Match IP with MAC using iptables for squid block

Discussion in 'Server Operation' started by cooljai, Aug 30, 2007.

cooljai, New Member

    Dear All,

I have one transparent Squid proxy server with two NIC cards: eth1 (192.168.10.2, gateway, connected to the router) and eth0 (192.168.1.1, connected to the LAN). ACLs configured in squid.conf block some IPs (192.168.1.30-80) from accessing unwanted sites while allowing other IPs to do anything. Some naughty users whose IP is in the block list sometimes change their IP and get full access, which is causing problems.

I want to implement iptables rules so that packets are dropped for IPs whose IP/MAC pairing does not match. The mac match module exists in iptables. I searched a lot and got some ideas but am still not very clear about how to implement it; e.g. I found a command like this to match IP 192.168.1.20 with its MAC:

iptables -A INPUT -s 192.168.1.20 -i eth0 -m mac --mac-source 00:80:C8:77:46:DC -j ACCEPT

    I would like to confirm:

1) Whether the above command/rule is correct for the purpose?
2) Where exactly should I put those rules? Should I make a script, or put them in /etc/fw.proxy, where some iptables settings for squid are already present?
    contents of fw.proxy:
    -----------------------------------------------------------------------------------------------------------
    SQUID_SERVER="192.168.10.2"
    INTERNET="eth1"
    LAN_IN="eth0"
    SQUID_PORT="3128"
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    iptables -A INPUT -j DROP
    ----------------------------------------------------------------------------------------------------

    I will be highly thankful for all your help/hints.


    Regards,

    Jagbir
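One way to build the IP/MAC binding asked about above, as an added example and not code from the post or from Squid: a small sh script that turns a table of IP/MAC pairs into iptables commands. The addresses and MACs are constructed samples, eth0 is taken as the LAN interface as described in the post, and the chain name MACBIND is an arbitrary choice. It prints the rules as text so they can be reviewed first and then applied (or pasted into fw.proxy).

```shell
#!/bin/sh
# Added example, not code from the original post. Generates iptables commands
# that bind LAN IPs to MACs, using the poster's layout (LAN on eth0, 192.168.1.x).
# The bindings below are constructed sample values, not real hosts.
LAN_IN="eth0"

# One "IP MAC" pair per line. Every LAN host that should be allowed through
# must be listed; see DEFAULT_DROP below.
BINDINGS="192.168.1.20 00:80:C8:77:46:DC
192.168.1.30 00:80:C8:00:00:30"

# 1 = drop LAN traffic from any IP not listed above. This is what actually
# closes the loophole: a user who moves to an unlisted IP gets nothing
# instead of the unrestricted profile. 0 = only protect the listed IPs.
DEFAULT_DROP=1

# Print the iptables commands instead of running them, so the result can be
# reviewed or pasted into fw.proxy. Apply with: gen_mac_binding_rules | sh
gen_mac_binding_rules() {
    # A dedicated chain keeps reloads clean: create it, or flush it if it exists.
    echo "iptables -N MACBIND 2>/dev/null || iptables -F MACBIND"
    echo "$BINDINGS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Correct pairing: hand the packet back to the calling chain.
        echo "iptables -A MACBIND -s $ip -m mac --mac-source $mac -j RETURN"
        # Same IP from any other MAC: drop. Order matters, RETURN must come first.
        echo "iptables -A MACBIND -s $ip -j DROP"
    done
    if [ "$DEFAULT_DROP" -eq 1 ]; then
        echo "iptables -A MACBIND -j DROP"
    fi
    # Check traffic entering from the LAN on both paths it can take on this box:
    # INPUT (port 80 reaches Squid locally after the PREROUTING DNAT) and FORWARD
    # (everything else that is masqueraded out). Insert at position 1 so the
    # check runs before fw.proxy's blanket "-i $LAN_IN -j ACCEPT" rules.
    echo "iptables -I INPUT 1 -i $LAN_IN -j MACBIND"
    echo "iptables -I FORWARD 1 -i $LAN_IN -j MACBIND"
}

gen_mac_binding_rules
```

If the generated lines are put directly into fw.proxy, they belong after the flush/`-X` block and before the `iptables -A INPUT -i $LAN_IN -j ACCEPT` and `--append FORWARD --in-interface $LAN_IN -j ACCEPT` lines, otherwise those rules accept the LAN traffic before the check runs (the `-I ... 1` form guards against that ordering mistake). Two limits to keep in mind: the mac match only sees the source MAC of the frame on the proxy's own Ethernet segment, so it works for hosts directly on eth0 and not for anything arriving through another router; and a MAC address is an identifier, not a credential, so this raises the bar rather than closing the door, which is why pairing it with DHCP reservations or switch-port security is the usual next step.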
