Solved

IP-tables and SAMBA

Posted on 2004-08-22
4
272 Views
Last Modified: 2010-04-09
I have recently installed SAMBA on my network, and need to modify my IP-tables script so that everything on my local lan is allowed access, and one external IP - (for example 205.204.112.125).

The lan IP-range is 192.168.0.1 - 199. My current script looks something like this:
==================================================
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        
iptables --delete-chain
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT  
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo "$0: Done."
=================================================
Any suggestions.?
0
Comment
Question by:dansker69
  • 2
4 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11869841
Is your samba located on the same machine as the firewall ?
Assume the samba server is on the same machine do the following

FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137,138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137,138 -j ACCEPT


goodluck

If your samba server is not on the same machine please tell me. And do provide the name of the external interface and the one from the internal so we can add anti spoofing.
The script I run at home allows anything from inside to outside and to the firewall too.
It rejects anything from outside.

http://users.skynet.be/bk392628/S93iptables.


0
 

Expert Comment

by:theaussie
ID: 11871240
Samba is on the same machine. What do you mean by "name of the external interface and the one from the internal" ? Do you mean IP addresses.?
0
 

Author Comment

by:dansker69
ID: 11871657
I get a syntax error on the comma seperating "--dport 139,445". Should this be
--dport 139:445.?  
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 125 total points
ID: 11878339
the name of the interface is something like eth0 or ppp0
if that syntax does not work just add a line per port meaning
FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137 -j ACCEPT
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now