SAMBA SERVER CONFIGURATION

 SAMBA SERVER

 WHAT IS SAMBA SERVER?

          Samba is used to allow users to share and use files, folders and printers between Linux and Windows systems. In this hashrootz tutorial let us see how to install and configure samba server.
     
   Resource sharing, like file systems and printers, in Microsoft Windows systems, is accomplished using a protocol called the Server Message Block or SMB. For working with such shared resources over a network consisting of Windows systems, an RHEL system must support SMB. The technology used for this is called SAMBA. This provides integration between the Windows and Linux systems. In addition, this is used to provide folder sharing between Linux systems. There are two parts to SAMBA, a Samba Server and a Samba Client.

1. What is SMB?

In order to communicate, you and I need a common language, like English or Swahili. Computers are no different. There are a few basic "languages" computers use to communicate on a network, and these languages are called protocols. TCP/IP, NetBEUI, IPX, SNA and Appletalk are examples of protocols. One of the most popular protocols for PCs lets you share files, disks, directories, printers, and (in some cases) even COM ports across a network: this protocol is called the SMB (Server Message Block) standard

My Configurations: Samba server ip:192.168.0.2
                             windows clint ip:192.168.0.5
                            
SERVER SIDE

• install Samba Packages
• create Samba users
• create Password for samba users 
• Edit the Samba configuration file (/etc/samba/smb.conf)

• Restart the services 

CLIENT SIDE (WINDOWS)

• Acess Server using run> //192.168.0.4 

Play with Server//Acess-write-read-browse Data

Configuring the [global] Section

The smb.conf file is divided into sections. The first section is the [global] section where settings can be specified that apply to the entire Samba configuration. Whilst these settings are global, each option may be overridden within other sections of the configuration file.
The first task is to define the name of the Windows workgroup on which the RHEL 6 resources are to be shared. This is controlled via the workgroup = directive of the [global] section which by default is configured as follows:
 

workgroup = MYGROUP

Begin by changing this to the actual name of the workgroup . For example, if the workgroup is named WORKGROUP (the default for most Windows networks):

 workgroup = workgroup

Configuring a Shared Resource

The next step is to configure a shared resource (in other words a resource that will be accessible from other systems on the Windows network). In order to achieve this, the section is given a name by which it will be referred to when shared. For example, if we plan to share the /tmp directory of our RHEL 6 system, we might entitle the section [tmp]. In this section a variety of configuration options are possible. For the purposes of this example, however, we will simply define the directory that is to be shared, indicate that the directory is browsable and writable and declare the users that are allowed to access the shared resource (in this case a user named demo):

[tmp]
 path = /tmp
 writeable = yes
 browseable = yes
valid users = demo

*path             :  path of the shared folder
*writable       :  specify the write access of the client over the shared
                         resources


>> testparm :used to test the syntax error in configuration fiile

Creating a Samba User

Any user that requires access to a Samba shared resource must be configured as a Samba User and assigned a password. This task is achieved using the smbpasswd command line tool. In our example smb.conf file we stated the user demo is entitled to access the /tmp directory of our RHEL 6 system. In order to fulfill this requirement, therefore, we must add demo as a samba user as follows:

# su - 

# smbpasswd -a jishnu
New SMB password:
Retype new SMB password:
Added user jishnu

Now that we have completed the configuration of a very basic Samba server, it is time to test our configuration file and then start the Samba services.

> TO CHECK SAMBA USERS:

          pdbedit -L
             
> TO DELETE SAMBA USERS

          pdbedit -x username

> TO CHANGE SAMBA USER PASSWORD

        smbpasswd username

Testing the smb.conf File

The settings in the smb.conf file may be tested using the testparm command line tool as follows:

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[tmp]
        path = /tmp
        valid users = demo
        read only = No 

Accessing Samba Shares

Now that the Samba resources are configured and the services are running, it is time to access the shared resource from a Windows system. On a suitable Windows system on the same workgroup as the RHEL 6 system, open Windows Explorer and navigate to the Network page. At this point, explorer should search the network and list any systems using the SMB protocol that it finds. The following figure illustrates an RHEL 6 system named SAM1 located using Windows Explorer on a Windows 7 system:

LINUX MACHINE AS AN CLINT OF SAMBA

Read More

FTPSERVER CONFIGURATION IN REDHAT/CENT OS

 FTP SERVER CONFIGURATION IN REDHAT/CENT OS  

What Is Ftp?

The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of computer files from a server to a client using the Client–server model on a computer network.

How FTP works

Step a: Client connects to server on port 21.
Step b: Server responds and ask for authentication.
Step c: Client decides weather to connect passively or actively and authenticate with credentials(user name password).
Step d: If it is an active connection, server opens port 20 for data transfer and gives ftp prompt after successful authentication.
Step e: Client call for file and server initiates file transfer.
Following picture shows a simple way of data transfer through ftp.Before setting up FTP server we have to clear our self about active and passive ftp

vsftpd (Very Secure File Transport Protocol Daemon) is a secure, fast FTP server for Unix/Linux systems. In this how-to 
article, let us see how to setup a basic FTP server using vsftpd on 
CentOS 6.5. This procedure will also work on all RHEL CentOS, Scientific
 Linux 6.x versions.

Server side: 

1> Install vsftpd package in server

2> Install ftp package in server 

3> Configure /etc/vsftpd/vsftpd.conf  file baced on your requirement

4> restart vsftp service 

4> test the server and fix selinux restrictions 

client side:

1> Install ftp package in client 

2> Connect to server u,put, sing ftp 

3> upload / download files using get,put,mget,mput 

4> terminate the connection 

My testbox server hostname and IP Address are server.mithz.local and 192.168.0.4  respectively. Change the values as per your scenario. 

installed vsftpd and ftp  package using yum 

yum install vsftpd 

yum install ftp

configure the /etc/vsftp/vsftpd.conf 

#vi /etc/vsftpd/vsftpd.conf


Change the line which contain  
anonymous_enable=YES to anonymous_enable=NO. This will permit any one to access FTP server with authentication.

chroot_local_user=NO to chroot_local_user=YES.    This will permit local user as FTP account. If you add an user, it will be treated as a FTP account as well.

anonymous_enable=YES
Uncomment the following line

local_enable=YES                  allow users in /etc/passwd to login

write_enable=YES                  allow users to write files.

setsebool -P ftp_home_dir=1

1. Anonymous User can't create files,directory its prompt "550 Permission Denied" 

    Solved By " Chmod 777 /var/ftp/pub "

2.

Read More

Disk management

1>  FDISK COMMAND
               DISPLAY PARTITIONS
               CREATE PARTITION
               DELETE PARTITION

2>  FORMATING/CREATE FILE SYSTEM

3>  MOUNTING
                TEMPORARY MOUNTING
                PERMANENT MOUNTING

4> SWAP PARTITION
               LIST SWAP VOLUMES
               CREATE SWAP PARTITION
               FORMATE SWAP VOLUME
               MULTIPLE SWAP PARTITION MANAGEMENT
               REMOVE SWAP PARTITION

Fdisk command 

fdisk stands (for “fixed disk or format disk“) is an most commonly used command-line based disk manipulation utility for a Linux/Unix systems. With the help of fdisk command you can view, create, resize, delete, change, copy and move partitions on a hard drive using its own user friendly text based menu driven interface.

p print the partition table
n create a new partition
d delete a partition
q quit without saving changes
w write the new partition table and exit

Read More

GROUP MANAGEMENT

 

 

 Group information is stored in the /etc/group file. Each record has the following format



[Group name]:[Group password]:[GID]:[Group members]

    [Group name] is the name of group.
    An x in [Group password] indicates group passwords are not being used.
    [GID]: same as in /etc/passwd.
    [Group members]: a comma separated list of users who are members of [Group name].

How to create a group.

To create group use groupadd commands. Group created by this command is called secondary group.
#groupadd test

#groupadd -g 600 -p pro@123 project1

g :gid
p: password
r : system account ( its take the gid value from reserved group id values)

How to add user in groups

To add user in this group use usermod commands

This command will make vinita user to member of test group BY REMOVING FROM ALL OTHER GROUP


#usermod –G test vinita


# usermod -a -G group1 vinita

The -a option is critical. The user is added to group1 while he continues to be a member of other groups. If it’s not used, then the user is added only to group1 and removed from any other groups. So, take note!
How to delete secondary group

You can delete a group by groupdel commands

# #groupdel test


You cannot delete users primary group until user exist for example

 #groupdel nikki


Remove a user from a group



Removing a user from a group is a bit trickier. Unfortunately, there is no direct command, at least not in Fedora or RHEL, that can do that from command line. At first you need to get a list of groups that your user is a member of:

# id -nG username
group1 group2 group3 ....

OR

# id username


Then you need to put all these groups as a comma-separated list to the usermod -G option, except for the group from which you want the user to be removed. So, to remove the user from group2, issue the command:

# usermod -G group1,group3,... username

Read More

TRickZ And TipS

# grep --color 'jishnus account ' /etc/passwd : show the selected colour in colour

pkill -KILL -u {username:: logout any user 

The /etc/rc.d/rc.local : To add startup programs

script is executed by the init command at boot time or when changing runlevels. Adding commands to the
bottom of this script is an easy way to perform necessary tasks like 
starting special services or initialize devices without writing complex 
initialization scripts in the /etc/rc.d/init.d/ directory and creating symbolic links.
   

Read More

Linux Basic File Permissions

Viewing Ownership and Permissions

In Linux, each and every file is owned by a single user and a single group, and has its own access permissions. Let's look at how to view the ownership and permissions of a file.

The most common way to view the permissions of a file is to use ls with the long listing option, e.g. ls -l myfile. If you want to view the permissions of all of the files in your current directory, run the command without an argument, like this.

ls -l   or ll

Understanding File attributes

Here is an example screenshot of what the output might look like, with labels of each column of output:

Note that each file's mode (which contains permissions), owner, group, and name are listed. Aside from theMode column, this listing is fairly easy to understand. To help explain what all of those letters and hyphens mean, let's break down the Mode column into its components.

Understanding Mode

To help explain what all the groupings and letters mean, take a look at this closeup of the mode of the first file in the example above:

File Types

In Linux, there are two basic types of files: normal and special. The file type is indicated by the first character of the mode of a file--in this guide, we refer to this as the file type field.

Normal files can be identified by files with a hyphen (-) in their file type fields. Normal files are just plain files that can contain data. They are called normal, or regular, files to distinguish them from special files.

Special files can be identified by files that have a non-hyphen character, such as a letter, in their file type fields, and are handled by the OS differently than normal files. The character that appears in the file type field indicates the kind of special file a particular file is. For example, a directory, which is the most common kind of special file, is identified by the d character that appears in its file type field (like in the previous screenshot). There are several other kinds of special files but they are not essential what we are learning here.

Examples:

d      : Directory

-       : Files

l       : Link

when applying permissions to directories on Linux, the permission bits have different meanings than on regular files.

• The execute bit allows the affected user to enter the directory, and access files and directories inside
• The write bit allows the affected user to create, rename, or delete files within the directory, and modify the directory's attributes
• The read bit allows the affected user to list the files within the directory (Not get Acess to any inode)
• The sticky bit states that files and directories within that directory may only be 
•  deleted or renamed by their owner (or root)

Assigning Permissions

we can Assign permissons in two methods

1) Symbolic method
2) Absolute method

Symbolic method

The first and probably easiest way is the relative (or symbolic) method, which lets you specify access classes and types with single letter abbreviations. A chmod command with this form of syntax consists of at least three parts from the following lists:

Access Class	Operator	Access Type
u (user)	+ (add access)	r (read)
g (group)	- (remove access)	w (write)
o (other)	= (set exact access)	x (execute)
a (all: u, g, and o)

For example, to add permission for everyone to read a file in the current directory named myfile, at the Unix prompt, you would enter:

  chmod a+r myfile

The a stands for "all", the + for "add", and the r for "read".

Note:

This assumes that everyone already has access to the directory where myfile is located and its parent directories; that is, you must set the directory permissions separately.

If you omit the access class, it's assumed to be all, so you could also enter the previous example as:

  chmod +r myfile

You can also specify multiple classes and types with a single command. For example, to remove read and write permission for group and other users (leaving only yourself with read and write permission) on a file namedmyfile, you would enter:

  chmod go-rw myfile

You can also specify that different permissions be added and removed in the same command. For example, to remove write permission and add execute for all users on myfile, you would enter:

  chmod a-w+x myfile

In each of these examples, the access types that aren't specified are unchanged. The previous command, for example, doesn't change any existing settings specifying whether users besides yourself may have read (r) access to myfile. You could also use the exact form to explicitly state that group and other users' access is set only to read with the = operator:

  chmod go=r myfile

The chmod command also operates on directories. For example, to remove write permission for other users on a subdirectory named mydir, you would enter:

  chmod o-w mydir

To do the same for the current directory, you would enter:

  chmod o-w 

Be careful when setting the permissions of directories, particularly your home directory; you don't want to lock yourself out by removing your own access. Also, you must have execute permission on a directory to switch (cd) to it.

Absolute form

The other way to use the chmod command is the absolute form. In this case, you specify a set of three numbers that together determine all the access classes and types. Rather than being able to change only particular attributes, you must specify the entire state of the file's permissions.

The three numbers are specified in the order: user (or owner), group, other. Each number is the sum of values that specify read (4), write (2), and execute (1) access, with 0 (zero) meaning no access. For example, if you wanted to give yourself read, write, and execute permissions on myfile; give users in your group read and execute permissions; and give others only execute permission, the appropriate number would be calculated as (4+2+1)(4+0+1)(0+0+1) for the three digits 751. You would then enter the command as:

  chmod 751 myfile

As another example, to give only yourself read, write, and execute permission on the current directory, you would calculate the digits as (4+2+1)(0+0+0)(0+0+0) for the sequence 700, and enter the command:

  chmod 700 

If it seems clearer to you, you can also think of the three digit sequence as the sum of attributes you select from the following table:

400	Read by owner
200	Write by owner
100	Execute by owner

040	Read by group
020	Write by group
010	Execute by group

004	Read by others
002	Write by others
001	Execute by others

To create an access mode, sum all the accesses you wish to permit. For example, to give read privileges to all, and write and execute privileges to the owner only for a file, you would sum: 400+200+100+040+004 = 744. Then, at the Unix prompt, you would enter:

  chmod 744 myfile.ext

Some other frequently used examples are:

777	anyone can do anything (read, write, or execute)
755	you can do anything; others can only read and execute
711	you can do anything; others can only execute
644	you can read and write; others can only read

Deep In File Permissions 

1) Directory  "Test" with only read permission

[mithz@localhost ~]$ cd test
bash: cd: test: Permission denied

[mithz@localhost ~]$ ls -l ./test
ls: cannot access ./test/one.txt: Permission denied
ls: cannot access ./test/two.txt: Permission denied
total 0
?????????? ? ? ? ?            ? one.txt?????????? ? ? ? ?            ? two.txt

>Cant enter into Directory
>List only the names but cant acess any information stored in inodes eg:size,permissions,modified time etc:-

 

with only Write permissions :-

 

[mithz@localhost ~]$ cd test
bash: cd: test: Permission denied

[mithz@localhost ~]$ ls test
ls: cannot open directory test: Permission denied

[mithz@localhost ~]$ cat ./test/one.txt
cat: ./test/one.txt: Permission denied

 

with only Execute Permissions:-
 

 [mithz@localhost ~]$ cd test

[mithz@localhost test]$ ls -l
ls: cannot open directory .: Permission denied

[mithz@localhost test]$ cat one.txt
yes u can read me now :-)!!!

One way I use SUID on my machine
I have a few files that I modify through Linux and then before I shutdown Linux I have to transfer them to my Windows partition for further use there. As a normal user I do not have write access to the Windows partitions that I have mounted. So I have to be the superuser to be able to write to that partition. I have created a simple shell script that copies my files to the Windows partitions. This script was created by root user and the SUID bit was set. Access rights to this script have been given to all users. Now whenever I want to copy my files I simply run this script. Even though I have logged in as a normal user, the SUID bit which is set causes this script to execute as if the root was executing it and it allows me to write to the Windows partitions.

Had the SUID bit not been set, I would have to type ' su ' at the prompt and get temporary superuser access to get write access to the Windows partitions. Hope you got the point..
Note : In case you do not know how to access your Windows partitions through Linux, refer to Article No. 3
You may be thinking that since these applications would run as root they can do harmful things and destroy the system. The concept behind SUID bit is that you as the superuser would be able to allow certain applications / scripts to be run by the users as if they were the superuser for the time being. What these application / scripts do when they execute should be completely known to you. Even though the users would be allowed to execute these programs as root they would be able to do ONLY THOSE things that these programs were designed to do. So in case a script was designed to copy 5 files from one place to another. Then the user who would run that script would be able to ONLY copy those 5 files from one place to another. He would not be able to modify that script in any way since he would not have write access to the script. He would only be having execute rights for that script. Hence its an excellent idea to allow users to do some important backup using a script that does only that and by setting the SUID bit for that script. This way the users don't have to know the superuser password but can still use some facilities that are only available to the superuser
Important : Think twice before setting the SUID bit for scripts (owned by root) that take arguments at the command line. Since you never know what parameters a malicious user may pass to your script. Since the script would run as root it could do great damage if misused.

Read More

Swap Memory Management

5.1. What is Swap Space?

Swap space in Linux is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. Swap space is located on hard drives, which have a slower access time than physical memory.

Swap space can be a dedicated swap partition (recommended), a swap file, or a combination of swap partitions and swap files.

Swap should equal 2x physical RAM for up to 2 GB of physical RAM, and then an additional 1x physical RAM for any amount above 2 GB, but never less than 32 MB.

So, if:

M = Amount of RAM in GB, and S = Amount of swap in GB, then

If M < 2
 S = M *2
Else
 S = M + 2

Using this formula, a system with 2 GB of physical RAM would have 4 GB of swap, while one with 3 GB of physical RAM would have 5 GB of swap. Creating a large swap space partition can be especially helpful if you plan to upgrade your RAM at a later time.

For systems with really large amounts of RAM (more than 32 GB) you can likely get away with a smaller swap partition (around 1x, or less, of physical RAM).

Recommended System Swap Space

Amount of RAM in the System	Recommended Amount of Swap Space
4GB of RAM or less	a minimum of 2GB of swap space
4GB to 16GB of RAM	a minimum of 4GB of swap space
16GB to 64GB of RAM	a minimum of 8GB of swap space
64GB to 256GB of RAM	a minimum of 16GB of swap space
256GB to 512GB of RAM	a minimum of 32GB of swap space

To check The Total Swap,Physical &buffers/cache Space in System

free -m

             total       used       free     shared    buffers     cached
Mem:          3953        315       3637          8         11        107
-/+ buffers/cache:        196       3756
Swap:            0          0       4095

1. Creating Swap Partition

To add an extra swap partition to your system, you first need to prepare it. Step one is to ensure that the partition is marked as a swap partition and step two is to make the swap filesystem. To check that the partition is marked for swap, run as root:

fdisk -l /dev/hdb

Replace /dev/hdb with the device of the hard disk on your system with the swap partition on it. You should see output that looks like this:

Device Boot    Start      End           Blocks  Id      System

/dev/hdb1       2328    2434    859446  82      Linux swap / Solaris

If the partition isn't marked as swap you will need to alter it by running fdisk and using the 't' menu option. Be careful when working with partitions -- you don't want to delete important partitions by mistake or change the id of your system partition to swap by mistake. All data on a swap partition will be lost, so double-check every change you make. Also note that Solaris uses the same ID as Linux swap space for its partitions, so be careful not to kill your Solaris partitions by mistake.

2. Format new Partition Using Swap File  system

Once a partition is marked as swap, you need to prepare it using the mkswap (make swap) command as root:

mkswap /dev/hdb1

3.  Activate The New Swap Partition

If you see no errors, your swap space is ready to use. To activate it immediately, type:

swapon /dev/hdb1

3. Varify The  Swap Partitions

You can verify that it is being used by running   swapon -s. 

swapon -s

4. Mount The Swap partition

 To mount the swap space automatically at boot time, you must add an entry to the  /etc/fstab  file, which contains a list of filesystems and swap spaces that need to be mounted at boot up. The format of each line is:

1. To enable the swap file immediately but not automatically at boot time:

   swapon /swapfile
   

2. To enable it at boot time, edit /etc/fstab to include the following entry:

   /swapfile swap swap defaults 0 0
   

   The next time the system boots, it enables the new swap file.

5. Add New Activated Swap space To Old Swap 

 swapon -v /dev/hdb1

6. Deactivate swap Partition

Sometimes it can be prudent to reduce swap space after installation. For example, say you downgraded the amount of RAM in your system from 1 GB to 512 MB, but there is 2 GB of swap space still assigned. It might be advantageous to reduce the amount of swap space to 1 GB, since the larger 2 GB could be wasting disk space.

swapoff -v /dev/hdb1

Read More

Install and Configure SQUID Proxy Server on CentOS/RHEL 6/5

What is Squid Server?

SQUID is a Proxy server and also used for web filtering. Its widely used for increasing web server speed by caching repeated data.
This article will help you to Install and Configure SQUID Proxy Server on CentOS/RHEL Linux systems.

Squid Proxy Server quick key points

• Packages – squid*.rpm
• Port Numbers – 3128 (default)
• Configuration File – /etc/squid/squid.conf
• Service / Daemon – squid

1. Install Squid

Squid can be easily install using yum command line tool.

# yum install squid

check the previous tutorial for yum Installation 

2. Setup Port and Start Service

Squid by default run on port 3128. If you want to start squid on different port, Edit squid configuration file and change http_port value. For example we are changing squid to run on port 8080.

# vim /etc/squid/squid.conf

http_port 8080

Start/Restart Squid service.

# service squid restart

3. Configure SQUID to Block Specific Website 

 

Add below rules to block specific website before any allow all rules. Below example will block yahoo.com and www.rediff.com.

acl blocksite1 dstdomain yahoo.com
acl blocksite2 dstdomain www.rediff.com
http_access deny blocksite1
http_access deny blocksite2

If you have a long list of domain names,
 Create a file /etc/squid/blockwebsites.lst and put domain names one per line and add below rule in squid configuration file.

acl blocksitelist dstdomain "/etc/squid/blockwebsites.lst"
http_access deny blocksitelist

blockwebsites.lst file content example:

# cat /etc/squid/blockwebsites.lst
yahoo.com
www.rediff.com

4. Configure Squid to Block Specific Keyword

Add below rules to block specific website before any allow all rules. Below example will block all pages having keyword yahoo or gmail.

acl blockkeyword1 url_regex yahoo
acl blockkeyword2 url_regex gmail
http_access deny blockkeyword1
http_access deny blockkeyword2

If you have a long list of keywords, Create a file /etc/squid/blockkeywords.lst and put keywords one per line and add below rule in squid configuration file.

acl blockkeywordlist url_regex "/etc/squid/blockkeywords.lst"
http_access deny blockkeywordlist

blockkeywords.lst file content example:

# cat /etc/squid/blockkeywords.lst
yahoo
gmail
facebook

Congratulation’s you have successfully install and configured Squid proxy server.

Setting Maximum Download Size

Squid can be used to control the maximum downloadable file size. We want to restrict maximum download size to 50 MB for hosts 10.10.10.200 and 10.10.10.201. We have already created the ACL 'custom-denied-list' previously to isolate the traffic from these sources. Now we will use the same access list to restrict download size.

# vim /etc/squid/squid.conf

1	reply_body_max_size 50 MB custom-denied-list

# squid -k reconfigure 

MAC based filtering is useful for networks using DHCP to assign ip addresses to systems. As we know MAC is hard coded on NIC and can’t be changed but IP addresses assigned by DHCP may change on next ip assignment. This tutorial will help you to how to Configure Squid Proxy Server Mac Address Based Filtering.

If you do not have Squid installed, Go to below link for installing squid on CentOS/RHEL/Fedora systems.
Install and Configure SQUID Proxy Server on CentOS/RHEL Linux
ACL rules are need to add in squid configuration file /etc/squid/squid.conf. Remember that squid Squid always applied first matching rules from top to down order and ignore other after matching any rule

1. Block All Sites For Single MAC Address

Following configuration will block all the sites to system having MAC address 01:23:45:AB:CD:EF.
Squid ACL Rule:

acl pcmac1 arp 01:23:45:AB:CD:EF
http_access deny pcmac1

2. Block Single Site for Single MAC Address

Following configuration will block www.example.com site to system having MAC address 01:23:45:AB:CD:EF.
Squid ACL Rule:

acl blocksite1 dstdomain www.example.com
acl pcmac1 arp 01:23:45:AB:CD:EF
http_access deny blocksite1 pcmac1 

3. Block All Sites for Multiple MAC Addresses

Following configuration will block all the sites to systems having MAC addresses 01:23:45:AB:CD:EF and AB:CD:EF:01:23:45.
MAC Addresses List

# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45

Squid ACL Rule:

acl pcmacs arp "/etc/squid/mac-addrs.lst"
http_access deny pcmacs

4. Block Single Site for Multiple MAC Addresses

Following configuration will block www.example.com to systems having MAC addresses 01:23:45:AB:CD:EF and AB:CD:EF:01:23:45.
MAC Addresses List

# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45

Squid ACL Rule:

acl blocksite1 dstdomain www.example.com
acl pcmacs arp "/etc/squid/mac-addrs.lst"
http_access deny blocksite1 pcmacs

5. Allow Specific Site for Single MAC Address

Following configuration will allow www.example.com to system having MAC address 01:23:45:AB:CD:EF and deny other sites.
Squid ACL Rule:

acl pcmac1 arp 01:23:45:AB:CD:EF
acl allowsite1 dstdomain www.example.in
http_access allow allowsite1 pcmac1
http_access deny pcmac1

6. Allow Multiple Sites for Single MAC Address

Following configuration will allow all sites added in /etc/squid/allowsites.lst to system having MAC address 01:23:45:AB:CD:EF and deny other sites.
Allowed Sites List

# cat /etc/squid/allowsites.lst
www.google.co.in
yahoo.com
in.yahoo.com

Squid ACL Rule:

acl pcmac1 arp 01:23:45:AB:CD:EF
acl allowsite1 dstdomain "/etc/squid/allowsites.lst"
http_access allow allowsite1 pcmac1
http_access deny pcmac1

7. Allow Specific Site for Multiple MAC Addresses

Following configuration will allow www.example.com to systems having MAC address 01:23:45:AB:CD:EF and and AB:CD:EF:01:23:45 and deny other sites.
MAC Addresses List

# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45

Squid ACL Rule:

acl blocksite1 dstdomain www.example.com
acl pcmacs arp "/etc/squid/mac-addrs.lst"
http_access allow blocksite1 pcmacs
http_access deny pcmacs

8. Allow Multiple Sites for Multiple MAC Addresses

Following configuration will allow all the sites listed in /etc/squid/allowsites.lst to all systems having MAC address listed in /etc/squid/mac-addrs.lst and deny other sites.
MAC Addresses List

# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45

Allowed Sites List

# cat /etc/squid/allowsites.lst
www.google.co.in
yahoo.com
in.yahoo.com

Squid ACL Rule:

acl pcmacs arp "/etc/squid/mac-addrs.lst"
acl allowsites dstdomain "/etc/squid/allowsites.lst"
http_access allow allowsites pcmacs
http_access deny pcmacs 

Squid Acl options

1> src      : source Ip Address

2> url_regx : Words in a Destination Web Address

3> dstdomain: Destination Web Address 

Squid restart vs. Squid reconfigure

Whenever Squid configuration is modified, Squid service needs to be restarted. Depending on the number of active connections, restarting the service may take a a while, sometimes several minutes. LAN users will not be able to access the Internet during this time. To avoid such service interruption, we can use the following command instead of

 "service squid restart".

# squid -k reconfigure

This command will allow Squid to run with updated parameters without restarting itself.

Read More