Mikrotik Firewall – A RouterOs script to block a dynamic list of malicious IPs from Firehol_level1

Firetik blocks a list of malicious IPs that should not be reachable from your network. The list is based on Firehol_level1, which combines Fullbogons (unroutable IPs), Spamhaus DROP and EDROP (Don't Route Or Peer IPs), DShield (the top 20 attacking class-C networks) and malware lists (command-and-control IPs).

The script works like an antivirus for your network: it blocks malicious IPs, using Firehol_Level1's dynamic list as its database.

IMPLEMENTATION:

Code: (copy each block and paste it to terminal)

Script that downloads the Firehol list to the router as a file (firehol.rsc)


/system script add name="DownloadFirehol" source={ /tool fetch url="https://binary.ph/firehol/firehol.rsc" mode=https; }

Script that removes the old Firehol entries and imports the new ones


/system script add name="ReplaceFirehol" source={
# Read the downloaded file; an empty file must not wipe the current entries
:global firehol [/file get firehol.rsc contents];
:if ($firehol != "") do={
    # Entries are tagged comment="firehol", so only they are removed
    /ip firewall address-list remove [find where comment="firehol"];
    /import file-name=firehol.rsc;
}
}

Schedule the download and application of the Firehol list


/system scheduler add comment="Download Firehol list" interval=1d name="DownloadFireholList" on-event=DownloadFirehol start-date=jan/01/1970 start-time=08:51:27

/system scheduler add comment="Apply Firehol list" interval=1d name="InstallFireholList" on-event=ReplaceFirehol start-date=jan/01/1970 start-time=08:56:27

Run the DownloadFirehol script for first-time setup


/system script run DownloadFirehol

Run the ReplaceFirehol script for first-time setup


/system script run ReplaceFirehol

After pasting the scripts above, add a drop rule for Dst. Address List "firehol" in the forward chain BELOW the accept rule for established, related and untracked connections (defconf). Alternatively, paste the script below, which creates the drop rule and matches only connection-state=new.

This way established connections are accepted by the earlier rule and never reach the drop rule on their second and later packets, so the long firehol address list is only consulted for the first packet of each new connection and has no impact on router performance once a connection has passed the filter rules once.

Script to add the firehol list in Firewall Filter Rules


/ip firewall filter
add chain=forward action=drop comment="Firehol list" connection-state=new dst-address-list=firehol
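As an added example (not one of the original scripts, and not what binary.ph serves), the following Python generates a firehol.rsc in the shape the ReplaceFirehol script relies on: every entry carries list=firehol (the name the drop rule matches) and comment="firehol" (the tag the remove step searches for), so a stale file cannot leave orphaned entries. It reads the firehol_level1.netset format (one IPv4 address or CIDR per line, `#` comments) and, as a choice made here rather than something the page's scripts do, skips private and reserved ranges: the fullbogon component of level1 covers RFC1918 space, and a forward-chain drop on dst-address would also match traffic routed between the router's own private subnets. The sample input is constructed.

```python
import ipaddress

# Constructed sample in the firehol_level1.netset format (not the real list):
# '#' comments, blank lines, and one IPv4 address or CIDR per line.
SAMPLE_NETSET = """\
# firehol_level1 (constructed sample)
10.0.0.0/8          # bogon: RFC1918 space, also used on LANs
192.168.0.0/16
1.10.16.0/20
91.200.12.0/22

185.220.101.5
not-an-address      # malformed line, must be skipped
"""


def parse_netset(text):
    """Yield IPv4 networks from netset text, skipping comments, blanks and malformed entries."""
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            yield ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # one bad line should not abort the whole import


def build_rsc(text, skip_private=True):
    """Return the lines of a firehol.rsc for ReplaceFirehol to /import.

    Each entry uses list=firehol (matched by the drop rule) and comment="firehol"
    (matched by the remove step), so the next run can clear the old entries.
    """
    lines = ["/ip firewall address-list"]
    for net in parse_netset(text):
        if skip_private and (net.is_private or net.is_reserved or net.is_multicast):
            continue  # keep routed private subnets reachable (a choice made here)
        addr = str(net.network_address) if net.prefixlen == 32 else net.with_prefixlen
        lines.append(f'add list=firehol address={addr} comment="firehol"')
    return lines


if __name__ == "__main__":
    print("\n".join(build_rsc(SAMPLE_NETSET)))
```

Upload the printed output to the router as firehol.rsc and the existing ReplaceFirehol script will import it unchanged.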

Note:
This script is only for Firehol_level1; you can read more about the other levels here:

Firehol_level1: https://iplists.firehol.org/?ipset=firehol_level1
Firehol_level2: https://iplists.firehol.org/?ipset=firehol_level2
Firehol_level3: https://iplists.firehol.org/?ipset=firehol_level3
Firehol_level4: https://iplists.firehol.org/?ipset=firehol_level4

You may contact me for support in applying other levels, see About page.

Thanks to Joshaven for sharing his automated scripts and to Firehol.org for sharing their dynamic list of malicious IPs.