How To Bind MAC with IP in SQUID

on May 30 | in Hosting / Servers, Linux | by | with 103 Comments

In this how-to I describe how to bind a MAC address to an IP so that users on your network cannot change their IP to bypass filtering. To ease the setup I will write small scripts to simplify the work. I will not describe how to configure squid or how to run it; I assume you have already configured it.

1) Grep MAC Addresses

Let's suppose we have 10 machines with IPs in the range 192.168.0.1 – 192.168.0.10; you have to get the MAC address of each of them using the following command.

Be sure your machines are up and pingable, otherwise you will get empty lines and have to remove them manually.

for i in $(seq 1 10); do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk '{print $1 " " $3}' >> ip-mac.txt; done

This command writes each IP together with its MAC address to a file named ip-mac.txt:

cat ip-mac.txt
192.168.0.1 00:1D:09:6B:3C:28
192.168.0.2 00:1D:09:6A:EA:02
192.168.0.3 00:1D:09:71:2C:34
192.168.0.4 00:1D:09:6A:CB:85
192.168.0.5 00:1D:09:6A:C3:15
192.168.0.6 00:1D:09:6A:CA:8B
192.168.0.7 00:1D:09:6A:CB:DA
192.168.0.8 00:1D:09:6A:CC:34
192.168.0.9 00:1D:09:6B:11:76
192.168.0.10 00:1D:09:6B:36:6F

2) Create ACL For SQUID.

I will create small bash one-liners to ease the work.

To get the ACLs for the MACs:

i=1
while read -r a; do b=$(echo "$a" | cut -f 2 -d " "); echo "acl mac$i arp $b" >> squid-mac-filter.txt; i=$(expr $i + 1); done < ip-mac.txt

cat squid-mac-filter.txt
acl mac1 arp 00:1D:09:6B:3C:28
acl mac2 arp 00:1D:09:6A:EA:02
acl mac3 arp 00:1D:09:71:2C:34
acl mac4 arp 00:1D:09:6A:CB:85
acl mac5 arp 00:1D:09:6A:C3:15
acl mac6 arp 00:1D:09:6A:CA:8B
acl mac7 arp 00:1D:09:6A:CB:DA
acl mac8 arp 00:1D:09:6A:CC:34
acl mac9 arp 00:1D:09:6B:11:76
acl mac10 arp 00:1D:09:6B:36:6F

To get the ACLs for the IPs:

i=1
while read -r a; do b=$(echo "$a" | cut -f 1 -d " "); echo "acl ip$i src $b" >> squid-ip-filter.txt; i=$(expr $i + 1); done < ip-mac.txt

cat squid-ip-filter.txt
acl ip1 src 192.168.0.1
acl ip2 src 192.168.0.2
acl ip3 src 192.168.0.3
acl ip4 src 192.168.0.4
acl ip5 src 192.168.0.5
acl ip6 src 192.168.0.6
acl ip7 src 192.168.0.7
acl ip8 src 192.168.0.8
acl ip9 src 192.168.0.9
acl ip10 src 192.168.0.10

To generate the http_access allow lines, you have to know the number of entries in your lists of IPs and MACs. Here I have 10; both lists will of course have the same count 🙂

for i in $(seq 1 10); do echo "http_access allow mac$i ip$i" >> http-access-squid.txt; done

cat http-access-squid.txt
http_access allow mac1 ip1
http_access allow mac2 ip2
http_access allow mac3 ip3
http_access allow mac4 ip4
http_access allow mac5 ip5
http_access allow mac6 ip6
http_access allow mac7 ip7
http_access allow mac8 ip8
http_access allow mac9 ip9
http_access allow mac10 ip10

Now concatenate the three files, i.e. squid-mac-filter.txt, squid-ip-filter.txt and http-access-squid.txt:

cat squid-mac-filter.txt squid-ip-filter.txt http-access-squid.txt >> acl-final.txt

and copy the contents of acl-final.txt to the appropriate location in squid.conf; don't forget to put http_access deny all at the end :).

To get more help on it please use comments.
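The whole procedure above (MAC ACLs, IP ACLs, paired allow lines, final deny) as one added example script; it is not part of the original post. It reads the post's ip-mac.txt format, skips the empty or "incomplete" lines that unreachable hosts leave behind, and only then numbers the ACLs, so every live host gets exactly one allow rule. The input below is constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the post's own scripts: build the complete squid.conf
# fragment from an ip-mac.txt file in one pass.

# Constructed sample input in the post's "IP MAC" layout. The blank line and
# the "(incomplete)" entry stand in for hosts that were down while collecting.
SAMPLE_IP_MAC='192.168.0.1 00:1D:09:6B:3C:28
192.168.0.2 00:1D:09:6A:EA:02

192.168.0.3 (incomplete)
192.168.0.4 00:1D:09:6A:CB:85'

# gen_squid_acl FILE: print the arp ACLs, the src ACLs, one allow line per
# pair, and the closing deny, in the order squid needs (definitions first).
gen_squid_acl() {
    awk '
        # keep only "dotted-quad  colon-hex MAC" lines; anything else is skipped
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $2 ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/ &&
        length($2) == 17 {
            n++
            ip[n]  = $1
            mac[n] = $2
        }
        END {
            for (i = 1; i <= n; i++) printf "acl mac%d arp %s\n", i, mac[i]
            for (i = 1; i <= n; i++) printf "acl ip%d src %s\n", i, ip[i]
            # an allow line matches only when BOTH the MAC and the IP ACL match,
            # which is what ties one address to one network card
            for (i = 1; i <= n; i++) printf "http_access allow mac%d ip%d\n", i, i
            print "http_access deny all"
        }
    ' "$1"
}

# count_rules FILE: number of allow lines produced, for checking that every
# live host got exactly one rule.
count_rules() {
    gen_squid_acl "$1" | grep -c '^http_access allow '
}

# Stand-alone run: write the constructed sample, generate, show the result.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_IP_MAC" > "$tmp"
gen_squid_acl "$tmp" > acl-final.txt
cat acl-final.txt
rm -f "$tmp"
```

Drop the generated acl-final.txt into squid.conf above your other http_access rules, exactly as the post describes.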


103 Responses to How To Bind MAC with IP in SQUID

  1. Asad Siddiqui says:

    Thanks a lot janab
    but i have one query
    that how the line will look like?

    acl BLOCK acl-final.txt
    http_access deny all

    if i am wrong then plz correct me. Secondly, it must be place on top of all acl which i defined?

  2. admin says:

    The acl-final.txt contains acl for src and map with http_access to allow by binding mac with IP.

    You have to copy and paste the content from acl-final.txt and paste above your acls.

    Regards,

  3. Alam says:

    Dear Sohail bhai,
    A very nice HowTo for newbies.
    Let me share a tip to more clear it, and easy add/remove of new ip/mac.

    1. vi /etc/squid/whitelistips.txt
    192.168.0.1
    192.168.0.2
    192.168.0.3
    192.168.0.4
    192.168.0.5
    192.168.0.6
    192.168.0.7
    192.168.0.8
    192.168.0.9
    192.168.0.10

    2. vi /etc/squid/whitelistmacs.txt
    00:1D:09:6B:3C:28
    00:1D:09:6A:EA:02
    00:1D:09:71:2C:34
    00:1D:09:6A:CB:85
    00:1D:09:6A:C3:15
    00:1D:09:6A:CA:8B
    00:1D:09:6A:CB:DA
    00:1D:09:6A:CC:34
    00:1D:09:6B:11:76
    00:1D:09:6B:36:6F

    insert the following lines just under the ” acl all src 0.0.0.0/0.0.0.0 ”
    acl whitelistips src “/etc/squid/whitelistips.txt”
    acl whitelistmacs arp -i “/etc/squid/whitelistmacs.txt”

    and paste the following line under ” acl CONNECT method CONNECT ”
    http_access allow whitelistips whitelistmacs

    No need to add deny all, as it is defined down in configuration file.

    Correct me, if i am wrong.

    Salam

  4. admin says:

    The thing you wrote is for the users can have IPs in specified range i.e 1 to 10 then there is no need of defining mac addresses.

    Here i bind mac with one IP address that user can’t change his machine to bypass squid filters.

    and acl with http_access allow rules can be written anywhere above http_access deny all.

    Regards,

  5. Alam says:

    Good. got it now. I guess, it would bind one by one IP with each MAC address in that file.

    Thanks.

  6. Rashid Iqbal says:

    Hi everybody

    I want specific MAC to bypass the proxy..
    How I can achieve this task……
    I prefer through squid

    Peply plz..

  7. Tauseef says:

    hi…sir..i want some help from yourside..
    i m using this command
    for i in seq 1 10; do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” “ $3}’ >> ip-mac.txt; done
    but in ip-mac.txt no information stored about our network…
    so plz help how to use this command..& saying awk is not valid..i m using RHEL 5 for squid server..plz help me how i bind mac with ip in our network…my network is 172.0.1.22 to 172.0.1.98

  8. admin says:

    Hi,

    I think the problem is in character display.... Kindly check the full command before executing because I think the single quote ‘ converts to .

  9. Tauseef says:

    [root@xserver ~]# for i in seq 21 30; do ping -c 1 172.0.1.$i; arp -n 172.0.1.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” “ $3}’ >> ip-mac.txt; done
    PING 172.0.1.21 (172.0.1.21) 56(84) bytes of data.
    64 bytes from 172.0.1.21: icmp_seq=1 ttl=255 time=2.75 ms

    --- 172.0.1.21 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 2.758/2.758/2.758/0.000 ms
    awk: ‘{print
    awk: ^ invalid char ‘�’ in expression
    PING 172.0.1.22 (172.0.1.22) 56(84) bytes of data.

    --- 172.0.1.22 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    awk: ‘{print
    awk: ^ invalid char ‘�’ in expression
    PING 172.0.1.23 (172.0.1.23) 56(84) bytes of data.
    64 bytes from 172.0.1.23: icmp_seq=1 ttl=64 time=0.218 ms

    --- 172.0.1.23 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms
    awk: ‘{print
    awk: ^ invalid char ‘�’ in expression
    PING 172.0.1.24 (172.0.1.24) 56(84) bytes of data.
    64 bytes from 172.0.1.24: icmp_seq=1 ttl=64 time=0.240 ms

    --- 172.0.1.24 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.240/0.240/0.240/0.000 ms
    awk: ‘{print
    awk: ^ invalid char ‘�’ in expression
    PING 172.0.1.25 (172.0.1.25) 56(84) bytes of data.
    64 bytes from 172.0.1.25: icmp_seq=1 ttl=64 time=0.226 ms

    --- 172.0.1.25 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.226/0.226/0.226/0.000 ms
    awk: ‘{print
    awk: ^ invalid char ‘�’ in expression
    PING 172.0.1.26 (172.0.1.26) 56(84) bytes of data.
    64 bytes from 172.0.1.26: icmp_seq=1 ttl=64 time=0.211 ms

    --- 172.0.1.26 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.211/0.211/0.211/0.000 ms
    awk: ‘{print
    awk: ^ invalid char ‘�’ in expression
    ....................
    I have done this type of command... & I got this type of result... so would you like to help me please... I'm not getting any information in ip-mac.txt... it's blank... I am using Red Hat Enterprise Linux 5... please help me...

  10. admin says:

    the problem is in this statement

    awk ‘{print $1 ” “ $3}’

    Before { and after } there is a single quote and you are putting a backquote. Please change this to a single quote and try; it will work fine.

    awk '{print $1 " " $3}'

    Regards,

  11. Tauseef says:

    hi,
    pls help me . m unable to use net via mac.in squid.
    is used- acl mac1 arp XX:xx:xx:xx:XX:xx
    http_access allow mac1

    but when i restart squid,it fails.

  12. Rashid Iqbal says:

    Why don’t u go through iptables

    through iptables you can also restrict/allow specific users
    to bypass/block the traffic

  13. admin says:

    @Tauseef: Please send me your squid.conf file that i can see where it fails. You can also see the error log in /var/log/messages.

    @Rashid: First if you have configure squid proxy for sharing, second i want to block user by using there computer. By binding IP with mac, the user will unable to bypass proxy by changing his IP as its mac and IP will be entered in squid to check. If matches then it can be allow or denied. If not just denied.

  14. Rashid Iqbal says:

    U r right

    but in my scenerio, after configuring squid (with two LAN card setup) users unable to send/receive eamil.. for this purpose I configure IPTables to forward port 25/110

  15. admin says:

    When we say SQUID thats mean only web traffic which includes http and https….

    You are right that for other services like smtp, pop, imap or to send/receive emails using outlook you have to enable NAT on your gateway server.

  16. Tauseef says:

    sir i have send u my squid.conf & messages file on your email id….so plzz check it & tekll me the problems….where it is??

  17. Rashid Iqbal says:

    is it possible that I can access my proxy server(Fedora) system from my Home PC

    please guide

  18. Rashid Iqbal says:

    ok
    now if your NATing
    then users can bypass the proxy easily..
    so what I do that only pass port 25/110 traffic through NAT and block port 80 traffic from my internal network side

    any idea or suggestion will be appreciated.

    Regards,

    Rashid

  19. admin says:

    1st: You can easily access your proxy server from any where, just use correct proxy IP and port in broswer.

    2nd: I clearly says in start of my howto that i will not show how to config squid. I persume its already configure and use this howto to setup your network to bypass proxy.

    Use these command to established transparent proxy and restrict user to use squid for web traffic.
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -j DNAT --to-port 3128

    Regards,

  20. Rashid Iqbal says:

    1st:but I dont want the transparent proxy. I want that every user should give proxy configuration.

    2nd: whose IP… ? local eth IP or what..?
    sry little confusing

    and in these iptables commands
    I want to know if u cut these commands into peaces and convert it into
    e.g.
    iptables Switch Nat|abc|xz -A POSTROUTING|PREROUTING -o ………………..

    like this b/c this thing will really help a lot to amend the line as required

    plz help

    Thanks

    Rashid

    secondly at my home I have same setup(using CentOS(squid) + one client PC

  21. admin says:

    For your configuration

    ##NAT##
    iptables -t nat -A POSTROUTING -o eth0|eth1|device -j MASQUERADE
    ##ACCEPT FOR SQUID##
    iptables -t nat -A PREROUTING -s <LAN-subnet> -p tcp --dport 3128 -j ACCEPT
    ##ACCEPT FOR SMTP##
    iptables -t nat -A PREROUTING -s <LAN-subnet> -p tcp --dport 25 -j ACCEPT
    ##ACCEPT FOR IMAP##
    iptables -t nat -A PREROUTING -s <LAN-subnet> -p tcp --dport 143 -j ACCEPT
    ##DROP FOR PORT 80##
    iptables -t nat -A PREROUTING -s <LAN-subnet> -p tcp --dport 80 -j DROP

  22. Rashid Iqbal says:

    ok yesterday At home I have same configuration
    while firewall is off net is working everything is fine but when I enable my firewall

    then no browsing

    and whats about remote access

    I want that MSN messanger to run only my computer

    plz guide

    thanks

    your guide is very helpful for me

  23. Tauseef says:

    Aug 20 11:33:49 xserver squid: Bungled squid.conf line 2533: acl mac1 arp 00:21:97:31:83:B0
    sir when i change the configuration due to ur guidance….then again same problem is creating….squid service failed…..sir plzz help me i m trying so many days…but not solving this problem…

  24. Rashid Iqbal says:

    sir, I want some of users to brows for some time e.g. like one hour in a day( from 11:00 a.m. to 12:00 p.m)

    how to configure in squid
    through ip or through MAC

    plz guide

  25. admin says:

    acl timelock time SMTWHFA 11:00-12:00
    acl ip1 src 192.168.1.1

    http_access deny ip1 timelock

  26. Rashid Iqbal says:

    thanks for the reply

    brother, I want that torrent to be blocked
    tried but not succeed.

    plz help.

  27. rashid Iqbal says:

    Sir, I want to go for RHCE certification. Please guide me about the curriculum, Paper description e.g. Paper code, etc

    thanks in advance..

    and that ipp2p still have the bugs.
    please suggest any alternatvie

  28. admin says:

    For RHCE Certification and exam code
    http://www.redhat.com/certification/rhce/
    Its a 3.5 hour exam, consisting of troubleshooting and configuration.
    Total practical exam, you will get questions which you have to perform practically on a linux machine.
    Be remember the RHCE books from REDHAT is the curriculum of RHCE exam. Exam will be conducted within RHCE Books, so follow the book and practice a lot.
    If you want i will help you to setup lab for it.

  29. Rashid Iqbal says:

    thanks

    Its my pleasure and please tell me the name of the book including the author and other detail.

    so referring your ramadan offer ………… hmmmmmmmmmmm

    please guide me to setup the lab at my home.

    thanks in advance.

    regards,

    rashid

  30. Alam says:

    Rashid, you have to follow RedHat Books.Where do you live in PK?
    Techno-Ed is the training partner of RedHat India in Pakistan.

  31. Rashid Iqbal says:

    sir after looking deeply in site I found that there are two certifcations, RHCT and RHCE
    in RHCT
    Exam Preparation
    Courses you should take:
    RH033
    RH131 Red Hat System Administration
    or
    RH133 Red Hat Linux Administration (and RHCT Exam)

    these are syllubus codes but where is exam code

    please reply ..

    rashid

  32. Rashid Iqbal says:

    basically I belong from Pakistan but right now I am in saudi arabia.

  33. admin says:

    There is two certification RHCT and RHCE
    You can give RHCT alone but to pass RHCE you have to pass RHCT.
    When you sit in RHCE exam, they will conduct RHCT and RHCE both and will certifiy whichever you pass. But be remember to become RHCE you have to pass RHCT.

    RH033 Basics
    RH133 System Administration
    RH253 Network and Securities.

    RHCE exam code RH302

    I am also Pakistani but live in Saudi Arabia (Al-Khobar), where do you live?

  34. Rashid Iqbal says:

    oh what a co incidence… me living in Jubail.

    thats greate how we can coordinate with each other

    brother whats your cell number

  35. Alam says:

    Sohail bhai,

    You are always nice.

  36. rashid Iqbal says:

    Dear Brother do you have some study material and lab manuals for Rh302

    tomorrow I am coming to khobar for aftari purpose.

    please reply at your earliest.

    regards,

    rashid

  37. @alam: 🙂 thanks.

    @rashid: send me an email using contact us, then i will reply you and give you contact details.

    Regards,

  38. rupali says:

    as prsn u r very nice & u r doc is very helpful

  39. Rashid Iqbal says:

    yesterday I tried to install the vlc player in centos
    using yum I tried to install but in result he give a lot of dependencies error.

    please guide how to resolve this dependency issue.

    regards,

    rashid

  40. 1) Enable rpmforge respository
    ###For i386 / i686###
    ###############
    rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    #############
    ###For x86_64###
    #############
    rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
    ############################
    Then
    yum -y install vlc

  41. rashid Iqbal says:

    vlc-0.8.6a-2.fc1.rf.i386 from vlc-0.8.6a-2.fc1.rf.i386.rpm has depsolving problems
    –> Missing Dependency: libFLAC.so.4 is needed by package vlc-0.8.6a-2.fc1.rf.i386 (vlc-0.8.6a-2.fc1.rf.i386.rpm)

    Error: Missing Dependency: libFLAC.so.4 is needed by package vlc-0.8.6a-2.fc1.rf.i386 (vlc-0.8.6a-2.fc1.rf.i386.rpm)
    [root@localhost softwares]#

    at the end only showing the message like this

  42. rashid Iqbal says:

    Fedora 9 (Sulphur), Fedora 10 (Cambridge) and Fedora 11 (Leonidas)

    Use RPM Fusion for F9, F10 and F11 (available for x86, x86_64, ppc and ppc64)
    Install rpmfusion-free-release-stable.noarch.rpm for F9, F10 and F-11.

    $> su -
    #> rpm -ivh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
    #> yum install vlc
    #> yum install mozilla-vlc (optionnal)

    AT LAST SUCCESSFULLY INSTALLED THROUGH ABOVE MENTIONED PROCEDURE

  43. Rashid Iqbal says:

    brother I am waiting for your further instructions regarding the certification

  44. rpmfusion is the combination of rpmforge(freshrpms), lavina and some other repository. May be the repository miss something in only rpmforge.

    The lab setup i have for RHCE is for version 4 but it can be used with version 5 (current RHCE). I am waiting for the books, at what form you want it.

  45. rashid Iqbal says:

    tell me one things how u know that these repositories are missing………
    I want to know that logic…. however please update me as soon as you get the books or any other material now a day I am using the shell commands and working on vi editor
    interesting commands

    two days before I tried to learn shell scripting at that time dont understand but now little understand that it is only a game of commands
    like grep etc…….

    interesting thing

  46. rashid Iqbal says:

    brother today I install apache server with phpMyadmin support
    while tryping to login throug http://127.0.0.1/phpmyadmin

    he is asking for username/password
    I provide the root username/password

    but still unable to login…..
    please help

  47. What type of connection you are using in your configuration.ini of phpmyadmin.

    tcp or socket

    Use socket if its socket, and you will be in.

    Regards,

  48. Rashid Iqbal says:

    brother.. yesterday night my both network card drivers deleted and tried a lot to reinstall but failed..

    at the end it comes in my knowledge that Realtek 3139D have old dumsmani with linux and in solution just write black list the 8139cp and add
    alias 8139D

    now both network card drivers installed…………
    but getting this error:
    Bringing up interface GigaStorey: RTNETLINK answers: File exists
    Error adding address 192.168.xx.x for eth0.
    [ OK ]

    please help me to solve this issue

  49. @Rashid: Sorry i was out for somedays.
    Your system might has ip configuration file (ifcfg-eth0) for it in
    /etc/sysconfig/network-scripts
    /etc/sysconfig/networking/devices
    /etc/sysconfig/networking/profiles

    Remove the extra and the error will be gone.

    Regards,
