Squid Proxy: Filter clients by IP and MAC

This post introduces Squid Proxy rules that filter client access by MAC and IP address. With these rules we can block specific clients by their address, or restrict which content they may reach.

We also build on the setup from the post Squid Proxy Installation and Configuration.

Lessons in the Squid and SquidGuard tutorial series:

Lesson 1: Squid Proxy Installation and Configuration

Lesson 2: Squid Proxy: Filter clients by IP and MAC

Lesson 3: Squid: User Authentication

Lesson 4: SquidGuard : Installation and Configuration

Lesson 5: SquidGuard : how to import blocklist

So this post covers only the three rule types listed below:

  • 1) Rule based on client IP 
  • 2) Rule based on client MAC
  • 3) Rule filtering domains by client MACs 

Squid Proxy Initial Configuration

Here we start from the same initial configuration file (squid.conf) used in the post Squid Proxy Installation and Configuration.

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
#----------------------------
## Deny requests to unsafe ports = no Safe_ports
http_access deny !Safe_ports
#----------------------------
## Deny CONNECT to ports other than the SSL ports
http_access deny CONNECT !SSL_ports
#----------------------------
# Squid listen port
http_port 3128
#----------------------------
# insert the rules from this post here

#----------------------------
# only this network is allowed
acl Minha_Rede src 192.168.10.0/24
http_access allow Minha_Rede
#----------------------------
# Block all the rest
http_access deny all

Configure the clients' browsers to use the proxy:

In this case the squid proxy IP is 192.168.10.1 and the port used is 3128.

1) Rule based on client IP

Here we create a list of client IPs to block. The configuration goes in /etc/squid/squid.conf:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
#----------------------------
## Deny requests to unsafe ports = no Safe_ports
http_access deny !Safe_ports
#----------------------------
## Deny CONNECT to ports other than the SSL ports
http_access deny CONNECT !SSL_ports
#----------------------------
# Squid listen port
http_port 3128

#----------------------------
# rules inserted in this post
acl SRC_IP src "/etc/squid/SRC_IP.txt"
http_access deny SRC_IP
#----------------------------

# only this network is allowed
acl Minha_Rede src 192.168.10.0/24
http_access allow Minha_Rede
#----------------------------
# Block all the rest
http_access deny all

acl SRC_IP src "/etc/squid/SRC_IP.txt": the ACL SRC_IP matches source IP addresses (src) read from the file /etc/squid/SRC_IP.txt.

Next, http_access deny SRC_IP blocks HTTP access (http_access deny) for any client whose IP is in the SRC_IP ACL. Squid evaluates http_access lines in order and the first match wins, so this deny line must come before http_access allow Minha_Rede; placed after it, the listed clients would already have been allowed and the deny would never apply.

Now let’s create the /etc/squid/SRC_IP.txt file. For this we can use an editor:

sudo nano /etc/squid/SRC_IP.txt

Then add the IPs you want to block, one per line. Example:

192.168.10.5
192.168.10.7

Next, restart Squid:

sudo service squid restart

Now clear the client browser cache and try to access a site through the proxy.

2) Rule based on client MAC

Now we create a list of client MACs to block. The /etc/squid/squid.conf file:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
#----------------------------
## Deny requests to unsafe ports = no Safe_ports
http_access deny !Safe_ports
#----------------------------
## Deny CONNECT to ports other than the SSL ports
http_access deny CONNECT !SSL_ports
#----------------------------
# Squid listen port
http_port 3128

#----------------------------
# rules inserted in this post
acl SRC_MAC arp "/etc/squid/SRC_MAC.txt"
http_access deny SRC_MAC
#----------------------------

# only this network is allowed
acl Minha_Rede src 192.168.10.0/24
http_access allow Minha_Rede
#----------------------------
# Block all the rest
http_access deny all

acl SRC_MAC arp "/etc/squid/SRC_MAC.txt": the ACL SRC_MAC matches client MAC addresses (arp) read from the file /etc/squid/SRC_MAC.txt. Squid obtains the MAC from its own ARP table, so this ACL only works for clients on the same local network segment as the proxy; a client on another subnet has no entry in that table and cannot be matched. Since a MAC address is set by the client itself, treat this as a convenience control rather than a security boundary.

Next, http_access deny SRC_MAC blocks HTTP access (http_access deny) for clients whose MAC is in the SRC_MAC ACL. As with the IP rule, this line must come before http_access allow Minha_Rede, because the first matching http_access line decides.

Now let’s create the /etc/squid/SRC_MAC.txt file. For this we can use an editor:

sudo nano /etc/squid/SRC_MAC.txt

Then add the MACs you want to block, one per line. Example:

08:00:27:4b:32:42
08:00:27:55:11:11

Next, restart Squid:

sudo service squid restart

Now clear the client browser cache and try to access a site through the proxy.

3) Rule filtering domains by client MACs

Here, we want clients whose MAC is listed in the file /etc/squid/SRC_MAC.txt to be denied access to certain domains, while the other clients on the network can reach those domains normally.

This kind of MAC-based domain filtering is useful when some clients on the network should have priority: the priority clients browse without restriction while the others are subject to it.

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
#----------------------------
## Deny requests to unsafe ports = no Safe_ports
http_access deny !Safe_ports
#----------------------------
## Deny CONNECT to ports other than the SSL ports
http_access deny CONNECT !SSL_ports
#----------------------------
# Squid listen port
http_port 3128

#----------------------------
# rules inserted in this post
acl SRC_MAC arp "/etc/squid/SRC_MAC.txt"

acl Dominios_Proibidos dstdomain "/etc/squid/dominios_proibidos.txt"
http_access deny Dominios_Proibidos SRC_MAC
#----------------------------
# only this network is allowed
acl Minha_Rede src 192.168.10.0/24
http_access allow Minha_Rede
#----------------------------
# Block all the rest
http_access deny all

acl SRC_MAC arp "/etc/squid/SRC_MAC.txt": the ACL SRC_MAC matches client MAC addresses (arp) read from the file /etc/squid/SRC_MAC.txt (clients on the proxy's own network segment only, as explained in section 2).

acl Dominios_Proibidos dstdomain "/etc/squid/dominios_proibidos.txt": the ACL Dominios_Proibidos matches destination domains (dstdomain) read from the file /etc/squid/dominios_proibidos.txt.

Now we use http_access deny Dominios_Proibidos SRC_MAC. Two ACLs on one http_access line are ANDed, so this denies HTTP access (http_access deny) only when the request is for a domain in Dominios_Proibidos and comes from a MAC in SRC_MAC; every other request falls through to the next lines. As before, this line must appear before http_access allow Minha_Rede.

Now let’s create the /etc/squid/SRC_MAC.txt file. For this we can use an editor:

sudo nano /etc/squid/SRC_MAC.txt

Then add the MACs you want to block, one per line. Example:

08:00:27:4b:32:42
08:00:27:55:11:11

Now let’s create the file /etc/squid/dominios_proibidos.txt. For this we can use an editor:

sudo nano /etc/squid/dominios_proibidos.txt

Then add the domains you want the Squid Proxy filter to block, one per line. A leading dot matches the domain itself and all of its subdomains. Example:

.simplificandoredes.com

Next, restart Squid:

sudo service squid restart

Now clear the client browser cache and try to access a site through the proxy.
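To see how Squid decides on the rules from the three sections above, here is an added Python model of the http_access evaluation (it is neither code from this post nor from Squid): the first http_access line whose ACLs all match wins, ACLs on one line are ANDed, and '!' negates. The FILES dictionary stands in for the list files on disk, and the request dictionaries are constructed samples; it also shows why the deny lines must precede http_access allow Minha_Rede.

```python
import ipaddress
FILES = {  # constructed stand-ins for the list files the page's ACLs read from disk
    "/etc/squid/SRC_MAC.txt": ["08:00:27:4b:32:42", "08:00:27:55:11:11"],
    "/etc/squid/dominios_proibidos.txt": [".simplificandoredes.com"],
}
CONF = """# the "insert rules" region of the page's lesson 3 squid.conf, as written
acl SRC_MAC arp "/etc/squid/SRC_MAC.txt"
acl Dominios_Proibidos dstdomain "/etc/squid/dominios_proibidos.txt"
http_access deny Dominios_Proibidos SRC_MAC
acl Minha_Rede src 192.168.10.0/24
http_access allow Minha_Rede
http_access deny all
"""

def parse_conf(text):
    """Collect acl lines (values merged by name) and http_access lines in order."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()          # drop comments
        if words and words[0] == "acl":
            name, kind, *values = words[1:]
            if len(values) == 1 and values[0].startswith('"'):
                values = FILES[values[0].strip('"')]    # "file" form
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "arp":  # Squid only learns a MAC for clients on its own L2 segment
        return req.get("mac", "").lower() in [v.lower() for v in values]
    if kind == "dstdomain":  # leading dot matches the domain and all subdomains
        h = req["host"].lower()
        return any(h == v.lstrip(".") or (v[0] == "." and h.endswith(v)) for v in values)
    raise ValueError(f"acl type {kind} not modelled here")

def evaluate(req, conf=CONF):
    """First http_access line whose ACLs all match wins (ACLs on a line are ANDed)."""
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        for term in terms:                             # '!' negates a term
            hit = term.lstrip("!") == "all" or acl_matches(*acls[term.lstrip("!")], req)
            if hit == term.startswith("!"):
                break                                  # this line does not apply
        else:
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"  # Squid: opposite of last line
```

Passing a request from a listed MAC for www.simplificandoredes.com returns "deny", the same MAC for any other host returns "allow", and swapping the deny and allow lines makes the listed MAC get "allow" for the forbidden domain too.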

Test scenario for Squid Proxy Filter

See more:

Squid Proxy Installation and Configuration

pfBlockerNG Customize Blocklist

Juliana Mascarenhas

Data Scientist, with a Master's in Computer Modeling from LNCC.
Computer Engineer