nixCraft Linux Forum

Linux / UNIX Tech Support Forum

SQUID ACL Problem

#1
10-07-2006, 12:48 PM
kasimani (Senior Member, Join Date: Jul 2006, Location: India, Delhi, OS: CentOS, RedHat, Fedora, Ubuntu)
SQUID ACL Problem

I have a problem with Squid.

I have a network with the IP range 10.120.1.0/24, and I am providing net access to clients through a SQUID proxy server.

Now I want an ACL that restricts some of the above IPs (10.120.1.1 - 10.120.1.50) from accessing some web sites and gives full access to other IPs (10.120.1.51 - 10.120.1.100).

I have already created a file of the web sites that have to be restricted.

That is working well.

But the question is that when I apply this ACL list to my Squid, all the IPs get restricted from accessing the web sites that are in the list.

Please help me out of this problem.
#2
10-07-2006, 07:16 PM
nixcraft (Never say die, Join Date: Jan 2005, Location: BIOS, OS: RHEL, Scripting language: Bash and Python)

You need to set up the ACL as follows.

Sample ACL
Code:
acl fullAccess src 10.120.1.51 10.120.1.52 10.120.1.100
acl RestrictedAccess src 10.120.1.1 10.120.1.2 10.120.1.50
acl RestrictedAccessSites dstdomain "/etc/squid/restrictedsites.txt"
http_access allow localhost
http_access allow fullAccess
http_access allow RestrictedAccess RestrictedAccessSites

Sample file /etc/squid/restrictedsites.txt
Code:
.cyberciti.biz
.yahoo.co.in
.google.co.in
.google.com

IP addresses 10.120.1.1-50 will be allowed to access only the above four URLs. It matches both the cyberciti.biz and forum.cyberciti.biz domains. And IP addresses 10.120.1.51-100 will be allowed to access anything.

Restart Squid. You can also use an IP range (10.120.1.1-10.120.1.50/24) or put the IPs in a text file.

If you need further help just reply back.
__________________
Vivek Gite
Linux Evangelist
#3
10-07-2006, 07:55 PM
kasimani

Thanks for the solution.

But one thing: I want to restrict access to those web sites which are in the txt ACL file.
#4
11-07-2006, 12:14 AM
tom (Contributors, Join Date: Jun 2005, Location: London, UK)

kasimani,

Have you tried the ACL as described by nixcraft? I am also interested in implementing something like this. Let me know whether it is working or not…
#5
11-07-2006, 12:58 PM
kasimani
It works

It works, but my need is different, as I already stated above.
#6
11-07-2006, 01:31 PM
monk (Senior Member, Join Date: Jan 2005, Location: Tibet, OS: Debian GNU/Linux)

I think your ACL is not correct, especially the part related to IP addresses, because the above ACL should only allow access to the URLs mentioned in the text file. With Squid ACLs, the placement of the http_access rules must be correct. The algorithm is such that if access is not allowed it will be denied, or vice versa, and that results in the problem. So paste your complete ACL rules and I will correct them for you.
#7
11-07-2006, 03:31 PM
kasimani
Full Squid Acl list

Defining an Access List
acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl specific src 10.120.1.225-10.120.1.254/24
acl restnetwork src 10.120.1.1-10.120.1.224/24
acl deniedsites dstdomain "/usr/local/squid/etc/denied-sites/restriction.acl"
http_access allow specific
http_access deny restnetwork deniedsites

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all
#8
11-07-2006, 06:59 PM
monk

OK, so should users belonging to the ACL specific only be allowed to see deniedsites? Or do you want to block them from visiting all those sites listed in the ACL deniedsites?
#9
11-07-2006, 07:36 PM
kasimani
Query

(acl specific src 10.120.1.225-10.120.1.254/24) For this range I want to allow full access to any site, even those sites which are in restriction.acl.

(acl restnetwork src 10.120.1.1-10.120.1.224/24) For this range I want to restrict those web sites which are listed in restriction.acl; apart from those sites, this range can surf any web site.
#10
12-07-2006, 12:49 AM
monk

OK, here is the correct ACL for you:

Code:
acl all src 0.0.0.0/0.0.0.0

acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl specific src 10.120.1.225-10.120.1.254/24
acl restnetwork src 10.120.1.1-10.120.1.224/24
acl deniedsites dstdomain "/usr/local/squid/etc/denied-sites/restriction.acl"
http_access allow specific
http_access allow restnetwork !deniedsites

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all
Note how the rule is written:

http_access allow restnetwork !deniedsites

It means allow them to browse anything except the sites specified in the deniedsites ACL. This is good for blocking illegal or porn sites. ! acts as NOT.
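To see why the ruleset in post #7 denied restnetwork everywhere (a request to a site that is not in restriction.acl matches no allow line and falls through to deny all) and why the one-line change in post #10 fixes it, here is a small Python model of how Squid walks its http_access lines. It is an added example for this thread, not Squid's code and not anything posted by the participants. It implements only the parts the posts rely on: src ACLs, dstdomain ACLs with the leading-dot matching nixcraft describes in post #2, AND-ed terms with ! negation, first-match evaluation, and Squid's documented fallback when no line matches (the opposite of the last line's action). The same evaluator also runs nixcraft's whitelist from post #2, where the missing deny all is what makes unlisted sites fall to the implicit deny. The contents of restriction.acl and restrictedsites.txt are constructed here. One deliberate difference from the thread: the host ranges carry /32 rather than /24. Squid applies the netmask to the addresses it compares (its parser warns when a netmask masks away part of the specified IP), so a /24 on 10.120.1.225-10.120.1.254 does not select those thirty hosts; /32, or no mask at all, is what a host range needs.

```python
"""Toy model of Squid http_access evaluation: an added example, not Squid's code.
Handles 'src', 'dstdomain' (inline or a quoted file looked up in FILES), 'http_access'."""
import ipaddress

# Constructed stand-ins for the dstdomain files named in the thread.
FILES = {
    "/usr/local/squid/etc/denied-sites/restriction.acl": [".yahoo.co.in", ".google.com"],
    "/etc/squid/restrictedsites.txt": [".cyberciti.biz", ".yahoo.co.in", ".google.co.in", ".google.com"],
}

def _parse_src(spec):
    """(low, high, mask) ints for one src value.  The mask is applied to both
    endpoints and to the tested address, so a host range needs /32, not /24."""
    addrs, _, mask = spec.partition("/")
    if not mask:
        bits = 32
    elif mask.isdigit():
        bits = int(mask)
    else:  # dotted mask such as 255.255.255.255 or 0.0.0.0
        bits = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    m = int(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)
    first, _, last = addrs.partition("-")
    low = int(ipaddress.IPv4Address(first)) & m
    high = int(ipaddress.IPv4Address(last or first)) & m
    return low, high, m

def _match_domain(patterns, host):
    """'.example.com' matches example.com and every subdomain; a pattern
    without the leading dot matches only that exact host."""
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in patterns)

def parse_config(text):
    """Parse the acl/http_access lines of a squid.conf fragment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if kind == "dstdomain" and values[0].startswith('"'):
                values = FILES[values[0].strip('"')]
            elif kind == "src":
                values = [_parse_src(v) for v in values]
            acls.setdefault(name, {"kind": kind, "values": []})["values"].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules

def _term_matches(acls, term, ip, host):
    """One term of an http_access line; '!' negates.  Other ACL types never match."""
    negate = term.startswith("!")
    acl = acls[term.lstrip("!")]
    if acl["kind"] == "src":
        hit = any(low <= (ip & m) <= high for low, high, m in acl["values"])
    elif acl["kind"] == "dstdomain":
        hit = _match_domain(acl["values"], host)
    else:
        hit = False
    return hit != negate

def decide(config, src_ip, host):
    """'allow' or 'deny' for a plain request: the first http_access line whose
    terms all match wins; if none matches, the opposite of the last line."""
    acls, rules = config
    ip = int(ipaddress.IPv4Address(src_ip))
    for allow, terms in rules:
        if all(_term_matches(acls, t, ip, host) for t in terms):
            return "allow" if allow else "deny"
    return "deny" if rules[-1][0] else "allow"

# Post #7 without its manager/CONNECT/port lines (a plain GET never matches
# them), and with /32 on the host ranges instead of the thread's /24.
BROKEN_TEXT = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl specific src 10.120.1.225-10.120.1.254/32
acl restnetwork src 10.120.1.1-10.120.1.224/32
acl deniedsites dstdomain "/usr/local/squid/etc/denied-sites/restriction.acl"
http_access allow specific
http_access deny restnetwork deniedsites
http_access allow localhost
http_access deny all
"""
BROKEN = parse_config(BROKEN_TEXT)
# Post #10 changes exactly one line.
FIXED = parse_config(BROKEN_TEXT.replace("deny restnetwork deniedsites",
                                         "allow restnetwork !deniedsites"))
# Post #2: a whitelist with no 'deny all'; its last line is an allow, so anything unmatched is denied.
WHITELIST = parse_config("""
acl localhost src 127.0.0.1/255.255.255.255
acl fullAccess src 10.120.1.51-10.120.1.100/32
acl RestrictedAccess src 10.120.1.1-10.120.1.50/32
acl RestrictedAccessSites dstdomain "/etc/squid/restrictedsites.txt"
http_access allow localhost
http_access allow fullAccess
http_access allow RestrictedAccess RestrictedAccessSites
""")

if __name__ == "__main__":  # 'deny' under post #7, 'allow' under post #10
    print([decide(c, "10.120.1.10", "debian.org") for c in (BROKEN, FIXED)])
```

Run it with python3. The model is only a reading aid: for a real squid.conf, check the syntax with squid -k parse and then confirm the behaviour with a test request from a host in each range, since Squid itself is the only authority on how your version evaluates the rules.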