You don't really need Squid for this task, especially if your intention is to block all external connections from the unprivileged machines. Squid only handles Web browsing; it wouldn't block a BitTorrent connection or connections to a remote mail server, for instance.
For a robust solution you're much better off using iptables. First, you'll need to set up the DHCP server to assign pre-designated IP addresses to the clients with the MAC addresses you wish to allow. You do this with the "host" directive in dhcpd.conf. For simplicity, let's suppose you only want to permit one machine to connect to the Internet and block everyone else. Set up dhcpd to give the permitted machine a specific IP address, say, 192.168.1.100. Then you would add these iptables rules on the router:
Code:
# traffic the router forwards between the LAN and the Internet traverses FORWARD, not INPUT
/sbin/iptables -A FORWARD -s 192.168.1.100 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -j REJECT
That's it. Now the permitted machine has full access to the Internet, and everyone else has none. You can create more subtle policies by using rules based on ports. For instance, here are some rules that let the privileged machine browse the Web using both HTTP and HTTPS but nothing else.
Code:
# port-based policy for forwarded traffic: web only for the permitted host, nothing for the rest of the LAN
/sbin/iptables -A FORWARD -p tcp -s 192.168.1.100 --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 192.168.1.100 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -j REJECT
You can also specify machines by MAC address in iptables; see "man iptables" for details, specifically the "mac" match extension and its associated "--mac-source" parameter.
Finally, here's a useful rule to block things like torrents and streaming video, but enable other types of services. It takes advantage of the fact that most any such service runs on "unprivileged" ports above 1023.
Code:
# reject forwarded connections where both ends use unprivileged ports (typical of P2P and streaming);
# normal client traffic to well-known server ports (<1024) is unaffected
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 1024:65535 -j REJECT
iptables -A FORWARD -p udp --sport 1024:65535 --dport 1024:65535 -j REJECT
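Putting the DHCP reservation and the iptables policy together, here is an added example script (not the poster's own rules) that reserves an address for the permitted MAC, installs the rules in a dedicated FORWARD sub-chain, and matches the permitted host on both IP and MAC so that hand-configuring the reserved address is not enough to get out. The interface names, network, and the ip=mac pair are assumed sample values; pass "echo" to preview the rules and "iptables" to apply them.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes LAN 192.168.1.0/24 on eth0
# and the Internet on eth1 (hypothetical). Forwarded packets traverse FORWARD.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
# Permitted hosts as ip=mac pairs (constructed sample values). Matching on both
# means a user cannot get access merely by hand-configuring the reserved address.
ALLOWED="192.168.1.100=00:11:22:33:44:55"

# Emit the dhcpd.conf host stanza that reserves address $2 for MAC $3 under name $1.
dhcp_host_stanza() {
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$1" "$3" "$2"
}

# build_rules CMD: run every iptables invocation through CMD ("iptables" to apply,
# "echo" to preview), so the policy can be reviewed before it touches the router.
build_rules() {
    ipt="$1"
    $ipt -N LAN_EGRESS                       # own chain: easy to list and flush
    # replies belonging to connections the router already tracks
    $ipt -A LAN_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for entry in $ALLOWED; do
        ip=${entry%%=*}; mac=${entry#*=}
        # web only, plus DNS; drop the DNS rule if the router resolves names itself
        $ipt -A LAN_EGRESS -s "$ip" -m mac --mac-source "$mac" -p tcp -m multiport --dports 80,443 -j ACCEPT
        $ipt -A LAN_EGRESS -s "$ip" -m mac --mac-source "$mac" -p udp --dport 53 -j ACCEPT
    done
    # everyone else on the LAN: rate-limited log entry (visible in syslog), then reject
    $ipt -A LAN_EGRESS -s "$LAN_NET" -m limit --limit 5/min -j LOG --log-prefix "LAN-EGRESS-DENY: "
    $ipt -A LAN_EGRESS -s "$LAN_NET" -j REJECT
    # hook the chain into FORWARD for LAN -> Internet traffic only
    $ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j LAN_EGRESS
}

# Number of ACCEPT rules the policy would install: one per permitted service plus conntrack.
count_accepts() { build_rules echo | grep -c -- '-j ACCEPT'; }
```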