nixCraft

kasimani · #1 (**permalink**) 10-07-2006, 12:48 PM

I have problem with squid

I have a network of Ip Range 10.120.1.0/24, and i providing Net Access to clients by SQUID proxy server.

Now i want a acl that restrict some of the above IPs (10.120.1.1 - 10.120.1.50) to access some web sites and full access to some IPs (10.120.1.51 - 10.120.1.100).

I already created a file of web sites that has to be restrict.

That is working well.

But question is here that when i am applying this acl list to my squid all the IPs get restrict to access web sites that is in the list.

Pl. help me to out of this problem.

nixcraft · #2 (**permalink**) 10-07-2006, 07:16 PM

You need to setup ACL as follows

Sample ACL

Code:

acl fullAccess src 10.120.1.51 10.120.1.52 10.120.1.100 
acl RestrictedAccess src 10.120.1.1 10.120.1.2 10.120.1.50
acl RestrictedAccessSites dstdomain "/etc/squid/restrictedsites.txt"
http_access allow localhost
http_access allow fullAccess
http_access allow RestrictedAccess RestrictedAccessSites

Sample file /etc/squid/restrictedsites.txt

Code:

.cyberciti.biz
.yahoo.co.in
.google.co.in
.google.com

IP address 10.120.1.1-50 will allow to access only above four url. It can match both cyberciti.biz and forum.cyberciti.biz domain. And ip address 10.120.1.51-100 will allowed to access anything.

Restart squid. You can also use IP range (10.120.1.1-10.120.1.50/24) or put ips in text file.

If you need furher help just reply back

kasimani · #3 (**permalink**) 10-07-2006, 07:55 PM

Thanks for the solution.

But one thing, that i want to restrict access to those website which are in txt acl file.

tom · #4 (**permalink**) 11-07-2006, 12:14 AM

kasimani,

Have you tried out ACL as described by nixcraft? I am also interested to implement something like this. Let me know if it is working or not…

kasimani · #5 (**permalink**) 11-07-2006, 12:58 PM

It works, but my need is different that i already stated above.

monk · #6 (**permalink**) 11-07-2006, 01:31 PM

I think your ACL is not correct. Especially related to IP address, because above ACL should only allow access to url mentioned in text file. SQUID ACL has one thing the placement of http_access rule should be correct. It is algo is such that if access is not allowed it will deny it or vice-versa. And which results into problem. So paste your complete ACL rule and will correct it out for you.

kasimani · #7 (**permalink**) 11-07-2006, 03:31 PM

Defining an Access List
acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl specific src 10.120.1.225-10.120.1.254/24
acl restnetwork src 10.120.1.1-10.120.1.224/24
acl deniedsites dstdomain "/usr/local/squid/etc/denied-sites/restriction.acl"
http_access allow specific
http_access deny restnetwork deniedsites

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all

monk · #8 (**permalink**) 11-07-2006, 06:59 PM

Ok so user belong to ACL specific should only allowed to see deniedsites? Or do you want to block them from visiting all those site listed in ACL deniedsites?

kasimani · #9 (**permalink**) 11-07-2006, 07:36 PM

(acl specific src 10.120.1.225-10.120.1.254/24 ) For this range i want to allow full access on any site even on those site which are in restriction.acl

(acl restnetwork src 10.120.1.1-10.120.1.224/24) For this range i want to restrict those web sites which are listed in restriction.acl and rest of these sites this range can surf any web siets.

monk · #10 (**permalink**) 12-07-2006, 12:49 AM

Ok here is correct ACL for you:

Code:

acl all src 0.0.0.0/0.0.0.0

acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl specific src 10.120.1.225-10.120.1.254/24
acl restnetwork src 10.120.1.1-10.120.1.224/24
acl deniedsites dstdomain "/usr/local/squid/etc/denied-sites/restriction.acl"
http_access allow specific
http_access allow restnetwork !deniedsites

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all

Note that how rule is written:

http_access allow restnetwork !deniedsites

It means allow them to browse anything except site specified in deniedsites ACL. This is good to block illegal or pron site. ! act as not.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Squid configuration problem	jhn_daz@yahoo.com	Networking, Firewalls and Security	1	29-06-2007 01:58 AM
Squid Problem	B!n@ry	Linux software	3	15-04-2007 03:36 PM
problem with Squid	puppen	Linux software	4	04-01-2007 02:45 PM
squid problem	dev_dks	Linux software	1	01-08-2006 01:42 PM
Problem with squid	LRC	Linux software	17	10-06-2006 07:52 PM

nixCraft

SQUID ACL Problem

SQUID ACL Problem

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads