Squid Proxy Server Mac Address based filtering

Q. I’m using squid proxy server under CentOS Linux version 5. How to filter a particular MAC address under squid?

A. Not all operating system supports Mac address based filtering. For some operating systems. Squid calls these “ARP ACLs” and they are supported on Linux, Solaris, and BSD variants.

How do I set up ACL’s based on MAC address?

Open squid.conf:
# vi /etc/squid/squid.conf
Local acl, section and append ACL as follows:
acl macf1 arp mac-address
acl macf2 arp 00:11:22:33:44:55
http_access allow macf1
http_access allow macf2
http_access deny all

Save and close the file. Restart squid server:
# /etc/init.d/squid restart

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 34 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
34 comments… add one
  • Justus Jan 9, 2008 @ 7:36

    dear all
    i tried to the above but still not able to control using mac
    2008/01/09 10:26:32| aclParseAclLine: Invalid ACL type ‘arp’
    FATAL: Bungled squid.conf line 1882: acl ARP arp
    Squid Cache (Version 2.5.STABLE14): Terminated abnormally.

    please assist

    • gurpreet Mar 3, 2011 @ 7:13

      Use the squid version 3.0

    • Syed Mushtaq Ahemd May 21, 2011 @ 7:58

      first u have to downlaod squid version 2.5 Stable 14 src.rpm then use command rpm -ivh and install
      1. Download ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/squ

      load it with

      2. rpm -ivh squid-2.6.STABLE6-5.el5_1.3.src.rpm


      3. updatedb

      4. vim /usr/src/redhat/SPECS/squid.spec

      5. add two line as below at %configure section see last two lines.

      %configure \
      –exec_prefix=/usr \
      –bindir=%{_sbindir} \
      –libexecdir=%{_libdir}/squid \
      –localstatedir=/var \
      –datadir=%{_datadir} \
      –sysconfdir=/etc/squid \
      –enable-epoll \
      –enable-snmp \
      –enable-removal-policies=”heap,lru” \
      –enable-storeio=”aufs,coss,diskd,null,ufs” \
      –enable-ssl \
      –with-openssl=/usr/kerberos \
      –enable-delay-pools \
      –enable-linux-netfilter \
      –with-pthreads \
      –enable-ntlm-auth-helpers=”SMB,fakeauth” \
      –enable-external-acl-helpers=”ip_user,ldap_group,unix_group,wbinfo_group” \
      –enable-auth=”basic,digest,ntlm” \
      –enable-digest-auth-helpers=”password” \
      –with-winbind-auth-challenge \
      –enable-useragent-log \
      –enable-referer-log \
      –disable-dependency-tracking \
      –enable-cachemgr-hostname=localhost \
      –enable-underscores \
      –enable-basic-auth-helpers=”LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL” \
      –enable-cache-digests \
      –enable-ident-lookups \
      %ifnarch ppc64 ia64 x86_64 s390x
      –with-large-files \
      –enable-follow-x-forwarded-for \
      –enable-wccpv2 \
      –enable-fd-config \
      –with-maxfd=16384 \
      –enable-arp \ <==========added line 1
      –enable-arp-acl \ <==========added line 2

      6. rpmbuild -ba /usr/src/redhat/SPECS/squid.spec

      7. Wait some time let it compile have cup of coffee :)

      then load the rpm

      rpm -ivh /usr/src/redhat/RPMS/i386/squid-2.6.STABLE6-5.3.i386.rpm

      8. Then edit /etc/squid/squid.conf

      #—-the sample code—–
      acl our_networks src
      acl aclmac arp 00:08:A1:95:71:D4
      create blockscripts folder in squid folder allow in squid.conf like this
      acl aclmac arp '/etc/squid/blockscripts/allowmac.txt
      http_access allow aclmac
      http_access deny aclmac
      http_access allow our_network
      #—- end of sample code———

      Have a happy arp / MAC restriction with ACL in squid.

      • Aniruddha Mar 16, 2015 @ 10:16

        Good Day!!!

        I have CentOS 6.6 server installed with Squid proxy 3.5.1 recompiled source RPM with –enable-arp \ & –enable-arp-acl \ options, which are required to enable mac address filtering acl.

        I want to allow internet access to only allowed mac addresses via squid. I have tried with below ACL in squid.conf but its not blocking other mac addresses.

        acl allow_mac arp 01:23:45:AB:E0:CC
        http_access allow allow_mac
        http_access deny !allow_mac <======This is to block other mac address

        Also let me know if this is possible with iptables.

        I need to block internet access to some users but they should able to access samba share on the server.

        Please help me to resolve this issue,

        Thanks in advance.


    • c v k chary Jun 28, 2011 @ 9:33

      you have to download source code for squid and recompile with –enable-arp-acl and use that binary for use with mac address.Many vendors like redhat including cebtos do not compile squid with that option enabled. Suse does compile with the said option. Hence you can use suse linux any version and configure squid in that machine if you have one.


  • pradeep Mar 12, 2008 @ 4:03

    web site is block but i want to open web site ony one ip address
    what is acl rule in squid file in linux

  • vikas kashikar Jun 18, 2008 @ 6:32

    you will have to recompile squid and make it before mac based filtering works.

    add –enable-arp-acl to your original configure command in squid and run the following

    % ./configure –enable-arp-acl …
    % make clean
    % make

    then the above acls in squid.conf will work.

  • Kamran Rashid Jul 12, 2008 @ 4:46

    First of all i would like to thanks for this site producers,how are doing great work.

    I have learnt lot from here. Now I need help regarding MAC Address Filtering I have more then 100 user network i wants give the internet facility to only 30 user how can i do this?

  • Gurpreet Oct 14, 2008 @ 6:19

    dear i create 4 acl that is lab1, lab2, off, block_site & 1 is block.txt file. how to block 3 acl with 3 different block files in squid so that off access different block file its is possible plz reply me

    • Gurpreet Feb 19, 2011 @ 9:08

      create another txt files with changes such as block2.txt. Inser in squid.conf file
      acl sites dstdomain “/etc/squid/block2”

      http_access deny sites aclname

  • bashir Dec 24, 2008 @ 3:58

    Hi to all user with best wishes:
    i using squid 2.6 STABLES18 and found the following error when tying to macaddress :

    aclParseAClline: invalid ACL type ‘arp’
    FATA: Bungled squid.conf line 619: acl macaddress arp “/usr/local/squid/etc/macaddress”
    squid cache (version 2.6 STABLE18): Terminated abnormally

    kindly help

    with best wishes to all

    bashir – islamabad pakistan

    • Gurpreet Feb 19, 2011 @ 9:09

      I am also mac address problem if you find this solution so please get me

      • gurpreet Mar 3, 2011 @ 7:14

        use squid 3.0 . In this squid already enable the ‘arp’

    • adil Jul 14, 2011 @ 10:27

      hello dear how are you dear i try to add this script but i am faing same error plz tell in some info abut this

  • thaabiet Feb 1, 2009 @ 20:54


    How would I redirect the block mac address to a webpage ?


  • sameer kale Apr 5, 2009 @ 8:17

    I want to authenticate user of my network by his username password and MAC address for granting the internet access. Is it possible to do this ????? if yes how???

  • Syed Mushtaq Ahmed Jan 22, 2010 @ 6:47

    This is what i’m thinking of. i would like to deny everyone’s access to use my internet facility. The i would like to give them access through IP Addresses and MAC Addresses and these ip addresses and mac addresses bandwirdth rule list want add in one file e.g Allow-ip-mac.txt plz help how to add this file and where to allow only users through this file plz help i shell ever thankful to u

  • roshankumarr Feb 26, 2010 @ 7:32

    I would like to give them access through IP Addresses and MAC Addresses plz help how to do this.

    • KAWISH Sep 25, 2010 @ 6:49

      vi /home/user_mac
      enter user mac
      control :x save exit
      open squid type this line
      acl allowmac src ‘/home/user_mac’
      acl allowmac arp ‘/home/user_mac’

      • adil Jul 14, 2011 @ 10:42

        dear how do i use this command in linuix b.c i have already use some commands but facing error message suppose that
        FATA: Bungled squid.conf line 619: acl macaddress arp “/usr/local/squid/etc/macaddress”

  • Adnan Oct 8, 2010 @ 6:46

    I have installed RHEL5 server. I am using squid as proxy server.
    I want to block the mac address of some computer that is causing problem in the network.

    I have used this acl:

    acl blockmac arp 00:A7:88:BA:19:OF
    http_access deny blockmac.

    When i reload the squid service. It gives an error.
    aclParseAclLine: Invalid ACL type ‘arp’
    FATAL: Bungled squid.conf line 613: acl macaddress arp 00:A7:88:BA:19:OF
    Squid Cache (Version 2.6.STABLE21): Terminated abnormally.

    I have read the different solutions. like
    but i am not able to do this. i have installed rpm verison of squid.
    Can any body help me how to reslolve this issue

    • rootlurker Dec 7, 2010 @ 4:30

      Hi, its bungled because you put “O” on the mac instead of “0” (zero) .. mac address is only up to “F”.


  • Rizwan Admani Oct 10, 2010 @ 0:05

    Dear ,
    you can do it from firewall option
    only this mac_address drop port 80 only simple.

  • javed Dec 29, 2010 @ 6:00

    how to use the
    to block the mac address

  • lutfi May 8, 2011 @ 3:06

    i’ve already use the 3.1 version but it still give an error:
    2011/05/08 09:57:24| aclParseAclLine: Invalid ACL type ‘arp’
    FATAL: Bungled squid.conf line 33: acl lutfi arp 00:1F:3C:84:14:F3
    Squid Cache (Version 3.1.12): Terminated abnormally.
    CPU Usage: 0.011 seconds = 0.006 user + 0.006 sys
    Maximum Resident Size: 3696 KB
    Page faults with physical i/o: 0
    kovzone# pkg_info | grep squid
    squid-3.1.12 HTTP Caching Proxy

    how could i solve this?

  • lutfi May 8, 2011 @ 4:19

    i’ve found the answer above.. i should’ve do
    ./configure –enable-arp-acl
    before make install
    but what if i’ve already install it?

  • Hussain May 28, 2011 @ 11:45

    which is the good tool to get all Squid reports according each user’s.

  • jalal hajigholamali Jun 27, 2011 @ 17:23

    Very useful and good material…thanks a lot

  • Ali Zaheer Nov 5, 2011 @ 20:07

    i want to block mac addresses using acl. I have done it this way:
    acl badmac arp (mac address)
    http_access deny badmac

    but i want to block multiple addresses. plz tell me the method how i can create a separate file of blocked mac addresses and create one acl for the same.

    • Agung D Fire fist Nov 21, 2011 @ 7:03

      you can copy paste your acl rule like this :
      acl badmac arp (mac address1)
      acl badmac arp (mac address2)
      acl badmac arp (mac address3)
      acl badmac arp (mac address4)
      so on…

      http_access deny badmac

  • Vinit Tyagi Apr 28, 2012 @ 6:42

    I am using Squid version 2.6 on RHEL 5,but i am able to mac filtring.
    Please tell me about ho can i use mac filtring in Squid version 2.6.

    Thanks and Regards
    Vinit Tyagi

  • danielle May 2, 2012 @ 15:27

    i want to allow mac address to access site how can i do this using proxy squid

  • ruwan Nov 29, 2012 @ 8:06

    I want to block some web sites for some MAC Addresses and other MAC addresses want to use some web sites.. How do I do that?

  • arichikirido Jun 6, 2013 @ 8:13

    i would like to know. how can i make first load page to my creations own page with squid for squid clients browser?

    anyone explain to me step by step.

    Many Thanks.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum