Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: tariqf on January 18, 2016, 10:47:46 AM

Title: restrict internet access by MAC
Post by: tariqf on January 18, 2016, 10:47:46 AM
Hi, what's the easiest way to restrict internet access so that only certain MACs on my network are allowed to get out to the internet? i.e. I can set a list of allowed MACs and have the default be LAN-only access (we have some internal web servers).
Title: Re: restrict internet access by MAC
Post by: Stefano on January 18, 2016, 12:20:52 PM
I don't know if squid is compiled with the --enable-arp-acl flag, but you could take a look here:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#Can_I_set_up_ACL.27s_based_on_MAC_address_rather_than_IP.3F

then create a custom fragment and try it yourself

if it works, please report here, thank you (it could be a useful improvement..)
Title: Re: restrict internet access by MAC
Post by: byte on January 18, 2016, 01:40:11 PM
I don't know if squid is compiled with the --enable-arp-acl flag, but you could take a look here:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#Can_I_set_up_ACL.27s_based_on_MAC_address_rather_than_IP.3F

According to the link above arp acl support is already included in squid 3.2 - SME Server 9.x uses squid 3.1.
Title: Re: restrict internet access by MAC
Post by: tariqf on January 18, 2016, 01:41:49 PM
I don't know if squid is compiled with the --enable-arp-acl flag

I checked and it is (squid -v). Will make MAC rules and test. Also might make a quick web interface to manage them.
Title: Re: restrict internet access by MAC
Post by: Stefano on January 18, 2016, 01:44:54 PM
According to the link above arp acl support is only included in squid 3.2 - SME Server 9.x uses squid 3.1.

IIUC, it's included by default from 3.2 onwards, but it can also be used in 3.1 as long as squid has been compiled with that flag

on a SME9 64 I see:

Code:
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23

:-)
Title: Re: restrict internet access by MAC
Post by: Stefano on January 18, 2016, 01:48:54 PM
I checked and it is (squid -v). Will make MAC rules and test. Also might make a quick web interface to manage them.

well, you can use the MAC addresses stored in the "hostnames and addresses" panel.. permit them, block any other MAC address

please be aware that this would not use iptables (i.e. the firewall) to block clients, so external access will still be possible..

if you need to block at the firewall's level (IOW disable access from some internal clients to the WAN), you should not use squid but work on a masq fragment
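As an added example (not code from this thread, from SME Server or from Squid), the script below builds both pieces Stefano describes from a single MAC allowlist: a squid.conf fragment for the proxy-level restriction suggested earlier in the thread, and the iptables rules for a masq fragment when the block has to happen at the firewall. The acl name allowed_macs, the chain name macfilter, the masq-script variables INTERNALIF and OUTERIF, and the sample MAC addresses are assumptions made for this example; the list file format (one MAC per line, # comments) is also the example's own.

```shell
#!/bin/sh
# Added example, not SME Server's or Squid's own code.
# Builds either a squid.conf ACL fragment or an iptables (masq) fragment
# from one MAC allowlist, rejecting malformed entries instead of passing
# them through to the config.
#
# Assumptions (placeholders for this example): acl name "allowed_macs",
# chain name "macfilter", masq-script variables $INTERNALIF / $OUTERIF.

# Return 0 if $1 is a MAC address in aa:bb:cc:dd:ee:ff form.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read the allowlist in $1 (one MAC per line, '#' comments allowed), normalise
# to lower case, report malformed entries on stderr and print valid ones on
# stdout. Fails (non-zero) when nothing usable was found, so a typo in the
# list cannot silently produce a fragment that denies everyone.
read_macs() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "$line" | sed 's/#.*//' | tr -d '[:space:]' | tr 'A-F' 'a-f')
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            printf '%s\n' "$mac"
            count=$((count + 1))
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done < "$1"
    [ "$count" -gt 0 ]
}

# Proxy side: deny any client whose MAC is not listed. Squid 3.1 uses the
# "arp" ACL type (available when built with --enable-arp-acl; 3.2+ calls it
# "eui"). The deny line must sort before the template's own allow rules.
squid_fragment() {
    macs=$(read_macs "$1") || return 1
    for mac in $macs; do
        printf 'acl allowed_macs arp %s\n' "$mac"
    done
    printf 'http_access deny !allowed_macs\n'
}

# Firewall side: LAN-to-WAN forwarded traffic is sent through the macfilter
# chain; listed MACs RETURN to the normal ruleset, everything else is logged
# (so denied clients show up in /var/log/messages) and dropped.
masq_fragment() {
    macs=$(read_macs "$1") || return 1
    printf '/sbin/iptables --new-chain macfilter\n'
    for mac in $macs; do
        printf '/sbin/iptables --append macfilter -m mac --mac-source %s -j RETURN\n' "$mac"
    done
    printf '/sbin/iptables --append macfilter -j LOG --log-prefix "macfilter-deny: "\n'
    printf '/sbin/iptables --append macfilter -j DROP\n'
    # $INTERNALIF / $OUTERIF are left unexpanded on purpose: the masq script
    # that includes the fragment is assumed to define them.
    printf '/sbin/iptables --insert FORWARD -i $INTERNALIF -o $OUTERIF -j macfilter\n'
}

# Constructed sample allowlist for a stand-alone run; replace with your own file.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
00:11:22:33:44:55   # constructed: workstation A
AA:BB:CC:DD:EE:01   # constructed: workstation B (upper case is normalised)
00-11-22-33-44-66   # wrong separator: reported on stderr and skipped
EOF

case "${1:-}" in
    squid) squid_fragment "$SAMPLE_LIST" ;;
    masq)  masq_fragment "$SAMPLE_LIST" ;;
    *)     echo "usage: $0 squid|masq" >&2 ;;
esac
```

Run it as `sh build_mac_fragments.sh squid > 15MacFilter` (file name assumed) and drop the result under the custom template directory for /etc/squid/squid.conf, then expand the template and check it with `squid -k parse` before reloading; the masq output goes into a custom fragment of the masq template in the same way. Two limits apply to both variants: the arp ACL and the iptables mac match only see the hardware address of the last hop, so clients behind another router all show that router's MAC, and a MAC is set by the client, so this is a convenience control rather than authentication.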
Title: Re: restrict internet access by MAC
Post by: byte on January 18, 2016, 02:00:06 PM
IIUC, it's included by default from 3.2 onwards, but it can also be used in 3.1 as long as squid has been compiled with that flag

Correct :)

Quote
on a SME9 64 I see:

[...]

:-)

Great 8-)