In this article we are going to configure Squid to filter based on MAC address and block certain clients from having full access. Alternatively, you could reverse the rule and only allow the listed clients to have full access.
First, we are going to assume that you have a working Squid setup. If not, there are other articles that will tell you how to get that going. On Red Hat or CentOS it is as simple as:
yum install squid ; /etc/init.d/squid start ; chkconfig squid on
You are going to want to create the following file in /etc/squid/:
vi /etc/squid/client_macs
In the above file, put the MAC addresses of the clients whose access you want to filter, one per line. Once you have, it should look something like:
52:54:00:AA:BB:CC
52:54:00:DD:EE:FF
Now create another file which will be the list of sites that we do not want these clients to be able to access.
vi /etc/squid/blocked_sites
For this example we don’t want our office staff to be accessing Facebook or YouTube, so the file would look like this:
.facebook.com
.youtube.com
Now the only things left to do are to tell squid.conf about these files and then reload or restart Squid.
vi /etc/squid/squid.conf
Add the following lines under the other acls:
acl clients arp "/etc/squid/client_macs"
acl blockedsites dstdomain "/etc/squid/blocked_sites"
http_access deny blockedsites clients
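Now do a restart or reload and test it out. You will find that the clients listed in /etc/squid/client_macs cannot get to the sites listed in /etc/squid/blocked_sites, exactly as we wanted. Keep in mind that Squid can only see a client's MAC address when the client is on the same subnet as the proxy, and that a MAC address is not a strong identifier, so treat this as a convenience policy rather than a hard access control.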
/etc/init.d/squid restart
Time Control
You might want to control the time of day that certain clients will be filtered using this method. A good solution for this has been written up in the link below, or you can use Squid's built-in time restrictions. Both are discussed below.
http://serverfault.com/questions/249622/allow-facebook-access-only-in-specific-hours-of-the-day-with-squid
Squid’s built-in method:
acl facebooktime time MTWHF 09:00-10:00
acl FBDomain dstdomain .facebook.com
http_access allow FBDomain facebooktime
http_access deny FBDomain
Alternatively, you could use cron and template files. This is the quick and dirty way to do it; I might write a script in a later post to do this better.
First we need to make a directory for our templates:
mkdir /etc/squid/templates
Now to create our templates:
vi /etc/squid/templates/day.txt
In the day template we are going to want our list of MAC addresses, as that is when people will be in the office. Our night template is going to be an empty file, because that is when I.T. will be doing maintenance and so on. Squid will complain about the empty file, but ultimately it does not care.
touch /etc/squid/templates/night.txt
Now we just need to make our entries in cron.
crontab -e
We want our daytime filter to kick in at 8:30am and our nighttime filter to kick in at 6:00pm:
30 08 * * * /etc/init.d/squid stop ; rm -f /etc/squid/client_macs ; ln -s /etc/squid/templates/day.txt /etc/squid/client_macs ; /etc/init.d/squid start
00 18 * * * /etc/init.d/squid stop ; rm -f /etc/squid/client_macs ; ln -s /etc/squid/templates/night.txt /etc/squid/client_macs ; /etc/init.d/squid start
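One way to do the cron switch more safely, as an added example that is not part of the original article: it checks the template is a clean MAC list before switching, replaces the symlink with a rename so the path never goes missing, and reloads with squid -k reconfigure instead of a stop/start. The script path /usr/local/sbin/squid-macs.sh and the SQUID_DIR variable are assumptions.

```sh
#!/bin/sh
# Added example: template switcher for the day/night MAC lists.
# Assumes the article's layout under /etc/squid and squid in PATH.
SQUID_DIR="${SQUID_DIR:-/etc/squid}"

# Return 0 only if every non-blank, non-comment line is one MAC address.
# An empty file passes (the article's night template is empty).
valid_mac_list() {
    [ -r "$1" ] || return 1
    ! grep -Ev '^[[:space:]]*(#.*)?$' "$1" |
        grep -Evq '^[[:space:]]*([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}[[:space:]]*$'
}

# Point client_macs at templates/<name>.txt. The new link is built
# beside the old one and renamed over it, so the path always exists.
switch_template() {
    tpl="$SQUID_DIR/templates/$1.txt"
    valid_mac_list "$tpl" || {
        echo "refusing $tpl: not a clean MAC list" >&2
        return 1
    }
    ln -sf "$tpl" "$SQUID_DIR/client_macs.new" &&
        mv -f "$SQUID_DIR/client_macs.new" "$SQUID_DIR/client_macs"
}

# Switch, check that squid.conf still parses, then reload in place.
apply() {
    switch_template "$1" && squid -k parse && squid -k reconfigure
}

# Cron usage (hypothetical script path):
#   30 08 * * * /usr/local/sbin/squid-macs.sh day
#   00 18 * * * /usr/local/sbin/squid-macs.sh night
case "${1:-}" in
    day|night) apply "$1" ;;
esac
```

A template with a malformed line is rejected before the link changes, so a typo in day.txt leaves the previous filter list in force rather than silently unfiltering everyone.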