All good??

I still don't understand the purpose of this restriction, but I do know the
following:

To tie the MAC to an IP, I use DHCP;

In Squid it is possible to write ACLs by MAC; just compile it with the
--enable-arp-acl option.

Regards,

Algacir Soares da Silva
Solusol - Soluções em Software Livre

--- Nidos <[EMAIL PROTECTED]> wrote:
> Hello friends ...
>
> I have a network server here with two network cards. I put a MAC-plus-IP
> control on it, the MAC/IP pair: when a user changed the IP, even while
> keeping his old MAC, he could not browse or use FTP; in short, he could not
> use the internet in any way. But then I put a cache server on this server,
> Squid on port 3128, OK.
> Since then the MAC + IP association does not work with Squid: if the user
> changes the IP he can browse normally, although the other activities are
> blocked. I do this by means of a script I got from the internet:
> IPT=/usr/sbin/iptables
> PROGRAMA=/etc/rc.d/fw/mac_ip
> NET_IFACE=eth0
> LAN_IFACE=eth1
> MACLIST=/etc/rc.d/fw/maclist
> echo 1 > /proc/sys/net/ipv4/ip_forward
> case $1 in
> start)
>   $IPT -F
>   $IPT -t nat -F
>   $IPT -t filter -P FORWARD DROP
>   for i in `cat $MACLIST`; do
>     STATUS=`echo $i | cut -d ';' -f 1`
>     IPSOURCE=`echo $i | cut -d ';' -f 3`
>     MACSOURCE=`echo $i | cut -d ';' -f 2`
>     # If status = a, allow the connection
>     if [ $STATUS = "a" ]; then
>       $IPT -t filter -A FORWARD -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
>       $IPT -t filter -A FORWARD -d $IPSOURCE -s 0/0 -j ACCEPT
>       $IPT -t nat -A POSTROUTING -s $IPSOURCE -o $NET_IFACE -j MASQUERADE
>       $IPT -t filter -A INPUT -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j ACCEPT
>       $IPT -t filter -A OUTPUT -s $IPSOURCE -d 0/0 -j ACCEPT
>
>     # If it is b, block the MAC
>     else
>       $IPT -t filter -A FORWARD -m mac --mac-source $MACSOURCE -j DROP
>       $IPT -t filter -A INPUT -m mac --mac-source $MACSOURCE -j DROP
>       $IPT -t filter -A OUTPUT -m mac --mac-source $MACSOURCE -j DROP
>       # here are my attempts to use the MAC/IP pair on port 3128!!!
>       ###################################################################################
>       #$IPT -t filter -A FORWARD -p tcp --dport 3128 -m mac --mac-source $MACSOURCE -j DROP
>       #$IPT -t filter -A INPUT -p tcp --dport 3128 -m mac --mac-source $MACSOURCE -j DROP
>       #$IPT -t filter -A OUTPUT -p tcp --dport 3128 -m mac --mac-source $MACSOURCE -j DROP
>       #
>       #$IPT -t filter -A FORWARD -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j DROP
>       #$IPT -t filter -A INPUT -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j DROP
>       #$IPT -t filter -A OUTPUT -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j DROP
>       #
>       #$IPT -t filter -A FORWARD -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j DROP
>       #$IPT -t filter -A INPUT -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j DROP
>       #$IPT -t filter -A OUTPUT -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j DROP
>       ####################################################################################
>       $IPT -t filter -A FORWARD -p tcp --dport 3128 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j DROP
>       $IPT -t filter -A FORWARD -d $IPSOURCE -p tcp --dport 3128 -j DROP
>       #
>       $IPT -t filter -A INPUT -s $IPSOURCE -p tcp --dport 3128 -m mac --mac-source $MACSOURCE -j DROP
>       $IPT -t filter -A OUTPUT -s $IPSOURCE -p tcp --dport 3128 -j DROP
>       #
>       # end of my failed attempts!!!
>     fi
>   done
>   echo "PAR MAC IP ATIVADO, SISTEMA PREPARADO !!!"
>   ;;
> stop)
>   $IPT -F
>   $IPT -Z
>   $IPT -t nat -F
>   $IPT -t filter -P FORWARD ACCEPT
>   echo "FIREWALL DESATIVADO !!!"
>   ;;
> restart)
>   $PROGRAMA stop
>   $PROGRAMA start
>   ;;
> esac
> ######################
> 
> this is the configuration file:
> a;00:20:E0:10:3E:38;192.168.0.10;note
> a;00:80:AD:8F:7D:8A;192.168.0.2;sinauto
> a;00:e0:7d:86:2e:71;192.168.0.3;pedro
> a;00:d0:09:81:d5:68;192.168.0.4;unipecas
> 
> ############################
> 
> Could someone tell me whether there is a way to do this association using
> Squid??
>
> See you
>
> Ronildo Marques
> 
> 
> -- 
> GUS-BR - Grupo de Usuarios Slackware - BR
> http://www.slackwarebrasil.org/
> http://www.linuxmag.com.br/mailman/listinfo/slack-users
>  
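
Added example, not part of either message: one way to carry the script's maclist over to the Squid MAC ACLs mentioned in the reply, assuming Squid was built with --enable-arp-acl. The function name and the mac_/ip_ ACL naming are hypothetical; the output is meant to be placed in squid.conf.

```shell
#!/bin/sh
# Added example (not from the thread): convert maclist lines
# (status;mac;ip;name) into Squid ACLs that allow only the exact MAC+IP pair.
# maclist_to_squid_acl is a hypothetical helper name. Reads the maclist on stdin.
maclist_to_squid_acl() {
    mac_re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
    ip_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    while IFS=';' read -r status mac ip name || [ -n "$status" ]; do
        # Only entries marked "a" (allowed) get an allow rule; everything
        # else falls through to the final "deny all".
        [ "$status" = "a" ] || continue
        # Reject malformed fields instead of writing them into squid.conf.
        printf '%s\n' "$mac" | grep -Eq "$mac_re" || continue
        printf '%s\n' "$ip" | grep -Eq "$ip_re" || continue
        case "$name" in ''|*[!A-Za-z0-9_]*) continue ;; esac
        printf 'acl mac_%s arp %s\n' "$name" "$mac"
        printf 'acl ip_%s src %s\n' "$name" "$ip"
        # Squid ANDs the ACLs on one http_access line: both must match,
        # so a known MAC using someone else's IP is not allowed.
        printf 'http_access allow mac_%s ip_%s\n' "$name" "$name"
    done
    printf 'http_access deny all\n'
}

# Sample input: the first two lines are from the thread's maclist; the last
# two (a blocked host and a malformed MAC) are constructed for illustration.
maclist_to_squid_acl <<'EOF'
a;00:20:E0:10:3E:38;192.168.0.10;note
a;00:80:AD:8F:7D:8A;192.168.0.2;sinauto
b;00:11:22:33:44:55;192.168.0.99;blocked
a;00:11:22:33:44;192.168.0.98;badmac
EOF
```

Squid's arp ACL type only sees the client's MAC address when the client is on a subnet directly connected to the proxy host.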


        
        
                