In this how-to I describe how to bind MAC addresses to IPs so that users on your network cannot change their IPs to bypass filtering. To ease the setup I will create small scripts to simplify our work. I will not describe here how to configure squid and how to run it; I assume you have already configured it.
1) Grep MAC Addresses
Let's suppose we have 10 machines with the IP range 192.168.0.1 – 192.168.0.10; you have to get the MAC address of each of them using the following command.
Be sure your machines are up and pingable, else you will get empty lines and you will have to remove them manually.
for i in `seq 1 10`; do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk '{print $1 " " $3}' >> ip-mac.txt; done
This command will collect the required MAC addresses with their IPs in a file named ip-mac.txt:
cat ip-mac.txt
192.168.0.1 00:1D:09:6B:3C:28
192.168.0.2 00:1D:09:6A:EA:02
192.168.0.3 00:1D:09:71:2C:34
192.168.0.4 00:1D:09:6A:CB:85
192.168.0.5 00:1D:09:6A:C3:15
192.168.0.6 00:1D:09:6A:CA:8B
192.168.0.7 00:1D:09:6A:CB:DA
192.168.0.8 00:1D:09:6A:CC:34
192.168.0.9 00:1D:09:6B:11:76
192.168.0.10 00:1D:09:6B:36:6F
2) Create ACL For SQUID.
I will create a small bash script to ease my work.
To get the ACLs for the MAC addresses:
i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 2 -d " "`; echo "acl mac$i arp $b" >> squid-mac-filter.txt; i=`expr $i + 1`; done
cat squid-mac-filter.txt
acl mac1 arp 00:1D:09:6B:3C:28
acl mac2 arp 00:1D:09:6A:EA:02
acl mac3 arp 00:1D:09:71:2C:34
acl mac4 arp 00:1D:09:6A:CB:85
acl mac5 arp 00:1D:09:6A:C3:15
acl mac6 arp 00:1D:09:6A:CA:8B
acl mac7 arp 00:1D:09:6A:CB:DA
acl mac8 arp 00:1D:09:6A:CC:34
acl mac9 arp 00:1D:09:6B:11:76
acl mac10 arp 00:1D:09:6B:36:6F
To get the ACLs for the IPs:
i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 1 -d " "`; echo "acl ip$i src $b" >> squid-ip-filter.txt; i=`expr $i + 1`; done
cat squid-ip-filter.txt
acl ip1 src 192.168.0.1
acl ip2 src 192.168.0.2
acl ip3 src 192.168.0.3
acl ip4 src 192.168.0.4
acl ip5 src 192.168.0.5
acl ip6 src 192.168.0.6
acl ip7 src 192.168.0.7
acl ip8 src 192.168.0.8
acl ip9 src 192.168.0.9
acl ip10 src 192.168.0.10
To generate the http_access allow lines, you have to take the highest number in your list of IPs and MACs. Here I have 10; surely both will be the same 🙂
for i in `seq 1 10`; do echo "http_access allow mac$i ip$i" >> http-access-squid.txt; done
cat http-access-squid.txt
http_access allow mac1 ip1
http_access allow mac2 ip2
http_access allow mac3 ip3
http_access allow mac4 ip4
http_access allow mac5 ip5
http_access allow mac6 ip6
http_access allow mac7 ip7
http_access allow mac8 ip8
http_access allow mac9 ip9
http_access allow mac10 ip10
Now concatenate the three files, i.e. squid-mac-filter.txt, squid-ip-filter.txt and http-access-squid.txt:
cat squid-mac-filter.txt squid-ip-filter.txt http-access-squid.txt >> acl-final.txt
and copy the content of acl-final.txt into the appropriate location in squid.conf; don't forget to put http_access deny all at the end :).
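The whole procedure in one pass, as an added example that is not the post's own script: it parses arp -n output (a constructed sample here), drops incomplete or malformed entries, and emits the same numbered arp/src ACLs and http_access lines as above, with deny all last.

```shell
#!/bin/sh
# Added example, not the post's own script: builds the squid.conf fragment the
# how-to assembles by hand (one "arp" ACL and one "src" ACL per host, paired in
# an http_access allow line, then deny all) straight from "arp -n" output.
# Caveat: Squid's arp ACL only sees the MAC of clients on the same Layer 2
# segment as the proxy; behind a router every client shows the router's MAC.

# Constructed sample of Linux "arp -n" output (net-tools layout); the
# incomplete entry and the malformed MAC must be dropped, not passed on.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   00:1D:09:6B:3C:28   C                     eth0
192.168.0.2                      (incomplete)                              eth0
192.168.0.3              ether   00:1d:09:71:2c:34   C                     eth0
192.168.0.4              ether   zz:11:22:33:44:55   C                     eth0'

# pairs: arp output on stdin -> "IP MAC" lines for complete, well-formed
# entries only. MACs are upper-cased so they match what Squid logs.
pairs() {
    awk 'NR > 1 && $2 == "ether" && length($3) == 17 &&
         $3 ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/ {
             print $1 " " toupper($3)
         }'
}

# acls: "IP MAC" pairs on stdin -> the squid.conf fragment. ACL names are
# numbered so mac$n and ip$n always refer to the same host.
acls() {
    awk 'NF == 2 { n++; ip[n] = $1; mac[n] = $2 }
         END {
             for (i = 1; i <= n; i++) print "acl mac" i " arp " mac[i]
             for (i = 1; i <= n; i++) print "acl ip" i " src " ip[i]
             for (i = 1; i <= n; i++) print "http_access allow mac" i " ip" i
             print "http_access deny all"
         }'
}

# Run the whole pipeline on the sample; on a live proxy replace the printf
# with a real "arp -n" (after pinging each host so the table is populated).
build_fragment() {
    printf '%s\n' "$SAMPLE_ARP" | pairs | acls
}

build_fragment
```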
For more help on it, please use the comments.
Thanks a lot, janab,
but I have one query:
how will the line look like?
acl BLOCK acl-final.txt
http_access deny all
If I am wrong then please correct me. Secondly, must it be placed on top of all the ACLs which I defined?
The acl-final.txt contains the ACLs for src and maps them with http_access allow lines, binding MAC with IP.
You have to copy the content from acl-final.txt and paste it above your ACLs.
Regards,
Dear Sohail bhai,
A very nice HowTo for newbies.
Let me share a tip to make it clearer, and to make adding/removing new IPs/MACs easy.
1. vi /etc/squid/whitelistips.txt
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
192.168.0.6
192.168.0.7
192.168.0.8
192.168.0.9
192.168.0.10
2. vi /etc/squid/whitelistmacs.txt
00:1D:09:6B:3C:28
00:1D:09:6A:EA:02
00:1D:09:71:2C:34
00:1D:09:6A:CB:85
00:1D:09:6A:C3:15
00:1D:09:6A:CA:8B
00:1D:09:6A:CB:DA
00:1D:09:6A:CC:34
00:1D:09:6B:11:76
00:1D:09:6B:36:6F
insert the following lines just under "acl all src 0.0.0.0/0.0.0.0"
acl whitelistips src "/etc/squid/whitelistips.txt"
acl whitelistmacs arp -i "/etc/squid/whitelistmacs.txt"
and paste the following line under "acl CONNECT method CONNECT"
http_access allow whitelistips whitelistmacs
No need to add deny all, as it is already defined further down in the configuration file.
Correct me if I am wrong.
Salam
What you wrote is for users who can have IPs in the specified range, i.e. 1 to 10; then there is no need to define MAC addresses.
Here I bind a MAC with one IP address so that the user can't change his machine to bypass the squid filters.
And ACLs with http_access allow rules can be written anywhere above http_access deny all.
Regards,
Good, got it now. I guess it would bind the IPs one by one with each MAC address in that file.
Thanks.
Hi everybody,
I want a specific MAC to bypass the proxy.
How can I achieve this task?
I prefer through squid.
Reply please.
hi sir, I want some help from your side.
I am using this command:
for i in `seq 1 10`; do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” “ $3}’ >> ip-mac.txt; done
but in ip-mac.txt no information is stored about our network...
so please help me how to use this command; also it says awk is not valid. I am using RHEL 5 for the squid server. Please help me how to bind MAC with IP in our network; my network is 172.0.1.22 to 172.0.1.98
Hi,
I think the problem is in the character display. Kindly check the full command before executing, because I think the single quote ' gets converted to another character.
[root@xserver ~]# for i in `seq 21 30`; do ping -c 1 172.0.1.$i; arp -n 172.0.1.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” “ $3}’ >> ip-mac.txt; done
PING 172.0.1.21 (172.0.1.21) 56(84) bytes of data.
64 bytes from 172.0.1.21: icmp_seq=1 ttl=255 time=2.75 ms
— 172.0.1.21 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.758/2.758/2.758/0.000 ms
awk: ‘{print
awk: ^ invalid char ‘�’ in expression
PING 172.0.1.22 (172.0.1.22) 56(84) bytes of data.
— 172.0.1.22 ping statistics —
1 packets transmitted, 0 received, 100% packet loss, time 0ms
awk: ‘{print
awk: ^ invalid char ‘�’ in expression
PING 172.0.1.23 (172.0.1.23) 56(84) bytes of data.
64 bytes from 172.0.1.23: icmp_seq=1 ttl=64 time=0.218 ms
— 172.0.1.23 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms
awk: ‘{print
awk: ^ invalid char ‘�’ in expression
PING 172.0.1.24 (172.0.1.24) 56(84) bytes of data.
64 bytes from 172.0.1.24: icmp_seq=1 ttl=64 time=0.240 ms
— 172.0.1.24 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.240/0.240/0.240/0.000 ms
awk: ‘{print
awk: ^ invalid char ‘�’ in expression
PING 172.0.1.25 (172.0.1.25) 56(84) bytes of data.
64 bytes from 172.0.1.25: icmp_seq=1 ttl=64 time=0.226 ms
— 172.0.1.25 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.226/0.226/0.226/0.000 ms
awk: ‘{print
awk: ^ invalid char ‘�’ in expression
PING 172.0.1.26 (172.0.1.26) 56(84) bytes of data.
64 bytes from 172.0.1.26: icmp_seq=1 ttl=64 time=0.211 ms
— 172.0.1.26 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.211/0.211/0.211/0.000 ms
awk: ‘{print
awk: ^ invalid char ‘�’ in expression
………………….
I have run this type of command and I got this type of result, so would you help me please? I am not getting any information in ip-mac.txt; it's blank. I am using Red Hat Enterprise Linux 5. Please help me.
The problem is in this statement:
awk ‘{print $1 ” “ $3}’
Before { and after } there should be single quotes, and you are putting backquotes. Please change these to single quotes and try; it will work fine.
awk '{print $1 " " $3}'
Regards,
hi,
please help me. I am unable to use the net via MAC in squid.
I used: acl mac1 arp XX:xx:xx:xx:XX:xx
http_access allow mac1
but when I restart squid, it fails.
Why don't you go through iptables?
Through iptables you can also restrict/allow specific users
to bypass/block the traffic.
@Tauseef: Please send me your squid.conf file so that I can see where it fails. You can also see the error log in /var/log/messages.
@Rashid: First, if you have configured the squid proxy for sharing; second, I want to block users by using their computer. By binding IP with MAC, the user will be unable to bypass the proxy by changing his IP, as his MAC and IP will be entered in squid to check. If they match then it can be allowed or denied; if not, it is just denied.
You are right,
but in my scenario, after configuring squid (with a two LAN card setup) users are unable to send/receive email; for this purpose I configured iptables to forward ports 25/110.
When we say squid, that means only web traffic, which includes http and https.
You are right that for other services like smtp, pop, imap, or to send/receive emails using Outlook, you have to enable NAT on your gateway server.
sir, I have sent you my squid.conf and messages file on your email id, so please check it and tell me where the problem is.
Is it possible that I can access my proxy server (Fedora) system from my home PC?
please guide
ok,
now if you are NATing
then users can bypass the proxy easily.
So what I do is only pass port 25/110 traffic through NAT and block port 80 traffic from my internal network side.
Any idea or suggestion will be appreciated.
Regards,
Rashid
1st: You can easily access your proxy server from anywhere; just use the correct proxy IP and port in the browser.
2nd: I clearly said at the start of my howto that I will not show how to configure squid. I presume it is already configured, and you use this howto to set up your network to bypass the proxy.
Use these commands to establish a transparent proxy and restrict users to use squid for web traffic:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -j REDIRECT --to-ports 3128
Regards,
1st: but I don't want the transparent proxy. I want every user to give proxy configuration.
2nd: whose IP...? local eth IP or what..?
sorry, a little confusing
and in these iptables commands
I want to know if you could cut these commands into pieces and convert them into
e.g.
iptables Switch Nat|abc|xz -A POSTROUTING|PREROUTING -o ………………..
like this, because this thing will really help a lot to amend the line as required
please help
Thanks
Rashid
secondly at my home I have the same setup (using CentOS (squid) + one client PC)
For your configuration
##NAT## -p tcp --dport 3128 -j ACCEPT -p tcp --dport 25 -j ACCEPT -p tcp --dport 143 -j ACCEPT -p tcp --dport 80 -j DROP
iptables -t nat -A POSTROUTING -o eth0|eth1|device -j MASQUERADE
##ACCEPT FOR SQUID##
iptables -t nat -A PREROUTING -s
##ACCEPT FOR SMTP##
iptables -t nat -A PREROUTING -s
##ACCEPT FOR IMAP##
iptables -t nat -A PREROUTING -s
##DROP FOR PORT 80##
iptables -t nat -A PREROUTING -s
ok, yesterday at home I had the same configuration;
while the firewall is off the net is working and everything is fine, but when I enable my firewall
then no browsing.
And what about remote access?
I want MSN Messenger to run only on my computer.
please guide
thanks
your guide is very helpful for me
Aug 20 11:33:49 xserver squid: Bungled squid.conf line 2533: acl mac1 arp 00:21:97:31:83:B0
sir, when I changed the configuration according to your guidance, the same problem occurred again: squid service failed. sir, please help me, I have been trying for so many days but am not able to solve this problem.
sir, I want some users to browse for some time, e.g. one hour in a day (from 11:00 a.m. to 12:00 p.m.).
How to configure this in squid,
through IP or through MAC?
please guide
acl timelock time SMTWHFA 11:00-12:00
acl ip1 src 192.168.1.1
http_access deny ip1 timelock
thanks for the reply.
brother, I want torrent to be blocked;
tried but did not succeed.
please help.
FYI
http://www.ipp2p.org/
http://l7-filter.sourceforge.net/
Sir, I want to go for RHCE certification. Please guide me about the curriculum, paper description, e.g. paper code, etc.
thanks in advance..
and that ipp2p still has bugs.
please suggest any alternative.
For RHCE Certification and exam code
http://www.redhat.com/certification/rhce/
It's a 3.5 hour exam, consisting of troubleshooting and configuration.
It is a totally practical exam; you will get questions which you have to perform practically on a Linux machine.
Remember that the RHCE books from Red Hat are the curriculum of the RHCE exam. The exam will be conducted within the RHCE books, so follow the books and practise a lot.
If you want, I will help you to set up a lab for it.
thanks
It's my pleasure, and please tell me the name of the book including the author and other details.
so referring to your Ramadan offer ………… hmmmmmmmmmmm
please guide me to set up the lab at my home.
thanks in advance.
regards,
rashid
Rashid, you have to follow the Red Hat books. Where do you live in PK?
Techno-Ed is the training partner of Red Hat India in Pakistan.
sir, after looking deeply in the site I found that there are two certifications, RHCT and RHCE.
In RHCT:
Exam Preparation
Courses you should take:
RH033
RH131 Red Hat System Administration
or
RH133 Red Hat Linux Administration (and RHCT Exam)
these are syllabus codes, but where is the exam code?
please reply ..
rashid
basically I am from Pakistan, but right now I am in Saudi Arabia.
There are two certifications, RHCT and RHCE.
You can take RHCT alone, but to pass RHCE you have to pass RHCT.
When you sit the RHCE exam, they will conduct both RHCT and RHCE and will certify whichever you pass. But remember, to become RHCE you have to pass RHCT.
RH033 Basics
RH133 System Administration
RH253 Network and Security.
RHCE exam code: RH302
I am also Pakistani but live in Saudi Arabia (Al-Khobar); where do you live?
oh, what a coincidence... I am living in Jubail.
That's great; how can we coordinate with each other?
brother, what's your cell number?
Sohail bhai,
You are always nice.
Dear brother, do you have some study material and lab manuals for RH302?
Tomorrow I am coming to Khobar for aftari.
please reply at your earliest.
regards,
rashid
@alam: 🙂 thanks.
@rashid: send me an email using Contact Us, then I will reply to you and give you contact details.
Regards,
as a person you are very nice, and your doc is very helpful.
yesterday I tried to install the VLC player in CentOS
using yum, but as a result it gave a lot of dependency errors.
please guide how to resolve this dependency issue.
regards,
rashid
1) Enable the rpmforge repository
###For i386 / i686###
###############
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#############
###For x86_64###
#############
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
############################
Then
yum -y install vlc
vlc-0.8.6a-2.fc1.rf.i386 from vlc-0.8.6a-2.fc1.rf.i386.rpm has depsolving problems
--> Missing Dependency: libFLAC.so.4 is needed by package vlc-0.8.6a-2.fc1.rf.i386 (vlc-0.8.6a-2.fc1.rf.i386.rpm)
Error: Missing Dependency: libFLAC.so.4 is needed by package vlc-0.8.6a-2.fc1.rf.i386 (vlc-0.8.6a-2.fc1.rf.i386.rpm)
[root@localhost softwares]#
at the end it is only showing a message like this
Fedora 9 (Sulphur), Fedora 10 (Cambridge) and Fedora 11 (Leonidas)
Use RPM Fusion for F9, F10 and F11 (available for x86, x86_64, ppc and ppc64)
Install rpmfusion-free-release-stable.noarch.rpm for F9, F10 and F-11.
$> su -
#> rpm -ivh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
#> yum install vlc
#> yum install mozilla-vlc (optional)
AT LAST SUCCESSFULLY INSTALLED THROUGH THE ABOVE MENTIONED PROCEDURE
brother, I am waiting for your further instructions regarding the certification.
rpmfusion is the combination of rpmforge (freshrpms), livna and some other repositories. Maybe the repository misses something when using only rpmforge.
The lab setup I have for RHCE is for version 4, but it can be used with version 5 (current RHCE). I am waiting for the books; in what form do you want them?
tell me one thing: how do you know that these repositories are missing?
I want to know that logic... however, please update me as soon as you get the books or any other material. Nowadays I am using the shell commands and working on the vi editor;
interesting commands.
two days ago I tried to learn shell scripting; at that time I didn't understand, but now I understand a little that it is only a game of commands
like grep etc.
interesting thing
brother, today I installed an Apache server with phpMyAdmin support;
while trying to login through http://127.0.0.1/phpmyadmin
it is asking for a username/password.
I provide the root username/password
but am still unable to login.
please help
What type of connection are you using in your configuration.ini of phpMyAdmin,
tcp or socket?
Use socket if it's a socket, and you will be in.
Regards,
brother, yesterday night both my network card drivers got deleted, and I tried a lot to reinstall them but failed.
At the end it came to my knowledge that the Realtek 3139D has an old dumsmani with linux, and the solution is just to blacklist 8139cp and add
alias 8139D
now both network card drivers are installed,
but I am getting this error:
Bringing up interface GigaStorey: RTNETLINK answers: File exists
Error adding address 192.168.xx.x for eth0.
[ OK ]
please help me to solve this issue
@Rashid: Sorry, I was out for some days.
Your system might have an IP configuration file (ifcfg-eth0) for it in
/etc/sysconfig/network-scripts
/etc/sysconfig/networking/devices
/etc/sysconfig/networking/profiles
Remove the extra one and the error will be gone.
Regards,