I know someone must have written a script get the the addresses from the url and parse based on location and import to an address list
i need to pull in and whitelist us-east-1 and us-east-2 but can change it myself if you have something written that pulls in the lists parses and creates and address list..
thanks in advance.
Re: amazon address list import
for anyone interested i would like the file to look like this but pulling in the .json url which i can do on the router..
but i dont see any scripting utilities to automatically pull out the relavent lines and change them like grep and sed
i did this manually and uploaded to my router but this is all amazon ip blocks as off today..
i also would like only us-east but didnt see how to easily extract only those lines so this is all of them
https://github.com/lgkahn/hubitat/blob/master/amazonaws
but i dont see any scripting utilities to automatically pull out the relavent lines and change them like grep and sed
i did this manually and uploaded to my router but this is all amazon ip blocks as off today..
i also would like only us-east but didnt see how to easily extract only those lines so this is all of them
https://github.com/lgkahn/hubitat/blob/master/amazonaws
Re: amazon address list import
Perhaps didn’t quite understand the question, I’ll try to describe options for using address lists.
Register and download ASN database from https://lite.ip2location.com/database-download
Go to page http://syo.su expand the section "Create subnets from CSV files with network addresses in any form", open downloaded and unpacked CSV file and set:
File delimiter: , (comma)
Files contains headers: uncheck
First or only addresses range column: 1
Second addresses range column: 2
Addresses format: integer
Addresses mask column: none
Files have joined data tables: uncheck
JavaScript expression of list names values:
JavaScript expression of comments values: not set
Header row value: not set
Merge ranges with same list name into the same subnet, if possible: check
Also group by comments: no difference when comment is empty
Set output file name
Limit file size: empty or 0
Select output file template: MikroTik firewall RSC only lists
Click button Get file by template - this is how we get a file with addresses to upload to firewall lists
Change output file name and select template: MikroTik search array by lists
Click button Get file by template - this is how we get an array declaration that allows us to quickly search for an address in scripts
Change output file name and select template: MikroTik search array
Click button Get file by template - this way we get an array for quick search in scripts, more productive if you need to search for an address among several lists in one database
All three options in finished form can be downloaded from the link: MikroTikIpLocationAmazonSearchExample
All three file options are used for downloading to the device and execution by the command:
The option to load addresses into firewall lists is used for use in firewall rules, for example
If you need this use case, there is a section "Difference between two MikroTik firewall RSC files" on the http://syo.su page where you can get a file to upload to the firewall lists based on the difference between the current list and a new file generated as needed.
Search arrays can only be used in scripts, but in some cases they can be useful because they take the load off the firewall
I don’t think that the Amazon address database is updated too often, it’s enough to update your database on the device once every 2-3 months. Can automate the filling of a firewall list or a search array using an API that makes it possible to obtain lists of addresses by matching the name of the provider, but my API does not yet have such a feature, perhaps I will implement it later, then can think about a script.
http://syo.su - is a one-page document, code is in pure JavaScript without the use of external resources. Save page to your disk and the application will always work, even if something happens to my page. Only the Whois API requires an Internet connection, the rest of the tools work offline.
Updated 2024-02-05 - fixed bug in first step of address searching in example file and in application template.
Register and download ASN database from https://lite.ip2location.com/database-download
Go to page http://syo.su expand the section "Create subnets from CSV files with network addresses in any form", open downloaded and unpacked CSV file and set:
File delimiter: , (comma)
Files contains headers: uncheck
First or only addresses range column: 1
Second addresses range column: 2
Addresses format: integer
Addresses mask column: none
Files have joined data tables: uncheck
JavaScript expression of list names values:
Code: Select all
COLUMN[5].indexOf('Amazon') >= 0 ? 'Amazon' : ''Header row value: not set
Merge ranges with same list name into the same subnet, if possible: check
Also group by comments: no difference when comment is empty
Set output file name
Limit file size: empty or 0
Select output file template: MikroTik firewall RSC only lists
Click button Get file by template - this is how we get a file with addresses to upload to firewall lists
Change output file name and select template: MikroTik search array by lists
Click button Get file by template - this is how we get an array declaration that allows us to quickly search for an address in scripts
Change output file name and select template: MikroTik search array
Click button Get file by template - this way we get an array for quick search in scripts, more productive if you need to search for an address among several lists in one database
All three options in finished form can be downloaded from the link: MikroTikIpLocationAmazonSearchExample
All three file options are used for downloading to the device and execution by the command:
Code: Select all
import file=FileName.rscThe option to load addresses into firewall lists is used for use in firewall rules, for example
Code: Select all
/ip firewall mangle add chain=prerouting action=route route-dst=GATEWAY_ADDRESS passthrough=no dst-address-list=Amazon
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=ROUTING_MARK passthrough=no dst-address-list=AmazonSearch arrays can only be used in scripts, but in some cases they can be useful because they take the load off the firewall
Code: Select all
# Using search array by lists
:global ipIsAmazon
:local allConn [/ip firewall connection print detail as-value]
:foreach conn in=$allConn do={
:local dst [:toip [:pick ($conn->"dst-address") 0 [:find ($conn->"dst-address") ":"]]]
:if (!($dst & 255.0.0.0 = 10.0.0.0 || $dst & 255.255.0.0 = 192.168.0.0 || $dst & 255.240.0.0 = 172.16.0.0)) do={
:if ([$ipIsAmazon $dst]) do={
:put ($dst)
# /ip firewall address-list add address=$dst list=Amazon dynamic=yes timeout="02:00:00"
}
}
}
# Using search array
:global ipGetLocation
:foreach conn in=$allConn do={
:local dst [:toip [:pick ($conn->"dst-address") 0 [:find ($conn->"dst-address") ":"]]]
:if (!($dst & 255.0.0.0 = 10.0.0.0 || $dst & 255.255.0.0 = 192.168.0.0 || $dst & 255.240.0.0 = 172.16.0.0)) do={
:if ([$ipGetLocation $dst] = "Amazon") do={
:put ($dst)
# /ip firewall address-list add address=$dst list=Amazon dynamic=yes timeout="02:00:00"
}
}
}I don’t think that the Amazon address database is updated too often, it’s enough to update your database on the device once every 2-3 months. Can automate the filling of a firewall list or a search array using an API that makes it possible to obtain lists of addresses by matching the name of the provider, but my API does not yet have such a feature, perhaps I will implement it later, then can think about a script.
http://syo.su - is a one-page document, code is in pure JavaScript without the use of external resources. Save page to your disk and the application will always work, even if something happens to my page. Only the Whois API requires an Internet connection, the rest of the tools work offline.
Updated 2024-02-05 - fixed bug in first step of address searching in example file and in application template.
Re: amazon address list import
thanks waiting for this..
i was able to code this up in unix to get and format the proper file.. i guess i can run it every few months..
here it is if it helps others
[/share/CACHEDEV1_DATA/qnapshared/amazonaws] # cat prepareaws.sh
#!/bin/bash
cd /share/qnapshared/amazonaws
wget -O aws1 https://ip-ranges.amazonaws.com/ip-ranges.json
cat aws1 | grep ip_prefix > aws2
cat aws2 | sed s/[[:space:]]//g > aws3
cat aws3 | sed s#\"ip_prefix\":\"#:do\ {\ add\ address=# > aws4
echo '/log info "Loading Amazon AWS address list"' > amazonaws
echo '/ip firewall address-list remove [/ip firewall address-list find list=AmazonAWS]' >> amazonaws
echo '/ip firewall address-list' >> amazonaws
cat aws4 | sed s#\",#\ list=AmazonAWS\ }\ on-error={}# >> amazonaws
[/share/CACHEDEV1_DATA/qnapshared/amazonaws] # head amazonaws
/log info "Loading Amazon AWS address list"
/ip firewall address-list remove [/ip firewall address-list find list=AmazonAWS]
/ip firewall address-list
:do { add address=3.2.34.0/26 list=AmazonAWS } on-error={}
:do { add address=3.5.140.0/22 list=AmazonAWS } on-error={}
:do { add address=13.34.37.64/27 list=AmazonAWS } on-error={}
:do { add address=13.34.65.64/27 list=AmazonAWS } on-error={}
:do { add address=13.34.66.0/27 list=AmazonAWS } on-error={}
:do { add address=13.34.78.160/27 list=AmazonAWS } on-error={}
:do { add address=13.34.103.96/27 list=AmazonAWS } on-error={}
[/share/CACHEDEV1_DATA/qnapshared/amazonaws] #
i was able to code this up in unix to get and format the proper file.. i guess i can run it every few months..
here it is if it helps others
[/share/CACHEDEV1_DATA/qnapshared/amazonaws] # cat prepareaws.sh
#!/bin/bash
cd /share/qnapshared/amazonaws
wget -O aws1 https://ip-ranges.amazonaws.com/ip-ranges.json
cat aws1 | grep ip_prefix > aws2
cat aws2 | sed s/[[:space:]]//g > aws3
cat aws3 | sed s#\"ip_prefix\":\"#:do\ {\ add\ address=# > aws4
echo '/log info "Loading Amazon AWS address list"' > amazonaws
echo '/ip firewall address-list remove [/ip firewall address-list find list=AmazonAWS]' >> amazonaws
echo '/ip firewall address-list' >> amazonaws
cat aws4 | sed s#\",#\ list=AmazonAWS\ }\ on-error={}# >> amazonaws
[/share/CACHEDEV1_DATA/qnapshared/amazonaws] # head amazonaws
/log info "Loading Amazon AWS address list"
/ip firewall address-list remove [/ip firewall address-list find list=AmazonAWS]
/ip firewall address-list
:do { add address=3.2.34.0/26 list=AmazonAWS } on-error={}
:do { add address=3.5.140.0/22 list=AmazonAWS } on-error={}
:do { add address=13.34.37.64/27 list=AmazonAWS } on-error={}
:do { add address=13.34.65.64/27 list=AmazonAWS } on-error={}
:do { add address=13.34.66.0/27 list=AmazonAWS } on-error={}
:do { add address=13.34.78.160/27 list=AmazonAWS } on-error={}
:do { add address=13.34.103.96/27 list=AmazonAWS } on-error={}
[/share/CACHEDEV1_DATA/qnapshared/amazonaws] #
Last edited by lgkahn on Mon Feb 05, 2024 8:53 pm, edited 1 time in total.
Re: amazon address list import
since i did this on my nas i will automate generating this once a week and pull it via ftp ...
Re: amazon address list import
To my opinion it's better to use the rest api to update the address list.
You can use a simple curl command to fetch the current list and then using a diff to find out if and what you might need to add or remove from the address list.
Less overhead inside the RouterOS scripting area.
You can use a simple curl command to fetch the current list and then using a diff to find out if and what you might need to add or remove from the address list.
Less overhead inside the RouterOS scripting area.