 
raminmalek
Member Candidate
Topic Author
Posts: 118
Joined: Sun Nov 02, 2008 5:51 pm

How add address List From The TXT File to Firewall Address List

Tue Dec 29, 2015 10:14 am

Hi dear friend, I want to deny IP addresses from a specific country, from http://www.ipdeny.com/ipblocks/data/countries/

Deny them in my router.


I see this link http://forum.mikrotik.com/viewtopic.php?t=83910



But the problem is how to separate the IP ranges in the txt file.

Now this script adds only the range in line 1 and returns an error to me:
value of address must have nemask after '/' either as number or as ip value

Please help me.
 
ConnectivityEngineer
Frequent Visitor
Posts: 57
Joined: Sat Dec 19, 2015 10:57 pm
Location: Ohio, USA

Re: How add address List From The TXT File to Firewall Address List

Tue Dec 29, 2015 11:42 am

I would suggest asking in the thread you posted - especially since it appears the author may be in the thread.

I would also however suggest a much different approach.

Allowing Access TO your router should Only happen if you know WHO IS COMING

Allowing Access THROUGH Your Router on the other hand is a much better approach.

Rick Frey Consulting has a great script - and Butch Evans has an even better script that would allow for you to manage the firewall in a much better way.

Also - be very careful - Every Firewall Entry MUST BE READ until there is a match and/or, if there is no match, then it releases the packet.

If you were to place hundreds of entries this can SLOW DOWN your router but also TRAFFIC...

We often receive calls into the Mikrotik TAC @ http://Connectivity.Engineer with such complaints.

In fact we had one during the recent debate on Television (you can read about that here: http://connectivity.engineer/networking ... hardening/

The best approach imho is to lessen your attack vector by FIREWALLING EVERYTHING that you do not need to allow and allowing only whom you do.

Access TO the router is rarely needed - Access Through the router often is.


Questions - please feel free to ask - and remember that the other thread might be a good place as well (keep in mind the script is looping in version 6.x of RouterOS, however).
Glenn Kelley | MCTNA, MTCWE, MTCTCE, RHCE, RHCSS
http://Connectivity.Engineer
USA Based 24x7x365 Mikrotik, Juniper, Ubiquiti TAC & WISP / ISP Blind Label Support Call Center
 
ConnectivityEngineer
Frequent Visitor
Posts: 57
Joined: Sat Dec 19, 2015 10:57 pm
Location: Ohio, USA

Re: How add address List From The TXT File to Firewall Address List

Tue Dec 29, 2015 11:59 am

One other note: you might want to check out the script from Joshaven.
http://joshaven.com/resources/tricks/mi ... ress-list/

Blocking known bad guys from even getting THROUGH your router is a great start :-)

We mirror the lists he wgets and creates as well, at http://connectivity.engineer/lists/, should his server ever become non-responsive.

We do, however, highly recommend that you run this on your own web server; this way you can verify the validity of anything that is sent.

 
nescafe2002
Long time Member
Long time Member
Posts: 649
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: How add address List From The TXT File to Firewall Address List

Tue Dec 29, 2015 12:21 pm

Remember that you are putting your trust in Joshaven.com by dynamically adjusting your router configuration based on an unverified source, potentially breaking or damaging your setup. This may or may not happen intentionally.

I'd rather script outside the router or check the produced file line-by-line for expected input to prevent possible script injection.

For example, this is the script I am using to keep the address list up to date. It checks for the correct format of the IP address, or at least allows strings in the form of nnn.nnn.nnn.nnn/nn.
// --------------------------------------------------------------------------------------------------------------------------------
// Purpose: Update address list country-nl in MikroTik router based on ipdeny.com nl-aggregated zone.
// Needs:   LINQPad 5, Windows (Util.*, .Dump() and the default LINQPad namespaces such as System.Text.RegularExpressions)
// NuGet:   SSH.NET
// Usings:  System.Net
//          Renci.SshNet
//          Renci.SshNet.Common
// --------------------------------------------------------------------------------------------------------------------------------

var listName = "country-nl";
var url = @"http://ipdeny.com/ipblocks/data/aggregated/nl-aggregated.zone";

// Dots escaped and the prefix group non-capturing: the original "." matched any character and "(:?" was a typo for "(?:".
var ipPattern = @"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\/\d{1,2})?)";
// Anchored: a downloaded line must consist of exactly one address/prefix and nothing else before it is sent to the router.
var regexIpAddress = new Regex("^" + ipPattern + "$");
// Matches lines of "/ip firewall address-list export" output; group 1 is the address.
var regexMikroTikCli = new Regex($@"add address={ipPattern} list={listName}");
var expect = @"[admin@MikroTik] > ";
var timeout = TimeSpan.FromSeconds(5);

using (var client = new SshClient("router.home.local", "admin+ct", Util.GetPassword("admin@router.home.local")))
{
  client.Connect();
  using (var shellStream = client.CreateShellStream("xterm", 800, 2400, 800, 600, 1024))
  {
    // Echo everything the router sends to the LINQPad output pane.
    shellStream.DataReceived += (o, e) => Util.SqlOutputWriter.Write(Encoding.Default.GetString(e.Data));

    string rep = shellStream.Expect(expect, timeout);
    shellStream.WriteLine(@"/ip firewall address-list export");

    rep = shellStream.Expect(expect, timeout);

    // ----------------------------------------------------------------------------------------------------------------------------
    // Get current address list from MikroTik.
    // ----------------------------------------------------------------------------------------------------------------------------

    var mikrotikIps =
      rep
        .Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.None)
        .Select(x => regexMikroTikCli.Match(x))
        .Where(x => x.Success)
        .Select(x => x.Groups[1].Value)
        .ToArray();

    // ----------------------------------------------------------------------------------------------------------------------------
    // Get new address list from ipdeny.com. Only lines that are exactly an address/prefix survive the filter.
    // ----------------------------------------------------------------------------------------------------------------------------

    var ipblockIps =
      Util.Cache(() =>
        new WebClient()
          .DownloadString(url)
          .Split(new[] { "\r\n", "\r", "\n" }, StringSplitOptions.None))
          .Select(x => x.Trim())
          .Where(x => regexIpAddress.IsMatch(x))
          .ToArray();

    // ----------------------------------------------------------------------------------------------------------------------------
    // Remove entries in MikroTik not in ipdeny.
    // ----------------------------------------------------------------------------------------------------------------------------

    foreach (var ip in mikrotikIps.Except(ipblockIps).Dump("Old / Missing"))
    {
      shellStream.WriteLine($@"/ip firewall address-list remove [/ip firewall address-list find address={ip} list={listName}]");
      rep = shellStream.Expect(expect, timeout);
    }

    // ----------------------------------------------------------------------------------------------------------------------------
    // Add new entries from ipdeny to MikroTik.
    // ----------------------------------------------------------------------------------------------------------------------------

    foreach (var ip in ipblockIps.Except(mikrotikIps).Dump("New"))
    {
      shellStream.WriteLine($@"/ip firewall address-list add address={ip} list={listName}");
      rep = shellStream.Expect(expect, timeout);
    }

    // Clean shutdown: give the router a moment to finish echoing before the stream is disposed.
    shellStream.Flush();
    Thread.Sleep(650);
  }
  if (client.IsConnected)
  {
    client.Disconnect();
  }
}
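The same validate-then-diff approach as an added Python example (not code from the thread or from any of the posters): every line of a downloaded .zone file is checked to be exactly one IPv4 network before it can become part of a RouterOS command, the list name is validated for the same reason, and the result is a diff against the router's current entries. The sample zone text is constructed and includes the kind of lines that must never reach the router.

```python
import ipaddress
import re

# Shape check first (exactly "a.b.c.d/n", nothing else on the line), then ipaddress
# does the real validation: octets <= 255, prefix <= 32, no host bits set.
_CIDR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$", re.ASCII)
_LIST_RE = re.compile(r"^[A-Za-z0-9_-]+$", re.ASCII)


def parse_zone(text):
    """Return (accepted, rejected): accepted are canonical IPv4 CIDR strings,
    rejected are the raw lines that failed validation."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank and comment lines are harmless
        if not _CIDR_RE.match(line):
            rejected.append(raw)          # wrong shape: extra text, IPv6, missing /n
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError:
            rejected.append(raw)          # octet > 255, prefix > 32, host bits set
            continue
        accepted.append(str(net))         # always "a.b.c.d/n", which RouterOS accepts
    return accepted, rejected


def plan_changes(current, desired):
    """Diff the router's current entries against the validated zone file."""
    cur, new = set(current), set(desired)
    return sorted(cur - new), sorted(new - cur)


def routeros_commands(list_name, to_remove, to_add):
    """Build RouterOS CLI lines; the list name is spliced into the command too, so it is validated as well."""
    if not _LIST_RE.match(list_name):
        raise ValueError("unsafe list name: %r" % list_name)
    cmds = ["/ip firewall address-list remove [/ip firewall address-list find "
            "address=%s list=%s]" % (ip, list_name) for ip in to_remove]
    cmds += ["/ip firewall address-list add address=%s list=%s" % (ip, list_name)
             for ip in to_add]
    return cmds


# Constructed sample in the shape of an ipdeny .zone file; the last four lines must be rejected.
SAMPLE_ZONE = """\
# constructed sample, not real ipdeny data
2.56.0.0/14
5.132.0.0/16
31.3.96.0/19
300.1.2.3/24
10.0.0.1/24
2001:db8::/32
1.2.3.0/24 ; /system reset-configuration
"""
```

Calling `parse_zone(SAMPLE_ZONE)` keeps the first three networks and rejects the other four; feeding the accepted list and the router's current entries to `plan_changes` and then `routeros_commands("country-nl", ...)` yields only commands built from validated values.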
 
raminmalek
Member Candidate
Topic Author
Posts: 118
Joined: Sun Nov 02, 2008 5:51 pm

Re: How add address List From The TXT File to Firewall Address List

Sat Jan 02, 2016 10:41 pm

I do not use Spamhaus or other spam lists; I must use http://www.ipdeny.com/ipblocks/data/countries/

And the file is in .zone format.

And the nescafe2002 code is not working.
