MikroTik: Setup SquidBlackList Web Proxy

Earlier this year I started using both free and subscription-based blacklists from Squidblacklists.org. The blacklists were incredibly simple to implement into RouterOS and once configured, the lists can be scheduled to update at regular intervals via the RouterOS system scheduler. Squidblacklist.org provides a list of available blacklists, but make sure to review the blacklist compatibility chart first before implementing the list into your RouterOS configuration. In this example, it is important to note that this blacklist is only accessible via a Squidblacklist.org subscription account and that both YOUR_SBL_USERNAME and YOUR_SBL_PASSWORD values will need to be changed to reflect your Squidblacklist.org account credentials. In addition, you will most likely need to change the “dst-path” value to an existing path for the script to work. If you want to download the blacklist to the root of your MikroTik you can delete the “dst-path” property and its value entirely. Should you choose the “All-In-One Web Proxy Setup” script (via copy/paste in the MikroTik terminal), you will need to enable the scheduled tasks, since they are disabled by default in the script.

All-In-One Web Proxy Setup

/ip proxy
#CREATE TRANSPARENT WEB PROXY
set enabled=yes cache-administrator=webmaster max-cache-size=unlimited

/ip firewall nat
#REDIRECTION TO TRANSPARENT WEB PROXY
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080 comment="Redirect to Transparent Web Proxy"

/ip firewall filter
#DROP WEB PROXY REQUESTS FROM WAN
add action=drop chain=input dst-port=8080 in-interface-list=WAN protocol=tcp log=yes log-prefix="Drop_Web Proxy" comment="Drop Web Proxy requests from WAN."

/system script
#CREATE DOWNLOAD BLACKLISTS SCRIPT
add comment=Proxy name=Blacklist_SquidBlacklist_Download_tik-malicious.rsc owner=tritonb7 policy=read,test source=":log warning \"START - Download blacklist (tik-malicious.rsc) updates.\";\r\
    \n/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/tik-malicious.rsc user=YOUR_SBL_USERNAME password=YOUR_SBL_PASSWORD dst-path=/disk1/blacklists/tik-malicious.rsc\r\
    \n:log warning \"END- Download blacklist (tik-malicious.rsc) updates.\";"

#CREATE IMPORT BLACKLISTS SCRIPT
add comment=Proxy name=Blacklist_SquidBlacklist_Import_tik-malicious.rsc owner=tritonb7 policy=read,write source=":log warning \"START - Import blacklist (tik-malicious.rsc) update.\";\r\
    \nimport /disk1/blacklists/tik-malicious.rsc\r\
    \n:log warning \"END - Import blacklist (tik-malicious.rsc) update.\";"

/system scheduler
#CREATE DOWNLOAD BLACKLISTS SCHEDULER
add comment=Proxy interval=1d name=Blacklist_SquidBlacklist_Download_tik-malicious.rsc on-event="/system script run Blacklist_SquidBlacklist_Download_tik-malicious.rsc" policy=read,test start-date=jan/01/2017 start-time=03:00:00 disabled=yes

#CREATE IMPORT BLACKLISTS SCHEDULER
add comment=Proxy interval=1d name=Blacklist_SquidBlacklist_Import_tik-malicious.rsc on-event="/system script run Blacklist_SquidBlacklist_Import_tik-malicious.rsc" policy=read,write start-date=jan/01/2017 start-time=03:15:00 disabled=yes

Manual Setup

If you would like to setup everything manually via GUI/Winbox (System > Scheduler), you can use the following System Scheduler “On Event” commands to download and import the blacklist. Also, don’t forget to create the NAT redirect and enable/configure the Web Proxy required for the blacklist, I’ll include an additional code snippet for this at the bottom.

Script: Download Blacklist

:log warning "START - Download blacklist (tik-malicious.rsc) updates.";
/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/tik-malicious.rsc user=YOUR_SBL_USERNAME password=YOUR_SBL_PASSWORD dst-path=/disk1/blacklists/tik-malicious.rsc
:log warning "END- Download blacklist (tik-malicious.rsc) updates.";

Script: Import Blacklist

:log warning "START - Import blacklist (tik-malicious.rsc) update.";
import /disk1/blacklists/tik-malicious.rsc
:log warning "END - Import blacklist (tik-malicious.rsc) update.";

Scheduler: Execute Download Blacklist Script

/system script run Blacklist_SquidBlacklist_Download_tik-malicious.rsc

Scheduler: Execute Import Blacklist Script

/system script run Blacklist_SquidBlacklist_Import_tik-malicious.rsc

Firewall: Create Web Proxy, NAT Redirect, and Filter Drop (WAN) Rules

/ip proxy
#CREATE TRANSPARENT WEB PROXY
set enabled=yes cache-administrator=webmaster max-cache-size=unlimited

/ip firewall nat
#REDIRECTION TO TRANSPARENT WEB PROXY
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080 comment="Redirect to Transparent Web Proxy"

/ip firewall filter
#DROP WEB PROXY REQUESTS FROM WAN
add action=drop chain=input dst-port=8080 in-interface-list=WAN protocol=tcp log=yes log-prefix="Drop_Web Proxy" comment="Drop Web Proxy requests from WAN."

Leave a Comment

Your email address will not be published. Required fields are marked *