Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Thread Tools Display Modes
Old 30th August 2007, 19:30
cooljai cooljai is offline
Join Date: May 2007
Location: /dev/random
Posts: 31
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via Yahoo to cooljai
Question Match IP with MAC using iptables for squid block

Dear All,

I've one Transparent Squid Proxy server with two NIC cards: eth1 ( gateway, connected to router) and eth0 ( connected to LAN). ACLs, configured in squid.conf block some IPs ( to access unwanted sites while allows other IPs to do anything. Some naughtly users who's IP is in block list sometimes change their IP and got full access which is causing problems.

I want to implement iptables rules so that packets should be dropped for some IPs whose match with IP and MAC failed. The -mac match module exist in iptables. I searched a lot and got ideas but still not very clear about how to implement, e.g. I found a command like this to match IP: with its MAC:

iptables -A INPUT -s -i eth1 -m mac --mac 00:80:C8:77:46C -j ACCEPT

I would like to confirm:

1) Whether above command/rule is correct for the purpose?
2) where exactly I should put that rules? should I make a script OR put them in /etc/fw.proxy where some iptables settings are already there for squid.
contents of fw.proxy:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -A INPUT -j DROP

I will be highly thankful for all your help/hints.


Reply With Quote
Sponsored Links


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
About iptables rules satimis Technical 0 24th August 2007 18:32
iptables tommytomato Installation/Configuration 3 25th June 2007 18:01
iptables issue with xen perfect setup - debian alexnz HOWTO-Related Questions 3 25th November 2006 14:49
The Perfect Xen 3.0 Setup For Debian | IPTABLES rocket30 HOWTO-Related Questions 7 25th July 2006 15:18
configuring IPTABLES firewall adityavpratap HOWTO-Related Questions 9 27th May 2006 22:42

All times are GMT +2. The time now is 18:48.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.