How to Deny Access Based on MAC Address in Squid

In many cases system admins want to control internet access based on users' MAC addresses. For example, if you run a DHCP server in your network to distribute TCP/IP settings, restricting users by IP address is difficult because the IP assigned by the DHCP server may change on the next lease. As we all know, the MAC address is hard-coded on the NIC by the manufacturer for identification and it can't be changed. Now let's see how we can deny access based on MAC address in the Squid proxy server.



Fortunately, Squid provides a special ACL type called "arp" that filters requests based on MAC addresses, which are written as XX:XX:XX:XX:XX:XX, where each X is a hexadecimal digit.

This ACL type is available only if Squid was compiled with the --enable-eui or --enable-arp-acl option, depending on the Squid version you have.

You can check whether your Squid build was compiled with one of these options by running the following commands:

squid -v | grep "enable-eui"

Or

squid -v | grep "enable-arp-acl"

I assume that you already have a working Squid setup; if not, please follow this article: Squid RPM base installation using yum.

Configure ACL

We need to add an arp ACL rule to the /etc/squid/squid.conf file. Please note that Squid's ACL mechanism always applies the first matching http_access rule from top to bottom and ignores everything after the first match, so place the ACL carefully to avoid any difficulty.

As a safe practice, back up your configuration file before editing it:

cp /etc/squid/squid.conf /etc/squid/squid.conf.bk-11-09-2017

Now open squid.conf and use the ACLs below as per your requirement:

vi /etc/squid/squid.conf

Block All Websites for a Single MAC Address

Squid ACL
acl mac_addr arp 08:00:27:9e:fb:16
http_access deny mac_addr

Save and close the file and restart the Squid server:

systemctl restart squid

The above ACL mac_addr matches all requests originating from the client with MAC address 08:00:27:9e:fb:16 and blocks them as per the deny rule. Below you can see different examples of how to allow or deny access based on MAC address in the Squid proxy.

Block All Sites for Multiple MAC Addresses

Create a file containing the list of MAC addresses you wish to restrict.

MAC List
# cat /etc/squid/mac_addresses.txt
08:00:27:9e:fb:16
08:00:27:9f:bb:43

Now point your ACL rule at this file as follows.

acl mac_addr arp "/etc/squid/mac_addresses.txt"
http_access deny mac_addr

Block A Single Website for Multiple MAC Addresses

Let's say you want to block www.badsite.com for multiple MAC addresses in your network. To do that, use the following configuration.

The list of MAC addresses you wish to restrict:

# cat /etc/squid/mac_addresses.txt
08:00:27:9e:fb:16
08:00:27:9f:bb:43
Squid ACL
acl bad_site dstdomain www.badsite.com
acl mac_addr arp "/etc/squid/mac_addresses.txt"
http_access deny bad_site mac_addr
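The file-based ACLs above depend on every line of the MAC list being well formed; a malformed line (stray whitespace, a missing octet) makes the whole list fail to load. The script below is an added example, not part of the original article or of Squid itself: it validates a list file and then prints the matching acl/http_access lines. The file path and MAC values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): validate a Squid MAC list
# file before pointing an "arp" ACL at it, then emit the matching ACL lines.
# The list path and MAC values used below are constructed placeholders.

# Exit 0 if every non-blank, non-comment line is a MAC in XX:XX:XX:XX:XX:XX
# form; otherwise print each bad line (with its line number) and exit 1.
validate_mac_list() {
    file="$1"
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            printf 'bad MAC on line %d: %s\n' "$n" "$line" >&2
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Emit the acl/http_access lines for a validated list. Put the deny rule
# above any broader "http_access allow" in squid.conf, because Squid stops
# at the first matching rule. Note: an arp ACL only sees the MAC of clients
# on the proxy's own Ethernet segment; requests arriving through a router
# carry the router's MAC, so the rule cannot match those clients.
emit_mac_acl() {
    printf 'acl mac_addr arp "%s"\n' "$1"
    printf 'http_access deny mac_addr\n'
}

# Constructed sample list for demonstration.
sample_list=$(mktemp)
cat > "$sample_list" <<'EOF'
# lab machines to block (constructed values)
08:00:27:9e:fb:16
08:00:27:9f:bb:43
EOF

if validate_mac_list "$sample_list"; then
    emit_mac_acl "$sample_list"
fi
rm -f "$sample_list"
```

After appending the emitted lines to squid.conf, run `squid -k parse` to have Squid check the configuration before restarting it.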
