bdusmanu
just joined
Topic Author
Posts: 6
Joined: Wed May 07, 2014 1:27 pm
Location: Bucharest, Romania

Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Fri May 09, 2014 9:41 am

Hi everyone,
First, sorry for my bad English.

Just installed a 2011iL as router/firewall for the company. Behind the 2011iL is the LAN, where I have a Windows domain (AD) and some Linux machines.
Routing and firewall work like a charm, so no problems here.
What I'm interested in: logging on a Linux machine all traffic per IP (the CEO wants to know where employees surf, who downloads, who uploads, and so on).
In AD DHCP, all IPs are reserved by MAC address.

Also, I blocked many sites using the transparent proxy in MikroTik, but HTTPS (Facebook) cannot be blocked (I tried with L7, and with Facebook IPs blocked in firewall rules).

Any suggestions, please?
Thanks in advance.
Best Regards,

-----------------------
RB2011iL - at work
RB751U-2HnD - at home
-----------------------
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sun May 11, 2014 4:24 am

Block all traffic to HTTPS (TCP 443) except HTTPS directed to trusted sites.
I'm Italian, not English. Sorry for my imperfect grammar.
 
joegoldman
Member
Posts: 498
Joined: Mon May 27, 2013 2:05 am

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sun May 11, 2014 12:02 pm

On your Linux machine you could use a NetFlow collector/analyser and export flows from the MikroTik for a full rundown per IP etc.

Or you could move DHCP to the MikroTik and use RADIUS accounting.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sun May 11, 2014 5:49 pm

> On your Linux machine you could use a NetFlow collector/analyser and export flows from the MikroTik for a full rundown per IP etc.
>
> Or you could move DHCP to the MikroTik and use RADIUS accounting.
The user asks how to block HTTPS Facebook, not this thing you have described.
I'm Italian, not English. Sorry for my imperfect grammar.
 
joegoldman
Member
Posts: 498
Joined: Mon May 27, 2013 2:05 am

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Mon May 12, 2014 7:27 am

> The user asks how to block HTTPS Facebook, not this thing you have described.
See the MAIN question of his post (in bold):
> Hi everyone,
> First, sorry for my bad English.
>
> Just installed a 2011iL as router/firewall for the company. Behind the 2011iL is the LAN, where I have a Windows domain (AD) and some Linux machines.
> Routing and firewall work like a charm, so no problems here.
> What I'm interested in: logging on a Linux machine all traffic per IP (the CEO wants to know where employees surf, who downloads, who uploads, and so on).
> In AD DHCP, all IPs are reserved by MAC address.
>
> Also, I blocked many sites using the transparent proxy in MikroTik, but HTTPS (Facebook) cannot be blocked (I tried with L7, and with Facebook IPs blocked in firewall rules).
>
> Any suggestions, please?
> Thanks in advance.
Which NetFlow will achieve by sending flow information (which includes which IP it came from), or RouterOS will, using RADIUS accounting, if it were the DHCP server (not the Domain Controller).
 
bdusmanu
just joined
Topic Author
Posts: 6
Joined: Wed May 07, 2014 1:27 pm
Location: Bucharest, Romania

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Mon May 12, 2014 9:07 am

Thanks for your answers,

1. I cannot block the HTTPS port and then open it only for trusted sites, because there are a lot of them. Is it possible to combine the rule, like accepting all 443 for content NOT = facebook.com? (something like that):
chain=forward action=accept protocol=tcp dst-port=443 content=!facebook.com
and eventually combined with !layer7 = FaceBook (where FaceBook = "^.+(facebook.com).*$")

2. I cannot move the DHCP server to MikroTik - this is done by the AD server, with DHCP and DNS running on it, and also a rule allowing or not a LAN card MAC address (if the MAC address exists in a list (text file) then the computer is allowed to get an IP from DHCP. If not, it will get a 169.254...... - only known computers can get an IP from DHCP)

Is there a chance to install a RADIUS server on Linux and authenticate on it? As I said, I'm not familiar with RouterOS; I only managed to do a simple config, as router and firewall, with some simple rules on it.

Thanks again
Best Regards,

-----------------------
RB2011iL - at work
RB751U-2HnD - at home
-----------------------
 
joegoldman
Member
Posts: 498
Joined: Mon May 27, 2013 2:05 am

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Mon May 12, 2014 1:29 pm

> 2. I cannot move the DHCP server to MikroTik - this is done by the AD server, with DHCP and DNS running on it, and also a rule allowing or not a LAN card MAC address (if the MAC address exists in a list (text file) then the computer is allowed to get an IP from DHCP. If not, it will get a 169.254...... - only known computers can get an IP from DHCP)
In that case, you can use a NetFlow collector/analyser (see 'ntop') on Linux and have the routerboard send flows for your external interface (if you only want to count data going out to the internet and not internal data). It will be able to display stats by IP etc. if you configure it right.
 
bdusmanu
just joined
Topic Author
Posts: 6
Joined: Wed May 07, 2014 1:27 pm
Location: Bucharest, Romania

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Mon May 12, 2014 2:21 pm

Thanks, I will try to install it on a Linux machine and see.

With Facebook, I guess I solved it:

6 ;;; Filter Rule to block FB adress LIST
chain=forward action=reject reject-with=icmp-net-prohibited protocol=tcp src-address=192.168.1.0/24 fragment=no
src-address-list=!IT dst-address-list=facebook_dns_ips hotspot="" dst-port=443 port=""
7 chain=forward action=reject reject-with=icmp-net-prohibited protocol=tcp src-address=192.168.1.0/24
src-address-list=!IT dst-port=443 content=facebook
8 ;;; Filter Rule to block FB adress LIST
chain=forward action=reject reject-with=icmp-admin-prohibited protocol=tcp fragment=no
dst-address-list=facebook_dns_ips hotspot="" dst-port=443 port=""

where address-list = facebook_dns_ips is a list generated by a script, which puts in the list all IPs found for facebook.com (the script was copied from an article found on the net).

I tried to connect to facebook.com from some computers, and I got an "IE cannot display the webpage", which is enough for me.
Best Regards,

-----------------------
RB2011iL - at work
RB751U-2HnD - at home
-----------------------
 
kolorasta
Member Candidate
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Fri May 23, 2014 11:52 pm

Can you share the script that collects Facebook IPs and puts them into an address-list?
 
patrikg
Member Candidate
Posts: 155
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 11:24 am

 
bdusmanu
just joined
Topic Author
Posts: 6
Joined: Wed May 07, 2014 1:27 pm
Location: Bucharest, Romania

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 3:24 pm

Thank you, patrikg!
Something like that indeed. I found the script on Google, copied it as a new script, then put a schedule on it... and it works.
Best Regards,

-----------------------
RB2011iL - at work
RB751U-2HnD - at home
-----------------------
 
kolorasta
Member Candidate
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 3:29 pm

# Script to add Facebook DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com
# Script Source: N/A / GOOGLE : )

:log warning "Script Started ... Adding Facebook DNS ip's to address list name   facebook_dns_ips"
# Walk every entry currently in the router's DNS cache
:foreach i in=[/ip dns cache find] do={
    :local bNew "true";
    :local cacheName [/ip dns cache all get $i name] ;
    # Match cached names where "facebook" is found past position 0 (a bare "facebook.com" is skipped)
    :if ([:find $cacheName "facebook"] != 0) do={
        :local tmpAddress [/ip dns cache get $i address] ;
        :put $tmpAddress;
        # Look only at our own list; an unscoped "find" would compare against every address-list on the router
        :if ( [/ip firewall address-list find list=facebook_dns_ips] = "") do={
            :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
        } else={
            # Skip addresses already present in the list
            :foreach j in=[/ip firewall address-list find list=facebook_dns_ips] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew "false";
                }
            }
            :if ( $bNew = "true" ) do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
            }
        }
    }
}
# FB DNS IP ADD Script Ended ...
This script looks fine... but as far as I can see it searches for the keyword "facebook" in our DNS cache.
That is enough if you want to block Facebook, but if you want to route Facebook to a specific gateway it is not enough.
You have to search for the keywords "facebook.com" OR "facebook.net" OR "fbcdn.net"... I don't know if I'm missing something else.

How can I modify this script to make it search for more than only one keyword?

Sorry for my poor English.
Last edited by kolorasta on Sat May 24, 2014 3:43 pm, edited 1 time in total.
 
bdusmanu
just joined
Topic Author
Posts: 6
Joined: Wed May 07, 2014 1:27 pm
Location: Bucharest, Romania

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 3:33 pm

Guess you can copy this script many times, each time replacing "facebook" with what you want,
and run all the scripts by schedule.
Just a thought.
Best Regards,

-----------------------
RB2011iL - at work
RB751U-2HnD - at home
-----------------------
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 3:38 pm

With scripting it can be done better...

If I have the time, I will rewrite this mess...
I'm Italian, not English. Sorry for my imperfect grammar.
 
bdusmanu
just joined
Topic Author
Posts: 6
Joined: Wed May 07, 2014 1:27 pm
Location: Bucharest, Romania

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 3:42 pm

I don't know scripting, so for me it was enough that it worked.
Best Regards,

-----------------------
RB2011iL - at work
RB751U-2HnD - at home
-----------------------
 
kolorasta
Member Candidate
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 3:46 pm

Copying the script many times... that's a solution, but not a good solution.
This code must be replaced by an OR ... OR ... OR ... OR ...:
:if ([:find $cacheName "fbcdn.net"] != 0)
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Sat May 24, 2014 4:11 pm

Once written correctly for only one DNS entry,
it can be modified to accept an array as input, instead of making more "OR"s.
I'm Italian, not English. Sorry for my imperfect grammar.
 
kolorasta
Member Candidate
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Tue May 27, 2014 5:59 am

I've made some modifications to the script above.
Here it is...
# Script to add Facebook DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com / mod by kolorasta
# Script Source: N/A / GOOGLE : )

:log warning "Script Started ... Adding Facebook DNS ip's to address list name   facebook_dns_ips"
:foreach i in=[/ip dns cache find] do={
    # Only A records carry an IPv4 address usable in the list
    :if ([/ip dns cache all get $i type]="A") do={
        :local bNew "true";
        :local cacheName [/ip dns cache all get $i name] ;
        # Keep names under .fbcdn.net or .facebook.com (a bare "facebook.com" has no leading dot and does not match)
        :if ([:find $cacheName ".fbcdn.net"] != 0 or [:find $cacheName ".facebook.com"] != 0) do={
            :local tmpAddress [/ip dns cache get $i address] ;
            :put $tmpAddress;
            # Look only at our own list; an unscoped "find" would compare against every address-list on the router
            :if ( [/ip firewall address-list find list=facebook_dns_ips] = "") do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
            } else={
                # Skip addresses already present in the list
                :foreach j in=[/ip firewall address-list find list=facebook_dns_ips] do={
                    :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                        :set bNew "false";
                    }
                }
                :if ( $bNew = "true" ) do={
                    :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                    /ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName;
                }
            }
        }
    }
}
:log warning "Script Finished ... Adding Facebook DNS ip's to address list name   facebook_dns_ips"
# FB DNS IP ADD Script Ended ...
First I added this line:
:if ([/ip dns cache all get $i type]="A") do={
because I have to process only A records... without this line, the code will hang when an AAAA record is found.

Then I modified this line:
:if ([:find $cacheName ".fbcdn.net"] != 0 or [:find $cacheName ".facebook.com"] != 0) do={
It is wrong to search for the "facebook" keyword, because sites like "www.facebooklovers.com" or "facebook.mysite.com" would be included, and I don't want that. That's wrong because they are not Facebook. I have to search for ".facebook.com" or ".fbcdn.net". Those are Facebook domains.

Sorry for my English.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Windows domain AD, MikroTik 2011iL, and Linux (Ubuntu)

Tue May 27, 2014 8:30 pm

And facebook.uk, facebook.us, facebook.it, etc.?

And simple "facebook.com" without "www."?

:wink:
I'm Italian, not English. Sorry for my imperfect grammar.
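Kolorasta's suffix test and rextended's two objections (regional names such as facebook.it, and a bare facebook.com with no "www.") come down to one matching rule: a cached name belongs to the zone when it equals a listed domain or ends in "." followed by that domain. The Python below is an added example, not code from this thread or from RouterOS; it applies that rule to a constructed stand-in for the DNS cache, keeps only A records, and de-duplicates against the target list alone. The domain tuple, the sample cache lines and the 203.0.113.x addresses are assumptions.

```python
import ipaddress

# Assumed zone list: the domains named in the thread; extend it with
# facebook.it, facebook.uk, ... as rextended's point requires.
BLOCK_DOMAINS = ("facebook.com", "fbcdn.net")

# Constructed stand-in for "/ip dns cache print": name, type, address.
SAMPLE_CACHE = [
    "www.facebook.com A 203.0.113.10",
    "facebook.com A 203.0.113.11",            # bare name: a ".facebook.com" test misses it
    "static.xx.fbcdn.net A 203.0.113.12",
    "www.facebooklovers.com A 203.0.113.20",  # a plain "facebook" substring test matches this
    "facebook.mysite.com A 203.0.113.21",     # ...and this
    "www.facebook.com AAAA 2001:db8::1",      # not an A record, must be skipped
    "star.c10r.facebook.com A 203.0.113.10",  # same address as the first line
]
# Constructed (list, address) pairs already present in the firewall.
EXISTING = {("IT", "203.0.113.10"), ("facebook_dns_ips", "203.0.113.12")}

def name_in_zone(name, domains=BLOCK_DOMAINS):
    """True if name is one of the domains or a subdomain of one of them."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in domains)

def collect_new_entries(cache_lines, existing, list_name="facebook_dns_ips"):
    """Return (address, comment) pairs still missing from list_name.
    De-duplication is scoped to that list: the thread's script compared against
    every address-list, so an IP already in "IT" never reached facebook_dns_ips."""
    seen = {addr for (lst, addr) in existing if lst == list_name}
    to_add = []
    for line in cache_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rtype, addr = parts
        if rtype != "A" or not name_in_zone(name):
            continue
        try:
            ipaddress.IPv4Address(addr)   # an A record must carry an IPv4 address
        except ValueError:
            continue
        if addr not in seen:
            seen.add(addr)
            to_add.append((addr, name))
    return to_add

if __name__ == "__main__":
    for addr, comment in collect_new_entries(SAMPLE_CACHE, EXISTING):
        print(f"add address={addr} list=facebook_dns_ips comment={comment}")
```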
