When you’re trying to block certain sites from within a network there are a couple of different things to consider: Is the purpose to just restrict access to a company website, or is the purpose to block everything from a whole site or company? The process is a little different depending on the answer to this question. No matter – both will be covered in this article, in which I’ll show you how to block Facebook, YouTube, MySpace, or any other websites by IP addresses.
There are certainly relatively easy methods that exist to allow the blocking of specific websites by IP address or addresses (IPv4 and IPv6). The real question is: Why not use a more comprehensive solution that can deal with the potential changes in addressing? For those that require this ability this article covers the basics of how to research these addresses.
The blocking of specific large websites via IP can be very troublesome because the IP address being used for the site can be different depending on where the accessing host is located, or whether load balancing is being used across multiple addresses among other things. The best thing to do is to perform a number of Domain Name Service (DNS) lookups to try to determine as many IP addresses being used as possible. Since the majority of the users within a specific company get their DNS services through the same company and/or location, look-ups from that specific location are required to get the most up-to-date information.
Facebook.com is currently serviced by four different IPv4 addresses and a single IPv6 address: IPv4: 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124 and IPv6: 2a03:2880:2110:df01:face:b00c:0:8
Once the targeted IP addresses have been collected, blocking them is rather simple. Take a look a the table below:
|1||Enter global configuration mode||router#configure terminal|
|2||Create an Extended Access Control List (ACL)||router(config)#ip access-list extended name|
|3||Create the statements that will block the destination IP addresses identified. In this case the ACL statement will deny any source from accessing these specific IP addresses||router(config-ext-nacl)#deny ip any host source-ip-address|
|3||router(config-ext-nacl)#deny ip any source-ip-network source-wildcard-mask|
|Repeat step 3 for all identified IP addresses|
|4||Create a statement that allows all other traffic||router(config-ext-nacl)#permit ip any any|
|5||Enter interface configuration mode (the interface to use depends on the specific environment)||router(config-ext-nacl)#interface interface|
|6||Enable the use of the created ACL||router(config-if)#ip access-group name out|
With youtube.com, as it is configured, it is almost easier to block whole network ranges (that is, whole companies). A simple search shows there are over 100 different IP addresses that can be used to access the main Youtube web page.
To block whole companies, the first thing that must be done is an audit of all assigned IP addresses (IPv4 and IPv6); this determines the list of addresses that can be blocked using simple packet filters, as shown in the table above. This determination can be quite complex, as many large companies are assigned many different IPv4 and IPv6 address ranges, so figuring out all of the ones that are currently being used can be a chore. Using the Whois services of your local regional Internet registry (RIR) is one of the first places to go. Check out the American Registry for Internet Numbers (ARIN) to find your registry.
Myspace.com is currently serviced (as of this writing from my Internet connection) by two IP addresses: 126.96.36.199 and 188.8.131.52. Keep in mind that the networking departments of any of these companies can change this with little interruption in service by readdressing and altering the DNS record. These addresses were obtained through two different sources: via a local DNS server using nslookup (which can query the root servers directly) and via DNS Stuff, which offers many DNS service-related tools.
A more comprehensive solution is to use a deep packet inspection feature on a firewall device. These types of systems do not rely on IP assignments, which can change quickly and stick with blocking content based on the presence of a specific domain name in monitored traffic (see this iOS Cisco page).