
Configure Squid to Filter Based on MAC Address

In this article we are going to add some configuration to Squid so that it can filter based on MAC address and block certain clients from having full access. Alternatively, you could reverse the rule and only allow the listed clients to have full access.

First, we are going to assume that you have a working Squid setup. If not, there are other articles that will tell you how to get that going; on Red Hat or CentOS it is as simple as:

yum install squid ; /etc/init.d/squid start ; chkconfig squid on

You are going to want to create the following file in /etc/squid/:

vi /etc/squid/client_macs

In the above file, put the MAC addresses of the clients whose access you want to filter. Once you have, it should look something like:


Now create another file which will be the list of sites that we do not want these clients to be able to access.

vi /etc/squid/blocked_sites

For this example we don’t want our office staff to be accessing Facebook or YouTube, so the file would look like this:

Now the only things left to do are to tell squid.conf about these files and then reload or restart Squid.

vi /etc/squid/squid.conf

Add the following lines under the other ACLs:

acl clients arp "/etc/squid/client_macs"
acl blockedsites dstdomain "/etc/squid/blocked_sites"
http_access deny blockedsites clients

Now do a restart or reload and test it out. You will find that the clients listed in /etc/squid/client_macs cannot get to the sites listed in /etc/squid/blocked_sites, exactly as we wanted.

/etc/init.d/squid restart

Time Control

You might want to control the time of day that certain clients will be filtered using this method. A good solution for this has been written up in the below link. Or you can use Squid's built-in time restrictions. Both are discussed below.

Squid’s built-in method:

acl facebooktime time MTWHF 09:00-10:00
acl FBDomain  dstdomain
http_access allow FBDomain facebooktime
http_access deny  FBDomain

Alternatively, you could use cron and template files. This is the quick and dirty way to do it; I might write a script in a later post to do this better.

First we need to make a directory for our templates:

mkdir /etc/squid/templates

Now create our templates:

vi /etc/squid/templates/day.txt

In the day template we want our list of MAC addresses, as that is when people will be in the office. The night template is going to be an empty file, because that is when I.T. will be doing maintenance etc. Squid will complain about the empty file, but ultimately it does not care.

touch /etc/squid/templates/night.txt

Now we just need to make our entries in cron.

crontab -e

We want our daytime filter to kick in at 8:30am and our night-time filter to kick in at 6:00pm:

30 08 * * *  /etc/init.d/squid stop ; rm -f /etc/squid/client_macs ; ln -s /etc/squid/templates/day.txt /etc/squid/client_macs ; /etc/init.d/squid start
00 18 * * *  /etc/init.d/squid stop ; rm -f /etc/squid/client_macs ; ln -s /etc/squid/templates/night.txt /etc/squid/client_macs ; /etc/init.d/squid start
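
The cron-and-template switch above, written as a script that checks the template, swaps the symlink without a gap, and reloads Squid in place rather than stopping it. This is an added example, not code from the original article; the script itself and its SQUID_DIR and SQUID_BIN override variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example: switch which MAC list /etc/squid/client_macs points to.
# SQUID_DIR and SQUID_BIN are overridable (assumption) for offline dry runs.
SQUID_DIR="${SQUID_DIR:-/etc/squid}"
SQUID_BIN="${SQUID_BIN:-squid}"

# Succeed only if the file exists and every line that is not blank or a
# "#" comment is a colon-separated MAC address (the form the arp ACL reads).
valid_mac_list() {
    [ -f "$1" ] || return 1
    ! grep -Ev '^[[:space:]]*(#.*)?$' "$1" |
        grep -Eqv '^[[:space:]]*([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}[[:space:]]*$'
}

# switch_profile NAME: point client_macs at templates/NAME.txt and reload.
switch_profile() {
    tpl="$SQUID_DIR/templates/$1.txt"
    link="$SQUID_DIR/client_macs"
    if ! valid_mac_list "$tpl"; then
        echo "refusing to switch: bad or missing MAC list $tpl" >&2
        return 1
    fi
    # Create the new symlink under a temporary name and rename it into place.
    # The rename is atomic, so client_macs is never absent, unlike rm + ln.
    ln -s "$tpl" "$link.new.$$" || return 1
    mv -f "$link.new.$$" "$link" || return 1
    # Check the whole configuration before touching the running proxy; if the
    # check fails, squid keeps serving with the rules it already has loaded.
    "$SQUID_BIN" -k parse || return 1
    # Reload in place instead of stop/start, so filtering is never offline.
    "$SQUID_BIN" -k reconfigure
}

# Run only when a profile name is given, e.g. "day" or "night".
if [ $# -gt 0 ]; then
    switch_profile "$1"
fi
```

Each cron entry would then call this script with day or night as its argument in place of the stop ; rm ; ln ; start chain.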
