
Block Facebook or other sites in labor hours


Megabyte12

Hi, I have an RT-N16 router (3.0.0.4.374.32) and I need to block https://www.facebook.com in labor hours.

Network Services Filter seems to not work, so I think I need another solution.

Can anyone explain to me what I need to do and how?
 
What kind of setting is this with what kind of devices/users?

Why is the block only during work hours? Do you have people coming in outside of these hours with legitimate needs to get to that URL? If not, you can do URL blocking in the router, but depending on what websites people go to in the case of normal working hours, a staggering amount of websites have code in them that calls out to Facebook and will load a bit slower with that URL block happening in the router. I know this from my own experience in trying to filter out tracking/cookies/ads I don't need on my personal LAN and it wasn't a good solution due to sluggishness.

Using OpenDNS on the router and setting up an OpenDNS account that blocks Facebook.com is a lot faster in returning a null response for the URL and affects page loads with little negative consequence, but can be defeated in client devices if you do not have ability to lock down their DNS choice.

If you're doing this in a school/work environment it obviously wouldn't affect mobile devices that also have cellular connectivity or even dedicated apps might still work over wifi to "banned" URLs when the app is designed to look for specific IPs instead of domain names. I've seen that a lot in free public wifi, they will often disallow a specific domain but if there is an app for that service it might still work.

Others that have more experience in parental type filter controls might have some useful insight.
 
I think PrivateJoker covered a lot of the problems associated with blocking facebook. You will not be able to block iPhones on cell service.

I would probably just google the list of IP addresses for facebook and block all IP addresses and call it good. This is probably as good as you can get. If you block DNS they still can access facebook by using a googled IP address without using DNS.
 
I have never used the scripts but I would guess you need to add the IP addresses to the script. Adding facebook.com will not block a web page using the IP address on the web page instead of facebook.com

PS
Here is a test. Try adding facebook.com to your script to block facebook. Then open a web page with http://173.252.110.27. I bet you can access facebook. Let me know the outcome.
 
I think the CIDR you want to block for facebook is 173.252.64.0/18.

PS.

I found another CIDR 69.63.176.0/20. So some research needs to be done to find all CIDRs.

Another CIDR 204.15.20.0/22
More
31.13.24.0/21 31.13.64.0/18 66.220.144.0/20 69.63.176.0/20 69.171.224.0/19 74.119.76.0/22 103.4.96.0/22 173.252.64.0/18 204.15.20.0/22
 
What kind of setting is this with what kind of devices/users?

Why is the block only during work hours? Do you have people coming in outside of these hours with legitimate needs to get to that URL? If not, you can do URL blocking in the router, but depending on what websites people go to in the case of normal working hours, a staggering amount of websites have code in them that calls out to Facebook and will load a bit slower with that URL block happening in the router. I know this from my own experience in trying to filter out tracking/cookies/ads I don't need on my personal LAN and it wasn't a good solution due to sluggishness.

Using OpenDNS on the router and setting up an OpenDNS account that blocks Facebook.com is a lot faster in returning a null response for the URL and affects page loads with little negative consequence, but can be defeated in client devices if you do not have ability to lock down their DNS choice.

If you're doing this in a school/work environment it obviously wouldn't affect mobile devices that also have cellular connectivity or even dedicated apps might still work over wifi to "banned" URLs when the app is designed to look for specific IPs instead of domain names. I've seen that a lot in free public wifi, they will often disallow a specific domain but if there is an app for that service it might still work.

Others that have more experience in parental type filter controls might have some useful insight.

Using OpenDNS to block Facebook is good; the problem is that I need to change it manually after work hours.

I think PrivateJoker covered a lot of the problems associated with blocking facebook. You will not be able to block iPhones on cell service.

I would probably just google the list of IP addresses for facebook and block all IP addresses and call it good. This is probably as good as you can get. If you block DNS they still can access facebook by using a googled IP address without using DNS.

This is not a problem, I just want to block the Facebook URL. :)

You can use scripts in this thread http://www.smallnetbuilder.com/forums/showthread.php?t=12736

And add facebook.com to the list of 127.0.0.1



I have never used the scripts but I would guess you need to add the IP addresses to the script. Adding facebook.com will not block a web page using the IP address on the web page instead of facebook.com

PS
Here is a test. Try adding facebook.com to your script to block facebook. Then open a web page with http://173.252.110.27. I bet you can access facebook. Let me know the outcome.

I think that this will not unlock after work hours. I already blocked 173.252.110.27 in Network Services Filter; I can access Facebook with the URL, but not with this IP.

I found these two links:
http://www.cyberciti.biz/tips/iptables-for-restricting-access-by-time-of-day.html
http://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook

I am thinking that this is more difficult than I was expecting.
 
I had success with this crude script, and this appeared to deter casual access to Facebook, although as previously stated, the CIDR range probably isn't complete?


    #!/bin/sh

    # Log start-up with the script's PID and arguments
    /usr/bin/logger -t "($(basename "$0"))" $$ "Martineau Facebook access configuration starting..... [$*]"

    NOW=$(date +"%Y%m%d-%H%M%S") # current date and time (not used below)

    SUBNET="xxx.xxx.xxx.0/24"   # LAN subnet to restrict

    CIDR1="173.252.64.0/18"
    CIDR2="31.13.72.0/18"       # iptables masks the host bits, so this matches 31.13.64.0/18
    #CIDR3="31.13.81.97"

    # Cron entries to block at 08:00 and unblock at 17:00
    #/usr/sbin/cru a FacebookDENY "0 8 * * * /jffs/scripts/Facebook.sh DENY"
    #/usr/sbin/cru a FacebookALLOW "0 17 * * * /jffs/scripts/Facebook.sh ALLOW"

    # "$1" is quoted so the test does not fail when the script is run without an argument
    if [ "$1" = "DENY" ]; then

        # Drop HTTP/HTTPS from the LAN subnet to the listed ranges
        iptables -I FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR1" -j DROP
        iptables -I FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR2" -j DROP
        #iptables -I FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR3" -j DROP

        /usr/bin/logger -t "($(basename "$0"))" $$ "Martineau Facebook access now BLOCKED"

    elif [ "$1" = "ALLOW" ]; then

        # Remove the DROP rules inserted by DENY
        iptables -D FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR1" -j DROP
        iptables -D FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR2" -j DROP
        #iptables -D FORWARD -p tcp --match multiport --dports 80,443 -s "$SUBNET" -d "$CIDR3" -j DROP

        /usr/bin/logger -t "($(basename "$0"))" $$ "Martineau Facebook access now ALLOWED"

    fi

    /usr/bin/logger -t "($(basename "$0"))" $$ "Martineau Facebook access configuration complete....."

Regards,
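
An added example, not part of the original post and not Martineau's code: a dry-run variant of the same idea that normalizes the CIDR ranges quoted in this thread, drops duplicates, and keeps the DROP rules in a dedicated chain, so running DENY twice cannot leave a stale rule behind after ALLOW. The subnet 192.168.1.0/24 and the chain name FBBLOCK are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands (dry run)
# instead of executing them, so it can be checked off the router.

# Ranges quoted in the thread, plus the script's 31.13.72.0/18. Likely incomplete.
CIDRS="31.13.24.0/21 31.13.64.0/18 31.13.72.0/18 66.220.144.0/20 69.63.176.0/20
69.171.224.0/19 74.119.76.0/22 103.4.96.0/22 173.252.64.0/18 204.15.20.0/22"
SUBNET="192.168.1.0/24"  # assumption: your LAN subnet
CHAIN="FBBLOCK"          # assumption: hypothetical chain name
MATCH="-s $SUBNET -p tcp -m multiport --dports 80,443 -j $CHAIN"

# normalize_cidr A.B.C.D/N: clear host bits, as iptables does when loading a rule
normalize_cidr() {
    ip=${1%/*}; bits=${1#*/}
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    n=$(( n & ((4294967295 << (32 - bits)) & 4294967295) ))
    echo "$(( n >> 24 & 255 )).$(( n >> 16 & 255 )).$(( n >> 8 & 255 )).$(( n & 255 ))/$bits"
}

# unique_networks: normalized list with exact duplicates removed
unique_networks() {
    for c in $CIDRS; do normalize_cidr "$c"; done | sort -u
}

# emit_rules DENY|ALLOW: safe to run repeatedly; never leaves duplicate rules
emit_rules() {
    case "$1" in
    DENY)
        echo "iptables -N $CHAIN 2>/dev/null"
        echo "iptables -F $CHAIN"
        for net in $(unique_networks); do
            echo "iptables -A $CHAIN -d $net -j DROP"
        done
        echo "iptables -D FORWARD $MATCH 2>/dev/null"
        echo "iptables -I FORWARD $MATCH" ;;
    ALLOW)
        echo "iptables -D FORWARD $MATCH 2>/dev/null"
        echo "iptables -F $CHAIN" ;;
    *)  echo "usage: $0 DENY|ALLOW" >&2; return 1 ;;
    esac
}

# Schedule DENY and ALLOW with cru entries like those in the script above.
emit_rules "${1:-DENY}"
```

Pipe the output to `sh` on the router once the printed commands look right.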
 
