Drop all traffic not from address list

RouterOS Beginner Basics
1

Hello
The ports I have open on the router I only want to be accessibly from the address list and the rest it must drop.
I have created a Address list to include the most common IP ranges for my country and internal network

/ip firewall address-list
add address=196.0.0.0/8 disabled=yes list=SA_Sub
add address=41.0.0.0/8 list=SA_Sub
add address=165.0.0.0/8 list=SA_Sub
add address=197.0.0.0/8 list=SA_Sub
add address=129.0.0.0/8 list=SA_Sub
add address=105.0.0.0/8 list=SA_Sub
add address=10.0.0.0/24 list=SA_Sub

then I would like just to have 2 rules one to allow and one to drop, with out having todo it for each port that i foward in

add chain=input comment=“Allow access from SA_Sub List” protocol=tcp src-address-list=SA_Sub
add action=drop chain=input comment=“Block access not from SA_Sub List” protocol=tcp

or

add chain=input comment=“Allow access from SA_Sub List” in-interface=pppoe-out1 protocol=tcp src-address-list=SA_Sub
add action=drop chain=input comment=“Block access not from SA_Sub List” in-interface=pppoe-out1 protocol=tcp src-address-list=!SA_Sub

It does not seem to work and pointers or better suggestions would be appreciates

2

If you forward ports, you need to do your filtering in forward chain. Input chain is for packets for router itself.

3

Thank you that sorted that out
It seems that the rule below does the job by itself, am I correct and that they both say the same thing just the other way around?

add action=drop chain=forward comment=“Block access not from SA_Sub List” in-interface=pppoe-out1 protocol=tcp src-address-list=!SA_Sub

Then this one below will not be necessary

add chain=forward comment=“Allow access from SA_Sub List” in-interface=pppoe-out1 protocol=tcp src-address-list=SA_Sub

4

It depends on rest of your firewall. But if you (as it seems, if this works for you) allow everything by default, then single blocking rule is enough. It will get rid of packets that you don’t want. And you don’t need additional accept rule, because unless some other following rule blocks them, they will be accepted automatically.