decay n00b
Joined: 09 Jul 2003 Posts: 36
Posted: Mon Jan 10, 2005 7:22 am Post subject: Squid and the iptables -mac filtering
hey
I'm currently using MAC filtering to set up access to the internet for a medium network.
This is a sample of the iptables script.
Code:

```sh
$IPTABLES -A FORWARD -s 10.0.0.4 -m mac --mac-source *:*:*:*:*:* -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.4/32 -j SNAT --to-source 81.181.*.*
...
...
...
$IPTABLES -A FORWARD -s 10.0.0.0/24 -j DROP
```
At first look it seems like the filtering is working ... no one has internet access if they do not have their MAC routed.
But the problems started when I installed Squid.
If a user from the network who doesn't have access to the internet (doesn't have the MAC routed) uses the Squid proxy, he can go to the internet.
I've set up ACLs for every single IP I want to grant access to the internet .. but the thing now is that if a user that has no access uses an IP from those that have access, he can use the proxy to get out to the internet.
Can you give me any idea of what I can do to deny access permanently to the ones that I want?
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon Jan 10, 2005 12:01 pm Post subject:
I'm having trouble understanding exactly what you want to achieve with such a setup.
If you plan on using Squid on your network then surely everyone benefits from using the proxy - why restrict it to people who cannot get a straight connection to the outside?
If you want to deny access to certain people - and why do this with MAC filtering at all? - then just deny them - don't set up Squid in such a backward manner!
So I guess I'm looking for an explanation of two issues:
- why use MAC filtering?
- why bypass Squid, ever?
If you realise this is not necessary (or, in a few extreme cases, it is really the only way for you - but you would already know how to do this stuff if your case was that extreme) the "problem" becomes much simpler...
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
decay n00b
Joined: 09 Jul 2003 Posts: 36
Posted: Mon Jan 10, 2005 2:18 pm Post subject:
I have to use MAC filtering in order to give internet access to some users from my LAN ... but not to all.
For example I have 100 users on my LAN and I want to grant access only to about 80 of them ... how can I do that if not by MAC filtering?..
The iptables -t nat -A POSTROUTING -s 10.0.0.2/32 -j MASQUERADE or other rules like that are out of the question because if, let's say, the computer who has that IP is shut down .. and another user that doesn't have internet access takes that IP ... it will then have access ...
So this is the reason I have to do the MAC filtering.
And now about the Squid question ...
I've set up Squid so that the users who HAVE internet access will use it (mainly for caching) and so I'll have some gain in the speed the web sites will be displayed at.
But the nasty thing is that Squid doesn't look up the iptables rules and gives access to the whole class (if the ACL is set up for the whole /24 class).
I've done ACLs for all the users ... with their IPs (with the /32 mask) and so was hoping that my problem would be solved .. and it was not.
If an unwanted user (one that doesn't have access to the internet) takes an IP that has internet access (let's say the comp. that had it is turned off) .. even if the iptables rules deny traffic from that computer (based on the MAC filters), Squid will grant access to that IP (no matter what the MAC of the interface is) and so the unwanted user will go out to the internet (using the proxy for all the connections that he wants).
I hope I was more explicit this time :P
Casper Gasper Tux's lil' helper
Joined: 07 Sep 2004 Posts: 75 Location: London
Posted: Mon Jan 10, 2005 8:58 pm Post subject:
I think I get what you're trying to do, but there seem to be quite a few easier ways to do it:
1. Filter by IP address, and use your DHCP server to hand out fixed leases to given MAC addresses.
2. Squid on Linux can filter by MAC addresses on its own. Set up ACLs for them.
3. Force your web users to log in with a username and password to Squid.
Casper.
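Casper's option 2, as an added example that is not part of the thread and not code from either poster: a small POSIX shell script that derives both the iptables MAC rules and the Squid ACLs from one list of (IP, MAC) pairs, so the proxy can only allow what the firewall allows and the two policies cannot drift apart. The IPs are the thread's 10.0.0.0/24 range, the MACs are constructed placeholders, and it assumes Squid was built with the `arp` ACL type and that the clients sit on the proxy's own subnet (the ARP ACL cannot see MACs across a router).

```sh
#!/bin/sh
# Added example: one allowlist drives BOTH the firewall and the proxy.
# Constructed sample "ip mac" pairs; the MACs are placeholders, not real hosts.
ALLOWLIST='10.0.0.4 00:11:22:33:44:01
10.0.0.5 00:11:22:33:44:02'

# Emit iptables FORWARD rules: accept only a matching (IP, MAC) pair,
# then drop everything else from the LAN, as in the original script.
gen_iptables() {
    printf '%s\n' "$ALLOWLIST" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf 'iptables -A FORWARD -s %s -m mac --mac-source %s -j ACCEPT\n' "$ip" "$mac"
    done
    printf 'iptables -A FORWARD -s 10.0.0.0/24 -j DROP\n'
}

# Emit squid.conf lines: a client must match BOTH its src IP and its
# arp (MAC) ACL on the same http_access line (Squid ANDs them), so a host
# that merely borrows an allowed IP is denied by the proxy as well.
# Caveat: the arp ACL only resolves MACs of hosts on the proxy's own subnet,
# and needs a Squid build with ARP ACL support.
gen_squid() {
    printf '%s\n' "$ALLOWLIST" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        tag=$(printf '%s' "$ip" | tr . _)          # 10.0.0.4 -> 10_0_0_4
        printf 'acl ip_%s src %s/32\n' "$tag" "$ip"
        printf 'acl mac_%s arp %s\n' "$tag" "$mac"
        printf 'http_access allow ip_%s mac_%s\n' "$tag" "$tag"
    done
    printf 'http_access deny all\n'              # default deny, last
}

# Print both fragments when run directly.
gen_iptables
gen_squid
```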