Skype Blocking Mikrotik

/ip firewall address-list
add address=111.221.74.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=111.221.77.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.130.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.235.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.56.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.56.52.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=194.165.188.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=195.46.253.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=213.199.179.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=63.245.217.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=64.4.23.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=65.55.223.0/24 comment=disable_skype disabled=no list=skype_servers_z
 
 
/ip firewall filter
add action=drop chain=forward disabled=no dst-address-list=skype_servers_z
After blocking, the result is that Skype cannot connect.

Script to catch all URL names containing SKYPE from the DNS cache and add them to an ADDRESS LIST

Today, a very good friend (VirtualIT SupporT) shared a script that finds every DNS cache entry with 'Skype' in its name and adds its IP address to an address list. Schedule the script to run every 10-15 minutes; each run checks every entry in the DNS cache and adds the address of any name containing 'skype' to the address list skype_dns_ips. You can then block this list with a firewall filter rule in the forward chain.
Just copy and paste the following code into the terminal, then schedule it or run it manually. Try to log in to Skype a few times and run the script; each run adds a few more IP addresses to the list. :)

/system script
add name=skype_script policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":foreach i in=[/ip dns cache find] do={\r\
\n    :local bNew \"true\";\r\
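\n    :local cacheName [/ip dns cache get \$i name] ;\r\
\n#    :put \$cacheName;\r\
\n\r\
\n# :find returns nil when there is no match, so test the type (a match at position 0 counts too)\r\
\n    :if ([:typeof [:find \$cacheName \"skype\"]] != \"nil\") do={\r\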
\n\r\
\n        :local tmpAddress [/ip dns cache get \$i address] ;\r\
\n#\t:put \$tmpAddress;\r\
\n\r\
\n# if address list is empty do not check\r\
\n        :if ( [/ip firewall address-list find ] = \"\") do={\r\
\n            :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n            /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n        } else={\r\
\n            :foreach j in=[/ip firewall address-list find ] do={\r\
\n                :if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\r\
\n                    :set bNew \"false\";\r\
\n                }\r\
\n            }\r\
\n            :if ( \$bNew = \"true\" ) do={\r\
\n                :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n                /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n            }\r\
\n        }\r\
\n    }\r\
\n}"
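
The post asks for the script to be scheduled and for the collected list to be dropped in the forward chain, but shows neither command. The following is an added example, not part of the original post: `skype_script` and `skype_dns_ips` are the names used by the script above, while the scheduler name `skype_dns_scan`, the 10-minute interval and the log prefix are assumptions.

```routeros
# Added example (not from the original post). Names marked "assumed" are illustrative.

# Run the DNS-cache scan every 10 minutes (the post suggests 10-15 minutes).
# skype_dns_scan is an assumed scheduler name; skype_script is the script added above.
/system scheduler
add name=skype_dns_scan interval=10m on-event=skype_script comment=disable_skype

# Drop forwarded traffic to every address the script has collected.
# Rules are evaluated in order, so this rule must sit above any forward-chain
# accept rule that would otherwise match the same traffic first.
# log-prefix is an assumed value; logging shows which clients still try to connect.
/ip firewall filter
add action=drop chain=forward dst-address-list=skype_dns_ips log=yes log-prefix=skype_drop comment=disable_skype

# Verify: addresses collected so far, counters on the new drop rule,
# and the "added entry" lines the script writes to the log.
/ip firewall address-list print where list=skype_dns_ips
/ip firewall filter print stats where comment=disable_skype
/log print where message~"added entry"
```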

Comments

  1. Hello friend! It really works! I was breaking my head to find a solution to block that shit in my network!
