In this how to i describe how to bind MAC with IP to restrict users in your network to change their IP’s to bypass filtering. To ease the setup i will create small scripts to simplify our work. Here i will not describe how to config squid and how to run it. I assume you have already configure it.
1) Grep MAC Addresses
Let suppose we have 10 machines with IPs range 192.168.0.1 – 192.168.0.10, you have to get mac address for them using following command.
Besure your machines are up and pingable, else you will get empty lines and you have to remove them manually.
for i in
seq 1 10; do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” ” $3}’ >> ip-mac.txt; done
This command will get required mac address with IP in a file named ip-mac.txt
cat ip-mac.txt
192.168.0.1 00:1D:09:6B:3C:28
192.168.0.2 00:1D:09:6A:EA:02
192.168.0.3 00:1D:09:71:2C:34
192.168.0.4 00:1D:09:6A:CB:85
192.168.0.5 00:1D:09:6A:C3:15
192.168.0.6 00:1D:09:6A:CA:8B
192.168.0.7 00:1D:09:6A:CB:DA
192.168.0.8 00:1D:09:6A:CC:34
192.168.0.9 00:1D:09:6B:11:76
192.168.0.10 00:1D:09:6B:36:6F
2) Create ACL For SQUID.
I will create a small bash script to easy my work.
To get acl for mac
i=1
cat ip-mac.txt | while read a; do b=echo $a | cut -f 2 -d " "; echo “acl mac$i arp $b” >> squid-mac-filter.txt; i=expr $i + 1; done
cat squid-mac-filter.txt
acl mac1 arp 00:1D:09:6B:3C:28
acl mac2 arp 00:1D:09:6A:EA:02
acl mac3 arp 00:1D:09:71:2C:34
acl mac4 arp 00:1D:09:6A:CB:85
acl mac5 arp 00:1D:09:6A:C3:15
acl mac6 arp 00:1D:09:6A:CA:8B
acl mac7 arp 00:1D:09:6A:CB:DA
acl mac8 arp 00:1D:09:6A:CC:34
acl mac9 arp 00:1D:09:6B:11:76
acl mac10 arp 00:1D:09:6B:36:6F
To get acl for ip
i=1
cat ip-mac.txt | while read a; do b=echo $a | cut -f 1 -d " "; echo “acl ip$i src $b” >> squid-ip-filter.txt; i=expr $i + 1; done
cat squid-ip-filter.txt
acl ip1 src 192.168.0.1
acl ip2 src 192.168.0.2
acl ip3 src 192.168.0.3
acl ip4 src 192.168.0.4
acl ip5 src 192.168.0.5
acl ip6 src 192.168.0.6
acl ip7 src 192.168.0.7
acl ip8 src 192.168.0.8
acl ip9 src 192.168.0.9
acl ip10 src 192.168.0.10
To generate http_access allow lines, you have to get the max number of your list of IP’s and MAC’s. Here i have is 10, sure both will be the same 🙂
for i in
seq 1 10; do echo “http_access allow mac$i ip$i” >> http-access-squid.txt; done
cat http-access-squid.txt
http_access allow mac1 ip1
http_access allow mac2 ip2
http_access allow mac3 ip3
http_access allow mac4 ip4
http_access allow mac5 ip5
http_access allow mac6 ip6
http_access allow mac7 ip7
http_access allow mac8 ip8
http_access allow mac9 ip9
http_access allow mac10 ip10
Now concatinate three files i.e squid-ip-filter.txt, squid-mac-filter.txt and http_access_squid.txt
cat squid-mac-filter.txt squid-ip-filter.txt http-access-squid.txt >> acl-final.txt
and copy from acl-final.txt to paste on appropriate location in squid.conf, dont forget to put http_access deny all on the last :).
To get more help on it please use comments.
@Rashid: If you need books for RHCE, kindly call me for it that we can decide how to give you ?
Sohail bhai: Umrah Mubarik.
I solved that problem that made little amendments in ifcfg-eth0 file and restart and then again put IPs so problem solved.
How to configure the DNS and
like active directory can we create users in Linux and authenticate the windows clients through him……..
seconly in squid access.log file he shows only IP address
Is there any way to specifically see that which user is downloading and how much and can username appears in log file………..
1) You have to configure NIS Server for centralized login. You can find good DNS articles from google.com, use one and we will discuss if there is any problem. I have written dynamic dns post, you can find it here.
http://www.sohailriaz.com/how-to-configure-dynamic-dns-fedora-core-4-setup/
#############################
#############################
2)It depends on what access list you have defined. If you defined access list using IP addresses, you will only see IP addresses. To see which user seeing what enable user authentication in squid and it can also be seen by using my another post.
http://www.sohailriaz.com/anonymous-proxy-using-squid-3/
hi sir…how will i configure –enable-arp-acl in squid……i m not getting correct path so please help me…..
hi sir, happy eid mubarik
sir I want to know about disk partition in Linux and also want to install the RHCE enterprise edition 5
have two partitions with one 80 G.B harddisk
/dev/hda1 and /dev/hda2
Device Boot Start end Blocks id system
/dev/hda1 * 1 15 83 linux
/dev/hda2 16 9729 8e linux LVM
DO I HAVE SOME REMAINING SPACE…….?
and If I want to do further partitions in existing then how……?
here their is any concept of primary and secondary(logical) partitions………?
kindly help to understand this concept and if there is any relevant video then its very helpful for me………..
Kind regards,
OOOOppps
I delete the /dev/hda2 partition and again create the extended partition through fdisk……..and then create further logical partitions…….
now after restarting he give me below mentioned error
kernel panic– not syncing: attempted to kill init!
now sir,,
how to resolve this problem
please help me
@Rashid: You have done already. what i see from your partition table i.e
/dev/hda1 was /boot partition and /dev/hda2 is was LVM and which was further divided to hold / and other partition.
Now as you already deleted everything, please reinstall your desired OS.
You need to learn what/when and how to delete partition in linux.
————–
Regards,
sir, /dev/hda1 is my boot partition and i think operating system should reside on that partition….
if I deleted /dev/hds2 then what I do wrong
kindly brief me OR JUST refer me some documentation about LVM …….
and sir where is my books……
best regards,
Rashid
and sir, Can you please provide me the RHCE enterprise edition CD…………
@Rashid, I will give books on saturday for photostate as i went to makkah and didnt get time on return to give it for photostate.
For RedHat CD’s i have them in my computer in office. How can i deliver to you.
———————
Regards,
sir I will ask my friend to collect the CD’s from you on saturday sir if it is possible then plz give the books to photocopier for photocopies by saturday morning so he done his job till evening and then My friend will collect the books along with the CD’s from you in the evening at 7 to p p.m.
sir, I will also call you Saturday early morning……
sir whats about the solution of this problem theory wise
Sir, I start reading the first book……… interesting and not difficult too………..
sir, I need the cd’s for hands on the labs
please upload and forward me the link…
Thanks
Rashid
sir, where r u ………………
how to copy the folder containing files and many other folders with cp command..
any switch
me try but only copy the files not the directories.
Sir, Yesterday I tried to logon through user account
he gives me below error:
GDM could not write to your authorization file. this could mean that you are out of disk space or that your home directory could not be opened for writing. in any case it is not possible to log in. please contact your system administrator.
i think the /usr directory have not enough space..
kindly guide me
thanks
Dear Sohail Bhai
please suggest a good and comprehensive book of Redhat Linux which is covered all things and where can i get it from Karachi?????/
Dear Sohail,
AOA
i have followed you web site and you squid section for MAC to IP bind
but it dont work on my system plz check my squid file and comment plz
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl mac1 arp 00:1C:23:0B:70:8E
acl ip1 src 172.16.0.2
http_access allow ip1 mac1
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
cache_dir ufs /var/spool/squid 10280 16 256
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
visible_hostname testproxy.kust.edu.pk
icp_port 3130
coredump_dir /var/spool/squid
Does my mac adresse change if I upgrade my computer with some other hardware? For example change the graphic card?
@peter: Every Network Card has unique MAC Address and it associate to it only. If you change anything else will not change it. Yes if you changed your Network Card then the MAC address will be change and it will be associate to new Network Card.
————–
Regards,
hi sir
i want to know how to configure bandwidth manege in squid i want to cape bandwidth on particular ip in squid
please help me out in this.
thanks
sunil sharma
hello ever one i need some help regarding ncsa_auth, how can i encrypt its clear text password so that it can’t not sanaffied by the users.
@Kamran: FYI
http://wiki.squid-cache.org/Features/Authentication#Are_passwords_stored_in_clear_text_or_encrypted.3F
————–
Regards,
Thnx for you kind reply, i m using htpasswd -m /etc/squid/passwd aslam to creat user password but some users are still getting the passwords, could you please guide me how can i scure my server.
User are using Cain & Abel for this.
Regards,
hi sir…after a long tym i want to help from your side regarding ftp server…..i have a http server with domain http://www.example.com..i want to configure ftp server on he same domain…..i access that domain by ip address but not by domain name….would u help me hw i configure for that….please help me sir
what is the script to be introduced to the ACL (acl-finat.txt) in squid.conf
What is your contact number?
I live in MADAGASCAR, my problem is that how writing the script in to connect with squid.conf file acl-final. txt, I’m using squid 3.0 stable
@phoenix: You have to copy paste the entire acl-final.txt file in squid.conf. Best is to paste at end of file.
———-
Regards,
Very Helpful…..
Thanks Sohail Riaz ,I want to know if it’s possible to create an external acl function for acl-final.txt because I’m almost managed 150 clients computer and is too long to copy any address in the squid.conf
a small piece of script is written above, and this is one time effort which you have to do that.
Hy and thanks for helping people 🙂
I’m trying to use your script without success. After running the first script line to get the ip-mac.txt, i got the following:
awk: ‘{print
awk: ^ invalid char ‘�’ in expression
PING 192.168.0.83 (192.168.0.83) 56(84) bytes of data.
— 192.168.0.83 ping statistics —
1 packets transmitted, 0 received, 100% packet loss, time 0ms
So what could be the error, since i just copied your script line and past it !!
Thanks a lot for helping 🙂
red
Copy the script into notepad or gedit text editor and then run it on command prompt. it should be all okey 🙂
I am binding my mac with IP but its not working bellow are my configuration of squid.conf on RHEL 5
http_port 10.132.0.162:8080
cache_dir ufs /cache 10240 16 256
visible_hostname srv-proxy1
cache_access_log /var/log/access.log
acl all src 0.0.0.0/0.0.0.0
acl mymac arp 70:71:bc:ad:92:25
acl myip src 10.132.0.10
http_access allow mymac myip
http_access deny all
——————-
Squid version
2.6.STABLE21
plz helpme out
@Amir: Not working is very small two words. Give us more detail on it.
1) Whats not working a) all PC’s are getting access b) all PC’s are getting denied?
2) Whats your access.log file says when you access any website using the allow PC etc.
3) It might not make any sense but can you change your MAC address from small alpha to capital alpha like this.
acl mymac arp 70:71:BC:AD:92:25
and test it again.
————-
Regards,
Sorry riaz
Its working fine actually my network have 2 subnet one for servers and othe for clients and my poxy is on servers subnet , now i am able to filter mac address on server subnet but not on clients subnet machines.
Is there is any solutions regarding different subnet mac address filtering. Plz let me know
Many thnx for replying.
JazakALLAH
@Amir: Now there is a question regarding 2 subnet. If your both subnets are differentiated using router means there is a router between your both routers then MAC address will change when it going from one subnet to another as MAC address always comes in play when host to host connection is seeing.
or if your subnets are not differentiated using router then you need to provide more details regarding your network.
——-
Regards,
Yes you are right , we have two subnets they are connected through L3 switch. 22 and 21 subntes we are using means /22 is server subnet and /21 is our clients subnet. is there is any possibility that we can achive the results without touching L3 router.
As L3 have only echo ping is allowed….
regard
MAJ
Perfect automation Mr. Sohail. Keep up the good work. May Allah Bless You.
how to store IP and MAc address on separate file and do the same thing, something similar to url blocking
Dear Sohail,
Accessing Exchange Server is not working using Squid 3.0 source RPM. please guide what to do?
Dear Gul,
For troubleshooting please check first
that DNS is resloving
secondly gateway is squid proxy address and DNS is pointing to DNS server
after that check that Exchange is not working within the network or not accessible from outside the network(internet)
if from not accessible from internet then you have to forward the IMAP/POP/s and SMTP/s traffic to exchange server
One more thing which exchange server are you using…….?
Dear Sohail
I have problem with squid 3.0 with transparent proxy i.e. my users are unable to open SSL connection (https e.g. https://www.gmail.com etc ) please help in this regard.
Gul Nawaz
Asslamoalikum Sohail Bhai,
I have configured Squid and apply Mac Address binding with Its IP.
I want to Deny some website Internet access for perticular MAC ADDRESS , After Apply MAC ADDRESS Binding ACL is working fine ,
But When I change IP of this , My All site is open,
Then What is benifit of MAC ADDRESS BInding..
@sahil: Waalaikum wassalam,
When u put all http_access with configured mac and ip, then in last write
http_access deny all
The above will let all block even it tries to change ip
When I put http_access deny all , Below my http_access allow mac1 ip1
Then Its deny all the Network Internet
Send me your squid.conf