LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 10-04-2009, 11:03 AM   #1
foubie
LQ Newbie
 
Registered: Oct 2009
Posts: 4

Rep: Reputation: 0
SQUID: Can anyone help me out with the ACL's


Hey you guys, I have got a question to all you linux wizzards. I can't figure it out by myself, so maybe one of you guys can help me with the squid config file.

I have 2 networks, both used by parents and kids; but they all have a specific adress range.

Wired: parents have the IP range 10.0.0.10 to .100 and the kids have the range 10.0.101 to .200.
Wireless: parents have the range 10.0.1.1 to .10 and the kids from 10.0.1.11 to .100

What i want is that both, parents and kids, to authenticate themselves on the proxysever using the ncsa_auth program. The kids, on both networks are allowed to surf the internet from monday to friday from 16:00 (4pm) to 19:00 (7pm). Saturday they can surf the entire day and on sunday until 20:00 (8pm). The kids are also not allowed to visit websites containing the words in pornwords.txt (acl porno url_regex -i "/etc/squid pornwords.txt").

Can anyone help me correct this or help me set the squid.conf up?





So the squid.conf would be:


Code:
http_port 8080

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

acl alloninternet proxy_auth REQUIRED
acl porn url_regex -i "/etc/squid/pornwords.txt"


acl all src 0.0.0.0/0.0.0.0
acl LANPARENTS src 10.0.0.10-10.0.0.100
acl LANKIDS src 10.0.0.101-10.0.0.200
acl WLANPARENTS src 10.0.1.1-10.0.1.10
acl WLANKIDS src 10.0.1.11-10.0.1.100

acl WEEKTIME time MTWHF 16:00-19:00
acl WEEKENDTIMESATURDAY time A 00:00-00:00
acl WEEKENDTIMESUNDAY time S 00:00-20:00

http_access allow alloninternet
http_access allow LANPARENTS
http_access allow WLANPARENTS
http_access allow LANKIDS WEEKTIME
http_access allow WLANKIDS WEEKTIME
http_access allow LANKIDS WEEKENDTIMESATURDAY
http_access allow WLANKIDS WEEKENDTIMESATURDAY
http_access allow LANKIDS WEEKENDTIMESUNDAY
http_access allow WLANKIDS WEEKENDTIMESUNDAY
http_access deny LANKIDS porn
http_access deny WLANKIDS porn
http_access deny all

Last edited by foubie; 10-04-2009 at 11:20 AM. Reason: title change
 
Old 10-04-2009, 11:55 AM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,414
Blog Entries: 33

Rep: Reputation: 222Reputation: 222Reputation: 222
Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 3 million posts to search it's possible the answer has been given.

I see and error here, in red
Code:
acl WEEKTIME time MTWHF 16:00-19:00
acl WEEKENDTIMESATURDAY time A 00:00-00:00
acl WEEKENDTIMESUNDAY time S 00:00-20:00
MTWTF

Monday, Tuesday, Wednesday, Thursday and Friday

Regards Glenn
 
Old 10-04-2009, 12:04 PM   #3
foubie
LQ Newbie
 
Registered: Oct 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by GlennsPref View Post
Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 3 million posts to search it's possible the answer has been given.

I see and error here, in red
Code:
acl WEEKTIME time MTWHF 16:00-19:00
acl WEEKENDTIMESATURDAY time A 00:00-00:00
acl WEEKENDTIMESUNDAY time S 00:00-20:00
MTWTF

Monday, Tuesday, Wednesday, Thursday and Friday

Regards Glenn


I can't find the answer, that's why i am asking it here.. I'm so confused about it...
 
Old 10-04-2009, 02:57 PM   #4
foubie
LQ Newbie
 
Registered: Oct 2009
Posts: 4

Original Poster
Rep: Reputation: 0
still don't work

I tried alot to get this to work properly, but it still won't work... anyone here who can help me out... *frustrated *
 
Old 10-05-2009, 07:40 PM   #5
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,414
Blog Entries: 33

Rep: Reputation: 222Reputation: 222Reputation: 222
Hi, although I do not use similar restrictions on my system (one user) I have used squid for some time.

The protocols have undergone changes from version to version, and I may miss the mark, but a few discrepancies I see are notated below with references.

Code:
 Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
#(edit glenn, not sure if the spaces are required(?), and H is correct for tHursday, sorry, my bad)
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
ref. http://www.linuxhomenetworking.com/w...Access_By_Time

should "netmask" be appended to the address ranges?
Code:
ACL TYPE src	
Description 	 The IP address of the requesting client, or the clients IP Address
Build Option	 Default
Usage	 acl aclname src ip-address/netmask ... (clients IP address)
         acl aclname src addr1-addr2/netmask ... (range of addresses)

Synopsis Matching done based on clients ip address

Arguments
aclname	 Access list name
ip-address Clients ip address
netmask Network mask
add1-addr2 Range of ip address

Example(s)
acl network1 src 172.16.1.0/24 - refers to the whole Network with address 172.16.1.0
acl source1 src 172.16.1.25/32 - refers to a single source
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers range of IP Addresses from 172.16.1.25-172.16.1.35
ref. http://www.visolve.com/squid/squid30...ntrols.php#acl

In the default squid config file it also mentions netmask
Code:
#  TAG: acl
#	Defining an Access List
#
#	Every access list definition must begin with an aclname and acltype, 
#	followed by either type-specific arguments or a quoted filename that
#	they are read from.
#
#	   acl aclname acltype argument ...
#	   acl aclname acltype "file" ...
#
#	When using "file", the file should contain one item per line.
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
#
#	***** ACL TYPES AVAILABLE *****
#
#	acl aclname src ip-address/netmask ...		# clients IP address
#	acl aclname src addr1-addr2/netmask ...		# range of addresses
#	acl aclname dst ip-address/netmask ...		# URL host's IP address
#	acl aclname myip ip-address/netmask ...		# local socket IP address
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the ARP ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet, then Squid cannot
#	  # find out its MAC address.
#
#	acl aclname srcdomain   .foo.com ...    	# reverse lookup, from client IP
#	acl aclname dstdomain   .foo.com ...    	# Destination server from URL
#	acl aclname srcdom_regex [-i] \.foo\.com ...	# regex matching client name
#	acl aclname dstdom_regex [-i] \.foo\.com ...	# regex matching server
#	  # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
#	  # based URL is used and no match is found. The name "none" is used
#	  # if the reverse lookup fails.
#
#	acl aclname src_as number ...
#	acl aclname dst_as number ...
#	  # Except for access control, AS numbers can be used for
#	  # routing of requests to specific caches. Here's an
#	  # example for routing all requests for AS#1241 and only
#	  # those to mycache.mydomain.net:
#	  # acl asexample dst_as 1241
#	  # cache_peer_access mycache.mydomain.net allow asexample
#	  # cache_peer_access mycache_mydomain.net deny all
#
#	acl aclname time [day-abbrevs] [h1:m1-h2:m2]
#	  #  day-abbrevs:
#	  #	S - Sunday
#	  #	M - Monday
#	  #	T - Tuesday
#	  #	W - Wednesday
#	  #	H - Thursday
#	  #	F - Friday
#	  #	A - Saturday
#	  #  h1:m1 must be less than h2:m2
#
I hope this helps, sorry for the bum-steer.

regards Glenn
 
Old 10-07-2009, 09:55 AM   #6
foubie
LQ Newbie
 
Registered: Oct 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by GlennsPref View Post
Hi, although I do not use similar restrictions on my system (one user) I have used squid for some time.

The protocols have undergone changes from version to version, and I may miss the mark, but a few discrepancies I see are notated below with references.

Code:
 Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
#(edit glenn, not sure if the spaces are required(?), and H is correct for tHursday, sorry, my bad)
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
ref. http://www.linuxhomenetworking.com/w...Access_By_Time

should "netmask" be appended to the address ranges?
Code:
ACL TYPE src	
Description 	 The IP address of the requesting client, or the clients IP Address
Build Option	 Default
Usage	 acl aclname src ip-address/netmask ... (clients IP address)
         acl aclname src addr1-addr2/netmask ... (range of addresses)

Synopsis Matching done based on clients ip address

Arguments
aclname	 Access list name
ip-address Clients ip address
netmask Network mask
add1-addr2 Range of ip address

Example(s)
acl network1 src 172.16.1.0/24 - refers to the whole Network with address 172.16.1.0
acl source1 src 172.16.1.25/32 - refers to a single source
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers range of IP Addresses from 172.16.1.25-172.16.1.35
ref. http://www.visolve.com/squid/squid30...ntrols.php#acl

In the default squid config file it also mentions netmask
Code:
#  TAG: acl
#	Defining an Access List
#
#	Every access list definition must begin with an aclname and acltype, 
#	followed by either type-specific arguments or a quoted filename that
#	they are read from.
#
#	   acl aclname acltype argument ...
#	   acl aclname acltype "file" ...
#
#	When using "file", the file should contain one item per line.
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
#
#	***** ACL TYPES AVAILABLE *****
#
#	acl aclname src ip-address/netmask ...		# clients IP address
#	acl aclname src addr1-addr2/netmask ...		# range of addresses
#	acl aclname dst ip-address/netmask ...		# URL host's IP address
#	acl aclname myip ip-address/netmask ...		# local socket IP address
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the ARP ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet, then Squid cannot
#	  # find out its MAC address.
#
#	acl aclname srcdomain   .foo.com ...    	# reverse lookup, from client IP
#	acl aclname dstdomain   .foo.com ...    	# Destination server from URL
#	acl aclname srcdom_regex [-i] \.foo\.com ...	# regex matching client name
#	acl aclname dstdom_regex [-i] \.foo\.com ...	# regex matching server
#	  # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
#	  # based URL is used and no match is found. The name "none" is used
#	  # if the reverse lookup fails.
#
#	acl aclname src_as number ...
#	acl aclname dst_as number ...
#	  # Except for access control, AS numbers can be used for
#	  # routing of requests to specific caches. Here's an
#	  # example for routing all requests for AS#1241 and only
#	  # those to mycache.mydomain.net:
#	  # acl asexample dst_as 1241
#	  # cache_peer_access mycache.mydomain.net allow asexample
#	  # cache_peer_access mycache_mydomain.net deny all
#
#	acl aclname time [day-abbrevs] [h1:m1-h2:m2]
#	  #  day-abbrevs:
#	  #	S - Sunday
#	  #	M - Monday
#	  #	T - Tuesday
#	  #	W - Wednesday
#	  #	H - Thursday
#	  #	F - Friday
#	  #	A - Saturday
#	  #  h1:m1 must be less than h2:m2
#
I hope this helps, sorry for the bum-steer.

regards Glenn
About the H thing, no problem dude We all can make mistakes, it's about being human

The Netmask thing:

Well, i tried this too... no luck at all... the problem seems to be somewhere located near the order of the http_access. I've tried any possible combination... Maybe, it could be because i don't know why the and when the ! sign is used in thoseh a statements.. I know squid reads them from top to bottom and stops when he finds a match, but i still am a little confused about the ! sign. I know squid interpreterps a ! as false, so true & false = false... Due to the complexity of my network layout, it is a little confusing... anyway, up for some more testing... I still got 70 yrs to make it work lol
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration