Hello all,

Was curious to know if there is a way to block all IP/Traffic based on location utilizing the Firewall Filter Application within RouterOS?

So for example:

Blocking all requests or pings from a particular Country, etc?

No. Unless you implement county based ip address lists.

ok, Understood! and thank you for the reply. I have a list I acquired from ipdeny.com and its about a list of 4000+ ips

Is there any easier way of performing this through CLI? rather then inputting it block by block through the WebGUI Firewall Filter?

ok, Understood! and thank you for the reply. I have a list I acquired from ipdeny.com and its about a list of 4000+ ips

Is there any easier way of performing this through CLI? rather then inputting it block by block through the WebGUI Firewall Filter?

using telnet o ssh or in winbox you can launch a terminal

ok, Understood! and thank you for the reply. I have a list I acquired from ipdeny.com and its about a list of 4000+ ips

Is there any easier way of performing this through CLI? rather then inputting it block by block through the WebGUI Firewall Filter?

using telnet o ssh or in winbox you can launch a terminal

Would I still need to set filters for each and every single ip/block even through CLI?

No. Name address lists by countries. Then use the address lists as groups in the firewall rules. Note that country assignments are changing quite often...

Why do you need it?

If you don't want to add them one by one, you should take the IP files from that website and automate using PHP, bash, or something else to output a properly formatted .rsc script that can be imported into the router and automatically add the address list entries. You'd also have to add firewall rules to drop traffic from those address lists.

Lines like this: Would become something like this: And then have a firewall rule to drop this traffic: Ideally you would have this done on a server, which would periodically re-download the lists, output fresh scripts, and upload them to the router using ftp and an name.auto.rsc file, or the router could have a schedule to download the new lists and import them. You'd also have to have a script that would clear out old entries.

Or... another more manual option would be to download the IP lists and open them in notepad++. Replace the beginning of the line with the first part of the address lists command. Tutorials here or here for replacing beginning of lines. Then copy script to clipboard.

In router CLI, go to the address-list: ... and paste copied script. Repeat this process with all IP files you want to block. Make sure you have firewall filter rule to drop these like example above. The downside, like Jarda says, is that IP lists may change, and manually updating the lists this way would not be efficient.

I am literally being "Brute Force" attacked daily with IP's attempting to Log in via SSH, Telnet, according to my log.. I have set strict rules but has not detoured whom ever from continuing these attempts at logging in. I was being attacked about 300+ times a day. Now each IP that attempts gets X amount of attempts and becomes Blacklisted for 10 days if its over the threshold set. The IP's seem to be regional specific which is why I would like to block by region/country. I have no business with these countries, neither would I need to communicate with them.

Do you use SSH/telnet often on that router?
If you use winbox to administer your devices, simple disable SSH/telnet in services....

Do you use SSH/telnet often on that router?
If you use winbox to administer your devices, simple disable SSH/telnet in services....

Thank you very much! Didnt think to do that. I am still getting a decent amount of attempts according to the log, for example:

input: in:ether1 out:(none), src-mac XX:XX:XX:XX:XX:fe, proto TCP (SYN), 179.208.166.229:38336->(***My IP***), len 60
input: in:ether1 out:(none), src-mac XX:XX:XX:XX:XX:fe, proto TCP (SYN), 179.208.166.229:38336->(***My IP***), len 60
input: in:ether1 out:(none), src-mac XX:XX:XX:XX:XX:fe, proto TCP (SYN), 179.208.166.229:38336->(***My IP***), len 60
input: in:ether1 out:(none), src-mac XX:XX:XX:XX:XX:fe, proto TCP (SYN), 179.208.166.229:38336->(***My IP***), len 60
input: in:ether1 out:(none), src-mac XX:XX:XX:XX:XX:fe, proto ICMP (type 3, code 10), 218.77.79.43->(***My IP***), len 68
input: in:ether1 out:(none), src-mac XX:XX:XX:XX:XX:fe, proto ICMP (type 3, code 10), 218.77.79.43->(***My IP***), len 68
input: in:ether1 out:(none), src-mac XX:XX:XX:XX:XX:fe, proto ICMP (type 3, code 10), 218.77.79.43->(***My IP***), len 68


Should I be concerned considering i've closed the access routes , in addition to applying firewall filters? or would any fof you suggest any other forms of contingencies?

If you don't want to add them one by one, you should take the IP files from that website and automate using PHP, bash, or something else to output a properly formatted .rsc script that can be imported into the router and automatically add the address list entries. You'd also have to add firewall rules to drop traffic from those address lists.

Lines like this:

Code: Select all

27.116.56.0/22
43.231.131.0/24
43.249.40.0/22

Would become something like this:

Code: Select all

/ip firewall address-list
add list=BLOCK address=27.116.56.0/22
add list=BLOCK address=43.231.131.0/24
add list=BLOCK address=43.249.40.0/22

And then have a firewall rule to drop this traffic:

Code: Select all

/ip firewall filter add action=drop chain=forward src-address-list=BLOCK

Ideally you would have this done on a server, which would periodically re-download the lists, output fresh scripts, and upload them to the router using ftp and an name.auto.rsc file, or the router could have a schedule to download the new lists and import them. You'd also have to have a script that would clear out old entries.

Or... another more manual option would be to download the IP lists and open them in notepad++. Replace the beginning of the line with the first part of the address lists command. Tutorials here or here for replacing beginning of lines. Then copy script to clipboard.

In router CLI, go to the address-list:

Code: Select all

/ip firewall address-list

... and paste copied script. Repeat this process with all IP files you want to block. Make sure you have firewall filter rule to drop these like example above. The downside, like Jarda says, is that IP lists may change, and manually updating the lists this way would not be efficient.

Skot, Thank you so much! your input is greatly appreciated! I will definitely look into this further and try to take a stab at this.

... or just change the ssh / telnet ports.
... or make a whitelist of ip's or classes who are allowed to connect to these routers over telnet/ssh.

both more efficient than blocking a huge dynamic list.
hint: check out /ip services

KillerOPS! you are the man! Thanks a bunch, I just did that and worked like a charm!