block all TCP connections on port 80 at example.com

In place of example.com there has to be an IP address, but, as we have already seen, example.com corresponds not to one but to several IP addresses. To spare us the torment of creating and maintaining a heap of near-identical rules, the RouterOS developers made it possible to write a rule like this:

block all TCP connections on port 80 to any address from the list named DenyThis

All that remains is the small matter of generating that list automatically. Anyone not yet tired of my scribbling is welcome under the cut (Habrakat).
:local DNSList {"example.com";"non-exist.domain.net";"server.local";"hostname"}
:local ListName "MyList"
:local DNSServers ( [ip dns get dynamic-servers], [ip dns get servers ], 8.8.8.8 )

# warm up the DNS cache: resolve every domain on every DNS server
:foreach addr in $DNSList do={
    :foreach DNSServer in $DNSServers do={
        :do {:resolve server=$DNSServer $addr} on-error={:log debug ("failed to resolve $addr on $DNSServer")}
    }
}

# rebuild the list from scratch (exact list name; "~" would be a regex match and also hit e.g. MyList2)
/ip firewall address-list remove [find where list=$ListName]
/ip dns cache all
:foreach i in=[find type="A"] do={
    :local bNew true
    :local cacheName [get $i name]
    :local match false
    # :find is a substring test: "example.com" also matches "example.com.other.net"
    :foreach addr in=$DNSList do={
        :if ([:typeof [:find $cacheName $addr]] != "nil") do={ :set match true }
    }
    :if ( $match ) do={
        :local tmpAddress [/ip dns cache get $i address]
        :if ( [/ip firewall address-list find list=$ListName] = "") do={
            :log debug ("added entry: $cacheName IP $tmpAddress")
            /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
        } else={
            # skip addresses that are already in our list
            :foreach j in=[/ip firewall address-list find list=$ListName] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={ :set bNew false }
            }
            :if ( $bNew ) do={
                :log debug ("added entry: $cacheName IP $tmpAddress")
                /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
            }
        }
    }
}
[prefix] [path] command [uparam] [param=[value]] .. [param=[value]]
[prefix] - ":" - for global commands, the command line starts with the "/" symbol, which will be executed relative to the configuration root, the prefix may be missing, then the command line is executed relative to the current configuration section; :local DNSList {"example.com";"non-exist.domain.net";"server.local";"hostname"} :local ListName "MyList" :local DNSServers ( [ip dns get dynamic-servers], [ip dns get servers ], 8.8.8.8 )
The variable DNSList holds an array of the domains we want to work with. The variable ListName holds a string, the name of the resulting address-list. The variable DNSServers holds an array of DNS server addresses: the ones configured on the router or received from the provider on connection, plus "the eights" (8.8.8.8) in case the router has no DNS servers at all. These servers will be used to obtain the domains' records.

:foreach addr in $DNSList do={
    :foreach DNSServer in $DNSServers do={
        :do {:resolve server=$DNSServer $addr} on-error={:log debug ("failed to resolve $addr on $DNSServer")}
    }
}
In a foreach loop we walk the array of domains and resolve each of them on every DNS server, in case different DNS servers return different IPs. The construct

:do {command} on-error={command}

serves to catch runtime errors. Without it the script would be interrupted by the error raised when resolving a nonexistent or mistyped name.

First the previous contents of our list are removed (exact match on the list name; "~" is a regex match and would also remove entries of any list whose name merely contains ListName):

/ip firewall address-list remove [find where list=$ListName]
/ip dns cache all
:foreach i in=[find type="A"] do={

Here we enter the configuration section /ip dns cache all. It holds the router's DNS cache as a table Name - Type - Data - TTL. We select by type, since we only need A records, and iterate over the selection in a foreach loop. This is the main loop of our script.

    :local bNew true
    :local cacheName [get $i name]
    :local match false
    # :find is a substring test: "example.com" also matches "example.com.other.net"
    :foreach addr in=$DNSList do={
        :if ([:typeof [:find $cacheName $addr]] != "nil") do={ :set match true }
    }
    :if ( $match ) do={
        :local tmpAddress [/ip dns cache get $i address]
        # empty list: add straight away
        :if ( [/ip firewall address-list find list=$ListName] = "") do={
            :log debug ("added entry: $cacheName IP $tmpAddress")
            /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
        } else={
            # otherwise add only addresses not already present in our list
            :foreach j in=[/ip firewall address-list find list=$ListName] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={ :set bNew false }
            }
            :if ( $bNew ) do={
                :log debug ("added entry: $cacheName IP $tmpAddress")
                /ip firewall address-list add address=$tmpAddress list=$ListName comment=$cacheName
            }
        }
    }
}
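The cache-scanning step of the script modelled in Python, as an added example that is not part of the original post: the DNS cache rows are constructed inline, and the example also shows a stricter domain match than the substring test that :find performs, which otherwise pulls unrelated names such as "notexample.com" into the list.

```python
import ipaddress

# Constructed sample rows in the Name - Type - Data - TTL shape of
# "/ip dns cache all" (values invented for the example).
DNS_CACHE = [
    {"name": "example.com",            "type": "A",    "data": "93.184.216.34", "ttl": 3600},
    {"name": "www.example.com",        "type": "A",    "data": "93.184.216.34", "ttl": 3600},
    {"name": "example.com.other.test", "type": "A",    "data": "203.0.113.9",   "ttl": 60},
    {"name": "notexample.com",         "type": "A",    "data": "203.0.113.10",  "ttl": 60},
    {"name": "server.local",           "type": "A",    "data": "10.0.0.5",      "ttl": 300},
    {"name": "example.com",            "type": "AAAA", "data": "2001:db8::1",   "ttl": 3600},
]


def name_matches(cache_name, domain, strict):
    """Decide whether a cache entry belongs to one of our domains."""
    if not strict:
        # What ":find $cacheName $addr" does: a substring test, so
        # "example.com" also hits "example.com.other.test" and "notexample.com".
        return domain in cache_name
    # Stricter rule: the entry is the domain itself or one of its subdomains.
    return cache_name == domain or cache_name.endswith("." + domain)


def build_address_list(cache, domains, strict=True):
    """Return (address, comment) pairs for the address-list: A records only,
    one entry per address, mirroring the bNew check in the script."""
    entries = []
    seen = set()
    for row in cache:
        if row["type"] != "A":
            continue
        if not any(name_matches(row["name"], d, strict) for d in domains):
            continue
        # Validate the data before it would reach the firewall; raises on non-IP data.
        addr = ipaddress.ip_address(row["data"])
        if addr in seen:
            continue
        seen.add(addr)
        entries.append((str(addr), row["name"]))
    return entries


if __name__ == "__main__":
    domains = ["example.com", "server.local"]
    for strict in (False, True):
        print("strict" if strict else "substring", build_address_list(DNS_CACHE, domains, strict))
```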
The script is then run every 5 minutes from the scheduler:

/system scheduler add interval=5m name=MyScript on-event="/system script run MyScript" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=may/08/2014 start-time=10:10:00

Note that this policy list grants the script far more than it uses (password, sensitive, sniff, reboot among others); trim it to the policies the script actually needs.
The blocking rule itself (the matcher for the destination list is dst-address-list; address-list= is only the target parameter of the add-*-to-address-list actions):

/ip firewall filter add chain=forward protocol=tcp dst-port=80 dst-address-list=DenyThis \
    action=drop
Policy routing: connections from the LAN to addresses in the AntiZapret list are marked and sent through a separate gateway:

/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=AntiZapret \
    in-interface=bridge_lan new-routing-mark=RouteMe
/ip route add distance=1 gateway=172.16.10.2 routing-mark=RouteMe
Logging: the source address of any connection to an address in the Pron list is recorded in the FUPer list and the event is logged:

/ip firewall mangle add action=add-src-to-address-list address-list=FUPer chain=prerouting \
    dst-address-list=Pron log=yes log-prefix=critical
Source: https://habr.com/ru/post/242143/