A blacklist of attackers' IP addresses keeps growing and quickly becomes hard to maintain.
Think about it the other way round: a whitelist is much easier to manage.
Divide the whitelist into two groups:
#1. DNS-resolvable names, such as your SIP providers and your clients' DynDNS addresses.
#2. Static IP addresses, such as your local IP address pool (which cannot be found through DNS).
For the DNS-resolvable group, copy the script from the RouterOS wiki (http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules; read the "Ooops" note on that page as well):
/system script add name=resolvehostnames policy=read,write
with the following source (paste it into the script's Source field in WinBox/WebFig, or pass it on the command line as a quoted source= string, in which case the inner double quotes and every $ must be escaped with a backslash). Note that :resolve raises an error when a name cannot be resolved, which aborts the script at that entry and leaves the remaining entries un-updated.
# define variables
:local list
:local comment
:local newip

# Loop through each entry in the address list.
:foreach i in=[/ip firewall address-list find] do={

  # Get the first five characters of the list name
  :set list [:pick [/ip firewall address-list get $i list] 0 5]

  # If they're "host_", then we've got a match - process it
  :if ($list = "host_") do={

    # Get the comment for this address list item (this is the host name to use)
    :set comment [/ip firewall address-list get $i comment]

    # Resolve it and set the address list entry accordingly.
    :set newip [:resolve $comment]
    /ip firewall address-list set $i address=$newip
  }
}
And a scheduler that runs it every hour (change the interval if you like, but remember that a client whose DynDNS address changes stays locked out until the next run):
/system scheduler
add comment="" disabled=no interval=1h name=updatehostnames on-event=resolvehostnames start-date=jan/01/1970 start-time=00:00:00
Add your host names to the list (the list name must start with host_). For instance, to add Bigfoot.org to the list host_allowedlist:
/ip firewall address-list add address=0.0.0.0 comment=Bigfoot.org list=host_allowedlist
The 0.0.0.0 is only a placeholder that matches nothing; the script overwrites it with the resolved address. (Current RouterOS releases also accept a DNS name directly in the address field of an address-list entry and keep it resolved by themselves; the script approach works on older versions too.)
After you have added all your host names to the list, run the script resolvehostnames once.
For the static IP addresses, just use the address-list add command. For instance, to add your IP01 (192.168.88.100) to allowed_staticiplist:
/ip firewall address-list add address=192.168.88.100 comment=IP01 list=allowed_staticiplist
Done adding the allowed IP address lists!
Next step is to allow only the whitelist to use UDP port 5060. The first rule sends every UDP packet for port 5060 in the forward chain to a separate chain named allowedsip; the next two rules accept the two lists there. Put these rules above any general accept rule in the forward chain, because filter rules are evaluated in order. The forward chain only covers traffic passing through the router to a PBX behind it; if the router itself runs a SIP service, add the same jump in the input chain.
/ip firewall filter add chain=forward action=jump jump-target=allowedsip protocol=udp dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=host_allowedlist dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=allowed_staticiplist dst-port=5060
And drop all others:
/ip firewall filter add chain=allowedsip action=drop
Now anyone not on the allowed lists can no longer attack through UDP port 5060. Keep in mind what this does and does not buy you: the script trusts whatever your router's DNS resolver returns, and UDP source addresses can be forged, so this stops the scanners and brute-forcers that need replies, not a one-way flood that fakes a whitelisted source.
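The whole procedure in one place, as an added example rather than the page's or the MikroTik wiki's own code: the resolver script is rewritten so that a name that fails to resolve is logged and skipped instead of aborting the run (using :do/on-error and a regex find in place of :pick), and only changed addresses are written and logged; it is followed by the lists, the scheduler and the filter rules, with the jump also added in the input chain and a log rule before the drop. The host names sip.example.net and client1.dyndns.example and the 192.168.88.0/24 pool are assumptions; the list and chain names are the page's.

```routeros
# --- 1. resolver script body -------------------------------------------------
# Create a script named "resolvehostnames" with policy read,write and paste this
# as its source (System > Scripts in WinBox/WebFig, or
# /system script add ... source="..." with inner quotes and $ escaped).
# Every address-list entry whose list name starts with "host_" carries the DNS
# name in its comment; the address field holds the last resolved IP.
:foreach i in=[/ip firewall address-list find where list~"^host_"] do={
    :local host [/ip firewall address-list get $i comment]
    :local oldip [/ip firewall address-list get $i address]
    :do {
        :local newip [:resolve $host]
        :if ($newip != $oldip) do={
            /ip firewall address-list set $i address=$newip
            :log info "resolvehostnames: $host $oldip -> $newip"
        }
    } on-error={
        # :resolve raises an error for an unresolvable name; keep the previous
        # address and carry on with the next entry instead of aborting the run
        :log warning "resolvehostnames: could not resolve $host, keeping $oldip"
    }
}

# --- 2. address lists (list names from the page; hosts and pool are assumed) -
/ip firewall address-list
add list=host_allowedlist address=0.0.0.0 comment=sip.example.net
add list=host_allowedlist address=0.0.0.0 comment=client1.dyndns.example
add list=allowed_staticiplist address=192.168.88.100 comment=IP01
add list=allowed_staticiplist address=192.168.88.0/24 comment="local pool"

# --- 3. resolve once now, then every hour ------------------------------------
/system script run resolvehostnames
/system scheduler
add name=updatehostnames interval=1h start-time=startup policy=read,write on-event=resolvehostnames

# --- 4. filter rules: keep them above any broad accept rule ------------------
/ip firewall filter
add chain=forward protocol=udp dst-port=5060 action=jump jump-target=allowedsip comment="SIP to hosts behind the router"
add chain=input protocol=udp dst-port=5060 action=jump jump-target=allowedsip comment="SIP to the router itself"
add chain=allowedsip protocol=udp dst-port=5060 src-address-list=host_allowedlist action=accept
add chain=allowedsip protocol=udp dst-port=5060 src-address-list=allowed_staticiplist action=accept
add chain=allowedsip action=log log-prefix="sip-blocked"
add chain=allowedsip action=drop
```

After the first run, the host_ entries should show real addresses in the address list and the log should carry one "resolvehostnames:" line per changed entry; a warning line instead means the name did not resolve and the old address (0.0.0.0 on the first run, which matches nothing) was kept. The log rule in allowedsip shows you who is still knocking and is worth removing or rate-limiting once you are satisfied, since an attacker can fill your log with it.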