LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-08-2006, 11:44 AM   #1
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Rep: Reputation: 30
Restriction using MAC address (squid) SuSE


Hi hope yo can help me i need to assign permissions on squid to the pc's that i will give internet access, but i need to use their MAC address? any idea, I've done it with ip restriction but don't know if i can do it by MAC address


Thank you!!!!
 
Old 08-08-2006, 12:51 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by AQG
Hi hope yo can help me i need to assign permissions on squid to the pc's that i will give internet access, but i need to use their MAC address? any idea, I've done it with ip restriction but don't know if i can do it by MAC address
yes, you can do it... as long as your squid was compiled with this option:
Code:
--enable-arp-acl
here's an example of mac-based ACL usage:
Code:
acl AQGMAC arp 01:02:03:04:05:06
http_access allow AQGMAC
http_access deny all
here's an example of a mixed mac-based and IP-based ACL usage:
Code:
acl AQGMAC arp 01:02:03:04:05:06
acl AQGIP src 192.168.100.103
http_access allow AQGMAC AQGIP
http_access deny all
just my ...

Last edited by win32sux; 08-08-2006 at 02:09 PM.
 
Old 08-08-2006, 06:13 PM   #3
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
Thanks win32sux, just one more question will it work with multiple pc's (i need minumun 500 MAC addresses)?
 
Old 08-08-2006, 09:14 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by AQG
Thanks win32sux, just one more question will it work with multiple pc's (i need minumun 500 MAC addresses)?
yeah, it will work with multiple PCs... here's a simple example for 3 PCs:
Code:
# Jenny in Accounting:
acl PC001-MAC arp 01:02:03:04:05:06
acl PC001-IP src 192.168.100.101

# Bob in Sales:
acl PC002-MAC arp 02:02:03:04:05:06
acl PC002-IP src 192.168.100.102

# Cody in Engineering:
acl PC003-MAC arp 03:02:03:04:05:06
acl PC003-IP src 192.168.100.103

http_access allow PC001-MAC PC001-IP
http_access allow PC002-MAC PC002-IP
http_access allow PC003-MAC PC003-IP

http_access deny all
i think there's also a way to have the MACs and IPs listed in text files, and then have squid use them from there... that way you don't have to have a squid.conf with 500 MACs and 500 IPs in it... i'm not exactly sure how that would work, though, cuz i've never tried it... but according to this it might be as easy as using a pipe...

Last edited by win32sux; 08-08-2006 at 09:19 PM.
 
Old 08-09-2006, 12:26 PM   #5
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
Thanks win32sux I'll try that.
originally i've had it with it working with text files since Oct 2005 only using IP.

Hope this is not true: Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.


Now things have changed, I need this proxy to work for 30 VLAN's. Might you have an example?.
I'll post what i got as soon as i'm sure that works ok..


Thanks once again!!!!!

Last edited by AQG; 08-09-2006 at 12:38 PM.
 
Old 08-09-2006, 12:58 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by AQG
Thanks win32sux I'll try that.
originally i've had it with it working with text files since Oct 2005 only using IP.
hehe, cool... BTW, if you can show me how you do that it would be greatly appreciated cuz i've never really done it and i'd like to learn how...

Quote:
Hope this is not true: Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.
the thing is that mac addresses don't get routed...

Quote:
Now things have changed, I need this proxy to work for 30 VLAN's. Might you have an example?.
I'll post what i got as soon as i'm sure that works ok..
what's a VLAN??

Quote:
Thanks once again!!!!!
you're very welcome!!
 
Old 08-09-2006, 03:19 PM   #7
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
VLAN=Virtual Local Area Network

My server is down, i get it running today and i'll send you an example
 
Old 08-09-2006, 03:47 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by AQG
VLAN=Virtual Local Area Network
yeah i had figured that much... i just wasn't sure how that works... after a quick google, it seems VLANs are done at the data link layer (layer 2)... as such, i would expect the MAC addresses to indeed be carried-over, so it should work fine i think... i believe that squid's warning is intended for layers 3 and 4... someone please correct me if i'm wrong...

Quote:
My server is down, i get it running today and i'll send you an example
great!!! i look forward to your post...

Last edited by win32sux; 08-09-2006 at 03:48 PM.
 
Old 08-11-2006, 03:14 PM   #9
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
Well still having some problems, this is what i`ve got:

*********************************************************
http_port 3128
http_port 8080

cache_mem 256 MB

cache_dir ufs /var/cache/squid 800 16 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

acl manager proto cache_object
acl proxysuse src 127.0.0.1/255.255.255.255


acl full_access_mac arp "/etc/squid/macfree"

acl denied_access_to_web_pages url_regex "/etc/squid/negarfree"


http_access allow full_access_mac !Paginas_Negadas
http_access deny all

icp_access allow proxysuse
icp_access allow full_access__mac
icp_access deny all


ftp_user AQG@myplace.com

cache_mgr AQG@myplace.com

visible_hostname proxysuse

httpd_accel_with_proxy on
httpd_accel_single_host on
httpd_accel_host virtual
httpd_accel_port 8080
cache_effective_user squid
cache_effective_group squid
*************************************************************




and i get the following error:

Initializing the Squid cache with the command squid -f /etc/squid/squid.conf -z ..

2006/10/08 13:03:50| ACL name 'all' not defined!
FATAL: Bungled squid.conf line 23: http_access deny all
Squid Cache (Version 2.5.STABLE10): Terminated abnormally.



but i dont see anyweher in the code a problem with:
ACL name 'all' not defined!


any ideas???


thanks

Last edited by AQG; 08-11-2006 at 03:17 PM.
 
Old 08-11-2006, 06:08 PM   #10
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
OK, got it working, but now it gives access to all, it does not respect the mac addresses that i put "macfree" which are supposed to be the only ones to get access to internet.

http_port 3128
http_port 8080

cache_mem 256 MB

cache_dir ufs /var/cache/squid 800 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log



acl manager proto cache_object
acl proxysuse src 127.0.0.1
acl all src 0.0.0.0/0.0.0.0


acl Acceso_Completo_mac arp "/etc/squid/macfree"

acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl paginas url_regex "/etc/squid/paginas_file"


http_access allow Acceso_Completo_mac paginas !Paginas_Negadas
http_access allow paginas
http_access deny all

icp_access allow proxysuse
icp_access allow Acceso_Completo_mac
icp_access allow Paginas_Negadas
icp_access allow paginas
icp_access deny all



also i have some doubts about the order of the variables..


please help i have a deadline for monday to put this to work. i must restrict access via mac address

any help will be appreciated
 
Old 08-12-2006, 08:02 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
try like this:
Code:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object

acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl Paginas_Permitidas url_regex "/etc/squid/paginas_file"

http_access allow localhost
http_access deny Paginas_Negadas
http_access allow Acceso_Completo_mac Paginas_Permitidas
http_access deny all
http_reply_access allow all
icp_access deny all

http_port 8080
icp_port 0

cache_mem 256 MB
cache_dir ufs /var/cache/squid 800 16 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

visible_hostname proxy.example.net
 
Old 08-14-2006, 10:51 AM   #12
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
Ok, win32sux, what you sent me looks ok, but its not letting any traffic go through thats the "acceso_completo_mac" file which contains MAC addresses.

also have one questions regarding the code you sent me:

what does this query do? "acl QUERY urlpath_regex cgi-bin \?"


Any ideas?

thanks
 
Old 08-14-2006, 11:17 AM   #13
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
In order for it to let traffic out, i need to chage


"http_access deny all" to "http_access allow all"

but it won't filter the mac address file, it will just let all the mac's on my network out

Last edited by AQG; 08-14-2006 at 11:36 AM.
 
Old 08-14-2006, 12:26 PM   #14
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
It's definitlly not respecting the filter by MAC address

please anyone, any ideas?


like i said before it does not respect my MAC address file, is there something else that i need to compile on squid in order for it to take MAC address filtering?

I think my main problem is that i don't know how to compile with "--enable-arp-acl" how or where do i do this!!!!
Thanks!!!!

Last edited by AQG; 08-14-2006 at 12:32 PM.
 
Old 08-14-2006, 12:29 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
is it respecting the other files?? like, Paginas_Negadas, for example??

Last edited by win32sux; 08-14-2006 at 12:33 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid User Restriction ajkannan83 Linux - Software 2 06-29-2006 04:41 AM
Web Restriction using Squid Ahmad Gurchani Linux - General 1 03-07-2005 02:18 AM
squid download restriction nithin_bhaskar Linux - Networking 1 09-01-2004 10:14 AM
Mac address restriction PcHammer Linux - Networking 4 12-31-2003 02:22 AM
Squid user restriction andresurzagasti Linux - Networking 1 02-01-2003 08:56 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:31 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration