Koozali.org: home of the SME Server

restrict internet access by MAC

Offline tariqf

restrict internet access by MAC
« on: January 18, 2016, 10:47:46 AM »
Hi, what's the easiest way to restrict internet access so that only certain MACs on my network are allowed to get out to the internet? i.e. I can set a list of allowed MACs and have the default be LAN-only access (we have some internal web servers).

Offline Stefano

Re: restrict internet access by MAC
« Reply #1 on: January 18, 2016, 12:20:52 PM »
I don't know if squid is compiled with --enable-arp-acl flag, but you'd take a look here:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#Can_I_set_up_ACL.27s_based_on_MAC_address_rather_than_IP.3F

then create a custom fragment and try it yourself

if it works, please report here, thank you (it can be a useful improvement..)

Offline byte

Re: restrict internet access by MAC
« Reply #2 on: January 18, 2016, 01:40:11 PM »
I don't know if squid is compiled with --enable-arp-acl flag, but you'd take a look here:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#Can_I_set_up_ACL.27s_based_on_MAC_address_rather_than_IP.3F

According to the link above arp acl support is already included in squid 3.2 - SME Server 9.x uses squid 3.1.
« Last Edit: January 18, 2016, 01:53:03 PM by byte »
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told; this way you help us to help you/others - Thanks!

Offline tariqf

Re: restrict internet access by MAC
« Reply #3 on: January 18, 2016, 01:41:49 PM »
I don't know if squid is compiled with --enable-arp-acl flag

I checked and it is (squid -v). Will make MAC rules and test. Also might make a quick web interface to manage

Offline Stefano

Re: restrict internet access by MAC
« Reply #4 on: January 18, 2016, 01:44:54 PM »
According to the link above arp acl support is only included in squid 3.2 - SME Server 9.x uses squid 3.1.

IIUC, it's included by default from 3.2 onwards, but can be used also in 3.1 as long as squid has been compiled with that flag

on a SME9 64 I see:

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23

:-)

Offline Stefano

Re: restrict internet access by MAC
« Reply #5 on: January 18, 2016, 01:48:54 PM »
I checked and it is (squid -v). Will make MAC rules and test. Also might make a quick web interface to manage

well, you can use the MAC addresses stored in the "hostnames and addresses" panel.. permit them, block any other MAC address

please be aware that this would not use iptables (i.e. the firewall) to block clients, so external access will be possible..

if you need to block at firewall's level (IOW disable access from some internal clients to WAN), you'd not use squid but work on a masq fragment

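Putting Stefano's two replies together (first confirm the build flag, as tariqf did with `squid -v`, then write a squid.conf fragment that permits the known MACs and denies every other client), here is an added shell example. It is not code from this thread or from SME Server: the `squid -v` text is passed in as a string so the check runs anywhere, the MAC list and the comment header are constructed for the example, and nothing here touches the real template directory, whose fragment numbering you would have to check on your own box.

```shell
#!/bin/sh
# Added example (not from the Koozali thread or the SME Server code base).
# Builds a Squid "arp" ACL fragment from a list of permitted MAC addresses,
# after confirming the installed squid was built with --enable-arp-acl.
# Sample inputs below are constructed for the example.

# Return 0 if the given `squid -v` output lists the arp ACL build flag.
# $1 = text of `squid -v` output (e.g. "$(squid -v)")
has_arp_acl() {
    printf '%s\n' "$1" | grep -qF -- '--enable-arp-acl'
}

# Return 0 if $1 is a colon-separated MAC such as 00:11:22:aa:bb:cc.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit a squid.conf fragment: one `acl` line per permitted MAC (stdin, one
# per line), then allow those clients and deny everyone else.  Blank lines,
# comments and malformed MACs are skipped and reported on stderr, so a typo
# shows up instead of silently dropping a client into the deny rule.  If no
# valid MAC was read, the allow line is omitted: Squid refuses to start when
# an http_access rule references an ACL that was never defined.
make_fragment() {
    echo "# permit web access only from known MACs (arp ACL: same-subnet clients only)"
    count=0
    while IFS= read -r mac; do
        case "$mac" in ''|'#'*) continue ;; esac
        if valid_mac "$mac"; then
            echo "acl allowed_macs arp $mac"
            count=$((count + 1))
        else
            echo "skipping malformed MAC: $mac" >&2
        fi
    done
    if [ "$count" -gt 0 ]; then
        echo "http_access allow allowed_macs"
    fi
    echo "http_access deny all"
}

# Typical use on the proxy host:
#   has_arp_acl "$(squid -v)" || { echo "squid lacks --enable-arp-acl" >&2; exit 1; }
#   make_fragment < /path/to/permitted-macs.txt > /path/to/fragment   # paths are placeholders
```

Two points worth keeping in mind when you drop this into a custom fragment. Squid evaluates `http_access` rules in order and stops at the first match, so the fragment has to sort before the stock `http_access allow` rules for the LAN or it will never be reached. And as the Squid FAQ linked above notes, the `arp` ACL type only sees the MAC of clients on the same subnet as the proxy, and a client can change its MAC at will, so this is a convenience control for known machines, not a boundary; Stefano's point about iptables stands: anything that bypasses the proxy is untouched by it.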
Offline byte

Re: restrict internet access by MAC
« Reply #6 on: January 18, 2016, 02:00:06 PM »
IIUC, it's included by default from 3.2 onwards, but can be used also in 3.1 as long as squid has been compiled with that flag

Correct :)

Quote
on a SME9 64 I see:

[...]

:-)

Great 8-)