Re: iptables and samba
From: Bradley W. Olin
Date: 10/26/02
- Next message: Roeland Th. Jansen: "Re: ISO-Images for SUSE 8.1"
- Previous message: David McCarthy: "Re: Snort vs Commercial IDS"
- In reply to: Matthias Szusdziara: "Re: iptables and samba"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 26 Oct 2002 21:32:47 GMT
On 20 Oct 2002 19:49:34 GMT, Matthias Szusdziara
<msz@fire.csn.tu-chemnitz.de> wrote:
>Niy <niy38@hotmail.com> wrote:
>> #########################################################################
>> #!/bin/bash
>>
>> IPTABLES="/sbin/iptables"
>> IP="x.x.x.x"
>>
> BCAST=`ifconfig eth0 | grep -i BCAST | sed 's/.*Bcast://' | sed 's/ .*$//'`
>>
>> # default of INPUT is DROP
>> $IPTABLES -F INPUT
>> $IPTABLES -P INPUT DROP
>>
>> $IPTABLES -A INPUT -d 127.0.0.1 -j ACCEPT
>> $IPTABLES -A INPUT -i lo -j ACCEPT
>> $IPTABLES -A INPUT -p icmp -j ACCEPT
>
>> $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
>> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>> $IPTABLES -A OUTPUT -p icmp -j ACCEPT
>
>>
>>
>> # now accept samba port
>> $IPTABLES -A INPUT -s 0.0.0.0/0 -d $IP -p tcp --dport 137:139 -j ACCEPT
>> $IPTABLES -A INPUT -s 0.0.0.0/0 -d $IP -p udp --dport 137:139 -j ACCEPT
> $IPTABLES -A INPUT -s 0.0.0.0/0 -d $BCAST -p udp --dport 137:139 -j ACCEPT
>
> $IPTABLES -A OUTPUT -s 0.0.0.0/0 -d $BCAST -p udp --dport 137:139 -j ACCEPT
> $IPTABLES -A OUTPUT -s $IP -d 0.0.0.0/0 -p tcp --dport 137:139 -j ACCEPT
> $IPTABLES -A OUTPUT -s $IP -d 0.0.0.0/0 -p udp --dport 137:139 -j ACCEPT
>>
>> #############################################################################
>>
>
>I hope I haven't overlooked anything. This should get the whole thing to
>work. (BCAST is the broadcast address of your subnet. I assume that eth0 is
>the ethernet interface you use.)
>
>The trick is to let the broadcasts and outgoing packets pass through
>the packet filter.
>
>
>Regards
>Matt
kinda sloppy rules... give this a try!
# NetBIOS name service (137/udp) and datagram service (138/udp), broadcast and unicast
$IPTABLES -A INPUT -i $LOCIF -p udp -s $LOCNET -d $BCAST --sport 137 --dport 137 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $LOCIF -p udp -s $LOCNET -d $BCAST --sport 138 --dport 138 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $LOCIF -p udp -s $LOCNET -d $IP --dport 137:138 -m state --state NEW -j ACCEPT
# SMB session service (139/tcp): only the connection-opening SYN needs a rule
$IPTABLES -A INPUT -i $LOCIF -p tcp -s $LOCNET -d $IP --dport 139 --syn -j ACCEPT
$IPTABLES -A OUTPUT -o $LOCIF -p udp -s $IP -d $BCAST --sport 137 --dport 137 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $LOCIF -p udp -s $IP -d $BCAST --sport 138 --dport 138 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $LOCIF -p udp -s $IP -d $LOCNET --sport 137:138 -m state --state NEW -j ACCEPT
# client side: SYN from this host to port 139 on another LAN host
$IPTABLES -A OUTPUT -o $LOCIF -p tcp -s $IP -d $LOCNET --dport 139 --syn -j ACCEPT
this assumes:
1) previous rules for ESTABLISHED packets are in place
2) $LOCNET is your local samba network (e.g. "192.168.1.0/24")
3) $LOCIF is your local samba interface (e.g. "eth0")
Brad
--
"Where the spirit does not work with the hand, there is no art."
Leonardo da Vinci
Bradley W. Olin
http://www.bwo1.com
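As an added example (not code from the original thread or from any of its posters), here is the Samba-only ruleset discussed above assembled into one complete script. The interface, address and prefix length at the top are constructed placeholder values, not taken from the thread. The network and broadcast addresses are computed in shell arithmetic instead of scraped out of ifconfig text, replies are admitted by conntrack state so only connection-opening packets need rules (the "previous rules for ESTABLISHED packets" Brad assumes), and 445/tcp is included next to 139/tcp because SMB clients since Windows 2000 and Samba 3 also talk directly over 445, which the thread does not mention. Without an argument the script only prints the rules it would load; `apply` as root loads them.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a host that is both a Samba
# server and a Samba client on one LAN segment. Values below are constructed
# placeholders; override them in the environment or edit them.
IPTABLES=${IPTABLES:-/sbin/iptables}
LOCIF=${LOCIF:-eth0}            # interface the LAN is on
IP=${IP:-192.168.1.10}          # this host's address on $LOCIF
PREFIX=${PREFIX:-24}            # prefix length of the LAN

# dotted quad -> integer (octets with leading zeros are not handled)
ip2int() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# integer -> dotted quad
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}
# Network and directed-broadcast address from address + prefix length, so the
# script does not depend on the text layout of ifconfig/ip output.
net_of()   { int2ip $(( $(ip2int "$1") & (4294967295 << (32 - $2)) & 4294967295 )); }
bcast_of() { int2ip $(( $(ip2int "$1") | (4294967295 >> $2) )); }

LOCNET="$(net_of "$IP" "$PREFIX")/$PREFIX"
BCAST=$(bcast_of "$IP" "$PREFIX")

samba_rules() {
    # Both chains default to DROP; state tracking admits replies, so only
    # packets that open a conversation need explicit rules.
    for chain in INPUT OUTPUT; do
        $IPTABLES -F $chain
        $IPTABLES -P $chain DROP
    done
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT      # OUTPUT matches on -o, never -i
    $IPTABLES -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT  -m conntrack --ctstate INVALID -j DROP
    $IPTABLES -A INPUT  -i $LOCIF -p icmp -s $LOCNET -j ACCEPT
    $IPTABLES -A OUTPUT -o $LOCIF -p icmp -d $LOCNET -j ACCEPT

    # NetBIOS name service (137/udp) and datagram service (138/udp): nmbd uses
    # subnet broadcasts for these, plus unicast between individual hosts.
    $IPTABLES -A INPUT  -i $LOCIF -p udp -s $LOCNET -d $BCAST --dport 137:138 -j ACCEPT
    $IPTABLES -A INPUT  -i $LOCIF -p udp -s $LOCNET -d $IP    --dport 137:138 -j ACCEPT
    $IPTABLES -A OUTPUT -o $LOCIF -p udp -s $IP -d $BCAST  --dport 137:138 -j ACCEPT
    $IPTABLES -A OUTPUT -o $LOCIF -p udp -s $IP -d $LOCNET --dport 137:138 -j ACCEPT

    # SMB session service: 139/tcp (over NetBIOS) and 445/tcp (direct hosting).
    # Only the opening SYN is matched; the rest of the connection is ESTABLISHED.
    $IPTABLES -A INPUT  -i $LOCIF -p tcp -s $LOCNET -d $IP -m multiport --dports 139,445 --syn -j ACCEPT
    # Client side (smbclient, mount.cifs, winbind) towards other LAN hosts.
    $IPTABLES -A OUTPUT -o $LOCIF -p tcp -s $IP -d $LOCNET -m multiport --dports 139,445 --syn -j ACCEPT
}

# Sanity check before loading: every INPUT ACCEPT other than loopback and the
# conntrack rule must be scoped to -s $LOCNET (the point of Brad's reply).
# Returns the number of unscoped INPUT ACCEPT rules; 0 is the expected answer.
unscoped_input_accepts() {
    (IPTABLES=echo; samba_rules) | grep '^-A INPUT' | grep ' -j ACCEPT' \
        | grep -v -e '-i lo' -e 'ctstate' | grep -v -c -- "-s $LOCNET" || true
}

case "${1:-}" in
    apply) samba_rules ;;                 # load the rules (needs root)
    *)     (IPTABLES=echo; samba_rules) ;; # dry run: print what would be loaded
esac
```

After `apply`, verify with `iptables -L INPUT -v -n --line-numbers` and, from another host on the LAN, `smbclient -L //192.168.1.10 -N`; a host outside $LOCNET should see port 139 and 445 SYNs simply time out.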