Is there a way to permit only the dst-address-list=CountryIPBlocks? What I'd like to do is add my "good guys" to CountryIPBlocks, drop all the bad guys, then permit only the good guys.

Pretty cool link. The firewall syntax they use shows this was designed for a bit older revs of RouterOS, but it will work just fine in modern revs as well. You may also want to cross-check the address lists generated against some other sites with similar lists, because this can change from time to time.
I don't recall whether the IP > Firewall > Raw functionality was introduced by version 6.38 or not - but if it is in your system, you may want to replace the drop rules in the filter with drop rules in RAW (which also prevents blocked hosts from consuming resources in state tracking).
e.g.:
/ip firewall raw add chain=prerouting action=drop src-address-list=CountryIPBlocks
/ip firewall raw add chain=prerouting action=drop dst-address-list=CountryIPBlocks
/ip firewall raw add chain=output action=drop dst-address-list=CountryIPBlocks
/ip firewall raw
add action=accept chain=prerouting log-prefix="dropped by geo IP blocked ranges" src-address-list=\
CountryIPBlocksToAllowToAllow
add action=accept chain=prerouting dst-address-list=CountryIPBlocksToAllowToAllow log-prefix=\
"dropped by geo IP blocked ranges"
add action=accept chain=output disabled=yes dst-address-list=CountryIPBlocksToAllowToAllow log-prefix=\
"dropped by geo IP blocked ranges"
add action=drop chain=prerouting comment="Prerouting DENY ALL" log=yes log-prefix=\
"dropped by geo IP blocked ranges"
add action=drop chain=output comment="Output DENY ALL" log=yes log-prefix="dropped by geo IP blocked ranges"
/ip firewall raw
add action=accept chain=prerouting log-prefix="dropped by geo IP blocked ranges" src-address-list=Local
add action=accept chain=output dst-address-list=Local log-prefix="dropped by geo IP blocked ranges"
add action=accept chain=prerouting log-prefix="dropped by geo IP blocked ranges" src-address-list=\
CountryIPBlocksToAllowToAllow
add action=accept chain=prerouting dst-address-list=CountryIPBlocksToAllowToAllow log-prefix=\
"dropped by geo IP blocked ranges"
add action=accept chain=output disabled=yes log-prefix="dropped by geo IP blocked ranges" src-address-list=\
CountryIPBlocksToAllowToAllow
add action=accept chain=output dst-address-list=CountryIPBlocksToAllowToAllow log-prefix=\
"dropped by geo IP blocked ranges"
add action=drop chain=prerouting comment="Prerouting DENY ALL" log=yes log-prefix=\
"dropped by geo IP blocked ranges"
add action=drop chain=output comment="Output DENY ALL" log=yes log-prefix="dropped by geo IP blocked ranges"
Please do not use this website! It's not updated properly.

https://mikrotikconfig.com/firewall/
see if this is what you are looking for
I don't see how the info I posted is inaccurate. It contains a bash snippet which downloads current allocations directly from RIPE's ftp. It builds the download URL using the current system date.

And info from 2013 is accurate?

So a solution that pulls data from RIPE is useless, and those two websites which provide paid services with NO source cited are the proper solution?

Without any knowledge of the source of information or how current it is, it's basically useless.

No, I said the proper solution is a business ISP account with or without an edge router, such that the MT is not involved in such processes.

So a solution that pulls data from RIPE is useless, and those two websites which provide paid services with NO source cited are the proper solution?

Without any knowledge of the source of information or how current it is, it's basically useless.

It's as accurate as it's going to get. That data (not only from RIPE, but all the regional RIRs) is used for example for RPKI as well. Yes, they make mistakes sometimes, it happens, but they are the 'authoritative' supplier, as well as maintainer of this data. There are a LOT of things that depend on this information being accurate (incl. GeoIP databases).

I don't see how the info I posted is inaccurate. It contains a bash snippet which downloads current allocations directly from RIPE's ftp. It builds the download URL using the current system date.
You can check RIPE's ftp contents using this http mirror: https://ftp.ripe.net/pub/stats/ripencc/ . As you can see it's being regularly updated.

Then as the custodian of that IP Space / ASN, you should be contacting the RIR to correct that. In fact, RIPE has one of the best management web sites that I've seen in a long time relating to IP resources. Chances are, you more than likely could have fixed it yourself too. In fact, I know for a fact that RIPE's database does have a "Country" attribute that can be used on an INET / INET6 object to specifically indicate in which country the IP range is used...

I spotted the problem, as I got an allocation from RIPE in 2021 which was previously allocated to the Russian Federation. Recently a few of my clients decided to block Russian IPs and used free tools, like quoted above, to obtain Russian allocations. Most of these tools return my IP block as being allocated to Russia.

The problem was not in RIPE's db, but in mikrotikconfig.com. I had the proper "Country" attribute set since I got the allocation. Other sites like ipinfo or various whois websites reported the proper country. I mailed ISP Supplies several times and got no response. My prefix however disappeared from the Russian list, so they either updated their lists, or removed it manually. I suspect the latter, because now my prefix is absent entirely from their lists.

Then as the custodian of that IP Space / ASN, you should be contacting the RIR to correct that. In fact, RIPE has one of the best management web sites that I've seen in a long time relating to IP resources. Chances are, you more than likely could have fixed it yourself too. In fact, I know for a fact that RIPE's database does have a "Country" attribute that can be used on an INET / INET6 object to specifically indicate in which country the IP range is used...

Our prefixes were mistakenly listed in Team Cymru's BOGON lists a few years ago due to a f-up that our local RIR did in these databases. Took me 1 email and 30 minutes, and the entire issue was resolved globally.
/system scheduler
add interval=1d name="address_lists_UK" on-event=\
"/tool fetch url=\"http://www.iwik.org/ipcountry/mikrotik/UK\" dst-path=\"UK.rsc\"\r\
\n/delay 10\r\
\n/import file-name=\"UK.rsc\"" policy=read,write,test start-time=startup
CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.

Script to download current country IP list
[...]
/log info "Loading UK ipv4 address list"
/ip firewall address-list remove [/ip firewall address-list find list=UK]
/ip firewall address-list
/log info "Loading UK ipv6 address list"
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=UK]
/ipv6 firewall address-list
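Tying the RIPE delegated-stats file discussed earlier to the remove-then-add list script just shown: this added Python example (not code from the thread or from any poster) parses the public delegated-<rir>-YYYYMMDD format and emits the equivalent RouterOS address-list commands for one country, so the .rsc is built locally from the RIR's own data instead of being fetched and imported from a third-party site. The sample records and the list name CountryIPBlocksToAllow are constructed assumptions.

```python
# Added example: build RouterOS address-list commands from an RIR delegated-stats
# file (the format the RIPE snippet in this thread downloads). Sample is constructed.
import ipaddress

# Constructed sample; real record fields: registry|cc|type|start|value|date|status
SAMPLE = """\
2|ripencc|20240101|3|19830705|20231231|+0100
ripencc|*|ipv4|*|2|summary
ripencc|GB|ipv4|192.0.2.0|256|20120814|allocated
ripencc|GB|ipv4|198.51.100.0|768|20130102|assigned
ripencc|DE|ipv4|203.0.113.0|256|20130102|allocated
ripencc|GB|ipv6|2001:db8::|32|20110405|allocated
ripencc|GB|ipv4|10.0.0.0|256|20110405|reserved
"""

def prefixes_for(cc, lines, version=4):
    """CIDR prefixes delegated to country code `cc` for one IP family.
    ipv4 'value' is an address count (not always a power of two), so the
    range is split into minimal CIDRs; ipv6 'value' is a prefix length.
    Only allocated/assigned records count; reserved/available are skipped."""
    want = "ipv4" if version == 4 else "ipv6"
    out = []
    for raw in lines:
        fields = raw.strip().split("|")
        if len(fields) < 7 or fields[1] != cc or fields[2] != want:
            continue  # comment, version header, summary, or other cc/family
        if fields[6] not in ("allocated", "assigned"):
            continue
        start, value = fields[3], int(fields[4])
        if version == 4:
            first = ipaddress.IPv4Address(start)
            last = first + value - 1
            out += [str(n) for n in ipaddress.summarize_address_range(first, last)]
        else:
            out.append(str(ipaddress.IPv6Network(f"{start}/{value}")))
    return out

def routeros_rsc(cc, lines, list_name="CountryIPBlocksToAllow"):
    """Importable .rsc that rebuilds `list_name`, same shape as the UK script above."""
    lines = list(lines)
    cmds = [f"/ip firewall address-list remove [find list={list_name}]",
            "/ip firewall address-list"]
    cmds += [f"add list={list_name} address={p}" for p in prefixes_for(cc, lines, 4)]
    cmds += [f"/ipv6 firewall address-list remove [find list={list_name}]",
             "/ipv6 firewall address-list"]
    cmds += [f"add list={list_name} address={p}" for p in prefixes_for(cc, lines, 6)]
    return "\n".join(cmds) + "\n"
```

Run it against a downloaded delegated-ripencc file (open it and pass the file object as `lines`) and write the returned text to a .rsc you review before importing.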