Syed Jahanzaib Personal Blog to Share Knowledge !

December 9, 2013

Possible Workaround for Blocking SKYPE with Mikrotik

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 3:38 PM


SKYPE uses whole blocks of IP addresses from various ranges. Using Wireshark and some digging, I found the following pools, which Skype uses for its various functions. But do remember that with new updates/versions more hosts can be added. For this purpose you can use the Catch Skype script on Mikrotik to detect new addresses and add them to the list.

Also, it is possible that some valid/legitimate sites may get blocked with this approach. In that case, find the right IP address of the particular site and allow it before the deny rule.

Use the following code, then try to connect to SKYPE and watch the results. This is purely a hit-and-trial method; try it and post your comments, or if you have some better way to block SKYPE, do let me know. SKYPE has different servers for different regions, so these destinations may not work for you, but at least they are working in Pakistan.

Regards,
Syed Jahanzaib

/ip firewall address-list

add address=111.221.74.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=111.221.77.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.130.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.235.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.56.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.56.52.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=194.165.188.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=195.46.253.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=213.199.179.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=63.245.217.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=64.4.23.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=65.55.223.0/24 comment=disable_skype disabled=no list=skype_servers_z

/ip firewall filter
add action=drop chain=forward disabled=no dst-address-list=skype_servers_z

After blocking, the result: Skype cannot connect.

Also read the following:

Script to catch all URL names containing SKYPE using the DNS cache and add them to an ADDRESS LIST

Today, a good friend (VirtualIT Support) forwarded me a script which catches the IP addresses of all URLs which have 'Skype' in the DNS cache and then adds them to an address list.

Schedule this script to run every 10-15 minutes. It will check every DNS entry (in the DNS cache) and add any URL name which has Skype in it to the address list. Then, using the firewall FILTER, you can block this list (in the FORWARD chain).

Just copy and paste the following code into the terminal. Then add a schedule or run it manually: try to log in to Skype a few times and run the script, and every time it will add a few IP addresses to the list : )


/system script

add name=skype_script policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":foreach i in=[/ip dns cache find] do={\r\
\n    :local bNew \"true\";\r\
\n    :local cacheName [/ip dns cache all get \$i name] ;\r\
\n#    :put \$cacheName;\r\
\n\r\
\n    :if ([:find \$cacheName \"skype\"] != 0) do={\r\
\n\r\
\n        :local tmpAddress [/ip dns cache get \$i address] ;\r\
\n#\t:put \$tmpAddress;\r\
\n\r\
\n# if address list is empty do not check\r\
\n        :if ( [/ip firewall address-list find ] = \"\") do={\r\
\n            :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n            /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n        } else={\r\
\n            :foreach j in=[/ip firewall address-list find ] do={\r\
\n                :if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\r\
\n                    :set bNew \"false\";\r\
\n                }\r\
\n            }\r\
\n            :if ( \$bNew = \"true\" ) do={\r\
\n                :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n                /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n            }\r\
\n        }\r\
\n    }\r\
\n}"
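
To see how the static /24 list and the DNS-cache script complement each other, the following added example (not part of the original post or the forwarded script) checks DNS cache entries offline and reports Skype-named hosts that fall outside the static pools. The cache entries, the .example hostnames and the function names are constructed for illustration.

```python
import ipaddress

# The /24 pools this page puts in the skype_servers_z address list.
STATIC_POOLS = [ipaddress.ip_network(n) for n in (
    "111.221.74.0/24", "111.221.77.0/24", "157.55.130.0/24",
    "157.55.235.0/24", "157.55.56.0/24", "157.56.52.0/24",
    "194.165.188.0/24", "195.46.253.0/24", "213.199.179.0/24",
    "63.245.217.0/24", "64.4.23.0/24", "65.55.223.0/24",
)]

# Constructed (name, address) pairs standing in for DNS cache entries.
# Hostnames and addresses are made up for this example.
SAMPLE_CACHE = [
    ("ui.skype.example", "157.55.56.10"),      # already inside a static pool
    ("apps.skype.example", "198.51.100.7"),    # not covered by any pool
    ("CONN.SKYPE.example", "198.51.100.7"),    # same address, mixed case
    ("www.example.org", "203.0.113.5"),        # unrelated name
    ("dl.skype.example", "cdn.example.net"),   # record data is not an address
]

def uncovered_skype_hosts(cache, pools=STATIC_POOLS, keyword="skype"):
    """Map address -> first matching name for entries whose name contains
    keyword and whose address is outside every static pool."""
    found = {}
    for name, addr in cache:
        if keyword not in name.lower():
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip record data that is not an IP address
        if any(ip in net for net in pools):
            continue  # the static drop rule already matches this host
        found.setdefault(str(ip), name)
    return found

def routeros_commands(found, list_name="skype_dns_ips"):
    """Render address-list lines in the same form the page uses."""
    return [f"add address={ip} comment={name} list={list_name}"
            for ip, name in sorted(found.items())]

if __name__ == "__main__":
    print("/ip firewall address-list")
    print("\n".join(routeros_commands(uncovered_skype_hosts(SAMPLE_CACHE))))
```

The script above writes to skype_dns_ips, while the drop rule earlier on the page matches skype_servers_z only, so the second list needs its own rule in the forward chain before anything it collects is blocked.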
