Blacklist Filters on MikroTik RouterOS
Posted by jpluimers on 2017/09/08
Some blacklist filters you can use on MikroTik RouterOS devices:
- Blacklist Filter update script – MikroTik RouterOS [WayBack]
- Downloading it by hand [WayBack]
- You might want to use raw drops instead of filter drops: http://forum.mikrotik.com/viewtopic.php?f=9&t=98804&start=100 [WayBack]
- BGP blacklist filter [WayBack]
- MikroTik Automatically Updated Address List – Joshaven.com [WayBack]
- MikroTik RouterOS scripts converted from these sources:
- Mikrotik RouterOS Malicious IP Blacklist – Firewall Import Script – Gratis – Blog.Squidblacklist.org [WayBack]
  - Has a slightly different version of DShield than Joshaven.
  - Has spamhaus1, which is virtually the same version of SpamHaus as Joshaven's, but extends it with spamhaus2, which Joshaven does not provide.
  - Does not provide OpenBL nor malc0de.
  - Has halfway instructions on how to install them; use this gist instead: https://gist.github.com/jpluimers/3e4e0c854dad83c169442a33d8bd25e9
You might consider using these instead of action=drop:
- action=tarpit to delay incoming traffic even further (for instance to help against DoS attacks).
- action=reject reject-with=icmp-admin-prohibited [WayBack] which is explained very well [WayBack] by Chris Down [WayBack] referring to the iptables man page [WayBack]
  - Note this is not documented in the most recent /ip firewall rule properties [WayBack] any more, but it is
–jeroen
```
# Script which will download the SquidBlacklistMalicious list as a text file
/system script add name="Download_SquidBlacklistMalicious" source={
/tool fetch url="http://www.squidblacklist.org/downloads/drop.malicious.rsc" mode=http;
:log info "Downloaded drop.malicious.rsc from squidblacklist.org";
}
# Script which will remove the old SquidBlacklistMalicious list and add the new one
/system script add name="Replace_SquidBlacklistMalicious" source={
# Logging rule 0 is disabled during the import and re-enabled afterwards
/system logging disable 0
/ip firewall address-list remove [find where comment="SquidBlacklistMalicious"]
/import file-name=drop.malicious.rsc;
/system logging enable 0
:log info "Removed old SquidBlacklistMalicious records and imported new list";
}
# Schedule the download and application of the SquidBlacklistMalicious list
# (the apply job starts five minutes after the download job)
/system scheduler add comment="Download SquidBlacklistMalicious list" interval=3d \
name="DownloadSquidBlacklistMaliciousList" on-event=Download_SquidBlacklistMalicious \
start-date=jan/01/1970 start-time=04:26:52
/system scheduler add comment="Apply SquidBlacklistMalicious List" interval=3d \
name="InstallSquidBlacklistMaliciousList" on-event=Replace_SquidBlacklistMalicious \
start-date=jan/01/1970 start-time=04:31:52
# Install the firewall rules of the SquidBlacklistMalicious list
# Traffic to the router from listed source addresses
/ip firewall filter add chain=input src-address-list=drop.dshield action=drop log=yes log-prefix=drop.dshield
/ip firewall filter add chain=input src-address-list=drop.spamhaus1 action=drop log=yes log-prefix=drop.spamhaus1
/ip firewall filter add chain=input src-address-list=drop.spamhaus2 action=drop log=yes log-prefix=drop.spamhaus2
# Traffic with a listed destination address; note that on chain=input the
# destination is the router itself, so traffic passing through the router
# towards listed addresses is seen by chain=forward, not by these rules
/ip firewall filter add chain=input dst-address-list=drop.dshield action=drop log=yes log-prefix=drop.dshield
/ip firewall filter add chain=input dst-address-list=drop.spamhaus1 action=drop log=yes log-prefix=drop.spamhaus1
/ip firewall filter add chain=input dst-address-list=drop.spamhaus2 action=drop log=yes log-prefix=drop.spamhaus2
```
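The Replace script above runs /import on whatever /tool fetch retrieved over plain HTTP, and /import executes every command in that file, not only address-list entries. As an added example (not part of the original post or gist), this Python check for a management host accepts a .rsc file only if it contains nothing but address-list entries for the three lists the firewall rules use; the entry layout, the protected ranges and the name validate_rsc are assumptions.

```python
import ipaddress
import re

# List names used by the firewall rules on this page.
ALLOWED_LISTS = {"drop.dshield", "drop.spamhaus1", "drop.spamhaus2"}
# Assumption: ranges that must never end up on a drop list (own LAN/management).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed entry layout; the comment value is limited to harmless characters
# because RouterOS scripting treats $ and [ ] as substitution syntax.
ENTRY = re.compile(r'^add\s+list=(\S+)\s+address=(\S+)'
                   r'(?:\s+comment=(?:"[\w .:-]*"|[\w.:-]+))?\s*$')

# Constructed sample, not real feed data.
SAMPLE = """/ip firewall address-list
add list=drop.dshield address=198.51.100.0/24 comment="SquidBlacklistMalicious"
add list=drop.spamhaus1 address=203.0.113.7
add list=drop.spamhaus2 address=192.168.88.0/24
add list=drop.other address=198.51.100.9
/system identity
set name=changed
"""

def validate_rsc(text):
    """Return (entries, problems); import the file only if problems is empty."""
    entries, problems, in_context = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            in_context = line == "/ip firewall address-list"
            if not in_context:
                problems.append((lineno, "unexpected menu or command"))
            continue
        m = ENTRY.match(line)
        if not (in_context and m):
            problems.append((lineno, "not a plain address-list add"))
        elif m.group(1) not in ALLOWED_LISTS:
            problems.append((lineno, "unknown list"))
        else:
            try:
                net = ipaddress.ip_network(m.group(2), strict=False)
            except ValueError:
                problems.append((lineno, "bad address"))
                continue
            if any(net.version == p.version and net.overlaps(p) for p in PROTECTED):
                problems.append((lineno, "overlaps protected range"))
            else:
                entries.append((m.group(1), str(net)))
    return entries, problems
```

Calling validate_rsc(SAMPLE) accepts the first two entries and reports lines 4 to 7, so this sample file would not be imported.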






jpluimers said
Note that Malcode seems to have been less good than it used to be:
jpluimers said
The install script for the squidblacklist is at https://gist.github.com/jpluimers/3e4e0c854dad83c169442a33d8bd25e9 and based on https://blog.squidblacklist.org/?p=297