I want to create an address-list named Blacklist of IP addresses that made an attempt to access the router from the WAN. So, it would look like this:
Input chain > In interface: Ether1 > Src. address-list: Blacklist > Action: reject
The problem is I would actually like to add a list of IP addresses to this address-list named Blacklist…not just one at a time, so as to avoid adding a bunch of firewall rules. Is that possible? The bad IP addresses are ones that attempted to access the VPN, and so far I have three addresses that a Google search showed as known bad activity. Of course, the attempt never passes phase 1 of IPsec.
Your firewall rule uses an address-list; there is no need for more rules. In the Blacklist address list you put all the addresses to be blocked by this rule. Like this:
I still face the same issue…in the sense that it's transferred to Firewall > Address List instead. What I want to do is this:
/IP firewall address list add address xxx.xxx.xx1, xx.x.xxx.x2, xx.xx.x.xx3, etc., list = Blacklist, so that one has one entry rather than a new entry for each single IP address.
AFAIK this is not possible; address lists are made from separate entries for each address. This form is more manageable than one entry with multiple values.
karlisi is correct. In the IP->Firewall->Address Lists, you have a single entry per line.
I have over 6000 entries in my address lists. I have a server that generates a blacklist every night, and each morning all of the Mikrotik routers that I manage download that list.
My blacklists are currently private, but I have been working on a system to allow them to be downloaded by others. I’ll see if I can finish it up and then post it.
# Import Intrus Managed Filter Lists
# (C)2015 David Joyce, Intrus Technologies
:log warning "Downloading current Blacklist for this model";
:global model [/system resource get board-name]
:global version [/system resource get version]
:global memory [/system resource get total-memory]
/tool fetch url="http://mikrotik.intrustech.com/download.php?get=complete&model=$model&version=$version&memory=$memory" mode=http dst-path="/currentBlacklist.rsc";
# Disable Logging so each add and remove isn't in the system log, we turn it back on at the end
:log warning "Disabling system Logging";
/system logging disable 0
# Find and Remove the old filters
:log warning "Removing previous Blacklist Address-List entries";
:foreach i in=[/ip firewall address-list find ] do={ :if ( [/ip firewall address-list get $i comment] = "intrusBlacklist" ) do={ /ip firewall address-list remove $i } }
# Import the new filters
:log warning "Importing current Blacklist";
/import file-name=/currentBlacklist.rsc
# Delete the import file
:log warning "Removing temp files";
/file remove currentBlacklist.rsc
# Enable the Logging
:log warning "Enabling system logging, all done.";
/system logging enable 0
And, if you are interested, here are my filter rules:
/ip firewall filter
add action=drop chain=Attacks comment="Invalid TCP flag combo" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=Attacks comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,syn
add action=drop chain=Attacks comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,rst
add action=drop chain=Attacks comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=Attacks comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,urg
add action=drop chain=Attacks comment="Invalid TCP flag combo" protocol=tcp tcp-flags=syn,rst
add action=drop chain=Attacks comment="Invalid TCP flag combo" protocol=tcp tcp-flags=rst,urg
add action=drop chain=Attacks comment="Invalid TCP source port (0)" protocol=tcp src-port=0
add action=drop chain=Attacks comment="Invalid TCP destination port (0)" dst-port=0 protocol=tcp
add action=drop chain=Attacks comment="Invalid UDP source port (0)" protocol=udp src-port=0
add action=drop chain=Attacks comment="Invalid UDP destination port (0)" dst-port=0 protocol=udp
add action=drop chain=Attacks comment="Invalid packets (No valid current connection)" connection-state=invalid
add action=drop chain=Attacks comment="Drop connections FROM blacklisted hosts" src-address-list=blacklist
add action=drop chain=Attacks comment="Drop connections TO blacklisted hosts" dst-address-list=blacklist
add action=return chain=Attacks comment="Return to the chain that jumped"
add action=jump chain=input comment="Check for bad stuff in \"Attack\" chain" jump-target=Attacks
add chain=input comment="Allow current valid connections as well as valid related packets" connection-state=established,related
add chain=input comment="Allow any packets from our trusted \"IPSec\" partners" connection-state=new src-address-list=ipSec
add chain=input comment="Allow the Private IP ranges to access the router" connection-state=new src-address-list=PrivateIPs
add chain=input comment="Allow ICMP Response (disabled)" icmp-options=8:0 protocol=icmp
add action=drop chain=input comment="Drop everything else by default"
add action=jump chain=forward comment="Check for bad stuff in \"Attack\" chain" jump-target=Attacks
add chain=forward comment="Allow current valid connections as well as valid related packets" connection-state=established,related
add chain=forward comment="Allow the Private IP ranges to be forwarded by the router" connection-state=new src-address-list=PrivateIPs
add action=drop chain=forward comment="Drop everything else on WAN1" in-interface=wan1
add action=drop chain=forward comment="Drop everything else on WAN2" in-interface=wan2
/ip firewall address-list
add address=172.16.0.0/16 list=PrivateIPs
add address=10.0.0.0/8 list=PrivateIPs
add address=192.168.0.0/16 list=PrivateIPs
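As an added example (not code from this thread, and not from Intrus or any of the services mentioned further down): a POSIX shell script that turns a plain text list of IPv4 addresses or CIDR blocks into a RouterOS .rsc import file. It serves both the original question (getting many addresses into one address-list without typing an entry for each) and the nightly generate-then-import workflow in the post above: the generated file first removes the entries carrying a tag comment, then re-adds the current set, the same replace pattern the script above uses with its "intrusBlacklist" comment. The list name Blacklist, the tag comment bulkBlacklist and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```shell
#!/bin/sh
# Build a RouterOS .rsc import file from a plain-text list of IPv4 addresses/CIDRs.
# Added example for this thread; not code from the thread or from any blacklist service.
# Assumptions (constructed for this example): list name "Blacklist" and tag comment
# "bulkBlacklist", so the generated remove step only touches entries this script owns.

LIST_NAME="${LIST_NAME:-Blacklist}"
TAG="${TAG:-bulkBlacklist}"

# valid_ipv4_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/len, octets 0-255, len 0-32.
valid_ipv4_cidr() {
    addr="$1"
    case "$addr" in *[!0-9./]*|'') return 1 ;; esac     # only digits, dots and a slash
    case "$addr" in
        */*/*) return 1 ;;
        */*)   ip="${addr%/*}"; len="${addr#*/}" ;;
        *)     ip="$addr"; len=32 ;;
    esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac          # reject empty octets
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_rsc FILE: print the import script on stdout; malformed lines are reported on stderr.
# Blank lines, '#' comments and duplicate entries in FILE are ignored.
emit_rsc() {
    seen=" "
    printf '/ip firewall address-list\n'
    # Drop only the entries carrying our tag, so manually added entries survive.
    printf 'remove [find list="%s" comment="%s"]\n' "$LIST_NAME" "$TAG"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        case "$seen" in *" $line "*) continue ;; esac
        seen="$seen$line "
        if valid_ipv4_cidr "$line"; then
            printf 'add list="%s" address=%s comment="%s"\n' "$LIST_NAME" "$line" "$TAG"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Constructed sample input (RFC 5737 documentation ranges), one address or CIDR per line.
SAMPLE="${TMPDIR:-/tmp}/blacklist-sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# addresses to block
198.51.100.10
203.0.113.0/24    # whole scanner range
192.0.2.77
256.1.1.1         # invalid octet, will be skipped
198.51.100.10     # duplicate, ignored
not-an-ip
EOF

# Usage: sh gen_blacklist.sh > blacklist.rsc, upload it to the router's Files,
# then run: /import file-name=blacklist.rsc
emit_rsc "$SAMPLE"
```

The tag comment is what makes the import idempotent: every run removes only the entries it created last time and re-adds the current set, so an address you added by hand to the same list is never touched. Validation happens on the generating host, so a malformed line in the source list is reported there instead of aborting the import halfway through on the router.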
2.) OPTIONAL - you can remove it manually:
/ip firewall address-list remove [find where list="BlackList"]
That COMMAND removes all entries from your router's address lists with the "BlackList" string.
3.) import drop.malicious.rsc
That COMMAND imports/adds the new blacklists to your MikroTik from the file.
That is JUST AN EXAMPLE (especially the download addresses) and there is no guarantee it works.
You have to download the file from that source or another,
download it to a PC and look inside the list … to know HOW IMPORT WORKS.
That list from www.squidblacklist.org makes 3 lists on your MikroTik.
See inside the file to learn for yourself.
Nollitik, I went through the same process you are going through when I first got my hEX.
There are several services out there, but most cost some $, as they take time, effort, programming and continual maintenance, let alone the cost of renting servers etc…
If you do use Dave's service, consider donating to help his work!
In terms of services, for example, one that I am trying out at the moment is called Axiom Shield (not cheap) but very good.
They specialize in MikroTik products for good reason (excellent products for this type of defense activity).
Also, they give discounts to active service members and veterans!! https://axiomcyber.com/shield/
A much more affordable and excellent option, which I have also used in the past and which I can say is stable and geared towards MikroTik products (small or powerful),
is the MOAB by mozerd, a fellow MikroTik forum contributor. http://forum.mikrotik.com/t/moab-mother-of-all-blacklists/122053/1