20 commits
9162f13b80
...
eca57b937d
Author | SHA1 | Date | |
---|---|---|---|
eca57b937d | |||
4869d74edf | |||
50a6914907 | |||
20d1ad17d7 | |||
62790ae091 | |||
0125f102b4 | |||
31966479dc | |||
1687e2780f | |||
b9e0ffac1d | |||
a924de274c | |||
6f29c640e4 | |||
01d2c3ea7e | |||
93bed1b081 | |||
c2f5272f18 | |||
45875ad68e | |||
b1199ca50a | |||
1344694708 | |||
1c2048628d | |||
471e0ead05 | |||
361933b2c0 |
|
@ -56,8 +56,12 @@ available in my repository and downloaded automatically. Import it manually
|
|||
(menu `/certificate/`) if missing.
|
||||
|
||||
Create firewall rules to process the packets that are related to addresses
|
||||
from address-lists. This rejects the packets from and to ip addresses listed
|
||||
in address-list `block`.
|
||||
from address-lists.
|
||||
|
||||
### IPv4 rules
|
||||
|
||||
This rejects the packets from and to IPv4 addresses listed in
|
||||
address-list `block`.
|
||||
|
||||
/ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
|
||||
/ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
|
||||
|
@ -85,6 +89,33 @@ Alternatively handle the packets in firewall's raw section if you prefer:
|
|||
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
|
||||
> sure they actually take effect as expected!
|
||||
|
||||
### IPv6 rules
|
||||
|
||||
These are the same rules, but for IPv6.
|
||||
|
||||
Reject packets in address-list `block`:
|
||||
|
||||
/ipv6/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
|
||||
/ipv6/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
|
||||
/ipv6/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
|
||||
/ipv6/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
|
||||
|
||||
Allow packets in address-list `allow`:
|
||||
|
||||
/ipv6/firewall/filter/add chain=input src-address-list=allow action=accept;
|
||||
/ipv6/firewall/filter/add chain=forward src-address-list=allow action=accept;
|
||||
/ipv6/firewall/filter/add chain=forward dst-address-list=allow action=accept;
|
||||
/ipv6/firewall/filter/add chain=output dst-address-list=allow action=accept;
|
||||
|
||||
Drop packets in firewall's raw section:
|
||||
|
||||
/ipv6/firewall/raw/add chain=prerouting src-address-list=block action=drop;
|
||||
/ipv6/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
|
||||
/ipv6/firewall/raw/add chain=output dst-address-list=block action=drop;
|
||||
|
||||
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
|
||||
> sure they actually take effect as expected!
|
||||
|
||||
---
|
||||
[⬅️ Go back to main README](../README.md)
|
||||
[⬆️ Go back to top](#top)
|
||||
|
|
|
@ -83,9 +83,9 @@ with a resolvable name:
|
|||
|
||||
/tool/netwatch/add comment="notify, name=example.com, resolve=example.com";
|
||||
|
||||
But be warned: Dynamic updates will probably cause issues if the name has
|
||||
more than one record in dns - a high rate of configuration changes (and flash
|
||||
writes) at least.
|
||||
This supports multiple A or AAAA records for a name just fine, even a CNAME
|
||||
to those. An update happens only if no more record with the configured host
|
||||
address is found.
|
||||
|
||||
### No notification on host down
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
:global WaitFullyConnected;
|
||||
|
||||
:local FindDelim do={
|
||||
:local ValidChars "0123456789./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-";
|
||||
:local ValidChars "0123456789.:/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-";
|
||||
:for I from=0 to=[ :len $1 ] do={
|
||||
:if ([ :typeof [ :find $ValidChars [ :pick ($1 . " ") $I ] ] ] != "num") do={
|
||||
:return $I;
|
||||
|
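Review bot: The loop `:for I from=0 to=[ :len $1 ]` in `FindDelim` runs one index past the last character on purpose, because `:pick ($1 . " ") $I` appends a space as a sentinel so that a line consisting only of valid characters returns its full length; that is not obvious from the code and deserves a comment such as `# scan up to :len inclusive: the appended space is a sentinel, so a line made only of valid characters yields its full length`. The added `:` in `$ValidChars` is what lets IPv6 literals survive the delimiter scan, which could be stated in the same comment. `FindDelim` starts in this hunk and its body continues outside it.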
@ -38,10 +38,11 @@ $WaitFullyConnected;
|
|||
:local ListComment ("managed by " . $0);
|
||||
|
||||
:foreach FwListName,FwList in=$FwAddrLists do={
|
||||
:local Addresses ({});
|
||||
:local CntAdd 0;
|
||||
:local CntRenew 0;
|
||||
:local CntRemove 0;
|
||||
:local IPv4Addresses ({});
|
||||
:local IPv6Addresses ({});
|
||||
:local Failure false;
|
||||
|
||||
:foreach List in=$FwList do={
|
||||
|
@ -85,7 +86,11 @@ $WaitFullyConnected;
|
|||
:local Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr"));
|
||||
:if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$" || \
|
||||
$Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={
|
||||
:set ($Addresses->$Address) $TimeOut;
|
||||
:set ($IPv4Addresses->$Address) $TimeOut;
|
||||
}
|
||||
:if ($Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$" || \
|
||||
$Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={
|
||||
:set ($IPv6Addresses->$Address) $TimeOut;
|
||||
}
|
||||
:set Data [ :pick $Data ([ :len $Line ] + 1) [ :len $Data ] ];
|
||||
}
|
||||
|
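Review bot: The IPv6 classification `$Address ~ "^[0-9a-zA-Z]*:[0-9a-zA-Z:\\.]+(/[0-9]{1,3})?\$"` accepts any alphanumeric run around a colon, so a malformed line from a fetched list (a constructed example: `foo:bar`) is queued into `$IPv6Addresses` and only rejected later by the `add` call with a warning; restricting the classes to hex digits, `"^[0-9a-fA-F]*:[0-9a-fA-F:\\.]+(/[0-9]{1,3})?\$"`, drops such lines at parse time instead. The hostname alternative is repeated in both conditions, so a name ends up in both `$IPv4Addresses` and `$IPv6Addresses`; if that is intended, a comment like `# names match both branches on purpose: they are added to both address lists and resolved per family` would spare the next reader the question. The enclosing `:foreach` over lines starts and ends outside the hunk.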
@ -93,28 +98,55 @@ $WaitFullyConnected;
|
|||
|
||||
:foreach Entry in=[ /ip/firewall/address-list/find where list=$FwListName comment=$ListComment ] do={
|
||||
:local Address [ /ip/firewall/address-list/get $Entry address ];
|
||||
:if ([ :typeof ($Addresses->$Address) ] = "time") do={
|
||||
$LogPrintExit2 debug $0 ("Renewing for " . ($Addresses->$Address) . ": " . $Address) false;
|
||||
/ip/firewall/address-list/set $Entry timeout=($Addresses->$Address);
|
||||
:set ($Addresses->$Address);
|
||||
:if ([ :typeof ($IPv4Addresses->$Address) ] = "time") do={
|
||||
$LogPrintExit2 debug $0 ("Renewing IPv4 address for " . ($IPv4Addresses->$Address) . ": " . $Address) false;
|
||||
/ip/firewall/address-list/set $Entry timeout=($IPv4Addresses->$Address);
|
||||
:set ($IPv4Addresses->$Address);
|
||||
:set CntRenew ($CntRenew + 1);
|
||||
} else={
|
||||
:if ($Failure = false) do={
|
||||
$LogPrintExit2 debug $0 ("Removing: " . $Address) false;
|
||||
$LogPrintExit2 debug $0 ("Removing IPv4 address: " . $Address) false;
|
||||
/ip/firewall/address-list/remove $Entry;
|
||||
:set CntRemove ($CntRemove + 1);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
:foreach Address,Ignore in=$Addresses do={
|
||||
$LogPrintExit2 debug $0 ("Adding for " . ($Addresses->$Address) . ": " . $Address) false;
|
||||
:foreach Entry in=[ /ipv6/firewall/address-list/find where list=$FwListName comment=$ListComment ] do={
|
||||
:local Address [ /ipv6/firewall/address-list/get $Entry address ];
|
||||
:if ([ :typeof ($IPv6Addresses->$Address) ] = "time") do={
|
||||
$LogPrintExit2 debug $0 ("Renewing IPv6 address for " . ($IPv6Addresses->$Address) . ": " . $Address) false;
|
||||
/ipv6/firewall/address-list/set $Entry timeout=($IPv6Addresses->$Address);
|
||||
:set ($IPv6Addresses->$Address);
|
||||
:set CntRenew ($CntRenew + 1);
|
||||
} else={
|
||||
:if ($Failure = false) do={
|
||||
$LogPrintExit2 debug $0 ("Removing: " . $Address) false;
|
||||
/ipv6/firewall/address-list/remove $Entry;
|
||||
:set CntRemove ($CntRemove + 1);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
:foreach Address,Timeout in=$IPv4Addresses do={
|
||||
$LogPrintExit2 debug $0 ("Adding IPv4 address for " . $Timeout . ": " . $Address) false;
|
||||
:do {
|
||||
/ip/firewall/address-list/add list=$FwListName comment=$ListComment address=$Address timeout=($Addresses->$Address);
|
||||
:set ($Addresses->$Address);
|
||||
/ip/firewall/address-list/add list=$FwListName comment=$ListComment address=$Address timeout=$Timeout;
|
||||
:set ($IPv4Addresses->$Address);
|
||||
:set CntAdd ($CntAdd + 1);
|
||||
} on-error={
|
||||
$LogPrintExit2 warning $0 ("Failed to add address " . $Address . " to list '" . $FwListName . "'.") false;
|
||||
$LogPrintExit2 warning $0 ("Failed to add IPv4 address " . $Address . " to list '" . $FwListName . "'.") false;
|
||||
}
|
||||
}
|
||||
|
||||
:foreach Address,Timeout in=$IPv6Addresses do={
|
||||
$LogPrintExit2 debug $0 ("Adding IPv6 address for " . $Timeout . ": " . $Address) false;
|
||||
:do {
|
||||
/ipv6/firewall/address-list/add list=$FwListName comment=$ListComment address=$Address timeout=$Timeout;
|
||||
:set ($IPv6Addresses->$Address);
|
||||
:set CntAdd ($CntAdd + 1);
|
||||
} on-error={
|
||||
$LogPrintExit2 warning $0 ("Failed to add IPv6 address " . $Address . " to list '" . $FwListName . "'.") false;
|
||||
}
|
||||
}
|
||||
|
||||
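Review bot: The IPv6 removal branch still logs `"Removing: " . $Address` while its IPv4 counterpart in the same hunk was changed to `"Removing IPv4 address: "`; for symmetric log output change it to `$LogPrintExit2 debug $0 ("Removing IPv6 address: " . $Address) false;`. The renew/remove loop and the add loop are otherwise line-for-line copies differing only in the `/ip` versus `/ipv6` path and the map they read, so a comment above the IPv4 block such as `# renew, remove and add IPv4 entries; the IPv6 block below mirrors this` would make the duplication deliberate rather than accidental, especially since the `$Failure` gate both blocks share is presumably set outside this hunk. The enclosing `:foreach FwListName,FwList` starts and ends outside the hunk.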
|
|
|
@ -12,7 +12,7 @@
|
|||
:local 0 [ :jobname ];
|
||||
|
||||
# expected configuration version
|
||||
:global ExpectedConfigVersion 118;
|
||||
:global ExpectedConfigVersion 119;
|
||||
|
||||
# global variables not to be changed by user
|
||||
:global GlobalFunctionsReady false;
|
||||
|
|
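--- a/mod/dns-adblock
+++ b/mod/dns-adblock
@@ -0,0 +1,124 @@
+#!rsc by RouterOS
+
+:global UpdateAdblock;
+:global HelpAdblock;
+:global ShowAdblockHost;
+:global AddAdblockHost;
+:global RemoveAdblockHost;
+
+:global RunAdblockHost do={
+# store hostlist as script
+:if ([:len [/system script find where name=adblockhostlist]] = 0) do={
+/system script add name=adblockhostlist source=":global AdblockHost"
+}
+:if ($1 = "update") do={
+:global NewAdblockHost;
+/system script set [find where name=adblockhostlist] source=(":global AdblockHost $NewAdblockHost");
+}
+/system script run adblockhostlist
+}
+
+:set $HelpAdblock do={
+:local HelpAdblockList {\
+"\$UpdateAdblock - Update static DNS entries";\
+"\$ShowAdblockHost - Show current sources";\
+"\$AddAdblockHost [URL] - Add new sources, eg: https://adaway.org/hosts.txt";\
+"\$RemoveAdblockHost [Number] - Remove specified source, eg: 0"\
+}
+:foreach x in=$HelpAdblockList do={
+:put $x
+}
+}
+
+:set $ShowAdblockHost do={
+:global AdblockHost;
+:if ([:len $AdblockHost] = 0) do={
+:error "No source found"
+}
+:foreach x,y in=$AdblockHost do={
+:put ("$x $y")
+}
+}
+
+:set $AddAdblockHost do={
+:if ([:len $1] < 1) do={
+:error "No URL specified!"
+}
+:global AdblockHost;
+:global RunAdblockHost;
+:global NewAdblockHost;
+:local CurAdblockHost;
+:if ([:len $AdblockHost] != 0) do={
+:foreach x in=$AdblockHost do={
+:set CurAdblockHost ("$CurAdblockHost\"$x\";")
+}
+:set NewAdblockHost ("{$CurAdblockHost\"$1\"}")
+} else={
+:set NewAdblockHost "{\"$1\"}"
+}
+$RunAdblockHost "update"
+:put ("Added new source: $1")
+}
+
+:set $RemoveAdblockHost do={
+:if ([:len $1] < 1) do={
+:error "No number specified!"
+}
+:global AdblockHost;
+:global RunAdblockHost;
+:global NewAdblockHost;
+:local CurAdblockHost;
+:if ([:len $AdblockHost] = 0) do={
+:error "No source found"
+}
+:foreach x,y in=$AdblockHost do={
+:if ($x != $1) do={
+:set CurAdblockHost ("$CurAdblockHost\"$y\";")
+} else={
+:put ("Removed source: $y")
+}
+}
+:if ([:len $AdblockHost] <= 1) do={
+:set AdblockHost ""
+:set NewAdblockHost ""
+} else={
+:set NewAdblockHost ("{$CurAdblockHost}")
+}
+$RunAdblockHost "update"
+}
+
+:set $UpdateAdblock do={
+:global AdblockHost;
+:if ([:len $AdblockHost] = 0) do={
+:error "Add source first!"
+}
+:local AdblockHostList;
+:foreach x in=$AdblockHost do={
+:set AdblockHostList ("$AdblockHostList$x,")
+}
+:set $AdblockHostList [:pick $AdblockHostList 0 ([:len $AdblockHostList]-1)]
+# https://github.com/tarampampam/mikrotik-hosts-parser
+:local parserVer "4.4.0";
+:local adblockLimit "5000";
+:local redirectTo "127.0.0.1";
+:local excludedHost "localhost,localhost.localdomain,broadcasthost,local,ip6-localhost,ip6-loopback,ip6-localnet,ip6-mcastprefix,ip6-allnodes,ip6-allrouters,ip6-allhosts";
+:local hostScriptUrl ("https://stopad.cgood.ru/script/source\?format=routeros&version=$parserVer&redirect_to=$redirectTo&limit=$adblockLimit&sources_urls=$AdblockHostList&excluded_hosts=$excludedHost");
+:local scriptName "stop_ad.script";
+do {
+/tool fetch check-certificate=no mode=https url=$hostScriptUrl dst-path=$scriptName
+:delay 3s;
+} on-error={
+:error "Fetch source failed"
+}
+:if ([:find [/file get $scriptName contents] "Script generation failed"]) do={
+:error "Invalid/unsupported source"
+} else={
+/ip dns static remove [/ip dns static find comment=ADBlock]
+/import file-name=$scriptName
+/file remove $scriptName
+:put "Static DNS entries updated successfully"
+}
+}
+
+# Initialize adblockhostlist
+$RunAdblockHost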
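Review bot: `/tool fetch check-certificate=no mode=https url=$hostScriptUrl dst-path=$scriptName` in `$UpdateAdblock` disables TLS certificate validation, and the downloaded file is then executed with `/import file-name=$scriptName`, so the router runs whatever script the remote generator, or anyone able to interpose on that connection, returns; the check-certificate setting should be `check-certificate=yes`, with the fetch failing (and nothing imported) when the chain cannot be verified, which is the model the README hunk on this page already follows for the repository's own downloads. The marker check `[:find [/file get $scriptName contents] "Script generation failed"]` presumably only sees the beginning of the downloaded file if `contents` exposes a truncated view on the target RouterOS version (TODO confirm), so a marker further down would pass unnoticed and the file would still be imported. The fetch block opens with a bare `do {` while every other control statement in the file is written with the leading colon (`:do {`); worth aligning for consistency. The file has no header comment; a line such as `# manages a list of hosts-file URLs and rebuilds static DNS entries (comment ADBlock) from a remotely generated script` would tell a reader what the module does and what it trusts.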
@ -52,6 +52,24 @@
|
|||
:return ("Ran hook:\n" . $Hook);
|
||||
}
|
||||
|
||||
:local ResolveExpected do={
|
||||
:local Name [ :tostr $1 ];
|
||||
:local Expected [ :tostr $2 ];
|
||||
|
||||
:global GetRandom20CharAlNum;
|
||||
|
||||
:local FwAddrList ($0 . "-" . [ $GetRandom20CharAlNum ]);
|
||||
/ip/firewall/address-list/add address=$Name list=$FwAddrList dynamic=yes timeout=1s;
|
||||
/ipv6/firewall/address-list/add address=$Name list=$FwAddrList dynamic=yes timeout=1s;
|
||||
:delay 20ms;
|
||||
:if ([ :len [ /ip/firewall/address-list/find where list=$FwAddrList address=$Expected ] ] > 0 || \
|
||||
[ :len [ /ipv6/firewall/address-list/find where list=$FwAddrList address=$Expected ] ] > 0) do={
|
||||
:return true;
|
||||
}
|
||||
|
||||
:return false;
|
||||
}
|
||||
|
||||
$ScriptLock $0;
|
||||
|
||||
:local ScriptFromTerminalCached [ $ScriptFromTerminal $0 ];
|
||||
|
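Review bot: `ResolveExpected` has no header comment and its result hinges on a fixed `:delay 20ms` between adding the dynamic address-list entries and the `find` calls, so a slower resolver makes it return `false` and the caller then treats the host as changed; document that with a comment such as `# checks via temporary dynamic address-list entries (timeout 1s) whether $1 resolves to $2; returns false also when resolution takes longer than the short delay`. The two `add` calls are not wrapped in `:do`/`on-error`, so if RouterOS rejects an unresolvable name at add time (TODO confirm) the error propagates out of the function instead of yielding `false`; the only catch I can see is the caller's `:do` block around `:if ([ $IsDNSResolving ] = true)` in the next hunk. The function is complete within this hunk.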
@ -79,14 +97,16 @@ $ScriptLock $0;
|
|||
:if ([ $IsDNSResolving ] = true) do={
|
||||
:do {
|
||||
:local Resolve [ :resolve ($HostInfo->"resolve") ];
|
||||
:if ($Resolve != $HostVal->"host" and \
|
||||
[ :len [ /ip/dns/cache/find where name=($HostInfo->"resolve") data=[ :tostr ($HostVal->"host") ] ] ] = 0) do={
|
||||
$LogPrintExit2 info $0 ("Name '" . $HostInfo->"resolve" . [ $IfThenElse \
|
||||
($HostInfo->"resolve" != $HostInfo->"name") ("' for " . $Type . " '" . \
|
||||
$HostInfo->"name") "" ] . "' resolves to different address " . $Resolve . \
|
||||
", updating.") false;
|
||||
/tool/netwatch/set host=$Resolve $Host;
|
||||
:set ($Metric->"resolve-failcnt") 0;
|
||||
:if ($Resolve != $HostVal->"host") do={
|
||||
:if ([ $ResolveExpected ($HostInfo->"resolve") ($HostVal->"host") ] = false) do={
|
||||
$LogPrintExit2 info $0 ("Name '" . $HostInfo->"resolve" . [ $IfThenElse \
|
||||
($HostInfo->"resolve" != $HostInfo->"name") ("' for " . $Type . " '" . \
|
||||
$HostInfo->"name") "" ] . "' resolves to different address " . $Resolve . \
|
||||
", updating.") false;
|
||||
/tool/netwatch/set host=$Resolve $Host;
|
||||
:set ($Metric->"resolve-failcnt") 0;
|
||||
:set ($HostVal->"status") "unknown";
|
||||
}
|
||||
}
|
||||
} on-error={
|
||||
:set ($Metric->"resolve-failcnt") ($Metric->"resolve-failcnt" + 1);
|
||||
|
@ -125,7 +145,9 @@ $ScriptLock $0;
|
|||
:set ($Metric->"notified") false;
|
||||
:set ($Metric->"parent") ($HostInfo->"parent");
|
||||
:set ($Metric->"since");
|
||||
} else={
|
||||
}
|
||||
|
||||
:if ($HostVal->"status" = "down") do={
|
||||
:set ($Metric->"count-down") ($Metric->"count-down" + 1);
|
||||
:set ($Metric->"count-up") 0;
|
||||
:set ($Metric->"parent") ($HostInfo->"parent");
|
||||
|
@ -178,6 +200,7 @@ $ScriptLock $0;
|
|||
:set ($Metric->"notified") true;
|
||||
}
|
||||
}
|
||||
|
||||
:set ($NetwatchNotify->$Name) {
|
||||
"count-down"=($Metric->"count-down");
|
||||
"count-up"=($Metric->"count-up");
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
[ $IfThenElse ($Resource->"total-hdd-space" < 16000000) ("Your " . $Resource->"board-name" . " is specifically affected! ") \
|
||||
[ $IfThenElse ($Resource->"free-hdd-space" > 4000000) ("(Your " . $Resource->"board-name" . " does not suffer this issue.) ") ] ] . \
|
||||
"Huge configuration and lots of scripts give an extra risk. Take care!");
|
||||
119="Added support for IPv6 to script 'fw-addr-lists'.";
|
||||
};
|
||||
|
||||
# Migration steps to be applied on script updates
|
||||
|
|