Thursday, 07 February 2008

Generate bogons firewall chain based on routing-marks

Code:
## Builds an address list with bogons based on the
## learned BGP routes which have the specific routing-mark.
## Only entries of the "bogons" list are touched; other
## address lists on the router are left alone.

:local bogon

:log info "Removing all BOGONS, starting sync."
:foreach subnet in [/ip firewall address-list find list=bogons] do {
    /ip firewall address-list remove $subnet
}

## Re-populate the list from every route carrying routing-mark=bogons
:foreach subnet in [/ip route find routing-mark=bogons] do {
    :set bogon [/ip route get $subnet dst-address]
    :log info ("Found " . $bogon . " as bogon entry.")
    /ip firewall address-list add list=bogons address=$bogon
}

Now you can use this type of chain to catch traffic coming from bogon IP addresses. Reference (jump to) this chain from wherever you accept traffic from untrusted networks. You'll notice that the first few entries are bypasses for specific bogons that are allowed; they must stay above the drop rule, because rules are evaluated top-down.

/ip firewall filter
add chain=BOGONS src-address=10.8.24.1 protocol=icmp action=return \
    comment="Bypass for cable modem internal IP (Traceroutes requires this)" disabled=no
add chain=BOGONS src-address=192.168.100.0/24 action=return \
    comment="CABLE INTERNAL IP - Bypass also" disabled=no
add chain=BOGONS limit=2,5 src-address-list=bogons action=log log-prefix="BOGONS" \
    comment="Reference the BOGONS address-list and LOG any that are on that list." disabled=no
add chain=BOGONS src-address-list=bogons action=drop \
    comment="Reference the BOGONS address-list and DROP any that are on that list." disabled=no
add chain=BOGONS action=return comment="If not, return them to the previous chain." disabled=no
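To see what each kind of packet gets from the chain above, here is an added example (not from the wiki page or MikroTik): a small Python model of RouterOS filter matching, just the matchers the BOGONS chain uses. It treats action=log as passthrough, as RouterOS does, and models the end of a custom chain as a return to the caller. The Packet and Rule classes and the evaluate and verdicts functions are names chosen here, SAMPLE_LISTS holds three constructed prefixes taken from the page's address list, and the limit=2,5 on the log rule is not modelled.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """Subset of a RouterOS filter rule: only the matchers the BOGONS chain uses."""
    action: str                          # "return", "log" or "drop"
    src_address: str | None = None       # single host or prefix
    protocol: str | None = None
    src_address_list: str | None = None  # name of an address list


def matches(rule: Rule, pkt: Packet, lists: dict[str, list]) -> bool:
    src = ipaddress.ip_address(pkt.src)
    if rule.src_address is not None and src not in ipaddress.ip_network(rule.src_address, strict=False):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src_address_list is not None and not any(src in net for net in lists[rule.src_address_list]):
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet, lists: dict[str, list]) -> tuple[str, list[str]]:
    """Walk the chain top-down. action=log records a line and evaluation continues
    (passthrough); return and drop end the chain."""
    log: list[str] = []
    for rule in rules:
        if not matches(rule, pkt, lists):
            continue
        if rule.action == "log":
            log.append(f"BOGONS {pkt.protocol} from {pkt.src}")
            continue
        return rule.action, log
    return "return", log  # fell off the end of a custom chain: back to the caller


# The five rules from the page, in the page's order
BOGONS_CHAIN = [
    Rule("return", src_address="10.8.24.1", protocol="icmp"),  # cable modem, ICMP only
    Rule("return", src_address="192.168.100.0/24"),            # cable internal range
    Rule("log", src_address_list="bogons"),                    # page rule also has limit=2,5
    Rule("drop", src_address_list="bogons"),
    Rule("return"),
]

# Same rules with the bypasses placed after the drop: what happens if the order is wrong
MISORDERED = BOGONS_CHAIN[2:4] + BOGONS_CHAIN[0:2] + BOGONS_CHAIN[4:]

# Constructed sample list: three prefixes from the page's list, enough to exercise every rule
SAMPLE_LISTS = {
    "bogons": [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16", "192.0.2.0/24")]
}


def verdicts(rules: list[Rule] = BOGONS_CHAIN, lists: dict[str, list] = SAMPLE_LISTS) -> dict[str, str]:
    """Terminal action for a handful of constructed packets."""
    samples = {
        "modem icmp": Packet("10.8.24.1", "icmp"),   # bypassed by rule 1
        "modem tcp": Packet("10.8.24.1", "tcp"),     # not ICMP, and 10/8 is in the list: dropped
        "cable lan": Packet("192.168.100.7"),        # bypassed by rule 2
        "other rfc1918": Packet("192.168.5.5"),      # in the list: logged, then dropped
        "public": Packet("203.0.113.9"),             # not in the list: final return
    }
    return {name: evaluate(rules, pkt, lists)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, action in verdicts().items():
        print(f"{name:14s} -> {action}")
    print("misordered chain, modem icmp ->", verdicts(MISORDERED)["modem icmp"])
```

The misordered variant shows the point made in the text: with the bypass rules below the drop, the cable modem's ICMP replies never reach them and traceroutes through it break.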

Here is the current (12/05) chain if you just want to copy and paste it into your ruleset.

/ip firewall address-list
add list=bogons address=1.0.0.0/8 comment="" disabled=no
add list=bogons address=2.0.0.0/8 comment="" disabled=no
add list=bogons address=5.0.0.0/8 comment="" disabled=no
add list=bogons address=7.0.0.0/8 comment="" disabled=no
add list=bogons address=10.0.0.0/8 comment="" disabled=no
add list=bogons address=23.0.0.0/8 comment="" disabled=no
add list=bogons address=27.0.0.0/8 comment="" disabled=no
add list=bogons address=31.0.0.0/8 comment="" disabled=no
add list=bogons address=36.0.0.0/8 comment="" disabled=no
add list=bogons address=37.0.0.0/8 comment="" disabled=no
add list=bogons address=39.0.0.0/8 comment="" disabled=no
add list=bogons address=42.0.0.0/8 comment="" disabled=no
add list=bogons address=49.0.0.0/8 comment="" disabled=no
add list=bogons address=50.0.0.0/8 comment="" disabled=no
add list=bogons address=77.0.0.0/8 comment="" disabled=no
add list=bogons address=78.0.0.0/8 comment="" disabled=no
add list=bogons address=79.0.0.0/8 comment="" disabled=no
add list=bogons address=92.0.0.0/8 comment="" disabled=no
add list=bogons address=93.0.0.0/8 comment="" disabled=no
add list=bogons address=94.0.0.0/8 comment="" disabled=no
add list=bogons address=95.0.0.0/8 comment="" disabled=no
add list=bogons address=96.0.0.0/8 comment="" disabled=no
add list=bogons address=97.0.0.0/8 comment="" disabled=no
add list=bogons address=98.0.0.0/8 comment="" disabled=no
add list=bogons address=99.0.0.0/8 comment="" disabled=no
add list=bogons address=100.0.0.0/8 comment="" disabled=no
add list=bogons address=101.0.0.0/8 comment="" disabled=no
add list=bogons address=102.0.0.0/8 comment="" disabled=no
add list=bogons address=103.0.0.0/8 comment="" disabled=no
add list=bogons address=104.0.0.0/8 comment="" disabled=no
add list=bogons address=105.0.0.0/8 comment="" disabled=no
add list=bogons address=106.0.0.0/8 comment="" disabled=no
add list=bogons address=107.0.0.0/8 comment="" disabled=no
add list=bogons address=108.0.0.0/8 comment="" disabled=no
add list=bogons address=109.0.0.0/8 comment="" disabled=no
add list=bogons address=110.0.0.0/8 comment="" disabled=no
add list=bogons address=111.0.0.0/8 comment="" disabled=no
add list=bogons address=112.0.0.0/8 comment="" disabled=no
add list=bogons address=113.0.0.0/8 comment="" disabled=no
add list=bogons address=114.0.0.0/8 comment="" disabled=no
add list=bogons address=115.0.0.0/8 comment="" disabled=no
add list=bogons address=116.0.0.0/8 comment="" disabled=no
add list=bogons address=117.0.0.0/8 comment="" disabled=no
add list=bogons address=118.0.0.0/8 comment="" disabled=no
add list=bogons address=119.0.0.0/8 comment="" disabled=no
add list=bogons address=120.0.0.0/8 comment="" disabled=no
add list=bogons address=121.0.0.0/8 comment="" disabled=no
add list=bogons address=122.0.0.0/8 comment="" disabled=no
add list=bogons address=123.0.0.0/8 comment="" disabled=no
add list=bogons address=169.254.0.0/16 comment="" disabled=no
add list=bogons address=172.16.0.0/12 comment="" disabled=no
add list=bogons address=173.0.0.0/8 comment="" disabled=no
add list=bogons address=174.0.0.0/8 comment="" disabled=no
add list=bogons address=175.0.0.0/8 comment="" disabled=no
add list=bogons address=176.0.0.0/8 comment="" disabled=no
add list=bogons address=177.0.0.0/8 comment="" disabled=no
add list=bogons address=178.0.0.0/8 comment="" disabled=no
add list=bogons address=179.0.0.0/8 comment="" disabled=no
add list=bogons address=180.0.0.0/8 comment="" disabled=no
add list=bogons address=181.0.0.0/8 comment="" disabled=no
add list=bogons address=182.0.0.0/8 comment="" disabled=no
add list=bogons address=183.0.0.0/8 comment="" disabled=no
add list=bogons address=184.0.0.0/8 comment="" disabled=no
add list=bogons address=185.0.0.0/8 comment="" disabled=no
add list=bogons address=186.0.0.0/8 comment="" disabled=no
add list=bogons address=187.0.0.0/8 comment="" disabled=no
add list=bogons address=192.0.2.0/24 comment="" disabled=no
add list=bogons address=192.168.0.0/16 comment="" disabled=no
add list=bogons address=197.0.0.0/8 comment="" disabled=no
add list=bogons address=198.18.0.0/15 comment="" disabled=no
add list=bogons address=223.0.0.0/8 comment="" disabled=no

Original script: http://wiki.mikrotik.com/wiki/Generate_bogons_firewall_chain_based_on_routing-marks
