LinuxQuestions.org > Linux - Server > SQUID: Can anyone help me out with the ACL's (https://www.linuxquestions.org/questions/linux-server-73/squid-can-anyone-help-me-out-with-the-acls-759605/)

foubie 10-04-2009 10:03 AM

SQUID: Can anyone help me out with the ACL's
 
Hey you guys, I have got a question for all you Linux wizards. I can't figure it out by myself, so maybe one of you can help me with the squid config file.

I have 2 networks, both used by parents and kids, but they all have a specific address range.

Wired: parents have the IP range 10.0.0.10 to .100 and the kids have the range 10.0.101 to .200.
Wireless: parents have the range 10.0.1.1 to .10 and the kids from 10.0.1.11 to .100.

What I want is for both parents and kids to authenticate themselves on the proxy server using the ncsa_auth program. The kids, on both networks, are allowed to surf the internet from Monday to Friday from 16:00 (4pm) to 19:00 (7pm). Saturday they can surf the entire day and on Sunday until 20:00 (8pm). The kids are also not allowed to visit websites containing the words in pornwords.txt (acl porno url_regex -i "/etc/squid pornwords.txt").

Can anyone help me correct this or help me set the squid.conf up?

So the squid.conf would be:

Code:

http_port 8080

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

acl alloninternet proxy_auth REQUIRED
acl porn url_regex -i "/etc/squid/pornwords.txt"


acl all src 0.0.0.0/0.0.0.0
acl LANPARENTS src 10.0.0.10-10.0.0.100
acl LANKIDS src 10.0.0.101-10.0.0.200
acl WLANPARENTS src 10.0.1.1-10.0.1.10
acl WLANKIDS src 10.0.1.11-10.0.1.100

acl WEEKTIME time MTWHF 16:00-19:00
acl WEEKENDTIMESATURDAY time A 00:00-00:00
acl WEEKENDTIMESUNDAY time S 00:00-20:00

http_access allow alloninternet
http_access allow LANPARENTS
http_access allow WLANPARENTS
http_access allow LANKIDS WEEKTIME
http_access allow WLANKIDS WEEKTIME
http_access allow LANKIDS WEEKENDTIMESATURDAY
http_access allow WLANKIDS WEEKENDTIMESATURDAY
http_access allow LANKIDS WEEKENDTIMESUNDAY
http_access allow WLANKIDS WEEKENDTIMESUNDAY
http_access deny LANKIDS porn
http_access deny WLANKIDS porn
http_access deny all


GlennsPref 10-04-2009 10:55 AM

Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 3 million posts to search it's possible the answer has been given. :)

I see an error here, in red:
Code:

acl WEEKTIME time MTWHF 16:00-19:00
acl WEEKENDTIMESATURDAY time A 00:00-00:00
acl WEEKENDTIMESUNDAY time S 00:00-20:00

MTWTF

Monday, Tuesday, Wednesday, Thursday and Friday

Regards Glenn

foubie 10-04-2009 11:04 AM

Quote:

Originally Posted by GlennsPref (Post 3707258)
Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 3 million posts to search it's possible the answer has been given. :)

I see an error here, in red:
Code:

acl WEEKTIME time MTWHF 16:00-19:00
acl WEEKENDTIMESATURDAY time A 00:00-00:00
acl WEEKENDTIMESUNDAY time S 00:00-20:00

MTWTF

Monday, Tuesday, Wednesday, Thursday and Friday

Regards Glenn



I can't find the answer, that's why I am asking it here... I'm so confused about it...

foubie 10-04-2009 01:57 PM

Still doesn't work
 
I tried a lot to get this to work properly, but it still won't work... Anyone here who can help me out? *frustrated :(*

GlennsPref 10-05-2009 06:40 PM

Hi, although I do not use similar restrictions on my system (one user) I have used squid for some time.

The protocols have undergone changes from version to version, and I may miss the mark, but a few discrepancies I see are noted below with references.

Code:

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
#(edit glenn, not sure if the spaces are required(?), and H is correct for tHursday, sorry, my bad)
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

ref. http://www.linuxhomenetworking.com/w...Access_By_Time

should "netmask" be appended to the address ranges?
Code:

ACL TYPE src       
Description          The IP address of the requesting client, or the clients IP Address
Build Option        Default
Usage        acl aclname src ip-address/netmask ... (clients IP address)
        acl aclname src addr1-addr2/netmask ... (range of addresses)

Synopsis Matching done based on clients ip address

Arguments
aclname        Access list name
ip-address Clients ip address
netmask Network mask
add1-addr2 Range of ip address

Example(s)
acl network1 src 172.16.1.0/24 - refers to the whole Network with address 172.16.1.0
acl source1 src 172.16.1.25/32 - refers to a single source
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers range of IP Addresses from 172.16.1.25-172.16.1.35

ref. http://www.visolve.com/squid/squid30...ntrols.php#acl

In the default squid config file it also mentions netmask
Code:

#  TAG: acl
#        Defining an Access List
#
#        Every access list definition must begin with an aclname and acltype,
#        followed by either type-specific arguments or a quoted filename that
#        they are read from.
#
#          acl aclname acltype argument ...
#          acl aclname acltype "file" ...
#
#        When using "file", the file should contain one item per line.
#
#        By default, regular expressions are CASE-SENSITIVE.  To make
#        them case-insensitive, use the -i option.
#
#
#        ***** ACL TYPES AVAILABLE *****
#
#        acl aclname src ip-address/netmask ...                # clients IP address
#        acl aclname src addr1-addr2/netmask ...                # range of addresses
#        acl aclname dst ip-address/netmask ...                # URL host's IP address
#        acl aclname myip ip-address/netmask ...                # local socket IP address
#
#        acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#          # The arp ACL requires the special configure option --enable-arp-acl.
#          # Furthermore, the ARP ACL code is not portable to all operating systems.
#          # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
#          #
#          # NOTE: Squid can only determine the MAC address for clients that are on
#          # the same subnet. If the client is on a different subnet, then Squid cannot
#          # find out its MAC address.
#
#        acl aclname srcdomain  .foo.com ...            # reverse lookup, from client IP
#        acl aclname dstdomain  .foo.com ...            # Destination server from URL
#        acl aclname srcdom_regex [-i] \.foo\.com ...        # regex matching client name
#        acl aclname dstdom_regex [-i] \.foo\.com ...        # regex matching server
#          # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
#          # based URL is used and no match is found. The name "none" is used
#          # if the reverse lookup fails.
#
#        acl aclname src_as number ...
#        acl aclname dst_as number ...
#          # Except for access control, AS numbers can be used for
#          # routing of requests to specific caches. Here's an
#          # example for routing all requests for AS#1241 and only
#          # those to mycache.mydomain.net:
#          # acl asexample dst_as 1241
#          # cache_peer_access mycache.mydomain.net allow asexample
#          # cache_peer_access mycache_mydomain.net deny all
#
#        acl aclname time [day-abbrevs] [h1:m1-h2:m2]
#          #  day-abbrevs:
#          #        S - Sunday
#          #        M - Monday
#          #        T - Tuesday
#          #        W - Wednesday
#          #        H - Thursday
#          #        F - Friday
#          #        A - Saturday
#          #  h1:m1 must be less than h2:m2
#

I hope this helps, sorry for the bum-steer.

regards Glenn

foubie 10-07-2009 08:55 AM

Quote:

Originally Posted by GlennsPref (Post 3708852)
Hi, although I do not use similar restrictions on my system (one user) I have used squid for some time.

The protocols have undergone changes from version to version, and I may miss the mark, but a few discrepancies I see are noted below with references.

Code:

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
#(edit glenn, not sure if the spaces are required(?), and H is correct for tHursday, sorry, my bad)
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

ref. http://www.linuxhomenetworking.com/w...Access_By_Time

should "netmask" be appended to the address ranges?
Code:

ACL TYPE src       
Description          The IP address of the requesting client, or the clients IP Address
Build Option        Default
Usage        acl aclname src ip-address/netmask ... (clients IP address)
        acl aclname src addr1-addr2/netmask ... (range of addresses)

Synopsis Matching done based on clients ip address

Arguments
aclname        Access list name
ip-address Clients ip address
netmask Network mask
add1-addr2 Range of ip address

Example(s)
acl network1 src 172.16.1.0/24 - refers to the whole Network with address 172.16.1.0
acl source1 src 172.16.1.25/32 - refers to a single source
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers range of IP Addresses from 172.16.1.25-172.16.1.35

ref. http://www.visolve.com/squid/squid30...ntrols.php#acl

In the default squid config file it also mentions netmask
Code:

#  TAG: acl
#        Defining an Access List
#
#        Every access list definition must begin with an aclname and acltype,
#        followed by either type-specific arguments or a quoted filename that
#        they are read from.
#
#          acl aclname acltype argument ...
#          acl aclname acltype "file" ...
#
#        When using "file", the file should contain one item per line.
#
#        By default, regular expressions are CASE-SENSITIVE.  To make
#        them case-insensitive, use the -i option.
#
#
#        ***** ACL TYPES AVAILABLE *****
#
#        acl aclname src ip-address/netmask ...                # clients IP address
#        acl aclname src addr1-addr2/netmask ...                # range of addresses
#        acl aclname dst ip-address/netmask ...                # URL host's IP address
#        acl aclname myip ip-address/netmask ...                # local socket IP address
#
#        acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#          # The arp ACL requires the special configure option --enable-arp-acl.
#          # Furthermore, the ARP ACL code is not portable to all operating systems.
#          # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
#          #
#          # NOTE: Squid can only determine the MAC address for clients that are on
#          # the same subnet. If the client is on a different subnet, then Squid cannot
#          # find out its MAC address.
#
#        acl aclname srcdomain  .foo.com ...            # reverse lookup, from client IP
#        acl aclname dstdomain  .foo.com ...            # Destination server from URL
#        acl aclname srcdom_regex [-i] \.foo\.com ...        # regex matching client name
#        acl aclname dstdom_regex [-i] \.foo\.com ...        # regex matching server
#          # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
#          # based URL is used and no match is found. The name "none" is used
#          # if the reverse lookup fails.
#
#        acl aclname src_as number ...
#        acl aclname dst_as number ...
#          # Except for access control, AS numbers can be used for
#          # routing of requests to specific caches. Here's an
#          # example for routing all requests for AS#1241 and only
#          # those to mycache.mydomain.net:
#          # acl asexample dst_as 1241
#          # cache_peer_access mycache.mydomain.net allow asexample
#          # cache_peer_access mycache_mydomain.net deny all
#
#        acl aclname time [day-abbrevs] [h1:m1-h2:m2]
#          #  day-abbrevs:
#          #        S - Sunday
#          #        M - Monday
#          #        T - Tuesday
#          #        W - Wednesday
#          #        H - Thursday
#          #        F - Friday
#          #        A - Saturday
#          #  h1:m1 must be less than h2:m2
#

I hope this helps, sorry for the bum-steer.

regards Glenn

About the H thing, no problem dude :) We all can make mistakes, it's about being human ;)

The netmask thing:

Well, I tried this too... no luck at all... The problem seems to be located somewhere near the order of the http_access lines. I've tried every possible combination... Maybe it could be because I don't know why and when the ! sign is used in those statements. I know squid reads them from top to bottom and stops when it finds a match, but I am still a little confused about the ! sign. I know squid interprets a ! as false, so true & false = false... Due to the complexity of my network layout, it is a little confusing... Anyway, up for some more testing... I still have 70 yrs to make it work ;) lol
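As an added illustration of the ordering and ! points raised in this thread (example code written for this page, not posted by anyone in the thread): a small Python model of Squid's first-match http_access evaluation, using the ACL names and address ranges from the original post. It assumes a constructed two-word list in place of /etc/squid/pornwords.txt, a 23:59 end for the Saturday rule, and a reordered rule list (denies before allows) that is my suggestion, not something from the thread.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# src ACLs: the address ranges from the original post
SRC = {"LANPARENTS": ("10.0.0.10", "10.0.0.100"), "LANKIDS": ("10.0.0.101", "10.0.0.200"),
       "WLANPARENTS": ("10.0.1.1", "10.0.1.10"), "WLANKIDS": ("10.0.1.11", "10.0.1.100")}
# time ACLs with Squid's day codes (S M T W H F A), indexed by datetime.weekday() (0 = Monday).
# Saturday is 00:00-23:59 here because Squid requires h1:m1 < h2:m2 (the post had 00:00-00:00).
DAYS = "MTWHFAS"
TIME = {"WEEKTIME": ("MTWHF", (16, 0), (19, 0)), "WEEKENDTIMESATURDAY": ("A", (0, 0), (23, 59)),
        "WEEKENDTIMESUNDAY": ("S", (0, 0), (20, 0))}
PORNWORDS = ["porn", "xxx"]  # constructed stand-in for /etc/squid/pornwords.txt

def acl_matches(name, req):
    """req = dict(ip, url, authenticated, when='YYYY-MM-DD HH:MM'); True if the ACL matches."""
    if name == "all":
        return True
    if name == "alloninternet":            # proxy_auth REQUIRED
        return req["authenticated"]
    if name == "porn":                     # url_regex -i "/etc/squid/pornwords.txt"
        return any(re.search(w, req["url"], re.I) for w in PORNWORDS)
    if name in SRC:
        lo, hi = (ip_address(a) for a in SRC[name])
        return lo <= ip_address(req["ip"]) <= hi
    days, start, end = TIME[name]
    when = datetime.fromisoformat(req["when"])
    return DAYS[when.weekday()] in days and start <= (when.hour, when.minute) < end

def http_access(rules, req):
    """Squid semantics: lines are tried top to bottom, every ACL on a line must match
    ('!' negates one ACL), and the first matching line decides. If no line matches,
    the result is the opposite of the last line's action."""
    for action, acls in rules:
        terms = [(a.lstrip("!"), not a.startswith("!")) for a in acls]
        if all(acl_matches(n, req) == want for n, want in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

KIDS = ["LANKIDS", "WLANKIDS"]
# The http_access lines as posted: 'allow alloninternet' comes first, so every authenticated
# client (kids included) is allowed before any time or porn rule is even looked at.
ORIGINAL = [("allow", ["alloninternet"]), ("allow", ["LANPARENTS"]), ("allow", ["WLANPARENTS"])]
ORIGINAL += [("allow", [k, t]) for t in TIME for k in KIDS]
ORIGINAL += [("deny", [k, "porn"]) for k in KIDS] + [("deny", ["all"])]
# Same ACLs reordered (assumed fix, not from the thread): denies first, then the allows.
# In real Squid, 'deny !alloninternet' is the line that triggers the 407 login challenge.
CORRECTED = [("deny", ["!alloninternet"])] + [("deny", [k, "porn"]) for k in KIDS]
CORRECTED += [("allow", ["LANPARENTS"]), ("allow", ["WLANPARENTS"])]
CORRECTED += [("allow", [k, t]) for t in TIME for k in KIDS] + [("deny", ["all"])]
```

With the posted order, an authenticated kid at 10.0.0.150 on a Monday morning gets "allow" from the very first line; with the reordered list the same request falls through to "deny all", while the same kid at 17:30 is allowed and a URL matching the word list is denied.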
