How to block all websites except special website

NorouziFar · July 23, 2017, 8:49am

hi

i have a router RB750 with update 6.39.2
i have 1 lan and 3 wan link
lan =192.168.10.0/24
wan1=192.168.1.2 dns=192.168.1.1
wan2=192.168.2.2 Dns = 192.168.2.1
wan3=192.168.3.2 dns=192.168.3.1

now i want to block all website except :
188.209.176.6
188.209.176.7
188.209.176.6:462
188.209.176.9:7302
farzin.com
google.com
mikrotik.com

i have rule in magle for divided clients to 3 group for example :
ip firewall magle → chain:prerouting → src.address : 192.168.10.125 → action : mark routing → new routing mark : Group A

Route → Gatwaye : 192.168.1.1 → routing mark : Group A
how can i do it ?
i read a lot of topic but i was unsuccessful

steinbergs · July 24, 2017, 8:29am

You could use Web Proxy if it’s not HTTPS.

aarango · July 25, 2017, 12:49pm

If you block all except google they can’t search anything because you are dropping all searchs.

BTW, why can’t you block it if to use HTTPS?

steinbergs · July 26, 2017, 4:55am

I ment: you can’t use https on a transparent proxy.

aarango · July 26, 2017, 7:07am

Okey! now yes. I have a question about that, maybe you can reply me correctly. If I want to use a transparent proxy (squid for example), I will see all traffic on my net, right? Don’t care that they use port 80 or 443 (https), or will I see only traffic using port 80 without SSL?
Thanks.

normis · July 26, 2017, 7:10am

No. Your transparent proxy setup involves a NAT rule where you redirect only TCP Port 80 to the proxy. You will not redirect port 443, because SSL can’t be proxied like that.

aarango · July 26, 2017, 7:31am

Thanks normis, what way could I audit SSL traffic? not content of course.

steinbergs · July 26, 2017, 9:19am

I use GPO to force proxy settings on my users. This way I can use proxy for port 80, 443…

NorouziFar · July 29, 2017, 7:47am

please answer my question ???

Comutelperu · July 29, 2017, 9:28am

Is more easy with out Webproxy, because You can use another services in any port (443, etc).
Step 1: Make an address list with a correct sites, remember now is possible add domain mame directly Ver. 6.34 over the address list. (Aproved)
Step 2: An address list with your local network addresses. (Local-lan)
Step 3: Make a filter rule (On first order) for accept the trafic for all local-lan ti local-lan. Any port, any protocol.
Step 4: Make a filter rule (On second order) for drop all trafic diferent to ! Aproved address list. Remember ! Aproved. (Any port, any protocol)
In this moment I’m writing frontera my cell phone and nota is possible send you the script, but maybe more later is possible.

xaman · May 25, 2018, 10:43am

Yeah! it is really good solution that you have provided.
Thank you for sharing.

Xaman