Mikrotik Block Lists

Sources

Scripts

http://forum.mikrotik.com/viewtopic.php?t=98804

http://www.wisptech.com/index.php?title=MikrotikBlackList

http://joshaven.com/mikrotik-auto-updated-begones-list/

:!: The Joshaven scripts seem to work well on ROS 6.4. I have expanded and modified these scripts here.

  • The DShield list is small, but up to date.
  • The Spamhaus list is also fairly small and up to date.
  • The BDE All list is quite long and will cause the router's web interface (not Winbox) to misbehave when viewing lists.
  • The BDE list is made up of the most recent attackers; the size of the list can be adjusted by changing the 'time' value (in seconds) in the feed URL (max is about 18 hours). A better choice for a low end router might be the last hour list rather than the last four hours list (14400 seconds).
  • The VoIPBL list is also quite long (over 12,000 entries) and will cause the router's web interface to misbehave even more. If implementing this list, use Winbox to access the Address List page.
  • The Combined list is the longest list because it contains unique entries from all the four previous lists. Use Winbox.

Gather and Format the Lists

Run this script from cron on a Linux web server so that all our Mikrotik routers can fetch the same generated files.

blocklists4mt.sh

:!: We use a dynamic address-list with a 7-day timeout in an attempt at eliminating cruft and minimizing flash (NAND) writes.

:!: We use a very crude mechanism to limit the size of the combined list: uniq only compares the leading characters of each line. You can carefully adjust the number of characters compared with the uniq -w 36 argument in the last line. This can also eliminate errors running the script due to duplicate or overlapping entries.

#!/bin/sh
# Fetch each feed, keep only lines that start with an IPv4 address and rewrite
# them as RouterOS address-list "add" commands. Each output file is a complete
# .rsc script that the router can /import.
saveTo=/home/virtualarchitects/public_html/blocklists
now=$(date)

# DShield block.txt is tab-separated; the first column is the start of a /24 network.
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/dshield.rsc
echo "/ip firewall address-list" >> $saveTo/dshield.rsc
wget -q -O - https://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print "add list=blocklist address=" $1 "/24 timeout=7d comment=DShield";}' >> $saveTo/dshield.rsc

# Spamhaus DROP/EDROP entries already carry a CIDR prefix, so none is appended.
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/spamhaus.rsc
echo "/ip firewall address-list" >> $saveTo/spamhaus.rsc
wget -q -O - https://www.spamhaus.org/drop/drop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=7d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc
wget -q -O - http://www.spamhaus.org/drop/edrop.lasso | awk --posix '/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print "add list=blocklist address=" $1 " timeout=7d comment=SpamHaus";}' >> $saveTo/spamhaus.rsc

# blocklist.de returns one address per line; time= is the lookback window in seconds.
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/bde.rsc
echo "/ip firewall address-list" >> $saveTo/bde.rsc
wget -q -O - https://api.blocklist.de/getlast.php?time=14400 | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=7d comment=BDE";}' >> $saveTo/bde.rsc

# VoIPBL update feed: one entry per line, used as given.
echo "# Generated by blocklists4mt.sh on $now" > $saveTo/voipbl.rsc
echo "/ip firewall address-list" >> $saveTo/voipbl.rsc
wget -q -O - https://voipbl.org/update/ | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "add list=blocklist address=" $1 " timeout=7d comment=VoIPBL";}' >> $saveTo/voipbl.rsc

# Combined list: exactly one of the four variants below is active at a time.
# The grep drops blank lines, the per-file "# Generated" comments and the per-file
# "/ip firewall address-list" headers (in GNU grep basic regex, alternation is \|,
# not |), so only the "add" lines are merged. uniq -w N compares just the first N
# characters of each line; adjust N if the import complains about duplicates.

# dshield, bde, spamhaus and voipbl lists

#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
#echo "# DShield, SpamHaus, BDE and VoIPBL blocklists." >> $saveTo/combined.rsc
#echo "/ip firewall address-list" >> $saveTo/combined.rsc
#cat $saveTo/dshield.rsc $saveTo/bde.rsc $saveTo/spamhaus.rsc $saveTo/voipbl.rsc |sort |grep -v '^$\|^\s*#\|^/' |uniq -w 38 >> $saveTo/combined.rsc

# dshield, bde and spamhaus lists

#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
#echo "# DShield, SpamHaus and BDE blocklists." >> $saveTo/combined.rsc
#echo "/ip firewall address-list" >> $saveTo/combined.rsc
#cat $saveTo/dshield.rsc $saveTo/bde.rsc $saveTo/spamhaus.rsc |sort |grep -v '^$\|^\s*#\|^/' |uniq -w 39 >> $saveTo/combined.rsc

# dshield, voipbl and spamhaus lists

echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
echo "# DShield, SpamHaus and VoIPBL blocklists." >> $saveTo/combined.rsc
echo "/ip firewall address-list" >> $saveTo/combined.rsc
cat $saveTo/dshield.rsc $saveTo/voipbl.rsc $saveTo/spamhaus.rsc |sort |grep -v '^$\|^\s*#\|^/' |uniq -w 36 >> $saveTo/combined.rsc

# dshield and spamhaus lists

#echo "# Generated by blocklists4mt.sh on $now" > $saveTo/combined.rsc
#echo "# This is a combined blocklist created from unique entries in the" >> $saveTo/combined.rsc
#echo "# DShield and SpamHaus blocklists." >> $saveTo/combined.rsc
#echo "/ip firewall address-list" >> $saveTo/combined.rsc
#cat $saveTo/dshield.rsc $saveTo/spamhaus.rsc |sort |grep -v '^$\|^\s*#\|^/' |uniq -w 39 >> $saveTo/combined.rsc
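As an added example (not the wiki's blocklists4mt.sh), this POSIX shell version of the gather-and-format step replaces the uniq -w prefix comparison with exact deduplication on the address= field, which also covers the duplicate-entry problem the Combined section below exists to solve. The three feed excerpts are constructed samples in the line formats the script above expects, and feed_to_rsc, dedup_rsc and build_combined are names chosen here.

```shell
#!/bin/sh
# Added example: feed lines -> RouterOS "add" commands, merged with one entry per
# address (exact match on address=) instead of comparing N leading characters.
# Constructed samples in the formats the page's awk filters expect:
DSHIELD_SAMPLE='# DShield block list (tab-separated: start end mask attacks name)
1.2.3.0	1.2.3.255	24	120	Example Net
5.6.7.0	5.6.7.255	24	88	Another Net'
SPAMHAUS_SAMPLE='; Spamhaus DROP list
1.2.3.0/24 ; SBL000001
9.9.8.0/22 ; SBL000002'
BDE_SAMPLE='1.2.3.9
5.6.7.8
not-an-ip'

# feed_to_rsc FEED TAG SUFFIX: one "add" line per feed line whose first column is a
# valid IPv4 address or CIDR; SUFFIX ("/24" or "") is appended, TAG is the comment.
feed_to_rsc() {
    printf '%s\n' "$1" | awk -v tag="$2" -v suffix="$3" '
        /^[#;]/ || NF == 0 { next }               # skip feed comments and blank lines
        {
            addr = $1; sub(/\/[0-9]+$/, "", addr)  # validate the address part only
            if (split(addr, o, ".") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print "add list=blocklist address=" $1 suffix " timeout=7d comment=" tag
        }'
}

# dedup_rsc: keep the first "add" line seen for each address= value, drop the rest.
# Overlapping networks (a /24 and a host inside it) are still kept separately.
dedup_rsc() {
    awk '/^add / { split($3, kv, "="); if (!seen[kv[2]]++) print }'
}

# build_combined: the merged .rsc the router imports (header plus unique add lines).
build_combined() {
    echo "/ip firewall address-list"
    {
        feed_to_rsc "$DSHIELD_SAMPLE" DShield /24
        feed_to_rsc "$SPAMHAUS_SAMPLE" SpamHaus ""
        feed_to_rsc "$BDE_SAMPLE" BDE ""
    } | dedup_rsc
}

build_combined
```

With the samples above, 1.2.3.0/24 appears in both the DShield and Spamhaus excerpts and is emitted once, so the combined output is the header plus five add lines.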

Create the Blocklist

Now that we have the blocklists on the web server, we need to get them into an address-list on the Mikrotik Router.

FIXME Bogons? Should we not include bogons in the blocklist!? Would the router drop internal traffic with these next rules? If we specify in-interface as WAN interface, could we include bogons? We can't specify out-interface in prerouting table.

:!: At the time of this writing, the combined list added 34,648 items to the blocklist address-list and plays havoc with a web browser using the Mikrotik web interface when you click on the Address Lists tab. Verify your Mikrotik router has enough memory if you use the combined list.

DShield

# Script which will download the DShield drop list as a text file
/system script add name="Download_dshield" source={
/tool fetch url="http://virtualarchitects.com/blocklists/dshield.rsc" mode=http;
:log info "Downloaded dshield.rsc from virtualarchitects.com";
}

# Script which will remove old DShield list and add new one
/system script add name="Replace_dshield" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "DShield" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old DShield list and add new";
/import file-name=dshield.rsc;
}

# Schedule the download and application of the DShield list
/system scheduler add comment="Download DShield list" interval=7d name="DownloadDShieldList" \
    on-event=Download_dshield start-date=jan/01/1970 start-time=01:05:00
/system scheduler add comment="Apply DShield List" interval=7d name="ApplyDShieldList" \
    on-event=Replace_dshield start-date=jan/01/1970 start-time=01:10:00
/system scheduler add comment="Apply DShield List After Reboot" name="ApplyDShieldListAfterReboot" \
    on-event=Replace_dshield start-time=startup

SpamHaus

# Script which will download the Spamhaus drop list as a text file
/system script add name="Download_spamhaus" source={
/tool fetch url="http://virtualarchitects.com/blocklists/spamhaus.rsc" mode=http;
:log info "Downloaded spamhaus.rsc from virtualarchitects.com";
}

# Script which will remove old Spamhaus list and add new one
/system script add name="Replace_spamhaus" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "SpamHaus" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old Spamhaus and add new";
/import file-name=spamhaus.rsc;
}

# Schedule the download and application of the spamhaus list
/system scheduler add comment="Download Spamhaus list" interval=7d name="DownloadSpamhausList" \
    on-event=Download_spamhaus start-date=jan/01/1970 start-time=01:15:00
/system scheduler add comment="Apply Spamhaus List" interval=7d name="ApplySpamhausList" \
    on-event=Replace_spamhaus start-date=jan/01/1970 start-time=01:20:00
/system scheduler add comment="Apply Spamhaus List After Reboot" name="ApplySpamhausListAfterReboot" \
    on-event=Replace_spamhaus start-time=startup

BDE

# Script which will download the BDE drop list as a text file
/system script add name="Download_bde" source={
/tool fetch url="http://virtualarchitects.com/blocklists/bde.rsc" mode=http;
:log info "Downloaded bde.rsc from virtualarchitects.com";
}

# Script which will remove old BDE list and add new one
/system script add name="Replace_bde" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "BDE" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old BDE and add new";
/import file-name=bde.rsc;
}

# Schedule the download and application of the BDE list
/system scheduler add comment="Download BDE list" interval=7d name="DownloadBDEList" \
    on-event=Download_bde start-date=jan/01/1970 start-time=01:25:00
/system scheduler add comment="Apply BDE List" interval=7d name="ApplyBDEList" \
    on-event=Replace_bde start-date=jan/01/1970 start-time=01:30:00
/system scheduler add comment="Apply BDE List After Reboot" name="ApplyBDEListAfterReboot" \
    on-event=Replace_bde start-time=startup

VoIPBL

# Script which will download the VoIPBL drop list as a text file
/system script add name="Download_voipbl" source={
/tool fetch url="http://virtualarchitects.com/blocklists/voipbl.rsc" mode=http;
:log info "Downloaded voipbl.rsc from virtualarchitects.com";
}

# Script which will remove old VoIPBL list and add new one
/system script add name="Replace_voipbl" source={
:foreach i in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $i comment] = "VoIPBL" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old VoIPBL list and add new";
/import file-name=voipbl.rsc;
}

# Schedule the download and application of the VoIPBL list
/system scheduler add comment="Download VoIPBL list" interval=7d name="DownloadVoIPBLList" \
    on-event=Download_voipbl start-date=jan/01/1970 start-time=01:40:00
/system scheduler add comment="Apply VoIPBL List" interval=7d name="ApplyVoIPBLList" \
    on-event=Replace_voipbl start-date=jan/01/1970 start-time=01:50:00
/system scheduler add comment="Apply VoIPBL List After Reboot" name="ApplyVoIPBLListAfterReboot" \
    on-event=Replace_voipbl start-time=startup

Combined

:!: You won't use this list with any of the other lists as it contains all the entries from the other lists and only exists to eliminate import errors caused by duplicate entries.

# Script which will download the combined drop list as a .rsc script file
/system script add name="Download_combined" source={
/tool fetch url="http://virtualarchitects.com/blocklists/combined.rsc" mode=http;
:log info "Downloaded combined.rsc from virtualarchitects.com";
}

# Script which will remove old blocklist entries and add new ones.
# The comment is read once per entry: testing it again after a remove would
# hit an entry that no longer exists and can abort the script.
/system script add name="Replace_combined" source={
:foreach i in=[/ip firewall address-list find ] do={
:local c [/ip firewall address-list get $i comment]
:if ( $c = "DShield" || $c = "SpamHaus" || $c = "BDE" || $c = "VoIPBL" ) do={
/ip firewall address-list remove $i
}
}
:log info "Remove old blocklist entries and add new";
/import file-name=combined.rsc;
}

# Schedule the download and application of the 'combined' list
/system scheduler add comment="Download Combined Blocklist" interval=7d name="DownloadCombinedList" \
    on-event=Download_combined start-date=jan/01/1970 start-time=01:25:00
/system scheduler add comment="Apply Combined List" interval=7d name="ApplyCombinedList" \
    on-event=Replace_combined start-date=jan/01/1970 start-time=01:30:00
/system scheduler add comment="Apply Combined List After Reboot" name="ApplyCombinedListAfterReboot" \
    on-event=Replace_combined start-time=startup

Block Traffic

Now that we have the address-list on the Mikrotik router, we can log it, drop it or reject it as we wish.

:!: These rules use place-before=0 to put the rules at the beginning of the rule set. You may not want that.

:!: The input chain is for traffic destined for the router.

:!: The forward chain is for traffic forwarded through the router to a network behind it.

/ip firewall filter
add chain=input src-address-list=blocklist action=drop place-before=0 \
    comment="Drop all traffic from blocklisted addresses - Input chain" 
add chain=forward src-address-list=blocklist action=drop place-before=0 \
    comment="Drop all traffic from blocklisted addresses - Forward chain"

The following rules are for newer Mikrotik RouterOS versions. They use the raw table (prerouting chain), which reduces the total number of rules and the CPU cost: raw rules are evaluated before connection tracking, so blocklisted packets are dropped without ever creating a connection entry.

Only two rules are needed to cover traffic from and to blocklisted addresses, and because prerouting sees packets before the input/forward split, they cover both the INPUT and FORWARD chains at once.

FIXME These rules need testing and editing, particularly for in-interface settings.

/ip firewall raw
add action=drop in-interface=ether1 chain=prerouting comment=\
    "Drop connections from Blocklist addresses" src-address-list=blocklist
add action=drop in-interface=br-lan chain=prerouting comment=\
    "Drop connections to Blocklist addresses" dst-address-list=blocklist
networking/router/mikrotik_blocklist.txt · Last modified: 2024/02/24 14:44 by gcooper