Old 08-08-2006, 11:44 AM   #1
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Rep: Reputation: 30
Restriction using MAC address (squid) SuSE


Hi, hope you can help me. I need to assign permissions on squid to the PCs that I will give internet access, but I need to use their MAC address. Any idea? I've done it with IP restriction but don't know if I can do it by MAC address.


Thank you!!!!
 
Old 08-08-2006, 12:51 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by AQG
Hi, hope you can help me. I need to assign permissions on squid to the PCs that I will give internet access, but I need to use their MAC address. Any idea? I've done it with IP restriction but don't know if I can do it by MAC address.
yes, you can do it... as long as your squid was compiled with this option:
Code:
--enable-arp-acl
here's an example of mac-based ACL usage:
Code:
acl AQGMAC arp 01:02:03:04:05:06
http_access allow AQGMAC
http_access deny all
here's an example of a mixed mac-based and IP-based ACL usage:
Code:
acl AQGMAC arp 01:02:03:04:05:06
acl AQGIP src 192.168.100.103
http_access allow AQGMAC AQGIP
http_access deny all
just my ...

Last edited by win32sux; 08-08-2006 at 02:09 PM.
 
Old 08-08-2006, 06:13 PM   #3
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
Thanks win32sux, just one more question: will it work with multiple PCs (I need a minimum of 500 MAC addresses)?
 
Old 08-08-2006, 09:14 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by AQG
Thanks win32sux, just one more question: will it work with multiple PCs (I need a minimum of 500 MAC addresses)?
yeah, it will work with multiple PCs... here's a simple example for 3 PCs:
Code:
# Jenny in Accounting:
acl PC001-MAC arp 01:02:03:04:05:06
acl PC001-IP src 192.168.100.101

# Bob in Sales:
acl PC002-MAC arp 02:02:03:04:05:06
acl PC002-IP src 192.168.100.102

# Cody in Engineering:
acl PC003-MAC arp 03:02:03:04:05:06
acl PC003-IP src 192.168.100.103

http_access allow PC001-MAC PC001-IP
http_access allow PC002-MAC PC002-IP
http_access allow PC003-MAC PC003-IP

http_access deny all
i think there's also a way to have the MACs and IPs listed in text files, and then have squid use them from there... that way you don't have to have a squid.conf with 500 MACs and 500 IPs in it... i'm not exactly sure how that would work, though, cuz i've never tried it... but according to this it might be as easy as using a pipe...

Last edited by win32sux; 08-08-2006 at 09:19 PM.
 
Old 08-09-2006, 12:26 PM   #5
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
Thanks win32sux I'll try that.
Originally I've had it working with text files since Oct 2005, only using IP.

Hope this is not true: Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.


Now things have changed, I need this proxy to work for 30 VLANs. Might you have an example?
I'll post what I got as soon as I'm sure that it works OK.


Thanks once again!!!!!

Last edited by AQG; 08-09-2006 at 12:38 PM.
 
Old 08-09-2006, 12:58 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by AQG
Thanks win32sux I'll try that.
Originally I've had it working with text files since Oct 2005, only using IP.
hehe, cool... BTW, if you can show me how you do that it would be greatly appreciated cuz i've never really done it and i'd like to learn how...

Quote:
Hope this is not true: Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.
the thing is that mac addresses don't get routed...

Quote:
Now things have changed, I need this proxy to work for 30 VLANs. Might you have an example?
I'll post what I got as soon as I'm sure that it works OK.
what's a VLAN??

Quote:
Thanks once again!!!!!
you're very welcome!!
 
Old 08-09-2006, 03:19 PM   #7
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
VLAN=Virtual Local Area Network

My server is down; I'll get it running today and I'll send you an example.
 
Old 08-09-2006, 03:47 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by AQG
VLAN=Virtual Local Area Network
yeah i had figured that much... i just wasn't sure how that works... after a quick google, it seems VLANs are done at the data link layer (layer 2)... as such, i would expect the MAC addresses to indeed be carried-over, so it should work fine i think... i believe that squid's warning is intended for layers 3 and 4... someone please correct me if i'm wrong...

Quote:
My server is down; I'll get it running today and I'll send you an example.
great!!! i look forward to your post...

Last edited by win32sux; 08-09-2006 at 03:48 PM.
 
Old 08-11-2006, 03:14 PM   #9
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
Well, still having some problems. This is what I've got:

*********************************************************
http_port 3128
http_port 8080

cache_mem 256 MB

cache_dir ufs /var/cache/squid 800 16 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

acl manager proto cache_object
acl proxysuse src 127.0.0.1/255.255.255.255


acl full_access_mac arp "/etc/squid/macfree"

acl denied_access_to_web_pages url_regex "/etc/squid/negarfree"


http_access allow full_access_mac !Paginas_Negadas
http_access deny all

icp_access allow proxysuse
icp_access allow full_access__mac
icp_access deny all


ftp_user AQG@myplace.com

cache_mgr AQG@myplace.com

visible_hostname proxysuse

httpd_accel_with_proxy on
httpd_accel_single_host on
httpd_accel_host virtual
httpd_accel_port 8080
cache_effective_user squid
cache_effective_group squid
*************************************************************




and I get the following error:

Initializing the Squid cache with the command squid -f /etc/squid/squid.conf -z ..

2006/10/08 13:03:50| ACL name 'all' not defined!
FATAL: Bungled squid.conf line 23: http_access deny all
Squid Cache (Version 2.5.STABLE10): Terminated abnormally.



but I don't see anywhere in the code a problem with:
ACL name 'all' not defined!


any ideas???


thanks

Last edited by AQG; 08-11-2006 at 03:17 PM.
 
Old 08-11-2006, 06:08 PM   #10
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
OK, got it working, but now it gives access to all; it does not respect the MAC addresses that I put in "macfree", which are supposed to be the only ones to get access to the internet.

http_port 3128
http_port 8080

cache_mem 256 MB

cache_dir ufs /var/cache/squid 800 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log



acl manager proto cache_object
acl proxysuse src 127.0.0.1
acl all src 0.0.0.0/0.0.0.0


acl Acceso_Completo_mac arp "/etc/squid/macfree"

acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl paginas url_regex "/etc/squid/paginas_file"


http_access allow Acceso_Completo_mac paginas !Paginas_Negadas
http_access allow paginas
http_access deny all

icp_access allow proxysuse
icp_access allow Acceso_Completo_mac
icp_access allow Paginas_Negadas
icp_access allow paginas
icp_access deny all



Also, I have some doubts about the order of the variables.


Please help, I have a deadline for Monday to put this to work. I must restrict access via MAC address.

Any help will be appreciated.
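
An added example, not part of any post in this thread and not Squid code: a small Python check run over the ACL and access lines excerpted from the configurations in posts #9 and #10. It lists ACL names that access rules use but no acl line defines, and walks http_access in Squid's first-match order; the function names and the `matched` set (ACL names assumed true for a request) are illustrative assumptions.

```python
# Excerpts (ACL and access lines only) of the two squid.conf posts above.
CONF_POST_9 = """
acl manager proto cache_object
acl proxysuse src 127.0.0.1/255.255.255.255
acl full_access_mac arp "/etc/squid/macfree"
acl denied_access_to_web_pages url_regex "/etc/squid/negarfree"
http_access allow full_access_mac !Paginas_Negadas
http_access deny all
icp_access allow proxysuse
icp_access allow full_access__mac
icp_access deny all
"""
CONF_POST_10 = """
acl all src 0.0.0.0/0.0.0.0
acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl paginas url_regex "/etc/squid/paginas_file"
http_access allow Acceso_Completo_mac paginas !Paginas_Negadas
http_access allow paginas
http_access deny all
"""

def parse(conf):
    """Return (set of defined ACL names, [(directive, action, [terms])])."""
    acls, rules = set(), []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            acls.add(tok[1])
        elif tok[0].endswith("_access") and len(tok) >= 3 and tok[1] in ("allow", "deny"):
            rules.append((tok[0], tok[1], tok[2:]))
    return acls, rules

def undefined_refs(conf):
    """ACL names used in *_access lines but never defined by an acl line."""
    acls, rules = parse(conf)
    return sorted({t.lstrip("!") for _, _, terms in rules for t in terms} - acls)

def decide(conf, matched, directive="http_access"):
    """First-match evaluation; every term on a line must hold for it to match."""
    last = "allow"  # with no rules at all, the result below is deny
    for d, action, terms in parse(conf)[1]:
        if d != directive:
            continue
        last = action
        if all((t[1:] not in matched) if t[0] == "!" else (t in matched) for t in terms):
            return action
    return "deny" if last == "allow" else "allow"  # no match: opposite of last line
```

With the post #10 rules, a client whose MAC is not in macfree is still allowed whenever the URL matches paginas, because the second http_access line carries no MAC condition.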
 
Old 08-12-2006, 08:02 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
try like this:
Code:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object

acl Acceso_Completo_mac arp "/etc/squid/macfree"
acl Paginas_Negadas url_regex "/etc/squid/negarfree"
acl Paginas_Permitidas url_regex "/etc/squid/paginas_file"

http_access allow localhost
http_access deny Paginas_Negadas
http_access allow Acceso_Completo_mac Paginas_Permitidas
http_access deny all
http_reply_access allow all
icp_access deny all

http_port 8080
icp_port 0

cache_mem 256 MB
cache_dir ufs /var/cache/squid 800 16 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

visible_hostname proxy.example.net
 
Old 08-14-2006, 10:51 AM   #12
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
OK, win32sux, what you sent me looks OK, but it's not letting any traffic go through; that's the "acceso_completo_mac" file which contains MAC addresses.

I also have one question regarding the code you sent me:

What does this query do? "acl QUERY urlpath_regex cgi-bin \?"


Any ideas?

thanks
 
Old 08-14-2006, 11:17 AM   #13
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
In order for it to let traffic out, I need to change


"http_access deny all" to "http_access allow all"

but it won't filter the MAC address file, it will just let all the MACs on my network out.

Last edited by AQG; 08-14-2006 at 11:36 AM.
 
Old 08-14-2006, 12:26 PM   #14
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Original Poster
Rep: Reputation: 30
It's definitely not respecting the filter by MAC address.

Please, anyone, any ideas?


Like I said before, it does not respect my MAC address file. Is there something else that I need to compile on squid in order for it to take MAC address filtering?

I think my main problem is that I don't know how to compile with "--enable-arp-acl". How or where do I do this?
Thanks!!!!

Last edited by AQG; 08-14-2006 at 12:32 PM.
 
Old 08-14-2006, 12:29 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
is it respecting the other files?? like, Paginas_Negadas, for example??

Last edited by win32sux; 08-14-2006 at 12:33 PM.
 
  

