Recently I was working at a remote network in Ghana where a hotspot was deployed for school students, and it was school policy to have a central filter policy to block access to adult websites and Facebook. Blocking adult websites was easy by using OpenDNS and forcing users' DNS traffic to pass through it, but blocking Facebook was a bit tricky as it uses HTTPS and a web proxy cannot filter secure traffic. In the past I used a few methods to block Facebook (or the like), such as content / L7 filtering, but personally I prefer to have an address list of the FB servers' IP addresses built by an automated script. This way I have more control over the block policy.
The script below (which can be scheduled to run every 5 minutes, hourly, or as required) builds an address list, and a filter rule then drops requests going to that address list.
First, create the script that picks up facebook entries from the router's DNS cache and adds them to the "facebook_dns_ips" address list. Save it under /system script with the name facebook-list, because the scheduler in step 2 calls it by that name. Note that entries added to the list stay there until removed; add a timeout= value to the address-list add command if you want stale IPs to age out.
Open Terminal (or the script editor) and paste the following script.
1) SCRIPT:
# Script to add Facebook DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com
# Script Source: N/A / GOOGLE : )
:log warning "Script Started ... Adding Facebook DNS ip's to address list name facebook_dns_ips"
:foreach i in=[/ip dns cache find] do={
  :local cacheName [/ip dns cache get $i name];
  # Match any cached name that contains "facebook". :find returns nil when the
  # substring is absent, so test the type instead of comparing with 0 (the
  # original "!= 0" test skipped a name that starts with "facebook", e.g. facebook.com).
  :if ([:typeof [:find $cacheName "facebook"]] != "nil") do={
    :local tmpAddress [/ip dns cache get $i address];
    :put $tmpAddress;
    # Add the address only if it is not already in the facebook_dns_ips list
    # (the check is scoped to this list, not to every address list on the router).
    :if ([:len [/ip firewall address-list find list=facebook_dns_ips address=$tmpAddress]] = 0) do={
      :log info ("added entry: $cacheName IP $tmpAddress");
      /ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
    }
  }
}
# FB DNS IP ADD Script Ended ...
2) SCHEDULER:
Schedule the script to run every 5 minutes (or hourly). The on-event value must match the script name chosen in step 1.
/system scheduler add disabled=no interval=5m name=fb-script-run-schedule on-event=facebook-list policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=feb/11/2014 start-time=00:00:00
3) FILTER RULE:
Now create a FIREWALL FILTER rule that actually DROPs requests going to the facebook_dns_ips address list.
(Make sure to move this rule to the TOP, or at least before any general accept rule, in the Filter section.)
/ip firewall filter add action=drop chain=forward comment="Filter Rule to block FB address LIST : )" disabled=no dst-address-list=facebook_dns_ips
Now try to access Facebook: it will open as usual, but as soon as the script runs, the address list will be populated with the FB IP addresses and access will be blocked.
As shown in the image below.
TIME BASE FILTER RULE
You can also use this technique to block FB during specific hours only. For example, to block access to FB from 9am to 10am, use the following filter rule.
/ip firewall filter add action=drop chain=forward comment="Filter Rule to block FB address LIST : )" disabled=no dst-address-list=facebook_dns_ips time=9h-10h,sun,mon,tue,wed,thu,fri,sat
Force / Redirect users to use your DNS
The script only sees lookups that go through the router's own DNS cache, so redirect all client DNS queries (TCP and UDP port 53) to the router. Here 192.168.1.1 is the router's LAN address; replace it with your own.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=udp dst-port=53
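The step 1 script generalized to several DNS-name keywords, with entries that expire unless refreshed, as an added example that is not part of the original post. It keeps the facebook_dns_ips list name from the post; the keyword list, the 1d timeout and the address field name of the DNS cache (as in the post's script) are assumptions to adjust for your router.

```routeros
# Added example (not from the original post): generalizes the step 1 script to
# several DNS-name keywords and lets list entries age out instead of staying forever.
# Assumptions: list name facebook_dns_ips (as in the post); the keywords and the
# 1d timeout are placeholders to adjust to your own policy.
:local listName "facebook_dns_ips";
:local keywords {"facebook";"fbcdn"};
:local added 0;

:foreach i in=[/ip dns cache find] do={
  :local cacheName [/ip dns cache get $i name];
  :local tmpAddress [/ip dns cache get $i address];
  :local matched false;
  # Does the cached name contain any of the keywords? (:find returns nil if not.)
  :foreach k in=$keywords do={
    :if ([:typeof [:find $cacheName $k]] != "nil") do={ :set matched true; }
  }
  :if ($matched) do={
    :local existing [/ip firewall address-list find list=$listName address=$tmpAddress];
    :if ([:len $existing] = 0) do={
      # New address: add it with an expiry so a stale IP drops out of the block list.
      /ip firewall address-list add list=$listName address=$tmpAddress comment=$cacheName timeout=1d;
      :set added ($added + 1);
    } else={
      # Already listed: refresh the expiry instead of creating a duplicate entry.
      /ip firewall address-list set $existing timeout=1d;
    }
  }
}
:log info ("$listName: $added new address(es) added; entries expire after 1d unless refreshed");
```

Schedule it exactly like the step 1 script; the step 3 filter rule needs no change because the list name is the same.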
Regards
Syed Jahanzaib
