Restrict network access by time or IP address with Squid


There are a number of reasons why you would want to restrict network access. You run a cafe with web access or you have young or teenage children and you want them to only be able to use the network at certain times. Their are certainly tools out there to do this on a PC-by-PC basis, but why not employ a proxy server instead? One of the best (and most robust) proxy servers available for the Linux operating system is theSquid Proxy server. But don’t let the name fool you, you do not have to install Squid on a server. You can just as easily install squid on a Linux desktop machine and control network access from your LAN.
Of course when you open up your /etc/squid/squid.conf file you might be a bit overwhelmed. So in this article I am going to show you two ways to limit access with Squid (instead of tossing the whole configuration file at you at once). I will also show you the quick and dirty method of installing Squid on a Fedora 13 machine. Once done with this article, you will at least be able to control network access by time or by IP address. In later articles we will discuss other ways to control network access with Squid.

Installation
Installation is quite simple. You can do this two ways: Command line or using the Add/Remove Software tool. Let’s take a look at the latter first.
In order to install Squid from the Add/Remove Software tool follow these steps:
  1. Click System > Administration > Add/Remove Software
  2. Search for “squid” (no quotes).
  3. Select the Squid application for installation.
  4. Click Apply to install.
That’s it. Now let’s take a look at the command line version of the same task. To do this, follow these steps:
  1. Open up a terminal window by clicking Applications > System Tools > Terminal.
  2. Issue the command su and then enter your root password.
  3. Issue the command yum install squid.
  4. If your system requires dependencies, allow them as well as the installation to continue.
  5. When finished exit out of the root prompt by issuing the command exit.
That’s it. Squid is now installed. Now, on to the configuration.
Configuration
The configuration file you need to edit is /etc/squid/squid.conf. Open that file up with your favorite text editor and get ready to configure. The first set up I am going to show you is how to restrict access by time. To do this you are going to create Access Control Lists (ACLs).
Let’s assume you are restricting access on an internal LAN with an IP scheme of 192.168.1.0 with a subnet mask of 255.255.255.0. And let’s say you are restricting access for your teenage children such that they can only access the network from the hours of 3:00pm until 7:00pm (just a random time I used for example). For this you will need to add two ACLs to your configuration file. Add this first section to the bottom of the ACL section of the file (You will see a long list of lines that start out acl). For restricting to the times I prescribed above the ACLs would look like:
acl home_network src 192.168.1.0/24
acl kids_hours time M T W H F 15:00-19:00
The first line defines the source of the connection and the second line defines the allowed time period.
To finish off this configuration you will need to add another line, this time you will add this section at the bottom of the http_access section (Under the Insert your own rules… here section). This line looks like:
http_access allow home_network kids_hours
NOTE: You could also create an acl for weekend hours to allow more access during those days.
Now, let’s say one of those teens has had trouble with grades and you want to completely restrict access to only that one machine (say the IP address for that child is 192.168.1.10), while continuing to control access to the other machines. To do this you could add a third ACL like so:
acl RestrictedHost src 192.168.1.10
Back to the http_access section you would then add this line:
http_access deny RestrictedHost
Save and close that file. Now restart Squid with the command (run as the root user):
/etc/rc.d/init.d/squid restart
The last thing you need to do is to configure the PCs of those who need to go through the Proxy server. Remember, Squid uses port 3128.
Final thoughts
Squid is a very powerful tool that can be used to to limit access in numerous ways. What I have shown you is only scratching the surface of Squid’s power, but it give you a good idea where to start and how far it can go.