blocking specific site on ASUS RT N66R

[jbl100]

How can I block a specific site, say facebook.com, for certain time of the day, on ASUS RT N66R (with the latest firmware)? For example, I want to restrict facebook access for certain time of a day.

I see that "Firewall - Network Services Filter" allow me to put target IP and ports, I tried put:

destination IP: 67.63.55.3
port: 1:9999

but I can still load http://facebook.com

I would appreciate your help. Thanks!

(p.s., I can use keyword filter or url filter tabs to filter out facebook.com, but there is no control on time, it is either completely blocked or completely open)

 

[ColinTaylor]

I believe Facebook also uses ports in the range 32768 to 61000. So try blocking all ports.

If you leave the Port Range empty it should block all ports otherwise you would have to specify 1:65535.

Also make sure the protocol is TCP, not TCP ALL.

Are you sure 67.63.55.3 is facebook.com. It doesn't seem to be assigned to them.

 

[jbl100]

Actually I am not sure what address to enter either. Search on line, various sites say that facebook can have many different ip address, e.g.,

66.220.144.0 - 66.220.159.255
69.63.176.0 - 69.63.191.255
69.171.224.0 - 69.171.255.255

I tried blocking by enter

66.220.*.*
69.63.*.*
69.170.*.*

as destinations, selected TCP as protocols, clicked "apply". But I can still access facebook.com after this.

How can I achieve what I want to achieve, which is to block facebook for certain time of the day?

I wish asus can give the option to specify time in their "url filter" tab.

 

[ColinTaylor]

Large companies will have different IP addresses in different parts of the world. They usually have more than one IP in each region so it can change from day to day or even minute to minute.

Use nslookup to find out the IP address in your region at this moment in time. i.e.

C:\Users\Colin>nslookup [B]facebook.com[/B]
Server:  router.asus.com
Address:  192.168.1.1

Non-authoritative answer:
Name:    facebook.com
Addresses:  2a03:2880:2130:cf05:face:b00c:0:1
          [B]173.252.120.6[/B]


C:\Users\Colin>nslookup [B]www.facebook.com[/B]
Server:  router.asus.com
Address:  192.168.1.1

Non-authoritative answer:
Name:    star.c10r.facebook.com
Addresses:  2a03:2880:f01c:f01:face:b00c:0:1
          [B]31.13.93.97[/B]
Aliases:  www.facebook.com

 

[user2k10]

Facebook IP addresses can be obtained with the following command:-

whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq

whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | \
sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq > facebook.lst

ipset -N Facebook nethash
for IP in `cat facebook.lst`
do
    ipset -A Facebook $IP
done

iptables -I FORWARD -m set --match-set Facebook src,dst -j DROP

facebook.lst

31.13.24.0/21
31.13.64.0/18
31.13.64.0/19
31.13.64.0/24
31.13.65.0/24
31.13.66.0/24
31.13.67.0/24
31.13.68.0/24
31.13.69.0/24
31.13.70.0/24
31.13.71.0/24
31.13.72.0/24
31.13.73.0/24
31.13.74.0/24
31.13.75.0/24
31.13.76.0/24
31.13.77.0/24
31.13.78.0/24
31.13.79.0/24
31.13.80.0/24
31.13.81.0/24
31.13.82.0/24
31.13.83.0/24
31.13.84.0/24
31.13.85.0/24
31.13.86.0/24
31.13.87.0/24
31.13.88.0/24
31.13.89.0/24
31.13.90.0/24
31.13.91.0/24
31.13.92.0/24
31.13.93.0/24
31.13.94.0/24
31.13.95.0/24
31.13.96.0/19
45.64.40.0/22
66.220.144.0/20
66.220.144.0/21
66.220.152.0/21
66.220.159.0/24
69.63.176.0/20
69.63.176.0/21
69.63.176.0/24
69.63.178.0/24
69.63.184.0/21
69.63.186.0/24
69.171.224.0/19
69.171.224.0/20
69.171.239.0/24
69.171.240.0/20
69.171.253.0/24
69.171.255.0/24
74.119.76.0/22
103.4.96.0/22
173.252.64.0/18
173.252.64.0/19
173.252.70.0/24
173.252.96.0/19
179.60.192.0/22
179.60.192.0/24
179.60.193.0/24
179.60.194.0/24
179.60.195.0/24
185.60.216.0/22
204.15.20.0/22

 

[ColinTaylor]

Thanks for the tip user2k10. Although I don't think many people will have whois installed on their computers.

 

[user2k10]

You can also get the Facebook IP addresses from this site:-

http://bgp.he.net/AS32934#_prefixes