View Single Post
Old 30th August 2007, 19:30
cooljai cooljai is offline
Join Date: May 2007
Location: /dev/random
Posts: 31
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via Yahoo to cooljai
Question Match IP with MAC using iptables for squid block

Dear All,

I've one Transparent Squid Proxy server with two NIC cards: eth1 ( gateway, connected to router) and eth0 ( connected to LAN). ACLs, configured in squid.conf block some IPs ( to access unwanted sites while allows other IPs to do anything. Some naughtly users who's IP is in block list sometimes change their IP and got full access which is causing problems.

I want to implement iptables rules so that packets should be dropped for some IPs whose match with IP and MAC failed. The -mac match module exist in iptables. I searched a lot and got ideas but still not very clear about how to implement, e.g. I found a command like this to match IP: with its MAC:

iptables -A INPUT -s -i eth1 -m mac --mac 00:80:C8:77:46C -j ACCEPT

I would like to confirm:

1) Whether above command/rule is correct for the purpose?
2) where exactly I should put that rules? should I make a script OR put them in /etc/fw.proxy where some iptables settings are already there for squid.
contents of fw.proxy:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -A INPUT -j DROP

I will be highly thankful for all your help/hints.


Reply With Quote
Sponsored Links