HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   Match IP with MAC using iptables for squid block (http://www.howtoforge.com/forums/showthread.php?t=15182)

cooljai 30th August 2007 18:30

Match IP with MAC using iptables for squid block
 
Dear All,

I've one Transparent Squid Proxy server with two NIC cards: eth1 (192.168.10.2 gateway, connected to router) and eth0 (192.168.1.1 connected to LAN). ACLs, configured in squid.conf block some IPs (192.168.1.30-80) to access unwanted sites while allows other IPs to do anything. Some naughtly users who's IP is in block list sometimes change their IP and got full access which is causing problems.

I want to implement iptables rules so that packets should be dropped for some IPs whose match with IP and MAC failed. The -mac match module exist in iptables. I searched a lot and got ideas but still not very clear about how to implement, e.g. I found a command like this to match IP: 192.168.1.20 with its MAC:

iptables -A INPUT -s 192.168.1.20 -i eth1 -m mac --mac 00:80:C8:77:46:DC -j ACCEPT

I would like to confirm:

1) Whether above command/rule is correct for the purpose?
2) where exactly I should put that rules? should I make a script OR put them in /etc/fw.proxy where some iptables settings are already there for squid.
contents of fw.proxy:
-----------------------------------------------------------------------------------------------------------
SQUID_SERVER="192.168.10.2"
INTERNET="eth1"
LAN_IN="eth0"
SQUID_PORT="3128"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -A INPUT -j DROP
----------------------------------------------------------------------------------------------------

I will be highly thankful for all your help/hints.


Regards,

Jagbir


All times are GMT +2. The time now is 17:47.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.