-event=Download_combined start-date=jan/01/1970 start-time=01:25:00
/system scheduler add comment="Apply Combined List" interval=7d name="ApplyCombinedList" \
    on-event=Replace_combined start-date=jan/01/1970 start-time=01:30:00
/system scheduler add comment="Apply Combined List After Reboot" name="ApplyCombinedListAfterReboot" \
    on-event=Replace_combined start-time=startup

Block Traffic

Now that we have the address-list on the Mikrotik router, we can log it, drop it or reject it as we wish.

:!: These rules use place-before=0 to put the rules at the beginning of the rule set. You may not want that.

:!: The input chain is for traffic destined for the router.

:!: The forward chain is for traffic forwarded through the router to a network behind it.

/ip firewall filter
add chain=input src-address-list=blocklist action=drop place-before=0 \
    comment="Drop all traffic from blocklisted addresses - Input chain"
add chain=forward src-address-list=blocklist action=drop place-before=0 \
    comment="Drop all traffic from blocklisted addresses - Forward chain"

The following are newer rules for newer RouterOS versions (the raw table was added in RouterOS 6.36). They use the RAW table's prerouting chain, which is processed before connection tracking: a packet dropped there never creates a connection entry, which is what saves CPU compared to filter rules, and because prerouting sees both traffic addressed to the router and traffic forwarded through it, one rule replaces the input/forward pair above.

Two rules cover both directions: the first drops packets arriving on the WAN interface from blocklisted sources, the second drops packets arriving from the LAN bridge that are destined for blocklisted addresses.

FIXME These rules need testing and editing, particularly for in-interface settings.

/ip firewall raw
add action=drop in-interface=ether1 chain=prerouting comment=\
    "Drop connections from Blocklist addresses" src-address-list=blocklist
add action=drop in-interface=br-lan chain=prerouting comment=\
    "Drop connections to Blocklist addresses" dst-address-list=blocklist

networking/router/mikrotik_blocklist.1539975563.txt.gz · Last modified: 2018/10/19 12:59 by gcooper