Hi,

In CloudFlare you can block a country which they will be doing by IP block.

On Microtik CCR I really would like to be able to block Countries by using the firewall.

So tick boxes. Create a Rule. Select Countries, set rule to drop packets

Now could use MaxMind binary DB or another ...

Make my life so much easier.

regards

Tony

+1 it coul'd be a great feature

Why you want to block countries according to ip addresses?

Imagine you want to block China ... There is too many ip addresses to add

ok, I can imagine that.

But why I should do it? Should not be internet open and unblocked by definition? If there is no attack from the IPs, why to block them?

This would be impossible as there would need to be a central database of what IPs belong to what country, and that database would have to be set up for public query through some standard format (Which doesn't exist as far as I know).

On top of this, geolocation data is not perfect either.

You're better managing the blocking yourself, but just remember, the internet was never meant to have countries blocked or separated like that. So you're not going to find any "Easy" system to do that. It breaks the entire scope of what the internet was meant to do, so there will not be any simple system to do it.

Take a look at MikroTikConfig.com I have not tried the config but it gives you a check box listings of countries

Add these commands in /system schedule
Then setup startup and run interval you want

/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN
/import file-name=CN
/file remove CN

I'm currently using this script to keep all China IPs up to date.

PS: you can change the country code like TW US JP
l'm also searching for a job in Taiwan or Japan.

-1
(IMHO) you can do it yourself without the development of Mikrotik.

There is a web site that implements the Country Block function in the Script below.

http://blog.erben.sk/2014/02/06/country-cidr-ip-ranges/

Take more time and effort because it managed by Script, but the size of the log output increases.

Why May you want to do this? block traffic by Country on a CCR

Say you run an anycast network and you have 30 pops all 72 core 10gb interface CCR.

An attack starts and you look at the botnet and it happens to be all machines from countries in Asia attacking 1 IP

Your client base happens to be UK, and Europe

So either you suffer or you login to the the affected CCR's open up the firewall and drop http traffic from those countries where the attacks are coming from to that IP

Your websites are fine and all traffic from UK and Europe are not affected, business as normal.

This is why cloudflare do so well they have the ability on their anycast network to mitigate attacks, most business websites have their clients not worldwide but regional and as attacks get more frequent and bigger it would be very useful to drop traffic by Country to mitigate attacks.

Or may be you run a VOIP network in the USA a botnet starts dossing your UDP ports from a country you have no customers in, drop UDP packets from that country, 1 tick in the firewall for that country, drop UDP problem solved.

So many IP's you say can't do it !

Take the MaxMind Country binary DB, load the DB in memory on CCR. Microtik interface the binary DB and give tick boxes by country
Free version or a monthly paid updated binary DB

IP blocks are country specific so you can easily block IP's by country at IP block level.

http://dev.maxmind.com/geoip/legacy/geolite/
http://dev.maxmind.com/geoip/legacy/install/country/

API's
http://dev.maxmind.com/geoip/legacy/downloadable/

C API
https://github.com/maxmind/geoip-api-c/ ... /README.md

Anyway its possible, in fact easy for Microtik if they want to add a fantastic feature to the CCR

latest maxmind DB
https://www.maxmind.com/en/geoip2-country

So is it possible to write a script on Microtik that can interface the Maxmind Bindary DB?

Great feature .

Has this feature ever been implemented?

+100 for this feature...

With that feature will prevent SPAM. I use and after one month SPAM reduce with ~30%

Regards

Try this: viewtopic.php?f=9&t=98804&hilit=intrusDave

Since last Friday: 33 000 tries to send mail from blocked IPs vs 2500 accepted IPs

IP2Location is providing free ACL list by country for Mikrotik. All system administrators can download the free list from block visitors by country.