Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

RouterOS Beginner Basics
1

Hi everyone,
First sorry for my bad english.

Just installed a 2011iL as router/firewall for the company. Behind 2011iL is the LAN, where I have a windows domain (AD), and some Linux machines.
Routing and firewall works as a charm, so no problems here.
What I’m interested in: to log on Linux machine all traffic per IP (CEO wants to know where employees surf, who downloads, who uploads, and so on)
In AD DHCP, all IP’s are reserverd by MAC address.

Also, i blocked many sites using transparent proxy in MikroTik, but https (facebook) cannot be blocked (I tried with L7, with facebook IP’s blocked in firewall - in rules)

Any sugestions please?
Thanks in advance.

2

Block all traffic to https (tcp 443) except https directed to trusted sites.

3

On your linux machine you could use a Netflow Collector/Analyser and export flows from the MikroTik for a full rundown per IP etc

Or you could move DHCP to the MikroTik and use RADIUS accounting.

4

The user ask how to block https facebook, not this thing you have described.

5

See the MAIN question of his post (in bold):

Which Netflow will achieve by sending flow information, which includes by which IP, or by RouterOS using RADIUS accounting if it was the DHCP server (not the Domain Controller)

6

Thanks for your answers,

  1. I cannot block https port and then open only for trusted sites, because they are a lot. Is possible to combine the rule like accepting all 443 for content NOT = facebook.com? (something like that):
    chain=forward action=accept protocol=tcp dst-port=443 content=!facebook.com
    and eventually combined with !layer7 = FaceBook (where Facebook = “^.+(facebook.com).*$”)

  2. I cannot move DHCP server on MikroTik - this is done by AD Server, with DHCP and DNS working on it, and also a rule by allowing or not a LAN card MAC address (if MAC address exists in a list (text file) then computer is allowed to get IP from DHCP. If not, it will get a 169.254… - only known computers can get IP from DHCP)

Is a chance to install a Radius server on Linux, and auth on it? As i said, i’m not familiar with RouterOS, i only managed to do a simple config, as router and firewall, with some simple rules on it.

Thanks again

7

In that case, you can use netflow collector/analyser (see ‘ntop’) on linux and have the routerboard send flows for your external interface (if you only want to count data going out to the internet and not internal data). It will be able to display stats by IP etc if you configure it right

8

Thanks, I will try to install on a Linux machine, and will see.

With facebook, I guess i solved:

6 ;;; Filter Rule to block FB adress LIST
chain=forward action=reject reject-with=icmp-net-prohibited protocol=tcp src-address=192.168.1.0/24 fragment=no
src-address-list=!IT dst-address-list=facebook_dns_ips hotspot=“” dst-port=443 port=“”
7 chain=forward action=reject reject-with=icmp-net-prohibited protocol=tcp src-address=192.168.1.0/24
src-address-list=!IT dst-port=443 content=facebook
8 ;;; Filter Rule to block FB adress LIST
chain=forward action=reject reject-with=icmp-admin-prohibited protocol=tcp fragment=no
dst-address-list=facebook_dns_ips hotspot=“” dst-port=443 port=“”

where address-list = facebook_dns_ips is a list generated by a script, which put in the list all IPs found for facebook.com (the script was copied from an article found on net)

I tried to connect to facebook.com from some computers, and I got a “IE cannot display the webpage” what is enough for me.

9

can you share the script that collects facebook ips and put them into an address-list???

10

Google is your friend

http://tinyurl.com/pduxu8o

http://aacable.wordpress.com/2014/02/11/blocking-httphttps-facebook-via-automated-address-list/

11

Thanks you patrikg!
Something like that indeed. I found the script on google, copied as new script, then put a schedule… and it works.

12 
# Script to add Facebook DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com
# Script Source: N/A / GOOGLE : )
 
:log warning "Script Started ... Adding Facebook DNS ip's to address list name   facebook_dns_ips"
:foreach i in=[/ip dns cache find] do={
:local bNew "true";
:local cacheName [/ip dns cache all get $i name] ;
:if ([:find $cacheName "facebook"] != 0) do={
:local tmpAddress [/ip dns cache get $i address] ;
:put $tmpAddress;
:if ( [/ip firewall address-list find ] = "") do={
:log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
/ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
} else={
:foreach j in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
:set bNew "false";
}
}
:if ( $bNew = "true" ) do={
:log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
/ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
}
}
}
}
# FB DNS IP ADD Script Ended ...

this script looks fine… but as far i can see it searches for the key word “facebook” in our dns cache.
that is enough if you want to block facebook but if you want to route facebook to a specific gateway it is not enough.
You have to search for the key words “facebook.com” OR “facebook.net” OR “fbcdn.net”… i don’t know if i’m missing something else.

how can i modify this script to make it search for more than only one key word???

sorry for my poor english

13

Guess you can copy this script many times, each time replacing “facebook” with what do you want.
And run by schedule all scripts.
Just a thought.

14

With scripting can be done better…

If I have the time, I rewrite this mess…

15

I dont know scripting, so for me was enough that it worked.

16

copying the script many times… that’s a solution, but not a good solution
this code must be replaced by an OR … OR… OR.. OR…

:if ([:find $cacheName "fbcdn.net"] != 0)
17

Once writed correctly for only one dns entry,
can be modified to accept array as input, instead of make more “OR”

18

I’ve made some modifications to the script above
here it is…

# Script to add Facebook DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com / mod by kolorasta
# Script Source: N/A / GOOGLE : )
 
:log warning "Script Started ... Adding Facebook DNS ip's to address list name   facebook_dns_ips"
:foreach i in=[/ip dns cache find] do={
:if ([/ip dns cache all get $i type]="A") do={
:local bNew "true";
:local cacheName [/ip dns cache all get $i name] ;
:if ([:find $cacheName ".fbcdn.net"] != 0 or [:find $cacheName ".facebook.com"] != 0) do={
:local tmpAddress [/ip dns cache get $i address] ;
:put $tmpAddress;
:if ( [/ip firewall address-list find ] = "") do={
:log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
/ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
} else={
:foreach j in=[/ip firewall address-list find ] do={
:if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
:set bNew "false";
}
}
:if ( $bNew = "true" ) do={
:log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
/ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
}
}
}
}
}
:log warning "Script Finished ... Adding Facebook DNS ip's to address list name   facebook_dns_ips"
# FB DNS IP ADD Script Ended ...

first i added this line

:if ([/ip dns cache all get $i type]="A") do={

because i have to process only A records… without this line, the code will hang when a AAAA record is found

then i modified this line

:if ([:find $cacheName ".fbcdn.net"] != 0 or [:find $cacheName ".facebook.com"] != 0) do={

it is wrong to search for “facebook” key word, because sites like “www.facebooklovers.com” or “facebook.mysite.com” would be included, and i don’t want that. that’s wrong because they are not facebook. I have to search for “.facebook.com” or “.fbcdn.net”. Those are facebook domains.

sorry for my english

19

and facebook.uk, facebook.us, facebook.it, etc.?


and simple “facebook.com” without “www.”?

:wink: