have you tried doing a
You need to block the IP Addresses that facebook.com resolves to in your location. It may not be the two ranges you have blocked there.
For example, I see:
Serenity:Mikrotik alexander$ dig @184.108.40.206 facebook.com
; <<>> DiG 9.8.3-P1 <<>> @220.127.116.11 facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;facebook.com. IN A
;; ANSWER SECTION:
facebook.com. 69 IN A 18.104.22.168
;; Query time: 49 msec
;; SERVER: 22.214.171.124#53(8.8.8.
;; WHEN: Tue Aug 27 20:09:22 2013
;; MSG SIZE rcvd: 46
When I do a dig I get that address, which when I do a whois comes from the following IP block assigned to Facebook: 126.96.36.199/18, and therefore my Facebook surfing wouldn't be blocked.
You would need to try to find all of them. I think he.net would be a good place to be looking for these addresses.
This page here lists the IPv4 addresses, and you can click the link for IPv6 ones as well.
So I would suggest that to block Facebook right now you would need to block this entire list. My advice would be to create an address list called "facebook" or something similar and create a rule that allows traffic from the permitted IP addresses to that address list, then one that blocks all traffic to that address list. This keeps your rule list simpler and I think will also make the rules more efficient.
One more thing to look at is the chain you are using. From what I can see you are using some kind of NAT, as you are using RFC1918 space for internal addresses, so you may have to put the rules in another chain to catch the traffic (sorry, I can't check this out right now and my brain isn't working 100% - toothache).
I may look at writing a guide to blocking things like this for future use making use of address lists. I may even look at creating a BGP feed of popular block entities so people can screen these things automatically from BGP.
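The address-list layout the reply describes, as an added RouterOS CLI example that is not the poster's own configuration. It assumes a hypothetical permitted host 192.168.88.10 on the LAN, seeds the list with only the /18 quoted above (the rest of the ranges would be added the same way), and puts the rules in the forward chain, which is the chain LAN-to-Internet traffic traverses before srcnat on a NAT router.

```routeros
# Address list holding the Facebook ranges found via whois / he.net.
# Only the one /18 from the post is shown; add further entries the same way.
/ip firewall address-list
add list=facebook address=126.96.36.199/18 comment="facebook range from whois (example)"

# Hosts that are still allowed to reach Facebook (hypothetical example host).
/ip firewall address-list
add list=facebook-allowed address=192.168.88.10 comment="permitted LAN host (example)"

# Rule order matters: the accept for permitted hosts must come before the drop.
# Forward chain is used because the LAN sits behind NAT (RFC1918 space); the
# filter forward chain sees the traffic before srcnat rewrites the source.
/ip firewall filter
add chain=forward src-address-list=facebook-allowed dst-address-list=facebook \
    action=accept comment="permitted hosts -> facebook"
add chain=forward dst-address-list=facebook action=drop \
    comment="drop everyone else -> facebook"
```

Check it with `/ip firewall filter print stats` after browsing from a non-permitted host: the drop rule's packet counter should increase while the accept rule's stays at zero.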