[Ask] PHP API ICMP Traceroute Firewall Block

I'm trying to add 3 protection scripts for traceroute and ICMP flooding.

This is my script:


<?php
require "routeros_api.class.php";

$API = new routeros_api();

$API->debug = false;

if ($API->connect('192.168.88.1', 'admin', 'admin')) 
{
    if ($_POST['add']) 
    {
        $API->comm ("/ip/firewall/filter/add", array(
            "chain" => "forward",
            "action" => "drop",
            "protocol" => "icmp",
            "icmp-options" => "11:0"    
        ));
        
        $API->comm ("ip/firewall/filter/add", array(
            "chain" => "forward",
            "action" => "drop",
            "protocol" => "icmp",
            "icmp-options" => "3:3"
        ));
        
        $API->comm ("ip/firewall/filter/add", array(
            "chain" => "forward",
            "in-bride-port" => "*1",
            "action" => "drop",
            "protocol" => "icmp",
            "icmp-options" => "8:0",
            "disable" => "no"
        ));
        
    }
 $API->disconnect();
    if ($API) 
    {
        header ('location:firewall.php');    
    }
}
?>

My question: why is only the first script added to the firewall filter list? Only the first command is sent to the MikroTik… is anything wrong in my script?
Thanks, and sorry for my bad English…

You don’t have a leading “/” in the later requests.

Compare

$API->comm ("/ip/firewall/filter/add",

with

$API->comm ("ip/firewall/filter/add",

Sorry for the late reply, sir.
I already fixed that, but the third script is still not added to the filter list…

I think “in-bride-port” is supposed to contain the name of the interface you’re targeting, not its ID (which BTW, is probably not “*1”, which is another reason this may be failing).

Also, you should probably remove the “disable” argument… or rename it to “disabled”.

Thanks anyway, sir… my problem is solved again :slight_smile:
And I have one more question, about converting a terminal console command to PHP.

This is the console command:

/ip firewall filter remove [/ip firewall filter find chain=input]

How do I write that script in PHP?

You’d need a print request with a query that matches all rules you want to remove, and then pass them into the remove request.

That’s kind’a difficult to do with Denis’ client though, although certainly not impossible.

Here’s how it would look with my client:

<?php
use PEAR2\Net\RouterOS;
require_once 'PEAR2_Net_RouterOS-1.0.0b3.phar';
 
$client = new RouterOS\Client('192.168.88.1', 'admin', 'admin');

$printRequest = new RouterOS\Request(
    '/ip firewall filter print .proplist=.id',
    RouterOS\Query::where('chain', 'input')
);
$idList = '';

foreach ($client->sendSync($printRequest)->getAllOfType(RouterOS\Response::TYPE_DATA) as $entry) {
    $idList .= $entry->getArgument('.id') . ',';
}
$idList = rtrim($idList, ',');
//$idList now contains a comma separated list of the IDs of the entries we're targeting

$removeRequest = new RouterOS\Request('/ip firewall filter remove');
$removeRequest->setArgument('numbers', $idList);
$client->sendSync($removeRequest); 

(again: That’s the easy variant, so if that looks complicated to you, Denis’ client wouldn’t really look any easier)

Yep, I've already read and learned about your project, sir,
but that's a different API from the one I use now…

I try to learn script by script… but I'm confused… actually I'm new to programming in PHP… and the first time… I read the PHP API from Denis' client

Can I take that script for Denis' client API?

I try to learn script by script… but I'm confused… actually I'm new to programming in PHP… and the first time

Sounds like all the more reason you should learn to be doing things “the right way”.

I read the PHP API from Denis' client

OK… why?

Can I take that script for Denis' client API?

:confused:

<?php
require "routeros_api.class.php";

$client = new routeros_api();

$client->debug = false;

if ($client->connect('192.168.88.1', 'admin', 'admin')) 
{    
    $idList = '';
    foreach ($client->comm ("/ip/firewall/filter/print", array(
        "?chain" => "input",
        ".proplist" => ".id"
    )) as $entry) {
        if (isset($entry['.id'])) {
           $idList .= $entry['.id'] . ",";
        }
    }
    $idList = rtrim($idList, ',');
    //$idList now contains a comma separated list of the IDs of the entries we're targeting

    $client->comm("/ip/firewall/filter/print", array(
        "numbers" => $idList
    ));

    $client->disconnect();
}
?>

dont know … maybe first time im read .. API from dennis looks like simple .. actually im tried quite a Net Router OS .. but in the beginning I had trouble understanding what it’s “Pyrus and Phar” … I tried it and had trouble installing on windows .. That’s the reason why I chose dennis client

Is that script for removing firewall rules the same as

/ip firewall filter remove [/ip firewall filter find chain=input]

??
I tried that script, but there is no change in the firewall list…

Thanks very much for your help, and sorry if I have many questions

Oops… sorry, replace

    $client->comm("/ip/firewall/filter/print", array(
        "numbers" => $idList
    )); 

with

    $client->comm("/ip/firewall/filter/remove", array(
        "numbers" => $idList
    )); 



I had trouble understanding what it’s “Pyrus and Phar”

You don’t need Pyrus.

“PHAR” stands for “PHP Archive”. It’s basically multiple PHP files, combined into one, same as a zip file*. You can just download the “.phar” file, and include it as shown above.

I can understand that Pyrus can appear hard to deal with, especially if you’re not used to working with the command line - that’s what the Phar file is for. Pyrus is recommended for those who wish to also download updates when they come out, especially updates to dependencies. If you’re only just getting started, the PHAR is as good of an option as Pyrus, if not better.

and sorry if I have many questions

No problem. In fact… Did you find me on Skype as we discussed?

* Strictly speaking, it’s an actual archive (TAR with optional GZip or BZip2 compression) with the additional option of prepending a PHP file at the start (the so called “stub”), which can be executed. In the case of my client (as well as any library distributed as a PHAR), an autoloader is registered, and that’s about it. Pyrus’ PHAR file on the other hand triggers a file that does different things based on the command line arguments.
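
Added example, not code from any poster or from either client library: the firewall rules in this thread failed without any visible error, so this wrapper around `comm()` turns a rejected command into an exception and shows the third rule both as first posted and corrected. `FakeRouter` is a constructed stand-in so the script runs offline; the `!trap` reply shape, the `in-bridge-port` spelling and the `ether2` port name are assumptions.

```php
<?php
// Added example, not code from the thread.
/** Send one command; throw instead of silently continuing if it is rejected. */
function checked($api, string $command, array $args = [])
{
    if ($command === '' || $command[0] !== '/') {
        throw new InvalidArgumentException("command must start with '/': $command");
    }
    $reply = $api->comm($command, $args);
    // Assumption: a rejected command comes back as ['!trap' => [['message' => ...]]].
    if (is_array($reply) && isset($reply['!trap'])) {
        $msg = $reply['!trap'][0]['message'] ?? 'rejected';
        throw new RuntimeException("$command: $msg");
    }
    return $reply;
}

// Constructed stand-in for the router so this runs offline. It rejects
// argument names it does not know, as happened to the thread's third rule.
class FakeRouter
{
    public $rules = [];
    public function comm($command, $args = [])
    {
        $known = ['chain', 'action', 'protocol', 'icmp-options', 'in-bridge-port', 'disabled'];
        $bad = array_diff(array_keys($args), $known);
        if ($bad) {
            return ['!trap' => [['message' => 'unknown parameter ' . reset($bad)]]];
        }
        $this->rules[] = $args;
        return '*' . count($this->rules);
    }
}
$drop = ['chain' => 'forward', 'action' => 'drop', 'protocol' => 'icmp'];
$rules = [
    $drop + ['icmp-options' => '11:0'],   // TTL exceeded in transit
    $drop + ['icmp-options' => '3:3'],    // port unreachable
    $drop + ['icmp-options' => '8:0', 'in-bride-port' => '*1', 'disable' => 'no'], // as first posted
    $drop + ['icmp-options' => '8:0', 'in-bridge-port' => 'ether2', 'disabled' => 'no'], // hypothetical port
];
$router = new FakeRouter();
foreach ($rules as $i => $rule) {
    try {
        checked($router, '/ip/firewall/filter/add', $rule);
        echo "rule $i added\n";
    } catch (RuntimeException $e) {
        echo "rule $i failed: ", $e->getMessage(), "\n";
    }
}
```

Against a real router, pass the connected `routeros_api` object instead of `FakeRouter`; the same wrapper fits the print and remove calls shown above.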