Manual:IP/Firewall/Address list

From MikroTik Wiki
Latest revision as of 06:57, 24 April 2019


Applies to RouterOS: 2.9, v3, v4 +

Summary

Sub-menu: /ip firewall address-list


Firewall address lists allow a user to create lists of IP addresses grouped together under a common name. Firewall filter, mangle and NAT facilities can then use those address lists to match packets against them.

The address list records can also be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list actions available in the NAT, Mangle and Filter facilities.

Firewall rules with action add-src-to-address-list or add-dst-to-address-list work in passthrough mode: the matched packet is added to the list and then passed on to the next firewall rule rather than being accepted or dropped. To actually block the listed addresses, a separate rule (for example action=drop with src-address-list=...) is needed.

Properties

Property Description
address (DNS Name | IP address/netmask | IP-IP; Default: ) A single IP address, an address/netmask prefix, an IP range, or a DNS name to add to the address list. A range entered as, for example, '192.168.0.0-192.168.1.255' is automatically converted to 192.168.0.0/23 when saved. A DNS name is resolved by the router itself, so the router needs working DNS settings.
list (string; Default: ) Name of the address list to which the address is added.
timeout (time; Default: ) Time after which the address is removed from the address list. If no timeout is specified, the address stays in the address list permanently.

Note: If the timeout parameter is not specified, the entry is saved to the list permanently, on disk. If a timeout is specified, the entry is kept only in RAM and is lost on reboot, even if the timeout has not yet expired.


Example

The following example dynamically adds to an address list every host that connects to port 23 (telnet) on the router and drops all traffic from those hosts to the router itself (chain=input, not forwarded traffic) for 5 minutes. The list also contains one static entry, 192.0.34.166/32 (www.example.com):

/ip firewall address-list add list=drop_traffic address=192.0.34.166/32
/ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST         ADDRESS
 0   drop_traffic 192.0.34.166
/ip firewall mangle add action=add-src-to-address-list address-list=drop_traffic \
    address-list-timeout=5m chain=prerouting dst-port=23 protocol=tcp
/ip firewall filter add action=drop chain=input src-address-list=drop_traffic
/ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST         ADDRESS
 0   drop_traffic 192.0.34.166
 1 D drop_traffic 1.1.1.1
 2 D drop_traffic 10.5.11.8

As seen in the output of the last print command, two new dynamic entries appeared in the address list (marked with the D flag). Hosts with these IP addresses tried to initiate a telnet session to the router and are now dropped by the filter rule. Because the mangle rule runs in the prerouting chain, which is evaluated before the filter input chain, the packet that created the entry is itself already dropped; the entries disappear 5 minutes later because they were added with address-list-timeout=5m, while the static 192.0.34.166 entry remains.
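The telnet example above adds a source after a single packet. The following is an added example, not from the original page, of the staged brute-force blocker that builds on the same two mechanisms described in the Summary and the Properties section: the passthrough behaviour of add-src-to-address-list, and per-entry timeouts. It is applied to SSH on port 22 and also shows a static allowlist so that an administrator cannot lock themselves out. The admin address 192.0.2.10 and the hostname mgmt.example.net are placeholders, and the list names, stage count and timeouts are choices made for this example, not RouterOS defaults.

```routeros
# Added example: staged SSH brute-force blocking with address lists.
# Placeholders: 192.0.2.10 (admin workstation), mgmt.example.net (DNS-name
# entry, resolved by the router, so DNS must be configured on the router).

/ip firewall address-list
# Static entries have no timeout, so they are stored on disk and survive a reboot.
add list=mgmt_allow address=192.0.2.10 comment="admin workstation"
add list=mgmt_allow address=mgmt.example.net comment="management host, resolved by the router"

/ip firewall filter
# 1. Never lock out management hosts: accept them before any blocking rule.
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt_allow \
    action=accept comment="ssh from management hosts"

# 2. Drop sources that are already blacklisted. This is the only terminating
#    rule between here and the final accept.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers"

# 3-6. Escalation ladder. add-src-to-address-list is passthrough, so one
#    packet is evaluated against every rule below. Listing the highest stage
#    first means a single SYN cannot climb all stages at once: a source needs
#    four new connections within the 1-minute stage timeouts to be blacklisted.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d comment="stage3 -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="stage2 -> stage3"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="stage1 -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="first attempt -> stage1"

# 7. Anything not blacklisted reaches the SSH service.
add chain=input protocol=tcp dst-port=22 action=accept comment="ssh"
```

Trace a fresh source through the ladder: its first new connection matches only rule 6 (stage1); the second, within a minute, matches rule 5 (stage2) and passes through to rule 6 again; the third matches rule 4 (stage3); the fourth matches rule 3 and lands the source in ssh_blacklist, where rule 2 drops its fifth and every later attempt for 10 days. Unlike the telnet example, the add happens in the filter input chain after the drop rule has already been evaluated, so the fourth connection itself is still accepted. The ssh_blacklist and ssh_stage entries carry a timeout, so per the Note above they live in RAM and are cleared by a reboot; the mgmt_allow entries are static and persist.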

