I need to match 2 access lists into 1 access list action

I need to match 2 access lists into 1 access list action

--Ahmad--
Hi folks
=======

I have an ACL as:

acl ip1 myip 12.58.120.72
tcp_outgoing_address 1.1.1.1 ip1


But the ACL above will match all src IP addresses.
What I want is to allow only a specific src IP address to match the ACL above.


So what I want to do is:

acl hhh src 12.58.70.10/32

and tcp_outgoing_address 1.1.1.1 (if the src was 12.58.70.10 matching the IP 12.58.120.72)


Does Squid support what I need above?

How would the directive look?




Cheers


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: I need to match 2 access lists into 1 access list action

Amos Jeffries
Administrator
On 06/08/17 22:17, --Ahmad-- wrote:

> Hi folks
> =======
>
> I have an ACL as:
>
> acl ip1 myip 12.58.120.72
> tcp_outgoing_address 1.1.1.1 ip1
>
>
> But the ACL above will match all src IP addresses.

No. It will only match traffic where the "myip" value is 12.58.120.72.
It has nothing to do with the TCP src-IP.


> What I want is to allow only a specific src IP address to match the ACL above.
>
>
> So what I want to do is:
>
> acl hhh src 12.58.70.10/32
>
> and tcp_outgoing_address 1.1.1.1 (if the src was 12.58.70.10 matching the IP 12.58.120.72)
>

Do you mean to detect traffic from the 12.58.70.10/32 going to dst-IP
12.58.120.72 ?

Or do you mean to detect traffic from the 12.58.70.10/32 going to
squid-IP 12.58.120.72 ?


Amos

Re: I need to match 2 access lists into 1 access list action

--Ahmad--
The game I'm looking for may be a bit complex.


Well, here is the game:


I have Squid running on IPv6 and 1 IPv4.

So I have an IPv4 address 1.1.1.1 which goes to a null 0 network, which means a fake route.

By that I prevent the IPv4 websites from loading.
So the above is sufficient for that:


>> acl ip1 myip 12.58.120.72
>> tcp_outgoing_address 1.1.1.1 ip1



But sometimes I want to allow the IPv4 websites, but only for certain source IPs. I can't match the src IP address with the ACL "myip", so that some IPs get IPv6 websites only and others get both IPv4/IPv6.


That's why I posted the question. I'm sure Amos you will give me a magical solution in the next post :)




Re: I need to match 2 access lists into 1 access list action

Amos Jeffries
Administrator
On 07/08/17 10:05, Ahmed Alzaeem wrote:

> The game I'm looking for may be a bit complex.
>
>
> Well, here is the game:
>
>
> I have Squid running on IPv6 and 1 IPv4.
>
> So I have an IPv4 address 1.1.1.1 which goes to a null 0 network, which means a fake route.
>
> By that I prevent the IPv4 websites from loading.
> So the above is sufficient for that:
>
>
>>> acl ip1 myip 12.58.120.72
>>> tcp_outgoing_address 1.1.1.1 ip1
>
>
>
> But sometimes I want to allow the IPv4 websites, but only for certain source IPs. I can't match the src IP address with the ACL "myip", so that some IPs get IPv6 websites only and others get both IPv4/IPv6.

Ah. Maybe I understand now.

The current Squid compares the IP address type on tcp_outgoing_address
with the IP type of the server connection. So lines containing an IPv4
address are never applied to IPv6 outbound traffic, and lines with a v6
address are never used for IPv4 outbound traffic.

So, to let everybody reach IPv6 servers, just do not set any
tcp_outgoing_address lines with an IPv6 address. That includes any IPv4
clients using Squid to reach IPv6 servers.


For the clients for which you want to block IPv4 outgoing connections, since
you have two criteria (X clients going to Y domains) you need two ACLs:
one to match the client IPs and one to match the domains.

  # the clients which might be allowed
  acl special_clients src 12.58.70.10/32

  # the domains those clients are allowed to visit over IPv4
  acl special_domains dstdomain .example.com

  # ... and maybe some servers only known by their IPv4
  acl special_domain_ips dst 192.168.0.1


  # match if both client AND domain criteria match
  acl allow_ipv4 all-of special_clients special_domains

  # or, match if both client and domain-IP criteria match
  acl allow_ipv4 all-of special_clients special_domain_ips

  # ... send other clients (non-allowed) out the nul-route IPv4
  tcp_outgoing_address 1.1.1.1 !allow_ipv4


If you have a Squid lacking the 'all-of' ACL type (older than 3.4), the
below should work instead of those last three lines, though I have not
tried it:


   tcp_outgoing_address 0.0.0.0 special_clients special_domains
   tcp_outgoing_address 0.0.0.0 special_clients special_domain_ips

   # otherwise use the nul-routed outgoing IP
   tcp_outgoing_address 1.1.1.1




>
>
> That's why I posted the question. I'm sure Amos you will give me a magical solution in the next post :)
>

:-) maybe, I'm still not sure I understand you completely yet. But the
above certainly seems like magic.

Amos
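The decision logic this thread turns on (src versus myip from Amos's first reply; all-of ANDing its members with repeated lines ORed; first matching tcp_outgoing_address line winning; a line only being considered when its address family matches the destination) can be checked offline with a small model. The following is an added example and is not Squid's code nor part of the original posts: it simulates those rules over the ACL names and addresses from the thread, using Amos's placeholders (.example.com, 192.168.0.1) and a few constructed requests with assumed resolved server IPs, and reads Amos's untried `0.0.0.0` line as "no specific bind". One caveat the model skips: in real Squid `dst` is a slow (DNS-resolving) ACL while tcp_outgoing_address only supports fast ACLs, so the `special_domain_ips` line may only match when the destination IP is already known; here resolved IPs are simply given as input.

```python
"""Model of how Squid picks a tcp_outgoing_address for the thread's setup.

Added example, not Squid's code: simulates src/myip/dst/dstdomain/all-of
ACLs, '!' negation, first-match and the IPv4/IPv6 family check.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One client request as Squid sees it (constructed sample data)."""
    src: str        # client IP (what the 'src' ACL tests)
    myip: str       # Squid's own listening IP the client connected to ('myip')
    dstdomain: str  # requested host name ('dstdomain')
    dst: str        # assumed resolved server IP ('dst'); decides the IP family


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def matches_domain(host, patterns):
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):  # '.example.com' matches the domain and subdomains
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


# ACL definitions, name -> (type, values), mirroring the thread's acl lines.
ACLS = {
    "ip1":                ("myip",      ["12.58.120.72"]),
    "special_clients":    ("src",       ["12.58.70.10/32"]),
    "special_domains":    ("dstdomain", [".example.com"]),
    "special_domain_ips": ("dst",       ["192.168.0.1"]),
    "allow_ipv4":         ("all-of",    [["special_clients", "special_domains"],
                                         ["special_clients", "special_domain_ips"]]),
}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return in_any(req.src, values)
    if kind == "myip":
        return in_any(req.myip, values)
    if kind == "dst":
        return in_any(req.dst, values)
    if kind == "dstdomain":
        return matches_domain(req.dstdomain, values)
    if kind == "all-of":
        # each all-of line ANDs its members; repeated lines of one name are ORed
        return any(all(acl_matches(m, req) for m in group) for group in values)
    raise ValueError(kind)


def term_matches(term, req):
    """A term on a directive line, e.g. 'special_clients' or '!allow_ipv4'."""
    return not acl_matches(term[1:], req) if term.startswith("!") else acl_matches(term, req)


def outgoing_address(rules, req):
    """First tcp_outgoing_address line whose terms all match wins.

    Per the thread, a line is only considered when its address has the same IP
    family as the destination. 0.0.0.0 is modelled as 'no specific bind' (None).
    """
    dst_version = ipaddress.ip_address(req.dst).version
    for address, terms in rules:
        if ipaddress.ip_address(address).version != dst_version:
            continue
        if all(term_matches(t, req) for t in terms):
            return None if address == "0.0.0.0" else address
    return None


# The thread's original line, the all-of version, and the pre-3.4 fallback.
ORIGINAL = [("1.1.1.1", ["ip1"])]
ALL_OF = [("1.1.1.1", ["!allow_ipv4"])]
FALLBACK = [("0.0.0.0", ["special_clients", "special_domains"]),
            ("0.0.0.0", ["special_clients", "special_domain_ips"]),
            ("1.1.1.1", [])]

# Constructed requests; every client connected to Squid on 12.58.120.72.
SAMPLES = {
    "special_allowed": Request("12.58.70.10", "12.58.120.72", "www.example.com", "93.184.216.34"),
    "special_by_ip":   Request("12.58.70.10", "12.58.120.72", "192.168.0.1", "192.168.0.1"),
    "special_other":   Request("12.58.70.10", "12.58.120.72", "www.example.org", "93.184.216.35"),
    "other_client":    Request("12.58.70.99", "12.58.120.72", "www.example.com", "93.184.216.34"),
    "other_client_v6": Request("12.58.70.99", "12.58.120.72", "www.example.com",
                               "2606:2800:220:1:248:1893:25c8:1946"),
}


def decisions(rules):
    """Map each sample request name to the outgoing address the rules select."""
    return {name: outgoing_address(rules, req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("all-of", ALL_OF), ("fallback", FALLBACK)]:
        print(label, decisions(rules))
```

Running it shows the point of Amos's first reply directly: under the original `myip` rule the special client and any other client get the same nul-routed 1.1.1.1, because `myip` never looks at the source address. Under both the all-of rule and the fallback, only the special client reaching an allowed domain (or the listed server IP) escapes the nul route, every other IPv4 request is bound to 1.1.1.1, and IPv6 destinations are untouched by all three rule sets.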