block all net but some sites no proxy

Hello!
I need to block all traffic for specified IPs in my network but allow them to enter 4 or 5 websites only!
I know it can be done using MikroTik's proxy, but I already tried it and it messed up my QoS configuration. So how to do it with firewall filter
is the question.
I have been reading posts and info and managed to do some blocking, but not like I want, and most of the internet material is about proxy T_T so a little help would be appreciated!

PS: Sorry for my English.

/ip firewall address-list
add list=blocked-comp address=192.168.1.20-192.168.1.35 comment="Blocked computers"
add list=allow-www address=159.148.147.196 comment="Allow http://www.mikrotik.com"
/ip firewall filter
add chain=forward src-address-list=blocked-comp dst-address-list=allow-www protocol=tcp dst-port=80 action=accept comment="Allow http for some sites"
add chain=forward src-address-list=blocked-comp protocol=tcp dst-port=80 action=drop comment="Block http for other sites"

That's a great idea! Thanks! But just one catch: is there a way to dynamically add allowed sites to the list, or using DNS? Because if they change the numeric IP I will have to manually update them in the rules with nslookup (but some of them can and most likely will change). Maybe with scripting? I'm just guessing here, but it would be the final solution.

/ip firewall address-list
add list=blocked-comp address=192.168.1.20-192.168.1.35 comment="Blocked computers"
/ip firewall filter
add chain=forward src-address-list=blocked-comp dst-address-list=allow-www protocol=tcp dst-port=80 action=accept comment="Allow http for some sites"
add chain=forward src-address-list=blocked-comp protocol=tcp dst-port=80 action=drop comment="Block http for other sites"

System-Scripts:
Name: temp-ip
Policy: write,test,read
Source:

/ip firewall address-list remove [find comment="temporary-IP"];
/ip firewall address-list add list=allow-www  address=[:resolve "google.com"] comment="temporary-IP";
/ip firewall address-list add list=allow-www  address=[:resolve "www.mikrotik.com"] comment="temporary-IP";
/ip firewall address-list add list=allow-www  address=[:resolve "www.anyname.org"] comment="temporary-IP"

System-Scheduler:
Name: temp-ip
Start Date: Dec/20/2014
Start Time: 00:01:00
Interval: 03:00:00
On Event: /system script run temp-ip
Policy: write,test,read
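
Added example, not part of the original reply: a variant of the temp-ip script above that resolves each name before touching its entry, so a failed DNS lookup keeps the previous address instead of stopping the script after the old entries were already removed. The list name and hostnames are the ones used in the thread; the per-site comment text and the log message are assumptions.

```routeros
# Names to allow; same hostnames as in the script above
:local sites {"google.com";"www.mikrotik.com";"www.anyname.org"}

:foreach site in=$sites do={
    :do {
        # Resolve first: if this fails, control jumps to on-error and
        # the entry from the previous run is left untouched
        :local ip [:resolve $site]
        # Per-site comment (assumed format) so only this site's entry is replaced
        :local tag ("temporary-IP " . $site)
        /ip firewall address-list remove [find list=allow-www comment=$tag]
        /ip firewall address-list add list=allow-www address=$ip comment=$tag
    } on-error={
        :log warning ("temp-ip: could not resolve " . $site . ", keeping previous entry")
    }
}
```

Like the original, this stores the single address that :resolve returns for each name on each run.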

Hey, thanks! I did it already with filter rules and a layer 7 protocol, and it's working with the first rules you gave me,
like this:
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"
/ip firewall filter
add chain=forward src-address-list=block layer7-protocol=facebook action=add-dst-to-address-list address-list=facebookips address-list-timeout=1:00:00
Do you think this should work fine? It sure looks like it does, but I don't want to give bad advice.
Many thanks for your help!
EDIT: The catching IPs part is working fine, but when I try to enter one of the allowed sites it takes a lot of time to fully load, but eventually it does. I added dst port 80,443 in the original rules to block HTTPS requests as well. Do you think this has something to do with my problem? I did it because any site with an HTTPS connection would still work with the original rule.

Well, a lot has happened since my last post, so here is the update.
With the rules you gave there was no way to make it work correctly; the problem I posted before was beyond solution. Someone from another forum gave me the idea of doing it at DNS level, so the connection would be marked for UDP port 53 and layer 7 protocol. Well, it has more or less the same problem. It blocks everything (unlike the rule before, which allowed 443 navigation) and the allowed sites open quickly but not fully, i.e. YouTube loads but some ads say “cant resolve dns”, some video previews appear as broken, etc., and it happens in every single site.
The rules I have are the following:
# "block" is the list of IPs I am trying to allow/block web surfing for
/ip firewall nat
add chain=dstnat src-address-list=block protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"
/ip firewall filter
add chain=input in-interface=lan src-address-list=block protocol=udp dst-port=53 layer7-protocol=facebook action=accept
add chain=input in-interface=lan src-address-list=block protocol=udp dst-port=53 action=drop
The same rules repeat for all the sites I want to allow.
Here is the problem: I had to do the accept and drop rules in the output or forward chains, but they only mark packets in the input chain, so I get the problem from before. Is there someone who can tell me why this is happening?
Thanks, and merry Christmas to everyone!