
Blocking domain names in RouterOS


#1 Blocking domain names in RouterOS, posted by 阳光利群 (Community administrator), Mon Jun 18, 2012, 8:56 pm

First, we create an IP library and a domain library. Here is how. To create the malicious-IP library:

/ip firewall filter add chain=forward action=drop dst-address-list=jiqigou (jiqigou is the pinyin of 机器狗, "machine dog"; name the list whatever you like)

/ip firewall address-list add list=jiqigou address=<malicious IP address>

To create the malicious-domain library: /ip firewall filter add chain=forward action=jump jump-target=jiqigou

/ip firewall filter add chain=jiqigou content=<domain to block> action=drop (if you have not created the domain library, this line will not block any domain). Remember that.

I believe everyone has used the command in the part in red, but it just doesn't work; try it yourself if you don't believe me. Malicious domains can still pass through your router into your LAN and wreck your internet cafe. You must do domain filtering, so build the domain library first.

There is another method:

/ip firewall filter add chain=forward dst-address=<IP address>/32 action=drop comment="block IP"
/ip firewall filter add chain=forward content=<domain name> action=reject comment="block domain"
1. Block an IP
/ip firewall filter add chain=forward dst-address=127.0.0.1 (replace this with the IP you want to block) action=drop comment="your comment here; Chinese does not seem to work"
2. Block a domain
/ip firewall filter add chain=forward content=www.XXXXXX.com (replace this with the domain you want to block) action=reject comment="your comment here; Chinese does not seem to work"
3. Block a port
/ip firewall filter add chain=forward protocol=tcp dst-port=21 (you know what to replace here) action=drop comment="your comment here; Chinese does not seem to work"
How to use:
Log in with Winbox --> Terminal to open the command window, paste in the scripts above (already edited to your needs) and you are done. The result can be seen under IP > Firewall.

#2 Re: Blocking domain names in RouterOS, posted by nosky2 (Intermediate member), Sun Jun 24, 2012, 5:06 am

Learned something, showing my support.

#3 Re: Blocking domain names in RouterOS, posted by Adm¡n (Senior moderator), Tue Jun 26, 2012, 9:31 am

Technical support.

#4 Re: Blocking domain names in RouterOS, posted by 大玩家 (Community administrator), Sat Jun 30, 2012, 8:22 pm

Use host names in firewall rules



From MikroTik Wiki



The problem


You would like to create firewall filter rules which refer to host names rather than IP addresses. This may be, for example, because the host name is dynamic such as would be created by a dyndns service. For several very good reasons, it is not possible to put host names directly into firewall rules. For example, the following doesn't work:
/ip firewall filter add chain=output dst-address=www.mikrotik.com action=accept

Whilst at first glance it would seem like a good idea to allow this configuration, the additional traffic and load which would be created if the router had to resolve (in this case) 'www.mikrotik.com' for every single packet passing through shows that in reality it is simply not practical.

The solution


It is possible to implement host name based firewall rules with a little lateral thinking. If one considers that DNS resolutions are cached (in theory for as short a time as the record's TTL, but in reality for the amount of time the resolver's sysadmin has permitted), there is very little point in resolving the host name for every single packet.

For this reason, we can quite easily write a script which does the resolving and stores the values somewhere they can be used by the filter rules. This script can be run as regularly as required.

The best place to store the host names and associated IP addresses is the address list as this allows these addresses to be used from within the filter rules directly. The use of address lists also allows a greater degree of flexibility than would be available if the filter rules were updated individually. The address list feature allows the storage of three values - a comment, the list name and the IP address. The following example assumes the fields are used as follows:


  • comment - The host name to use
  • list name - Starting with 'host_' and ending with any description
  • address - The IP address (either 0.0.0.0 when the entry is created or the result of the resolution if not)

The reason the comment is used for the host name rather than the list name is that using a description in the list name easily allows multiple host names to be grouped together. So, for example, entries may be added as follows:
/ip firewall address-list add address=0.0.0.0 comment=www.mikrotik.com list=host_mikrotik
/ip firewall address-list add address=0.0.0.0 comment=forum.mikrotik.com list=host_mikrotik
/ip firewall address-list add address=0.0.0.0 comment=wiki.mikrotik.com list=host_mikrotik

and a firewall rule as follows:
/ip firewall filter add chain=output dst-address-list=host_mikrotik action=accept

This allows all outbound traffic to any of the IP addresses defined in the address list 'host_mikrotik'.

As things stand, nothing will be achieved by this rule since the IP addresses allowed are all '0.0.0.0'. We need to write a script which parses all the address list entries and resolves the ones which need resolving.
/system script add \
name=resolvehostnames policy=write,read \
source="# define variables\r\
\n:local list\r\
\n:local comment\r\
\n:local newip\r\
\n\r\
\n# Loop through each entry in the address list.\r\
\n:foreach i in=[/ip firewall address-list find] do={\r\
\n\r\
\n# Get the first five characters of the list name\r\
\n :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
\n\r\
\n# If they're 'host_', then we've got a match - process it\r\
\n :if (\$list = "host_") do={\r\
\n\r\
\n# Get the comment for this address list item (this is the host name to u\
se)\r\
\n :set comment [/ip firewall address-list get \$i comment]\r\
\n\r\
\n# Resolve it and set the address list entry accordingly.\r\
\n :set newip [:resolve \$comment]\r\
\n /ip firewall address-list set \$i address=\$newip\r\
\n }\r\
\n }"

Once the script is in place, it can be scheduled. Try every hour to see if that gives you what you need:
/system scheduler add \
comment="" disabled=no interval=1h name=updatehostnames on-event=resolvehostnames \
start-date=jan/01/1970 start-time=00:00:00

Caveat


The script uses a RouterOS function 'resolve'. Unfortunately (as at 3.25), if the hostname being resolved doesn't exist or if the resolvers fail for whatever reason, the script returns an error message and stops immediately. It is not possible to trap this error message to code around it. Extreme care must therefore be taken that host names are correctly entered (and do not include any leading or trailing spaces).

Also, note that for obvious reasons, this may not work for host names which resolve to multiple IP addresses.
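Added example, not code from the wiki article or from any poster above: a small Python generator that builds the same address-list scheme (list=host_..., comment=host name) for the domain libraries in post #1 and the wiki's resolver script, but addresses both caveats: a failed lookup leaves that host's existing entries untouched and is reported instead of aborting the run, and a host with several A records gets one entry per address. The resolver is an injected callable (assumed interface: host name in, list of IPv4 strings out); the sample DNS table is constructed so the demo runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Assumed resolver interface: host name -> every IPv4 address (all A records).
Resolver = Callable[[str], List[str]]

def system_resolver(host: str) -> List[str]:
    """Real resolver for production use: ask the OS stub resolver for all IPv4 addresses."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def resolve_groups(groups: Dict[str, List[str]], resolver: Resolver = system_resolver) -> Dict[str, Dict[str, List[str]]]:
    """Resolve every host of every list. A failed lookup yields [] rather than stopping the run."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for list_name, hosts in groups.items():
        out[list_name] = {}
        for raw in hosts:
            host = raw.strip()  # leading/trailing spaces are the failure mode the wiki warns about
            try:
                ips = [str(ipaddress.IPv4Address(ip)) for ip in resolver(host)]
            except (OSError, ValueError):  # socket.gaierror is an OSError subclass
                ips = []
            out[list_name][host] = ips
    return out

def render_commands(resolved: Dict[str, Dict[str, List[str]]]) -> Tuple[List[str], List[str]]:
    """Emit RouterOS CLI lines: resolved hosts get their old entries replaced, one per address;
    hosts that failed keep whatever entries they already had and are returned separately."""
    cmds, failed = [], []
    for list_name, entries in resolved.items():
        for host, ips in entries.items():
            if not ips:
                failed.append(host)
                continue
            cmds.append(f"/ip firewall address-list remove [find list={list_name} comment={host}]")
            for ip in ips:
                cmds.append(f"/ip firewall address-list add list={list_name} address={ip} comment={host}")
    return cmds, failed

# Constructed sample DNS data (TEST-NET-3 addresses) so the demo needs no network.
SAMPLE_DNS = {"www.mikrotik.com": ["203.0.113.10"], "forum.mikrotik.com": ["203.0.113.21", "203.0.113.20"]}

def sample_resolver(host: str) -> List[str]:
    if host not in SAMPLE_DNS:
        raise OSError(f"constructed NXDOMAIN for {host}")
    return SAMPLE_DNS[host]

def demo() -> Tuple[List[str], List[str]]:
    groups = {"host_mikrotik": ["www.mikrotik.com", " forum.mikrotik.com ", "wiki.mikrotik.com"]}
    return render_commands(resolve_groups(groups, sample_resolver))

if __name__ == "__main__":
    commands, unresolved = demo()
    print("\n".join(commands))
    print("unresolved (existing entries left as they were):", unresolved)
```

Swap sample_resolver for system_resolver (the default) to generate commands for real host names; paste the output into a Winbox terminal or feed it to the scheduler described above.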
