1. 导入中国IP列表。将文件上传到RouterOS后，运行 import China_IP.rsc

2. 创建防火墙规则

# 限制非中国IP直接到路由器的访问
/ip firewall filter
add action=drop chain=input connection-state=new dst-address-type=local src-address-list="!China_IP"

# 限制非中国IP所有NAT访问 (与下方规则二选一)
/ip firewall filter
add action=drop chain=forward connection-state=new dst-address-type=local src-address-list="!China_IP"

# 限制非中国IP指定端口的NAT访问
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=tcp src-address-list="China_IP" to-addresses=192.168.88.100 to-ports=80