LinuxQuestions.org
Old 02-08-2011, 12:31 AM   #1
amartlk
squid ACL


Hi sir,

I have Squid 2.6 installed on CentOS. I created an ACL which should apply to this IP range, i.e. 192.168.1.10-192.168.1.15, and exclude 192.168.1.13. How can I do this? Please suggest.
 
Old 02-08-2011, 04:19 AM   #2
bathory
Hi,

You can use the following:
Code:
acl FOO src 192.168.1.10-192.168.1.12 192.168.1.14-192.168.1.15
Regards
 
Old 02-08-2011, 06:24 AM   #3
amartlk
Thanks for the reply.

But I have one query: if I have 192.168.1.10-192.16.1.50 and I want some IPs randomly excluded from the ACL, then in such cases the number of ACLs increases. For example, if I want 192.16.1.35, 192.16.1.15 and 192.16.1.22 excluded, then I have to make
acl foo src 192.16.1.10-192.16.1.14
acl bar src 192.16.1.16-192.16.1.21
acl test src 192.16.1.23-192.16.1.34
acl test1 src 192.16.1.36-192.16.1.50

Hence the number of ACLs increases. Is there any way so that we write the ACL as

acl foo src 192.16.1.10-192.16.1.50
and after that an ACL for the excluded IPs like 22, 15, 22?

Regards
amar
 
Old 02-08-2011, 06:51 AM   #4
bathory
You can use:
Code:
acl goodguys src 192.16.1.35 192.16.1.15 192.16.1.22
http_access allow goodguys
http_access deny all
 
Old 02-08-2011, 08:12 AM   #5
amartlk
Thanks.

I am rearranging according to my requirement.

I created the files download and mgdownload in /etc/squid; in them I list some sites which need to be blocked. I want to allow download to foo, bar, test and test1, deny mgdownload, and allow both mgdownload and download to the excluded IPs.

acl download url_regex -i "/etc/squid/download"
acl mgdownload url_regex -i "/etc/squid/mgdownload"
acl foo src 192.16.1.10-192.16.1.14
acl bar src 192.16.1.16-192.16.1.21
acl test src 192.16.1.23-192.16.1.34
acl test1 src 192.16.1.36-192.16.1.50
acl goodguys src 192.16.1.35 192.16.1.15 192.16.1.22
http_access allow foo download
http_access allow bar download
http_access allow test download
http_access allow test1 download
http_access deny foo mgdownload
http_access deny bar mgdownload
http_access deny test mgdownload
http_access deny test1 mgdownload
http_access allow goodguys mgdownload
http_access allow goodguys download

Is it correct, or is there any suggestion to minimize this configuration?
 
Old 02-08-2011, 09:07 AM   #6
bathory
Isn't it easier to use:
Code:
acl foo src 192.16.1.10-192.16.1.14 192.16.1.16-192.16.1.21 192.16.1.23-192.16.1.34 192.16.1.36-192.16.1.50
acl goodguys src 192.16.1.35 192.16.1.15 192.16.1.22
http_access allow foo download
http_access deny foo mgdownload
http_access allow goodguys mgdownload
http_access allow goodguys download
 
Old 02-09-2011, 04:18 AM   #7
amartlk
Thanks very much!!!
I will use it and check.
 
Old 02-11-2011, 12:43 AM   #8
amartlk
Hi sir,
I created an ACL to block the sites below. Is it right, or can it be minimized? Please suggest.

acl gmail dstdomain .gmail.com
acl gmail dstdomain .gmail.google.com
acl gmail dstdomain .mail.google.com
acl gmail dstdomain .login.yahoo.com
acl gmail dstdomain .messenger.yahoo.com
acl gmail dstdomain .mail.rediff.com
Second query:

I created acl download url_regex -i "/etc/squid/download"; in the download file I entered www.yahoo.com and more sites, but due to this ACL users are unable to open www.yahoo.com but are able to open it from http://yahoo.com. Please suggest.
 
Old 02-11-2011, 04:20 AM   #9
bathory
Hi,

You should use your creativity to group together similar URLs. For example:
Code:
acl gmail dstdom_regex mail\.(google|rediff)\.com
Note that this will also work for www.gmail.com, because this URL is redirected to mail.google.com.

For the 2nd part you should put a dot "." in front of yahoo.com (.yahoo.com), so it matches www.yahoo.com and yahoo.com.
Note that this will also match foo.yahoo.com, bar.yahoo.com, so if this is not what you want, you should explicitly use www.yahoo.com and yahoo.com (without the leading dot).

Regards
 
Old 02-11-2011, 05:33 AM   #10
amartlk
Thanks sir, it works for me!!!!

1st query:
In Squid, how do I restrict HTTPS sites like banking, etc.?

2nd query:

In Squid, ACLs are applied on an IP address basis, but if someone changes their IP to an IP which has full access, then in that case how can we restrict it? I think in Squid we cannot map a MAC address to an IP, so any suggestion for this?

Thanks in advance

 
Old 02-11-2011, 08:44 AM   #11
bathory
Take a look here to understand how ACLs work. Or better yet, read the whole manual if you want to administer a Squid proxy.
Anyway, regarding your questions:
1. You can use:
Code:
acl banks dstdomain .bank1.com .bank2.com
acl https port 443
http_access deny https banks

2.
If Squid was compiled with "--enable-arp-acl" it can use MAC addresses to restrict access. See the acl arp in the 1st link above.
Other than that you can use some sort of restrictions based on users. For this you need to authenticate your users (through LDAP for example) and, based on the attributes assigned to them (in LDAP), you can restrict or allow access to specific URLs.
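Added example, not code from the thread or from Squid itself: a small Python model of how Squid evaluates the ACLs discussed in posts #6, #9 and #11, i.e. src ranges, dstdomain with and without the leading dot, a port ACL for HTTPS, and first-match ordering of http_access lines. The squid.conf fragment is constructed for the example; download and mgdownload are modelled as dstdomain ACLs instead of the url_regex files used in the thread, and bank1.com/bank2.com are the placeholder names from post #11.

```python
import ipaddress

def ip_in(ip, tokens):
    """True if ip lies in any 'src' argument: a single IP, an a.b.c.d-a.b.c.e range, or CIDR."""
    def hit(t):
        if "/" in t:
            return ip in ipaddress.ip_network(t, strict=False)
        lo, _, hi = t.partition("-")
        return ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi or lo)
    return any(hit(t) for t in tokens)

def match_acl(typ, args, req):
    """Match one ACL (type and argument list) against a request dict with keys src, host, port."""
    host = req["host"].lower()
    if typ == "src":
        return ip_in(ipaddress.IPv4Address(req["src"]), args)
    if typ == "dstdomain":  # leading dot: the domain and all its subdomains; no dot: that host only
        return any(host == d.lstrip(".") or (d[0] == "." and host.endswith(d)) for d in args)
    if typ == "port":
        return str(req["port"]) in args
    raise ValueError("unsupported acl type: " + typ)

def decide(conf, req):
    """First http_access line whose ACLs all match wins; no match gives the opposite of the last action."""
    acls, rules = {}, []
    for p in (line.split() for line in conf.strip().splitlines()):
        if p[0] == "acl":  # repeated acl lines with the same name extend that ACL
            acls.setdefault(p[1], (p[2], []))[1].extend(p[3:])
        elif p[0] == "http_access":
            rules.append((p[1], p[2:]))
    for action, names in rules:
        if all(match_acl(*acls[n], req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

CONF = """
acl all src 0.0.0.0/0
acl foo src 192.16.1.10-192.16.1.14 192.16.1.16-192.16.1.21 192.16.1.23-192.16.1.34 192.16.1.36-192.16.1.50
acl goodguys src 192.16.1.35 192.16.1.15 192.16.1.22
acl download dstdomain .yahoo.com
acl mgdownload dstdomain .mail.google.com .mail.rediff.com
acl banks dstdomain .bank1.com .bank2.com
acl https port 443
http_access deny https banks
http_access allow foo download
http_access deny foo mgdownload
http_access allow goodguys mgdownload
http_access allow goodguys download
http_access deny all
"""
```

Run decide(CONF, {"src": "192.16.1.35", "host": "mail.google.com", "port": 80}) to see the excluded host reach mgdownload while 192.16.1.12 is denied, and swap ".yahoo.com" for "www.yahoo.com" to reproduce the bare yahoo.com mismatch from post #8.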
 
Old 02-12-2011, 01:28 AM   #12
amartlk
Thanks sir,
your first solution works.
Regarding the second query about acl arp, I created an acl arp like
acl foo arp 00:80:48:06:E0
http_access allow foo
but it shows the error "invalid acl fatal bungled squid.conf". I think that I should compile Squid with the ARP enable option. For this do I have to reinstall Squid, or is it possible in the existing installed Squid?

In IP-based ACLs we define groups like acl foo 172.16.1.21-172.16.1.50, but if I use MAC-based ACLs then how are groups possible? I mean, how do I define a range of MAC addresses, as they are random? Please suggest.
 
Old 02-12-2011, 04:18 AM   #13
bathory
The Squid you're running was compiled without the "--enable-arp-acl" option. If you want it, you have to recompile it.
Note that filtering based on MAC addresses works only inside a LAN. If you have clients in different LANs this is not going to work, as the MAC address shown is the one of the intermediate switch.
And of course you cannot sort MAC addresses into groups.
 
Old 02-12-2011, 07:11 AM   #14
amartlk
Hi sir,

If I use MAC-based filtering and I have 250 users, in that case I have to create 250 ACLs, which is very hectic, while with IP-based filtering we can minimize the ACLs into groups. Is that right?

Thanks in advance
 
Old 02-12-2011, 08:59 AM   #15
bathory
Exactly.
That is why filtering based on MAC addresses is not compiled in by default.

Cheers
 
  


All times are GMT -5. The time now is 01:54 AM.
