fw-addr-lists: add support for IPv6

Christian Hesse 2024-02-23 11:19:56 +01:00
parent 0125f102b4
commit 62790ae091
4 changed files with 68 additions and 4 deletions

@ -56,8 +56,12 @@ available in my repository and downloaded automatically. Import it manually
(menu `/certificate/`) if missing.
Create firewall rules to process the packets that are related to addresses
from address-lists. This rejects the packets from and to ip addresses listed
in address-list `block`.
from address-lists.
### IPv4 rules
This rejects the packets from and to IPv4 addresses listed in
address-list `block`.
/ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
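Review bot: Style point on the lead-in under the new `### IPv4 rules` heading: "This rejects the packets from and to IPv4 addresses listed in address-list `block`." opens with a dangling "This" now that the heading separates it from the introductory sentence, and it does not match the imperative lead-ins used in the IPv6 section ("Reject packets in address-list `block`:"). Suggest using the same wording in both sections so they read as parallel instructions.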
@ -85,6 +89,33 @@ Alternatively handle the packets in firewall's raw section if you prefer:
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
> sure they actually take effect as expected!
### IPv6 rules
These are the same rules, but for IPv6.
Reject packets in address-list `block`:
/ipv6/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
Allow packets in address-list `allow`:
/ipv6/firewall/filter/add chain=input src-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=forward src-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=forward dst-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=output dst-address-list=allow action=accept;
Drop packets in firewall's raw section:
/ipv6/firewall/raw/add chain=prerouting src-address-list=block action=drop;
/ipv6/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
/ipv6/firewall/raw/add chain=output dst-address-list=block action=drop;
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
> sure they actually take effect as expected!
---
[⬅️ Go back to main README](../README.md)
[⬆️ Go back to top](#top)
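Review bot: The new IPv6 section documents the reject rules for `block` before the accept rules for `allow`, and every command is a plain `add`, which appends to the end of the chain, so pasting the section top to bottom leaves the reject rules evaluated first. If `allow` is meant to take precedence over `block`, list the allow rules first or state the required order explicitly instead of relying on the generic warning about rule order. In the same section, "Drop packets in firewall's raw section:" reads as one more step, while the IPv4 text visible in the hunk header introduces it with "Alternatively ... if you prefer"; carrying that wording over would make clear it is an alternative, since raw prerouting drops are processed before the filter chains and the accept rules would never see those packets.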