Ubuntu - iptables - Block Facebook

Some routers can block Facebook (or any other page) by a URL keyword. Yet this becomes a problem once the page moves to a secure connection (HTTPS).

More recently, iptables has gained so-called Layer 7 matching to address issues like this, and the rules look something like the ones below. Let's suppose you have a Linux router, in which case you will be using the FORWARD chain to control which packets are allowed to reach which users.

Generally, this is how it looks:

-A FORWARD -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -m string --string "facebook" --algo bm -j DROP

The rules above will literally "eat" every packet coming in or going out on ports 80 and 443 that contains the word "facebook". I limited the rules to ports 80 and 443 deliberately, because otherwise, in the general case, they could also drop mail that contains the word "facebook", and you would have no log of it.

Furthermore, instead of jumping straight to DROP, you can create a dedicated chain that lets through the IP addresses of the users you want to allow to access Facebook, and then logs and drops everything else.

It is good practice to log what you're doing at all times, just in case.
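The dedicated chain described above, written out as a small shell script. This is an added example, not code from the original post: the chain name FB_FILTER, the IPT/CHAIN variables and the client addresses 192.0.2.10 and 192.0.2.11 are constructed for illustration. Allowed clients RETURN to FORWARD in both directions (their own packets by source, the server's replies by destination); everyone else is logged with a rate limit and then dropped. Two caveats worth knowing before relying on it: the HTTPS rules only work because "facebook" still appears in plaintext in the TLS handshake (the client's SNI and, on TLS 1.2, the server certificate), so on TLS 1.3 only the --dport 443 direction still matches, and the string match will hit any payload containing the substring, not just web traffic.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds a dedicated chain (the name FB_FILTER is an assumption) that lets the
# listed client IPs through, and logs then drops every other packet that the
# "facebook" string match sends to it.
# IPT is the iptables binary; set IPT=echo to print the rules instead of
# applying them (a dry run that needs no root).

CHAIN="${CHAIN:-FB_FILTER}"

# build_facebook_chain "<space-separated allowed client IPs>"
build_facebook_chain() {
    allowed="$1"
    ipt="${IPT:-iptables}"

    # Create the chain if it is missing, then empty it so reruns start clean.
    "$ipt" -N "$CHAIN" 2>/dev/null || true
    "$ipt" -F "$CHAIN"

    # Allowed clients: RETURN to FORWARD, so their packets continue to the
    # rules after the jump. Both directions are needed: -s for the client's
    # own packets, -d for the server's replies to it.
    for ip in $allowed; do
        "$ipt" -A "$CHAIN" -s "$ip" -j RETURN
        "$ipt" -A "$CHAIN" -d "$ip" -j RETURN
    done

    # Everyone else: log (rate limited so a burst cannot flood the kernel
    # log) and drop.
    "$ipt" -A "$CHAIN" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "FB_BLOCK: " --log-level 4
    "$ipt" -A "$CHAIN" -j DROP

    # Hook the chain into FORWARD: the same four string-match rules as in the
    # post, but jumping to the chain instead of dropping outright.
    for port in 80 443; do
        "$ipt" -A FORWARD -p tcp --sport "$port" \
            -m string --string "facebook" --algo bm -j "$CHAIN"
        "$ipt" -A FORWARD -p tcp --dport "$port" \
            -m string --string "facebook" --algo bm -j "$CHAIN"
    done
}

# Usage: sh this_script.sh "192.0.2.10 192.0.2.11"  (constructed example IPs)
if [ -n "${1:-}" ]; then
    build_facebook_chain "$1"
fi
```

After applying it, `iptables -S FB_FILTER` shows the chain, and hits appear in the kernel log (`dmesg`, or /var/log/kern.log on Ubuntu) with the FB_BLOCK: prefix. Note that -A appends to FORWARD: if the chain already has an earlier rule accepting ESTABLISHED traffic, the string rules never see those packets, so insert them with -I FORWARD ahead of it instead.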