Dear All, I've one Transparent Squid Proxy server with two NIC cards: eth1 (192.168.10.2 gateway, connected to router) and eth0 (192.168.1.1 connected to LAN). ACLs, configured in squid.conf block some IPs (192.168.1.30-80) to access unwanted sites while allows other IPs to do anything. Some naughtly users who's IP is in block list sometimes change their IP and got full access which is causing problems. I want to implement iptables rules so that packets should be dropped for some IPs whose match with IP and MAC failed. The -mac match module exist in iptables. I searched a lot and got ideas but still not very clear about how to implement, e.g. I found a command like this to match IP: 192.168.1.20 with its MAC: iptables -A INPUT -s 192.168.1.20 -i eth1 -m mac --mac 00:80:C8:77:46C -j ACCEPT I would like to confirm: 1) Whether above command/rule is correct for the purpose? 2) where exactly I should put that rules? should I make a script OR put them in /etc/fw.proxy where some iptables settings are already there for squid. contents of fw.proxy: ----------------------------------------------------------------------------------------------------------- SQUID_SERVER="192.168.10.2" INTERNET="eth1" LAN_IN="eth0" SQUID_PORT="3128" iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp echo 1 > /proc/sys/net/ipv4/ip_forward iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT iptables -A INPUT -i $LAN_IN -j ACCEPT iptables -A OUTPUT -o $LAN_IN -j ACCEPT iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT iptables -A INPUT -j DROP ---------------------------------------------------------------------------------------------------- I will be highly thankful for all your help/hints. Regards, Jagbir