Different IP Groups for different networks

Taking care of your Linux box.
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Different IP Groups for different networks

Post by asadsq »

Salam,

I want to create different IP based groups so that I may assign different settings according to that group.
For example

Group1
172.16.1.x For Officers

Group2
172.16.5.x For officials

Group3
172.16.8.x For Hostels

and so on.
So according to these group settings I will allow the bandwidth and access to audio/video sites.

So I just need help with how I may configure these groups.

Regards
Asad
Asad Zia Siddiqui
Peshawar
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Post by asadsq »

Let me add some more data

Group1
172.16.1.x For Officers

In this group I want to limit and add some restrictions along with bandwidth limitations, so that other groups may not be affected by these settings.

So I want to repeat this for each group with different policies/restrictions. Keeping all these factors in mind, I need help with how to create or define these IP groups and how restrictions can be added to each group.
Asad Zia Siddiqui
Peshawar
ranatanveer
Subedar
Posts: 355
Joined: Sat May 07, 2005 11:54 am
Location: Lahore
Contact:

Post by ranatanveer »

What is your purpose in doing this?

There are many ways you can implement policy restrictions.
Regards

Rana Tanveer
+923224194457
Linux Student

For Affordable Web Development http://www.affordableprogrammers.com
http://www.qualityprogrammers.com
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Post by asadsq »

Purpose is to have separate restrictions for each group.
Meaning:
If Faculty is able to browse YouTube then other staff may not be able to do so. So for this I need to define different IP groups so that each policy may be applied separately.

If there is any other way to do that then please let me know too.
Asad Zia Siddiqui
Peshawar
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

Hi,

There are many ways to implement this.
For example, this can be done with DHCP + Squid.

DHCP can assign different IP subnets to selected MAC addresses, and that subnet can later be used for web access control and bandwidth control.

If you want to do the same dynamically without having to collect MAC addresses, then you will have to divide the network physically and attach each network to a different LAN card on the server, then create a DHCP server for the different subnets and the same for Squid (not a preferred method from my side).

Create virtual interfaces on Linux, then set up DHCP for different subnets; in this scenario you will also require the MAC addresses of the systems.

If you want to assign manual IPs to each system then only Squid will come into consideration. Squid can easily be configured to handle multiple networks and apply different rules to each network.


There can be more ways, but which method to use is up to you.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Post by asadsq »

Present situation is:
a) Static IPs are assigned to all the PCs connected to the network, for network as well as Internet access

b) I also have the MAC addresses of all those connected PCs

Keeping this in mind, how may I configure my Squid so that I can apply settings for each group, and so that no user can interfere by changing their IP to get access to sites banned for their group?
Asad Zia Siddiqui
Peshawar
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

Hi,

This can be easily done.

1. Make different text files of MAC addresses based on the rights that you want to give.
2. Make ACLs in Squid (ARP ACL; also make sure that Squid has this function enabled: "--enable-arp-acl").
3. Then use "http_access" to allow and deny sites.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Post by asadsq »

Can you please give me some hint or preview of what these instructions/commands will look like?
Asad Zia Siddiqui
Peshawar
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

Step 1.
Make different files containing the MAC addresses of the different groups.

/etc/squid/mac.addresses.accounts
/etc/squid/mac.addresses.administration
/etc/squid/mac.addresses.marketing
/etc/squid/mac.addresses.hr

Syntax of the files should be like

Code:

XX:XX:XX:XX:XX:XX    # comment
XX:XX:XX:XX:XX:XX    # comment
XX:XX:XX:XX:XX:XX    # comment

Step 2.
Make ACLs in Squid for the different groups.

Code:

# ARP ACLs for different groups (the double quotes make Squid read the values from the file)
acl accounts_mac arp "/etc/squid/mac.addresses.accounts"
acl administration_mac arp "/etc/squid/mac.addresses.administration"
acl marketing_mac arp "/etc/squid/mac.addresses.marketing"
acl hr_mac arp "/etc/squid/mac.addresses.hr"

# DSTDOMAIN ACL for different groups
acl accounts_allow dstdomain .google.com .gmail.com .hotmail.com
acl administration_allow dstdomain .google.com .gmail.com .hotmail.com
acl marketing_allow dstdomain .google.com .gmail.com .hotmail.com
acl hr_allow dstdomain .google.com .gmail.com .hotmail.com

# HTTP_ACCESS rules to allow specified group ACL only to specified DSTDOMAIN
http_access allow accounts_mac accounts_allow
http_access allow administration_mac administration_allow
http_access allow marketing_mac marketing_allow
http_access allow hr_mac hr_allow
http_access deny all

I have not tested the above config, but I think it should work...
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Post by asadsq »

I need only these two rules to be allowed for Accounts and Administration, and these are

acl audiovideo rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/x-pn-realaudio ^audio/x-ms-wma ^application/x-mms framed ^application/vnd.ms.wms-hdr.asfv1 ^application/x-shockwave-flash ^application/x-mplayer2 ^application/vnd.google-earth.kmz kmz ^application/vnd.google-earth.kml+xml kml ^application/vnd.google-earth.kmz ^application/vnd.google-earth.kml

http_reply_access deny audiovideo


And the same rules denied for the other two groups.

Meaning Accounts and Administration should be able to browse videos and all that stuff, and I don't want the other two groups to be able to do these.

So how do I adjust these settings in STEP 2?
Asad Zia Siddiqui
Peshawar
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

Dear, I have given you an almost complete configuration and still you are asking me to provide more detail.
Please go through these steps and then make your own rules....
It's not that difficult..
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Post by asadsq »

OK, let me try this.
If I face any problem I will let you know.
Asad Zia Siddiqui
Peshawar
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar
Contact:

Post by asadsq »

I applied the following rules as per my understanding but it didn't work.
Browsing stopped.

# ARP ACLs for different groups
acl faculty_mac arp /etc/squid/mac.addresses.faculty
acl hostels_mac arp /etc/squid/mac.addresses.hostels


# DSTDOMAIN ACL for different groups
acl faculty_allow dstdomain .google.com .gmail.com .hotmail.com
acl hostels_deny audiovideo rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/mp3 ^audio/x-mp3 ^audio/x-pn-realaudio ^audio/x-ms-wma ^application/x-mms framed ^application/vnd.ms.wms-hdr.asfv1 ^application/x-shockwave-flash ^application/x-mplayer2 ^application/vnd.google-earth.kmz kmz ^application/vnd.google-earth.kml+xml kml ^application/vnd.google-earth.kmz ^application/vnd.google-earth.kml



# HTTP_ACCESS rules to allow specified group ACL only to specified DSTDOMAIN
http_access allow faculty_mac faculty_allow
http_access deny hostels_mac hostels_deny
http_access deny all


Please correct me if there is any problem in the sequence or anything else.
Asad Zia Siddiqui
Peshawar
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

Link to mime table: http://www.crystalnetworks.org/mime.conf

Code:

# Mime Table (make sure that you have mime table defined in squid.conf)
mime_table /etc/squid/mime.conf

# ARP ACLs for different groups (the double quotes make Squid read the values from the file)
acl faculty_mac arp "/etc/squid/mac.addresses.faculty"
acl hostels_mac arp "/etc/squid/mac.addresses.hostels"

# DSTDOMAIN ACL for different groups
acl faculty_allow dstdomain .google.com .gmail.com .hotmail.com

# REP_MIME_TYPE ACL: reply content types to block for hostels
acl hostels_deny rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/mp3 ^audio/x-mp3 ^audio/x-pn-realaudio ^audio/x-ms-wma ^application/x-mms framed ^application/vnd.ms.wms-hdr.asfv1 ^application/x-shockwave-flash ^application/x-mplayer2 ^application/vnd.google-earth.kmz kmz ^application/vnd.google-earth.kml+xml kml ^application/vnd.google-earth.kmz ^application/vnd.google-earth.kml

# HTTP_ACCESS rules: faculty only to the specified DSTDOMAIN, hostels may send requests
http_access allow faculty_allow faculty_mac
http_access allow hostels_mac
http_access deny all

# rep_mime_type has no effect in http_access; it is checked against the reply in http_reply_access
http_reply_access deny hostels_deny hostels_mac
http_reply_access allow all

Try the above config....I think it should work..
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
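
Why browsing stopped with the http_access lines in asadsq's post, as an added example that is not part of the original thread: a simplified Python model of Squid's first-match rule evaluation (not Squid code), run on the posted rules and on a corrected request/reply split. The MAC addresses, the shortened MIME list and the corrected rule set (faculty unrestricted, hostels without audio/video, as asadsq describes) are assumptions.

```python
import re

# Constructed sample data: these MAC addresses are made up for the example.
GROUPS = {"faculty_mac": {"00:11:22:33:44:01"}, "hostels_mac": {"00:11:22:33:44:02"}}
FACULTY_DOMAINS = (".google.com", ".gmail.com", ".hotmail.com")
AV_TYPES = re.compile(r"^(video/x-ms-asf|audio/mpeg|application/x-shockwave-flash)")

def acl_matches(name, txn):
    """Simplified stand-ins for the ACL types used in the thread."""
    if name == "all":
        return True
    if name in GROUPS:                  # arp: client MAC is listed in the group's file
        return txn["mac"] in GROUPS[name]
    if name == "faculty_allow":         # dstdomain: ".x.com" covers x.com and subdomains
        return ("." + txn["host"]).endswith(FACULTY_DOMAINS)
    if name == "hostels_deny":          # rep_mime_type: needs the reply's Content-Type
        mime = txn.get("reply_mime")    # absent while the request is being checked
        return mime is not None and AV_TYPES.match(mime) is not None
    raise KeyError(name)

def evaluate(rules, txn):
    """First line whose ACLs all match decides; otherwise the opposite of the last line."""
    for action, *acls in rules:
        if all(acl_matches(a, txn) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The three http_access lines from asadsq's post that stopped browsing.
POSTED_HTTP_ACCESS = [
    ("allow", "faculty_mac", "faculty_allow"),
    ("deny", "hostels_mac", "hostels_deny"),
    ("deny", "all"),
]
# Assumed corrected split: admit both groups per request, filter MIME types per reply.
FIXED_HTTP_ACCESS = [("allow", "faculty_mac"), ("allow", "hostels_mac"), ("deny", "all")]
FIXED_HTTP_REPLY_ACCESS = [("deny", "hostels_mac", "hostels_deny"), ("allow", "all")]

def browse(http_access, http_reply_access, mac, host, reply_mime):
    """Check the request first, then the reply, and report where a denial happens."""
    if evaluate(http_access, {"mac": mac, "host": host}) == "deny":
        return "denied at request"
    reply = {"mac": mac, "host": host, "reply_mime": reply_mime}
    if http_reply_access and evaluate(http_reply_access, reply) == "deny":
        return "denied at reply"
    return "allowed"

if __name__ == "__main__":
    print(browse(POSTED_HTTP_ACCESS, [], "00:11:22:33:44:02", "example.org", "text/html"))
    print(browse(FIXED_HTTP_ACCESS, FIXED_HTTP_REPLY_ACCESS, "00:11:22:33:44:02", "example.org", "audio/mpeg"))
```

Squid's arp ACL only sees the MAC address of clients on the same Ethernet segment as the proxy, and a MAC address is set by the client just as an IP address is, so this grouping is an administrative convenience rather than authentication.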