I have a network connected to the internet by satellite. I need to restict access to the web in varied ways. I have successfully restricted access to web browsing by using an ip address ICL but at times there is a problem when the dhcp server hands out the same ip to another client and though this hasnt happened, if a smart user guessed and assigned an authoried IP they would surf. Maybe I could sort that by adding arp.

The main question though is even when squid blocks browsing, clients can still pass through to email ports and perhaps FTP. Can squid block that? I have read elsewhere in the forum that iptables can help me filter specific ip or mac addresses. How do I do that?

Hi,
I don't know much about this but had the same problem a while ago,

I know you can have ACL (Access control lists) for your users, and also you may use the "Delay pools" feature of your Proxi ( squid ) to kind of manage the bandwidth.

This is if you may want to give some restricted lowbandwidth access to some users.

you may either place static ip addresses or filter via the mac address of each station with iptables, and block ftp and smtp ports with iptables aswell, either for all or for some mac addresses too.

For example we blocked all web, smtp, ftp ports to go directly through the firewall, so anyone who want's to go out must go through the proxy.

you will definately find answers to this very common questions by searching the forum

I'm sorry didn't answer your especific question but hope this helps somehow

I can control using a rule like this:

-A PREROUTING -p tcp -m tcp -i eth0 -m mac --mac-source XX:02:0D:81:67:49 --dport 25 -j DROP

but would I need to list all the mac addresses to allow? Unlike squid, i wonder if iptables can read a list of allowed macs from a separate file and if this would have impact on the network speed.

Of course I have a rule that directs all port 80 requests from the network to the proxy.

Hi,

have a look at ebtables, much more performant for layer 2 trafic : http://ebtables.sourceforge.net/