How To Bind MAC with IP in SQUID

Sohail Riaz — Sat, 30 May 2009 07:35:21 +0000

In this how to i describe how to bind MAC with IP to restrict users in your network to change their IP’s to bypass filtering. To ease the setup i will create small scripts to simplify our work. Here i will not describe how to config squid and how to run it. I assume you have already configure it.

1) Grep MAC Addresses

Let suppose we have 10 machines with IPs range 192.168.0.1 – 192.168.0.10, you have to get mac address for them using following command.

Besure your machines are up and pingable, else you will get empty lines and you have to remove them manually.

for i in `seq 1 10`; do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” “ $3}’ >> ip-mac.txt; done

This command will get required mac address with IP in a file named ip-mac.txt

cat ip-mac.txt
192.168.0.1 00:1D:09:6B:3C:28
192.168.0.2 00:1D:09:6A:EA:02
192.168.0.3 00:1D:09:71:2C:34
192.168.0.4 00:1D:09:6A:CB:85
192.168.0.5 00:1D:09:6A:C3:15
192.168.0.6 00:1D:09:6A:CA:8B
192.168.0.7 00:1D:09:6A:CB:DA
192.168.0.8 00:1D:09:6A:CC:34
192.168.0.9 00:1D:09:6B:11:76
192.168.0.10 00:1D:09:6B:36:6F

2) Create ACL For SQUID.

I will create a small bash script to easy my work.

To get acl for mac

i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 2 -d ” “`; echo “acl mac$i arp $b” >> squid-mac-filter.txt; i=`expr $i + 1`; done

cat squid-mac-filter.txt
acl mac1 arp 00:1D:09:6B:3C:28
acl mac2 arp 00:1D:09:6A:EA:02
acl mac3 arp 00:1D:09:71:2C:34
acl mac4 arp 00:1D:09:6A:CB:85
acl mac5 arp 00:1D:09:6A:C3:15
acl mac6 arp 00:1D:09:6A:CA:8B
acl mac7 arp 00:1D:09:6A:CB:DA
acl mac8 arp 00:1D:09:6A:CC:34
acl mac9 arp 00:1D:09:6B:11:76
acl mac10 arp 00:1D:09:6B:36:6F

To get acl for ip

i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 1 -d ” “`; echo “acl ip$i src $b” >> squid-ip-filter.txt; i=`expr $i + 1`; done

cat squid-ip-filter.txt
acl ip1 arp 192.168.0.1
acl ip2 arp 192.168.0.2
acl ip3 arp 192.168.0.3
acl ip4 arp 192.168.0.4
acl ip5 arp 192.168.0.5
acl ip6 arp 192.168.0.6
acl ip7 arp 192.168.0.7
acl ip8 arp 192.168.0.8
acl ip9 arp 192.168.0.9
acl ip10 arp 192.168.0.10

To generate http_access allow lines, you have to get the max number of your list of IP’s and MAC’s. Here i have is 10, sure both will be the same

for i in `seq 1 10`; do echo “http_access allow mac$i ip$i” >> http-access-squid.txt; done

cat http-access-squid.txt
http_access allow mac1 ip1
http_access allow mac2 ip2
http_access allow mac3 ip3
http_access allow mac4 ip4
http_access allow mac5 ip5
http_access allow mac6 ip6
http_access allow mac7 ip7
http_access allow mac8 ip8
http_access allow mac9 ip9
http_access allow mac10 ip10

Now concatinate three files i.e squid-ip-filter.txt, squid-mac-filter.txt and http_access_squid.txt

cat squid-mac-filter.txt squid-ip-filter.txt http-access-squid.txt >> acl-final.txt

and copy from acl-final.txt to paste on appropriate location in squid.conf, dont forget to put http_access deny all on the last .

To get more help on it please use comments.

Anonymous Proxy using SQUID 3

Sohail Riaz — Sat, 15 Nov 2008 12:06:54 +0000

This howto describe step by step method to install SQUID 3 server as Anonymous Proxy. An anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It accesses the Internet on the user’s behalf, protecting personal information by hiding the source computer’s identifying information. Simply say to hide your IP.The following How To setups CentOS 5 as OS but it can be implemented on CentOS 4, Fedora Core 5-9 with same steps and SQUID version 3. Bydefault SQUID only uses default IP to communicate on internet but we will make use of all IPs available on server to act as anonymous proxy i.e if user connects to IP1 of server then IP1 will be act as proxy and forward same IP, if user connects to IP2 then IP2 will be act proxy and foward same IP and so on and also we will implement ncsa user based authentication to protect server from unauthorized used.

Server = CentOS 5.2, SQUID = version 3, IPs = 192.168.0.1 – 192.168.0.5

1 Installation Of Squid 3:

CentOS 5 comes with SQUID 2.6 but we need squid 3, so we will download source rpm of squid 3 and compile for our OS.

1.1 Install Pre-requisite

Install pre-requisite softwares i.e Development Tools to get all the compilers, libraries and other rpms for compilation of SQUID 3.

yum -y groupinstall “Development Tools”
yum -y install rpm-build openjade linuxdoc-tools openldap-devel pam-devel openssl-devel httpd rpm-devel

1.2 Download Squid 3 Source RPM

Download source rpm of Squid 3 from FEDORA website and install it.

cd /usr/src
wget http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm
rpm -ivh squid-3.0.STABLE10-1.fc10.src.rpm

1.3 Compile Squid 3

Use following commands to start compilation, at end it will generate rpm file to install

cd /usr/src/redhat/SPECS
rpmbuild -bb squid.spec

1.4 Install Squid 3

Install newly build rpm, which will be found in /usr/src/redhat/RPMS/i386 for i686 and /usr/src/redhat/RPMS/x86_64 for x86_64.

rpm -Uvh /usr/src/redhat/RPMS/i386/squid-3.0.STABLE10-1.i386.rpm

2 Configuration

I will use default squid.conf to edit.

vi /etc/squid/squid.conf

2.1 Configure auth_param

We will enable ncsa authentication to access our squid server. Find following lines

#auth_param basic program
#auth_param basic childred 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

Change to

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic childred 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

2.2 Create proxy_auth acl

Here we will create proxy_auth acl to prompt user/pass to everyone want to use anonymous proxy. Find following line

#INSERT YOUR OWN RULES(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

We will insert our proxy_auth rule under above line.

#INSERT YOUR OWN RULES(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth

2.3 Disable Forwarded Client IP

Bydefault squid forward client IP to respective website, but to setup anonymous proxy we will disable it to hide client IPs and send only IPs which are configured on squid server. Find following line squid.conf

forwarded_for on

Change to

forwarded_for off

2.4 Configure IPs

Now we will generate rules for outgoing IP i.e if any one connects to any IP of my server, so it will go with same IP to destination server. In this way we can connect several clients on different IPs and all IPs act as anonymous proxy. Find following line

# TAG: tcp_outgoing_address

add following lines under it.

acl ip1 myip 192.168.0.1
tcp_outgoing_address 192.168.0.1 ip1
acl ip2 myip 192.168.0.2
tcp_outgoing_address 192.168.0.2 ip2
acl ip3 myip 192.168.0.3
tcp_outgoing_address 192.168.0.4 ip3
acl ip4 myip 192.168.0.4
tcp_outgoing_address 192.168.0.4 ip4
acl ip5 myip 192.168.0.5
tcp_outgoing_address 192.168.0.5 ip5

You can add as many IPs you like, just use the same pattern above.

2.5 Enable Anonymizer (Anonymous Proxy)

Put following lines at the bottom of your squid.conf

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Configuration is finished, save the file.

3 User Management

Now its time to create squid_passwd file, in which we will put our users for authentication using ncsa. For this we need htpasswd command to generate user/pass.

create file to hold username and password

touch /etc/squid/squid_passwd

3.1 Create New User

htpasswd /etc/squid/squid_passwd proxyadmin

Where /etc/squid/squid_passwd is a file, in which all users goes and proxyadmin is a username which will be added with the password given

4 Service Management

Run the squid service and add it up at startup.

service squid start
chkconfig squid on

5 Troubleshooting

5.1 visible_hostname error

If you see visible_hostname error after starting service, then again edit /etc/squid/squid.conf file and give visible_hostname tag with your server hostname.

visible_hostname server1

Your server is ready now and you can use Firefox or IExplorer on your client to check its working. I have used default port 3128 for squid, so put any of the above IP and port to connect. As it connects it will prompt you for user/pass, give the right user/pass and you will start browsing the site. To check the anonymity open http://www.whatsmyipaddress.com. If you have done anything wrong in request_header_access, you proxy can be dedect but if everything is fine. It will just show IP and assume its a direct connection without proxy.

Sohail Riaz, Linux and Open Source Blog » SQUID