Re: [squid-users] Squid 3.2 problem to log mac address

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 19 Oct 2012 19:25:14 +1300

On 19/10/2012 4:38 a.m., Alexandre Rubert wrote:
> Hello,
> I have a chillispot server and a squid 3.2 server on my machine. I'd
> like to log all traffic from my hotspot clients (visited website, hour,
> MAC address). I compiled squid with --enable-eui. When I look at the log
> file, the MAC address is 00:00:00:00:00:00.

EUI-48 is only available if you have ARP-relay on the network, or the
client device is directly cabled to the Squid device (a hub or switch in
between is fine).

EUI-64 is only available if it is embedded in the IPv6 address (a SLAAC
auto-configured address). IPv6 so-called "privacy" addresses erase that
information. Manually configured and DHCP sequentially assigned static
IPv6 addresses also do not contain it.

>
> My squid.conf looks like :
> http_port 8888 intercept
> http_access allow all
> eui_lookup on
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %>eui
> access_log stdio:/usr/local/squid/var/logs/squid/access.log squid
>
> My iptables :
>
> IPTABLES="/sbin/iptables"
> EXTIF="eth0"
> INTIF="eth1"
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> #Allow related, established and ssh on $EXTIF. Reject everything else.
> $IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
> #$IPTABLES -A INPUT -i $EXTIF -j REJECT
> #SQUID
> $IPTABLES -A INPUT -p tcp -m tcp --dport 8888 --syn -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 8888 --syn -j DROP

This one is better:
    $IPTABLES -t raw -A PREROUTING -p tcp -m tcp --dport 8888 -j DROP

It blocks attacks coming from other places than tun0, including requests
for http://localhost:8888/ by malicious clients and such like.

Amos

> $IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
> #Allow related and established from $INTIF. Drop everything else.
> #Allow http and https on other interfaces (input)
> $IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> $IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
> #Allow 3990 on other interfaces (input).
> $IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
> #Allow everything on loopback interface.
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A FORWARD -o $INTIF -j DROP
> #Enable NAT on output device
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
Received on Fri Oct 19 2012 - 06:25:19 MDT
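As an added illustration of the EUI-48/EUI-64 point Amos makes above (example code, not from this thread and not part of Squid): a small Python script that reads lines written by the logformat Alexandre posted and, for every all-zero %>eui, says which of the stated conditions is the likely cause. The sample log lines, the on-link prefixes 10.1.0.0/24 and 2001:db8:1::/64, and the rendering of a failed IPv6 lookup as eight zero octets are constructed assumptions for the example.

```python
"""Explain all-zero %>eui values in a Squid 3.2 access.log.

Added example; not code from the squid-users thread or from Squid itself.
It parses lines produced by the logformat from the thread:

    %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %>eui

For each zero EUI it reports the likely reason: an IPv4 client that is not
on a directly attached segment (so there is no ARP entry to read), or an
IPv6 address whose interface identifier does not embed an EUI-64
(privacy, static or DHCPv6-assigned addresses).
"""
import ipaddress

# Assumption: prefixes directly attached to the Squid box (the hotspot side).
# A client outside these is reached through a router, so ARP only ever sees
# the router's MAC, never the client's.
LOCAL_PREFIXES = [
    ipaddress.ip_network("10.1.0.0/24"),
    ipaddress.ip_network("2001:db8:1::/64"),
]

# Constructed sample lines (not real traffic).  The 8-octet zero value for a
# failed IPv6 lookup is an assumption about how Squid renders it.
SAMPLE_LOG = """\
1350586200.123    412 10.1.0.15 TCP_MISS/200 5123 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html 00:11:22:33:44:55
1350586201.456    310 10.1.0.22 TCP_MISS/200 1002 GET http://example.com/a - HIER_DIRECT/93.184.216.34 text/html 00:00:00:00:00:00
1350586202.789    205 192.168.50.9 TCP_MISS/302 330 GET http://example.net/ - HIER_DIRECT/93.184.216.34 text/html 00:00:00:00:00:00
1350586203.012    150 2001:db8:1::21b:21ff:fe3c:4d5e TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/2606:2800:220:1:248:1893:25c8:1946 text/html 02:1b:21:ff:fe:3c:4d:5e
1350586204.345    140 2001:db8:1::a1b2:c3d4:e5f6:7890 TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/2606:2800:220:1:248:1893:25c8:1946 text/html 00:00:00:00:00:00:00:00
"""

# One name per whitespace-separated column of the logformat above.
FIELDS = ("time", "duration", "client", "result", "bytes", "method",
          "url", "user", "hier", "mime", "eui")


def parse_line(line):
    """Split one access.log line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def eui_is_zero(eui):
    """True for 00:00:00:00:00:00 (EUI-48) or eight zero octets (EUI-64)."""
    return set(eui.replace(":", "")) == {"0"}


def on_link(addr):
    """True if the client address falls inside a directly attached prefix."""
    return any(addr in net for net in LOCAL_PREFIXES)


def embedded_eui64(addr_text):
    """Return the interface identifier as colon-hex if it looks like a
    modified EUI-64 (octets 3-4 == ff:fe, the SLAAC marker), else None.
    Heuristic only: a manually chosen address could also contain ff:fe."""
    addr = ipaddress.ip_address(addr_text)
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3] == 0xFF and iid[4] == 0xFE:
        return ":".join(f"{b:02x}" for b in iid)
    return None


def explain(rec):
    """Short verdict for one parsed record."""
    if not eui_is_zero(rec["eui"]):
        return "eui captured"
    addr = ipaddress.ip_address(rec["client"])
    if addr.version == 4:
        if not on_link(addr):
            return "off-link IPv4 client: behind a router, ARP cannot resolve it"
        return "on-link IPv4 client but no ARP entry: check eui_lookup/--enable-eui and the neighbour table"
    if embedded_eui64(rec["client"]) is None:
        return "IPv6 address without embedded EUI-64 (privacy, static or DHCPv6 address)"
    return "SLAAC-style IPv6 address but lookup failed: check eui_lookup/--enable-eui"


def analyse(text):
    """Parse every non-empty line; return [(client, eui, verdict), ...]."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        out.append((rec["client"], rec["eui"], explain(rec)))
    return out


if __name__ == "__main__":
    for client, eui, verdict in analyse(SAMPLE_LOG):
        print(f"{client:40} {eui:25} {verdict}")
```

Run it against a real access.log by feeding the file contents to analyse(); the only site-specific part is LOCAL_PREFIXES, which must list the subnets where Squid can actually see client ARP or neighbour entries.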

This archive was generated by hypermail 2.2.0 : Fri Oct 19 2012 - 12:00:05 MDT