In this how to i describe how to bind MAC with IP to restrict users in your network to change their IP’s to bypass filtering. To ease the setup i will create small scripts to simplify our work. Here i will not describe how to config squid and how to run it. I assume you have already configure it.

1) Grep MAC Addresses

Let suppose we have 10 machines with IPs range 192.168.0.1 – 192.168.0.10, you have to get mac address for them using following command.

Besure your machines are up and pingable, else you will get empty lines and you have to remove them manually.

for i in `seq 1 10`; do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” ”  $3}’ >> ip-mac.txt; done

This command will get required mac address with IP in a file named ip-mac.txt

cat ip-mac.txt
192.168.0.1 00:1D:09:6B:3C:28
192.168.0.2 00:1D:09:6A:EA:02
192.168.0.3 00:1D:09:71:2C:34
192.168.0.4 00:1D:09:6A:CB:85
192.168.0.5 00:1D:09:6A:C3:15
192.168.0.6 00:1D:09:6A:CA:8B
192.168.0.7 00:1D:09:6A:CB:DA
192.168.0.8 00:1D:09:6A:CC:34
192.168.0.9 00:1D:09:6B:11:76
192.168.0.10 00:1D:09:6B:36:6F

2) Create ACL For SQUID.

I will create a small bash script to easy my work.

To get acl for mac

i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 2 -d ” “`; echo “acl mac$i arp $b” >> squid-mac-filter.txt; i=`expr $i + 1`; done

cat squid-mac-filter.txt
acl mac1 arp 00:1D:09:6B:3C:28
acl mac2 arp 00:1D:09:6A:EA:02
acl mac3 arp 00:1D:09:71:2C:34
acl mac4 arp 00:1D:09:6A:CB:85
acl mac5 arp 00:1D:09:6A:C3:15
acl mac6 arp 00:1D:09:6A:CA:8B
acl mac7 arp 00:1D:09:6A:CB:DA
acl mac8 arp 00:1D:09:6A:CC:34
acl mac9 arp 00:1D:09:6B:11:76
acl mac10 arp 00:1D:09:6B:36:6F

To get acl for ip

i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 1 -d ” “`; echo “acl ip$i src $b” >> squid-ip-filter.txt; i=`expr $i + 1`; done

cat squid-ip-filter.txt
acl ip1 src 192.168.0.1
acl ip2 src 192.168.0.2
acl ip3 src 192.168.0.3
acl ip4 src 192.168.0.4
acl ip5 src 192.168.0.5
acl ip6 src 192.168.0.6
acl ip7 src 192.168.0.7
acl ip8 src 192.168.0.8
acl ip9 src 192.168.0.9
acl ip10 src 192.168.0.10

To generate http_access allow lines, you have to get the max number of your list of IP’s and MAC’s. Here i have is 10, sure both will be the same 🙂

for i in `seq 1 10`; do echo “http_access allow mac$i ip$i” >> http-access-squid.txt; done

cat http-access-squid.txt
http_access allow mac1 ip1
http_access allow mac2 ip2
http_access allow mac3 ip3
http_access allow mac4 ip4
http_access allow mac5 ip5
http_access allow mac6 ip6
http_access allow mac7 ip7
http_access allow mac8 ip8
http_access allow mac9 ip9
http_access allow mac10 ip10

Now concatinate three files i.e squid-ip-filter.txt, squid-mac-filter.txt and http_access_squid.txt

cat squid-mac-filter.txt squid-ip-filter.txt http-access-squid.txt >> acl-final.txt

and copy from acl-final.txt to paste on appropriate location in squid.conf, dont forget to put http_access deny all on the last :).

To get more help on it please use comments.

By Sohail Riaz

I am a First Red Hat Certified Architect - RHCA (ID # 110-082-666) from Pakistan with over 14 years industry experience in several disciplines including LINUX/UNIX System Administration, Virtualization, Network, Storage, Load Balances, HA Clusters and High Performance Computing.

103 thoughts on “How To Bind MAC with IP in SQUID”
  1. Sohail bhai: Umrah Mubarik.

    I solved that problem that made little amendments in ifcfg-eth0 file and restart and then again put IPs so problem solved.

  2. How to configure the DNS and
    like active directory can we create users in Linux and authenticate the windows clients through him……..

  3. seconly in squid access.log file he shows only IP address
    Is there any way to specifically see that which user is downloading and how much and can username appears in log file………..

  4. 1) You have to configure NIS Server for centralized login. You can find good DNS articles from google.com, use one and we will discuss if there is any problem. I have written dynamic dns post, you can find it here.
    http://www.sohailriaz.com/how-to-configure-dynamic-dns-fedora-core-4-setup/
    #############################
    #############################
    2)It depends on what access list you have defined. If you defined access list using IP addresses, you will only see IP addresses. To see which user seeing what enable user authentication in squid and it can also be seen by using my another post.
    http://www.sohailriaz.com/anonymous-proxy-using-squid-3/

  5. hi sir…how will i configure –enable-arp-acl in squid……i m not getting correct path so please help me…..

  6. hi sir, happy eid mubarik

    sir I want to know about disk partition in Linux and also want to install the RHCE enterprise edition 5

    have two partitions with one 80 G.B harddisk

    /dev/hda1 and /dev/hda2

    Device Boot Start end Blocks id system
    /dev/hda1 * 1 15 83 linux
    /dev/hda2 16 9729 8e linux LVM

    DO I HAVE SOME REMAINING SPACE…….?

    and If I want to do further partitions in existing then how……?

    here their is any concept of primary and secondary(logical) partitions………?

    kindly help to understand this concept and if there is any relevant video then its very helpful for me………..

    Kind regards,

  7. OOOOppps

    I delete the /dev/hda2 partition and again create the extended partition through fdisk……..and then create further logical partitions…….

    now after restarting he give me below mentioned error

    kernel panic– not syncing: attempted to kill init!

  8. @Rashid: You have done already. what i see from your partition table i.e
    /dev/hda1 was /boot partition and /dev/hda2 is was LVM and which was further divided to hold / and other partition.
    Now as you already deleted everything, please reinstall your desired OS.
    You need to learn what/when and how to delete partition in linux.
    ————–
    Regards,

  9. sir, /dev/hda1 is my boot partition and i think operating system should reside on that partition….

    if I deleted /dev/hds2 then what I do wrong
    kindly brief me OR JUST refer me some documentation about LVM …….

    and sir where is my books……

    best regards,

    Rashid

  10. @Rashid, I will give books on saturday for photostate as i went to makkah and didnt get time on return to give it for photostate.
    For RedHat CD’s i have them in my computer in office. How can i deliver to you.
    ———————
    Regards,

  11. sir I will ask my friend to collect the CD’s from you on saturday sir if it is possible then plz give the books to photocopier for photocopies by saturday morning so he done his job till evening and then My friend will collect the books along with the CD’s from you in the evening at 7 to p p.m.

    sir, I will also call you Saturday early morning……

    sir whats about the solution of this problem theory wise

  12. Sir, I start reading the first book……… interesting and not difficult too………..

    sir, I need the cd’s for hands on the labs

    please upload and forward me the link…

    Thanks

    Rashid

  13. how to copy the folder containing files and many other folders with cp command..

    any switch

    me try but only copy the files not the directories.

  14. Sir, Yesterday I tried to logon through user account
    he gives me below error:

    GDM could not write to your authorization file. this could mean that you are out of disk space or that your home directory could not be opened for writing. in any case it is not possible to log in. please contact your system administrator.

    i think the /usr directory have not enough space..

    kindly guide me

    thanks

  15. Dear Sohail Bhai

    please suggest a good and comprehensive book of Redhat Linux which is covered all things and where can i get it from Karachi?????/

  16. Dear Sohail,

    AOA

    i have followed you web site and you squid section for MAC to IP bind
    but it dont work on my system plz check my squid file and comment plz

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    acl mac1 arp 00:1C:23:0B:70:8E
    acl ip1 src 172.16.0.2

    http_access allow ip1 mac1

    http_access allow localnet
    http_access allow localhost
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    htcp_access allow localnet
    htcp_access deny all
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    cache_mem 1024 MB
    cache_dir ufs /var/spool/squid 10280 16 256
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern (cgi-bin|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    cache_effective_user squid
    cache_effective_group squid
    visible_hostname testproxy.kust.edu.pk
    icp_port 3130
    coredump_dir /var/spool/squid

  17. @peter: Every Network Card has unique MAC Address and it associate to it only. If you change anything else will not change it. Yes if you changed your Network Card then the MAC address will be change and it will be associate to new Network Card.
    ————–
    Regards,

  18. hi sir
    i want to know how to configure bandwidth manege in squid i want to cape bandwidth on particular ip in squid
    please help me out in this.

    thanks
    sunil sharma

  19. hello ever one i need some help regarding ncsa_auth, how can i encrypt its clear text password so that it can’t not sanaffied by the users.

  20. Thnx for you kind reply, i m using htpasswd -m /etc/squid/passwd aslam to creat user password but some users are still getting the passwords, could you please guide me how can i scure my server.
    User are using Cain & Abel for this.

    Regards,

  21. hi sir…after a long tym i want to help from your side regarding ftp server…..i have a http server with domain http://www.example.com..i want to configure ftp server on he same domain…..i access that domain by ip address but not by domain name….would u help me hw i configure for that….please help me sir

  22. I live in MADAGASCAR, my problem is that how writing the script in to connect with squid.conf file acl-final. txt, I’m using squid 3.0 stable

  23. Thanks Sohail Riaz ,I want to know if it’s possible to create an external acl function for acl-final.txt because I’m almost managed 150 clients computer and is too long to copy any address in the squid.conf

  24. Hy and thanks for helping people 🙂

    I’m trying to use your script without success. After running the first script line to get the ip-mac.txt, i got the following:

    awk: ‘{print
    awk: ^ invalid char ‘�’ in expression
    PING 192.168.0.83 (192.168.0.83) 56(84) bytes of data.

    — 192.168.0.83 ping statistics —
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    So what could be the error, since i just copied your script line and past it !!

    Thanks a lot for helping 🙂

    red

  25. I am binding my mac with IP but its not working bellow are my configuration of squid.conf on RHEL 5

    http_port 10.132.0.162:8080

    cache_dir ufs /cache 10240 16 256

    visible_hostname srv-proxy1

    cache_access_log /var/log/access.log

    acl all src 0.0.0.0/0.0.0.0

    acl mymac arp 70:71:bc:ad:92:25
    acl myip src 10.132.0.10

    http_access allow mymac myip
    http_access deny all
    ——————-
    Squid version
    2.6.STABLE21

    plz helpme out

  26. @Amir: Not working is very small two words. Give us more detail on it.
    1) Whats not working a) all PC’s are getting access b) all PC’s are getting denied?
    2) Whats your access.log file says when you access any website using the allow PC etc.
    3) It might not make any sense but can you change your MAC address from small alpha to capital alpha like this.
    acl mymac arp 70:71:BC:AD:92:25
    and test it again.

    ————-
    Regards,

  27. Sorry riaz

    Its working fine actually my network have 2 subnet one for servers and othe for clients and my poxy is on servers subnet , now i am able to filter mac address on server subnet but not on clients subnet machines.

    Is there is any solutions regarding different subnet mac address filtering. Plz let me know

    Many thnx for replying.

    JazakALLAH

  28. @Amir: Now there is a question regarding 2 subnet. If your both subnets are differentiated using router means there is a router between your both routers then MAC address will change when it going from one subnet to another as MAC address always comes in play when host to host connection is seeing.
    or if your subnets are not differentiated using router then you need to provide more details regarding your network.

    ——-
    Regards,

  29. Yes you are right , we have two subnets they are connected through L3 switch. 22 and 21 subntes we are using means /22 is server subnet and /21 is our clients subnet. is there is any possibility that we can achive the results without touching L3 router.

    As L3 have only echo ping is allowed….

    regard
    MAJ

  30. how to store IP and MAc address on separate file and do the same thing, something similar to url blocking

  31. Dear Sohail,

    Accessing Exchange Server is not working using Squid 3.0 source RPM. please guide what to do?

  32. Dear Gul,
    For troubleshooting please check first
    that DNS is resloving
    secondly gateway is squid proxy address and DNS is pointing to DNS server
    after that check that Exchange is not working within the network or not accessible from outside the network(internet)
    if from not accessible from internet then you have to forward the IMAP/POP/s and SMTP/s traffic to exchange server
    One more thing which exchange server are you using…….?

  33. Asslamoalikum Sohail Bhai,

    I have configured Squid and apply Mac Address binding with Its IP.
    I want to Deny some website Internet access for perticular MAC ADDRESS , After Apply MAC ADDRESS Binding ACL is working fine ,
    But When I change IP of this , My All site is open,

    Then What is benifit of MAC ADDRESS BInding..

  34. @sahil: Waalaikum wassalam,

    When u put all http_access with configured mac and ip, then in last write

    http_access deny all

    The above will let all block even it tries to change ip

  35. When I put http_access deny all , Below my http_access allow mac1 ip1

    Then Its deny all the Network Internet

Leave a Reply

Your email address will not be published. Required fields are marked *