In this how to i describe how to bind MAC with IP to restrict users in your network to change their IP’s to bypass filtering. To ease the setup i will create small scripts to simplify our work. Here i will not describe how to config squid and how to run it. I assume you have already configure it.
1) Grep MAC Addresses
Let suppose we have 10 machines with IPs range 192.168.0.1 – 192.168.0.10, you have to get mac address for them using following command.
Besure your machines are up and pingable, else you will get empty lines and you have to remove them manually.
for i in `seq 1 10`; do ping -c 1 192.168.0.$i; arp -n 192.168.0.$i | grep -v Address | grep -v incomplete | awk ‘{print $1 ” ” $3}’ >> ip-mac.txt; done
This command will get required mac address with IP in a file named ip-mac.txt
cat ip-mac.txt
192.168.0.1 00:1D:09:6B:3C:28
192.168.0.2 00:1D:09:6A:EA:02
192.168.0.3 00:1D:09:71:2C:34
192.168.0.4 00:1D:09:6A:CB:85
192.168.0.5 00:1D:09:6A:C3:15
192.168.0.6 00:1D:09:6A:CA:8B
192.168.0.7 00:1D:09:6A:CB:DA
192.168.0.8 00:1D:09:6A:CC:34
192.168.0.9 00:1D:09:6B:11:76
192.168.0.10 00:1D:09:6B:36:6F
2) Create ACL For SQUID.
I will create a small bash script to easy my work.
To get acl for mac
i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 2 -d ” “`; echo “acl mac$i arp $b” >> squid-mac-filter.txt; i=`expr $i + 1`; done
cat squid-mac-filter.txt
acl mac1 arp 00:1D:09:6B:3C:28
acl mac2 arp 00:1D:09:6A:EA:02
acl mac3 arp 00:1D:09:71:2C:34
acl mac4 arp 00:1D:09:6A:CB:85
acl mac5 arp 00:1D:09:6A:C3:15
acl mac6 arp 00:1D:09:6A:CA:8B
acl mac7 arp 00:1D:09:6A:CB:DA
acl mac8 arp 00:1D:09:6A:CC:34
acl mac9 arp 00:1D:09:6B:11:76
acl mac10 arp 00:1D:09:6B:36:6F
To get acl for ip
i=1
cat ip-mac.txt | while read a; do b=`echo $a | cut -f 1 -d ” “`; echo “acl ip$i src $b” >> squid-ip-filter.txt; i=`expr $i + 1`; done
cat squid-ip-filter.txt
acl ip1 src 192.168.0.1
acl ip2 src 192.168.0.2
acl ip3 src 192.168.0.3
acl ip4 src 192.168.0.4
acl ip5 src 192.168.0.5
acl ip6 src 192.168.0.6
acl ip7 src 192.168.0.7
acl ip8 src 192.168.0.8
acl ip9 src 192.168.0.9
acl ip10 src 192.168.0.10
To generate http_access allow lines, you have to get the max number of your list of IP’s and MAC’s. Here i have is 10, sure both will be the same 🙂
for i in `seq 1 10`; do echo “http_access allow mac$i ip$i” >> http-access-squid.txt; done
cat http-access-squid.txt
http_access allow mac1 ip1
http_access allow mac2 ip2
http_access allow mac3 ip3
http_access allow mac4 ip4
http_access allow mac5 ip5
http_access allow mac6 ip6
http_access allow mac7 ip7
http_access allow mac8 ip8
http_access allow mac9 ip9
http_access allow mac10 ip10
Now concatinate three files i.e squid-ip-filter.txt, squid-mac-filter.txt and http_access_squid.txt
cat squid-mac-filter.txt squid-ip-filter.txt http-access-squid.txt >> acl-final.txt
and copy from acl-final.txt to paste on appropriate location in squid.conf, dont forget to put http_access deny all on the last :).
To get more help on it please use comments.
@Sohail SIr,
I have sent my squid.conf file to you .
Dear sohail,
My question is same as above by Mr. Amir, that how can we authenticate multiple subnets with the presence of L3 switch between users and squied. I can authenticate them with ip+username/password. But i need mac authentication aswell. is there any way so that i can use all ip+mac+username/pass authentication same time.???
regards
Thanks Sohail Riaz
I got exactly what i needed from your website. Thanks a lot . As i am having around 800 machines i was wondering how to bind the all the mac address and ip manually . Your tutorial works great
Thank you