How to Deny Access Based on MAC Address in Squid
In many cases system admins want to control internet access based on users' MAC addresses, for example when a DHCP server hands out TCP/IP settings on the network. In such an environment restricting users by IP address is unreliable, because an address assigned by DHCP may change on the next lease. A MAC address is burned into the NIC by the manufacturer for identification, and unlike a DHCP lease it stays the same across reboots, which makes it a more stable handle than the IP address. Keep in mind, though, that a MAC address is not a security credential: every common operating system lets a user override it in software, and Squid only learns it from the proxy host's ARP table, so a user who can change the MAC on their own machine can walk around this rule. Treat it as a convenience control, not as authentication. Now let's see how we can deny access based on MAC address in the Squid proxy server.
Fortunately, Squid provides a special ACL type called "arp" that filters requests by the client's MAC address, written as XX:XX:XX:XX:XX:XX where each X is a hexadecimal digit. Because the address is looked up in the proxy's own ARP table, Squid can only determine it for IPv4 clients on the same subnet as the Squid machine; a client on another subnet has no ARP entry there, so the ACL never matches it.
This ACL type is available only if Squid was compiled with the --enable-eui configure option (Squid 3.2 and later) or --enable-arp-acl (older releases).
You can check whether your Squid build includes one of these options with the following commands (squid -v prints the configure options the binary was built with):
squid -v | grep "enable-eui"
Or
squid -v | grep "enable-arp-acl"
I assume that you have a working Squid setup; if not, please follow this article: Squid RPM base installation using yum.
Configure ACL
We need to add an arp ACL rule to the /etc/squid/squid.conf file. Please note that Squid evaluates http_access rules from top to bottom and applies the first one that matches, ignoring everything after it. Place the deny rule above any http_access allow line that would match the same clients (for instance the stock http_access allow localnet); a deny placed below such an allow never fires. The acl line itself must also appear before the http_access line that references it.
As a safe practice, back up your configuration file before editing it:
cp /etc/squid/squid.conf /etc/squid/squid.conf.bk-11-09-2017
Now open squid.conf and add the ACLs below as your requirements dictate:
vi /etc/squid/squid.conf
Block All Websites for a Single MAC Address
Squid ACL
acl mac_addr arp 08:00:27:9e:fb:16
http_access deny mac_addr
Save and close the file, check it for syntax errors with squid -k parse (a misplaced quote or an unknown ACL name would otherwise stop Squid from starting), and then restart the Squid server:
systemctl restart squid
The ACL mac_addr above matches every request originating from the client with MAC address 08:00:27:9e:fb:16, and the http_access line denies all of them. Below you can see different examples of how to allow or deny access based on MAC address in the Squid proxy.
Block All Sites for Multiple MAC Addresses
Create a file containing the MAC addresses you wish to restrict, one per line:
MAC List
# cat /etc/squid/mac_addresses.txt
08:00:27:9e:fb:16
08:00:27:9f:bb:43
Now point your ACL at this file as follows (the path goes in double quotes, with no stray whitespace inside them):
acl mac_addr arp "/etc/squid/mac_addresses.txt"
http_access deny mac_addr
Block A Single Website for Multiple MAC Addresses
Let's say you want to block www.badsite.com for multiple MAC addresses on your network. When an http_access line names more than one ACL, the request must match all of them (a logical AND), so the rule below denies a request only when it is for www.badsite.com and comes from one of the listed MAC addresses; those clients keep access to every other site. To do that, follow the configuration below.
Create the list of MAC addresses you wish to restrict:
# cat /etc/squid/mac_addresses.txt
08:00:27:9e:fb:16
08:00:27:9f:bb:43
Squid ACL
acl bad_site dstdomain www.badsite.com
acl mac_addr arp "/etc/squid/mac_addresses.txt"
http_access deny bad_site mac_addr
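Putting the steps above together, here is an added shell example (my own code, not from this article or from the Squid project) that turns a raw MAC list into the one-per-line XX:XX:XX:XX:XX:XX form the arp ACL expects, refuses malformed entries before Squid ever parses them, and inserts the acl line plus the http_access deny line ahead of the first http_access allow so the deny cannot be shadowed by an earlier allow. The function names (normalize_mac, build_mac_list, insert_mac_deny, deny_precedes_allow, run_demo), the temporary paths, the sample squid.conf and the MAC entries are all constructed for the demonstration; in production the list would live at /etc/squid/mac_addresses.txt and the target would be /etc/squid/squid.conf.

```shell
#!/bin/sh
# Added example, not part of the original article or of Squid itself.
# Builds a validated MAC list for an "acl ... arp" rule and inserts the
# deny rule before the first "http_access allow" in a squid.conf.
# All paths, the sample squid.conf and the MAC entries are constructed here.

# normalize_mac MAC
# Accepts 08:00:27:9E:FB:16, 08-00-27-9e-fb-16 or 0800.279e.fb16 and prints
# the lower-case colon form Squid's arp ACL expects. Returns 1 unless the
# input is exactly 12 hex digits once separators and whitespace are removed.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r:.-')
    case "$hex" in
        ????????????) ;;                 # exactly 12 characters
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;         # anything that is not a hex digit
    esac
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# build_mac_list RAW_FILE OUT_FILE
# Writes one normalized MAC per line. Blank lines and '#' comments (whole
# line or trailing) are skipped. Returns 1 if any entry is malformed, so a
# typo in the list is caught here instead of breaking the ACL.
build_mac_list() {
    in=$1; out=$2; bad=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')  # drop whitespace
        [ -n "$line" ] || continue
        if mac=$(normalize_mac "$line"); then
            printf '%s\n' "$mac" >> "$out"
        else
            printf 'invalid MAC address in %s: %s\n' "$in" "$line" >&2
            bad=1
        fi
    done < "$in"
    return "$bad"
}

# insert_mac_deny CONF LIST_FILE
# Adds the acl definition and the deny rule immediately before the first
# "http_access allow" line: first match wins, so a deny placed after
# "http_access allow localnet" would never fire. Appends both lines if the
# config has no allow line. Safe to re-run: an existing mac_addr acl is kept.
insert_mac_deny() {
    conf=$1; list=$2
    grep -q '^acl mac_addr arp ' "$conf" && return 0
    awk -v list="$list" '
        !done && /^http_access[ \t]+allow/ {
            print "acl mac_addr arp \"" list "\""
            print "http_access deny mac_addr"
            done = 1
        }
        { print }
        END {
            if (!done) {
                print "acl mac_addr arp \"" list "\""
                print "http_access deny mac_addr"
            }
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# deny_precedes_allow CONF
# Succeeds only if "http_access deny mac_addr" appears before the first
# "http_access allow" line, i.e. the deny is actually reachable.
deny_precedes_allow() {
    deny=$(grep -n '^http_access deny mac_addr$' "$1" | head -n 1 | cut -d: -f1)
    allow=$(grep -En '^http_access[[:space:]]+allow' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$deny" ] && [ -n "$allow" ] && [ "$deny" -lt "$allow" ]
}

# run_demo
# Constructed input: a raw MAC list in mixed formats and a minimal squid.conf
# modelled on the stock default. Prints the path of the patched squid.conf.
run_demo() {
    work=$(mktemp -d)
    cat > "$work/raw_macs.txt" <<'EOF'
# constructed list of hosts to cut off
08:00:27:9E:FB:16
08-00-27-9f-bb-43   # Cisco-style and dashed forms are normalized too
0800.27aa.bb01

EOF
    cat > "$work/squid.conf" <<'EOF'
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
http_access deny all
EOF
    build_mac_list "$work/raw_macs.txt" "$work/mac_addresses.txt" || return 1
    insert_mac_deny "$work/squid.conf" "$work/mac_addresses.txt" || return 1
    printf '%s\n' "$work/squid.conf"
}

# Demonstration: build the list, patch the constructed squid.conf, show it.
conf=$(run_demo)
cat "$conf"
```

The patched file ends up with `acl mac_addr arp "..."` and `http_access deny mac_addr` sitting above `http_access allow localnet`, which is the ordering the first-match rule requires. After writing the real files, run squid -k parse before restarting, as in the procedure above.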