Different IP Groups for different networks
Salam,
I want to create different IP based groups so that I may assign different settings according to that group.
For example
Group1
172.16.1.x For Officers
Group2
172.16.5.x For officials
Group3
172.16.8.x For Hostels
and so on
So according to these group settings I will allow the bandwidth and access to audio/video sites.
So I just need help with how I may configure these groups
Regards
Asad
Asad Zia Siddiqui
Peshawar
Let me add some more data
Group1
172.16.1.x For Officers
In this group I want to add some restrictions along with bandwidth limitations, so that the other groups are not affected by these settings.
So I want to repeat this for each group with different policies/restrictions. Keeping all these factors in mind, I need help with how to create or define these IP groups and how restrictions can be added to each group
Asad Zia Siddiqui
Peshawar
What is your purpose in doing this?
There are many ways you can implement policy restrictions.
Regards
Rana Tanveer
+923224194457
Linux Student
For Affordable Web Development http://www.affordableprogrammers.com
http://www.qualityprogrammers.com
The purpose is to have separate restrictions for each group.
Meaning:
If Faculty is able to browse YouTube, then other staff may not be able to do so. So for this I need to define different IP groups so that each policy may be applied separately.
If there is any other way to do that, then please let me know too.
Asad Zia Siddiqui
Peshawar
Hi,
There are many ways to implement this.
For example, this can be done with DHCP + Squid.
DHCP can assign different IP subnets to selected MAC addresses, and that subnet can later be used for web access control and bandwidth control.
If you want to do the same dynamically without having to take MAC addresses, then you will have to divide the network physically and attach each network to a different LAN card on the server, then create a DHCP server for the different subnets and the same for Squid (not a preferred method from my side).
Create virtual interfaces on Linux, then set up DHCP for different subnets; in this scenario you will also require the MAC addresses of the systems.
If you want to assign manual IPs to each system, then only Squid will come into consideration. Squid can easily be configured to handle multiple networks and apply different rules to each network.
There can be more ways, but which method to use is up to you.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
Present situation is
a) Static IPs are assigned to all the PCs connected to the network, for network as well as for Internet access
b) I also have the MAC addresses of all those connected PCs
Keeping this in mind, how may I configure my Squid so that I may apply settings for each group, and so that no user can interfere by changing their IP to get access to sites banned for their group?
Asad Zia Siddiqui
Peshawar
Hi,
This can be easily done.
1. Make different text files of MAC addresses based on the rights that you want to give.
2. Make ACLs in Squid (ARP ACL; also make sure that Squid has this function enabled, "--enable-arp-acl").
3. Then use "http_access" to allow and deny sites.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
Step 1.
Make different files having MAC addresses of different groups.
/etc/squid/mac.addresses.accounts
/etc/squid/mac.addresses.administration
/etc/squid/mac.addresses.marketing
/etc/squid/mac.addresses.hr
Syntax of the files should be like
Code: Select all
XX:XX:XX:XX:XX:XX # comment
XX:XX:XX:XX:XX:XX # comment
XX:XX:XX:XX:XX:XX # comment
Step 2.
Make ACL in squid for different groups.
Code: Select all
# ARP ACLs for different groups (a double-quoted path makes Squid read the values from that file)
acl accounts_mac arp "/etc/squid/mac.addresses.accounts"
acl administration_mac arp "/etc/squid/mac.addresses.administration"
acl marketing_mac arp "/etc/squid/mac.addresses.marketing"
acl hr_mac arp "/etc/squid/mac.addresses.hr"
# DSTDOMAIN ACL for different groups
acl accounts_allow dstdomain .google.com .gmail.com .hotmail.com
acl administration_allow dstdomain .google.com .gmail.com .hotmail.com
acl marketing_allow dstdomain .google.com .gmail.com .hotmail.com
acl hr_allow dstdomain .google.com .gmail.com .hotmail.com
# HTTP_ACCESS rules to allow specified group ACL only to specified DSTDOMAIN
http_access allow accounts_mac accounts_allow
http_access allow administration_mac administration_allow
http_access allow marketing_mac marketing_allow
http_access allow hr_mac hr_allow
http_access deny all
I have not tested the above config, but I think it should work...
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
I need only these two rules to be allowed for Accounts and Administration, and these are:
acl audiovideo rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/x-pn-realaudio ^audio/x-ms-wma ^application/x-mms framed ^application/vnd.ms.wms-hdr.asfv1 ^application/x-shockwave-flash ^application/x-mplayer2 ^application/vnd.google-earth.kmz kmz ^application/vnd.google-earth.kml+xml kml ^application/vnd.google-earth.kmz ^application/vnd.google-earth.kml
http_reply_access deny audiovideo
And the same rule denied for the other two groups.
Meaning Accounts and Administration should be able to browse videos and all that stuff, and I don't want the other two groups to be able to do these.
So how do I adjust these settings in STEP 2?
Asad Zia Siddiqui
Peshawar
Dear, I have given you an almost complete configuration and still you are asking me to provide you more detail.
Please go through these steps and then make your own rules....
It's not that difficult..
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
I applied the following rules as per my understanding but it didn't work.
Browsing stopped.
# ARP ACLs for different groups
acl faculty_mac arp /etc/squid/mac.addresses.faculty
acl hostels_mac arp /etc/squid/mac.addresses.hostels
# DSTDOMAIN ACL for different groups
acl faculty_allow dstdomain .google.com .gmail.com .hotmail.com
acl hostels_deny audiovideo rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/mp3 ^audio/x-mp3 ^audio/x-pn-realaudio ^audio/x-ms-wma ^application/x-mms framed ^application/vnd.ms.wms-hdr.asfv1 ^application/x-shockwave-flash ^application/x-mplayer2 ^application/vnd.google-earth.kmz kmz ^application/vnd.google-earth.kml+xml kml ^application/vnd.google-earth.kmz ^application/vnd.google-earth.kml
# HTTP_ACCESS rules to allow specified group ACL only to specified DSTDOMAIN
http_access allow faculty_mac faculty_allow
http_access deny hostels_mac hostels_deny
http_access deny all
Please correct me if there is any problem in sequence or any other thing
Asad Zia Siddiqui
Peshawar
Code: Select all
# Mime Table (make sure that you have mime table defined in squid.conf)
mime_table /etc/squid/mime.conf
# ARP ACLs for different groups (a double-quoted path makes Squid read the MAC list from that file)
acl faculty_mac arp "/etc/squid/mac.addresses.faculty"
acl hostels_mac arp "/etc/squid/mac.addresses.hostels"
# DSTDOMAIN ACL for different groups
acl faculty_allow dstdomain .google.com .gmail.com .hotmail.com
acl hostels_deny rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/mp3 ^audio/x-mp3 ^audio/x-pn-realaudio ^audio/x-ms-wma ^application/x-mms framed ^application/vnd.ms.wms-hdr.asfv1 ^application/x-shockwave-flash ^application/x-mplayer2 ^application/vnd.google-earth.kmz kmz ^application/vnd.google-earth.kml+xml kml ^application/vnd.google-earth.kmz ^application/vnd.google-earth.kml
# HTTP_ACCESS rules to allow specified group ACL only to specified DSTDOMAIN
http_access allow faculty_allow faculty_mac
# Hostels may send requests; their audio/video replies are filtered below
http_access allow hostels_mac
http_access deny all
# rep_mime_type is only evaluated on replies, so it belongs in http_reply_access, not http_access
http_reply_access deny hostels_deny hostels_mac
http_reply_access allow all
link to mime table http://www.crystalnetworks.org/mime.conf
try above config....i think it should work..
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
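On the earlier question of keeping a user from switching groups by changing the IP address, here is an added example that is not from either poster: each group must match both its subnet and its MAC list. The /24 masks for the thread's 172.16.1.x and 172.16.8.x ranges, the file name mac.addresses.officers and the group-to-policy mapping are assumptions.

```conf
# Added example (not the posters' config). Subnets and the hostels file name
# follow the thread; mac.addresses.officers and the policy split are assumed.

# Squid needs ARP ACL support compiled in (the thread's --enable-arp-acl) and
# must share a layer-2 segment with the clients: behind a router it only sees
# the router's MAC address, so the arp ACLs below would never match.

# Who: subnet AND MAC list must both match, so changing only the IP address
# does not move a PC into another group.
acl officers_net src 172.16.1.0/24
acl hostels_net  src 172.16.8.0/24
acl officers_mac arp "/etc/squid/mac.addresses.officers"
acl hostels_mac  arp "/etc/squid/mac.addresses.hostels"

# What: reply content types treated as audio/video (shortened list).
acl audiovideo rep_mime_type -i ^video/ ^audio/ ^application/x-shockwave-flash

# Request stage: a listed PC in its own subnet may browse; a known MAC seen
# from the wrong subnet, or an unknown MAC, falls through to the final deny.
http_access allow officers_net officers_mac
http_access allow hostels_net hostels_mac
http_access deny all

# Reply stage: the Content-Type is unknown until the server answers, so
# rep_mime_type has no effect in http_access and is applied here instead.
http_reply_access deny hostels_mac audiovideo
http_reply_access allow all
```

A MAC address is reported by the client as well, so this pairing narrows the gap rather than authenticating the user; where group membership has to hold against a determined user, Squid's proxy authentication (`auth_param` with `proxy_auth` ACLs) is the stronger control.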