Syed Jahanzaib Personal Blog to Share Knowledge !

December 9, 2013

Possible Workaround for Blocking SKYPE with Mikrotik

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 3:38 PM

Skype uses whole blocks of IP addresses from various ranges. Using Wireshark and some digging, I found the following pools which Skype is using for its various functions. But do remember that with new updates/versions more hosts can be added. For this purpose you can use the Catch Skype script on Mikrotik to detect new addresses and add them to the list.

Also, it is possible that some valid/legitimate sites may get blocked with this approach. If so, just find the right IP address of the particular site and allow it before the deny rule.

Use the following code, then try to connect to Skype and watch the results. This is purely a hit-and-trial method; try it and post your comments, or if you have a better way to block Skype, do let me know. Skype has different servers for different regions, so these destinations may not work for you, but at least they are working in Pakistan.

Regards,
Syed Jahanzaib

/ip firewall address-list

add address=111.221.74.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=111.221.77.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.130.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.235.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.56.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.56.52.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=194.165.188.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=195.46.253.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=213.199.179.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=63.245.217.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=64.4.23.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=65.55.223.0/24 comment=disable_skype disabled=no list=skype_servers_z

/ip firewall filter
add action=drop chain=forward disabled=no dst-address-list=skype_servers_z

After blocking, the result is as shown in the image below:

[Image: Skype cannot connect]

Also read the following …

Script to catch all URL names containing SKYPE using the DNS cache, and add them to an ADDRESS LIST

Today, a good friend (VirtualIT Support) forwarded me a script which catches the IP addresses of all URLs which have 'Skype' in the DNS cache and then adds them to an address list.

Schedule this script to run every 10-15 minutes. It will check every DNS entry (in the DNS cache) and add any URL name which has Skype in it to the address list. Then, using a firewall filter, you can block this list (in the FORWARD chain).

Just copy and paste the following code into the terminal. Then add a schedule or run it manually. Try to log in to Skype a few times and run the script; every time it will add a few IP addresses to the list : )


/system script

add name=skype_script policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":foreach i in=[/ip dns cache find] do={\r\
\n    :local bNew \"true\";\r\
\n    :local cacheName [/ip dns cache all get \$i name] ;\r\
\n#    :put \$cacheName;\r\
\n\r\
\n    :if ([:find \$cacheName \"skype\"] != 0) do={\r\
\n\r\
\n        :local tmpAddress [/ip dns cache get \$i address] ;\r\
\n#\t:put \$tmpAddress;\r\
\n\r\
\n# if address list is empty do not check\r\
\n        :if ( [/ip firewall address-list find ] = \"\") do={\r\
\n            :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n            /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n        } else={\r\
\n            :foreach j in=[/ip firewall address-list find ] do={\r\
\n                :if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\r\
\n                    :set bNew \"false\";\r\
\n                }\r\
\n            }\r\
\n            :if ( \$bNew = \"true\" ) do={\r\
\n                :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n                /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n            }\r\
\n        }\r\
\n    }\r\
\n}"
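
The post says to schedule the script, block its list in the FORWARD chain, and allow legitimate sites before the deny rule, but shows no commands for those steps. The following is an added example, not part of the original post or the forwarded script; the list name skype_allow, the address 203.0.113.10, the rule comments and the scheduler name are placeholders chosen for illustration.

```routeros
# Added example. skype_allow and 203.0.113.10 are constructed placeholders:
# replace the address with the legitimate site that is being blocked.
/ip firewall address-list
add address=203.0.113.10 list=skype_allow comment=legit_site_example

/ip firewall filter
# The accept rule must sit above the drop rules: the forward chain is read
# top-down and the first matching rule decides what happens to the packet.
add action=accept chain=forward dst-address-list=skype_allow comment=allow_before_skype_drop
# Static ranges from the post (skip this line if that drop rule already exists,
# and move the accept rule above the existing one instead).
add action=drop chain=forward dst-address-list=skype_servers_z comment=disable_skype
# Addresses that skype_script collects from the DNS cache.
add action=drop chain=forward dst-address-list=skype_dns_ips comment=disable_skype

/system scheduler
# Run the collector every 10 minutes, the low end of the 10-15 minute range.
add name=skype_script_every_10m interval=10m on-event=skype_script
```

Review skype_dns_ips from time to time: the script matches on the DNS name only, so any cached name containing "skype" ends up in the drop list.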

5 Comments »

  1. Dead Sayd

    I use a small bash script to get this AS information; see the example:

    echo "/ip firewall filter" ; whois -h whois.radb.net -- '-i origin AS32934' | grep '^route:' | sort -n | uniq | awk '{print "add action=drop chain=forward comment=\"AS FACEBOOK\" dst-address="$2}'

    I guess you’ll have other idea above.

    Congrat.

    Comment by int21int21 — December 12, 2013 @ 1:08 AM

  2. How to make Skype work better with Mikrotik?

    Comment by yousef mohamed — December 22, 2013 @ 10:06 AM

  3. nice it is working good thanks mr

    Comment by mohamed — January 10, 2014 @ 9:49 PM

  4. A O A sir, I hope you will be fine. I have a problem in my network: I have 200+ clients but my Skype does not work properly, calls drop or end, so please, I need help.

    Comment by saad — January 23, 2014 @ 12:43 PM

  5. Friend, if anyone's problem gets solved, please do let me know; my Skype also causes a lot of problems.

    Comment by azhar farooq — November 2, 2015 @ 8:20 PM

