Friday, March 30, 2012

How to Bind IP to MAC in Squid

Squid, being a full-featured proxy server and cache daemon, provides all the necessary features required for successful content filtering and caching, etc. Binding IP addresses to MAC addresses is in fact one of the most important features. If you've implemented Squid in your environment for content filtering, you would never want to let any of your users bypass the restrictions by switching between different IP addresses. While the same can be achieved through 'iptables' or any other firewall, it is far easier to achieve from within Squid's configuration.

For binding an IP address to a MAC address, you simply need to define the 'src' and 'arp' access control lists ('acl's), and then allow 'http_access' to both of them in a single line.

The configuration file of Squid 2.x is found under '/etc/squid/squid.conf', while that of Squid 3.x is under '/etc/squid3/squid3.conf'. Edit the corresponding configuration file of whichever version you are using:

sudo nano /etc/squid/squid.conf

And add a new entry for both the MAC address and the IP address:

acl pc1_mac arp 00:30:05:e3:ee:f9
acl pc1_ip src 192.168.10.1
http_access allow pc1_mac pc1_ip

Obviously, you need to replace the MAC address and the IP address in the above example with yours. After saving the 'squid.conf' file, restart Squid and test the connectivity. As long as the IP address for a particular MAC address matches the one in Squid's configuration file, there shouldn't be any problems with connectivity. As soon as the IP address bound to a specific MAC address is changed to something else, you would see a very familiar 'access denied' page on the concerning machine.

You might also want to take a look at our older post on how to configure Squid3 as a transparent proxy here:

http://www.tuxgarage.com/2011/01/how-to-setup-transparent-proxy-with.html

Related Posts:

Network , Server