Mikrotik Firewall Script: Block Malicious IPs Using Firehol Level 1

Firetik is a network firewall script that utilizes a dynamic blacklist of malicious IP addresses. The blacklist is primarily sourced from Firehol, which aggregates data from multiple threat intelligence feeds. These feeds include:

Fullbogons: Unroutable IP addresses.
Spamhaus DROP and EDROP: Known spam and abuse sources.
Dshield: Top 20 attacking Class C networks.
Malware lists: Command and Control (C&C) IP addresses associated with malware.

Firetik provides robust protection against a wide range of network threats by leveraging the Firehol Levels 1-4 datasets.

IMPLEMENTATION:

Code: (copy each block and paste it to terminal)

Script which will download the drop list as a text file


/system script add name="DownloadFirehol" source={ /tool fetch url="https://binary.ph/firehol/firehol.rsc" mode=https; }

Script which will Remove old Firehol list and add new one


/system script add name="ReplaceFirehol" source={/file
:global firehol [/file get firehol.rsc contents];
:if (firehol != "") do={/ip firewall address-list remove [find where comment="firehol"]

/import file-name=firehol.rsc;}}

Schedule the download and application of the Firehol list


/system scheduler add comment="Download Firehol list" interval=1d name="DownloadFireholList" on-event=DownloadFirehol start-date=jan/01/1970 start-time=08:51:27

/system scheduler add comment="Apply Firehol list" interval=1d name="InstallFireholList" on-event=ReplaceFirehol start-date=jan/01/1970 start-time=08:56:27

Run the DownloadFirehol script for first-time setup


/system script run DownloadFirehol

Run the ReplaceFirehol script for first-time setup


/system script run ReplaceFirehol

Script to add the firehol list in Firewall Filter Rules


/ip firewall filter
add chain=forward action=drop comment="Firehol list" connection-state=new dst-address-list=firehol

Note:
This script is only for Firehol_level1, you can read more about other levels here:

Firehol_level1: https://iplists.firehol.org/?ipset=firehol_level1
Firehol_level2: https://iplists.firehol.org/?ipset=firehol_level2
Firehol_level3: https://iplists.firehol.org/?ipset=firehol_level3
Firehol_level4: https://iplists.firehol.org/?ipset=firehol_level4

IPv6 Firewall: https://binary.ph/ipv6

You may contact me for support in applying other levels, see About page.

#Thanks to Joshaven for sharing his automated scripts and to Firehol.org for sharing their dynamic list of malicious IPs