Solved

IP-tables and SAMBA

Posted on 2004-08-22
4
282 Views
Last Modified: 2010-04-09
I have recently installed SAMBA on my network, and need to modify my IP-tables script so that everything on my local lan is allowed access, and one external IP - (for example 205.204.112.125).

The lan IP-range is 192.168.0.1 - 199. My current script looks something like this:
==================================================
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        
iptables --delete-chain
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT  
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo "$0: Done."
=================================================
Any suggestions.?
0
Comment
Question by:dansker69
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11869841
Is your samba located on the same machine as the firewall ?
Assume the samba server is on the same machine do the following

FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137,138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137,138 -j ACCEPT


goodluck

If your samba server is not on the same machine please tell me. And do provide the name of the external interface and the one from the internal so we can add anti spoofing.
The script I run at home allows anything from inside to outside and to the firewall too.
It rejects anything from outside.

http://users.skynet.be/bk392628/S93iptables.


0
 

Expert Comment

by:theaussie
ID: 11871240
Samba is on the same machine. What do you mean by "name of the external interface and the one from the internal" ? Do you mean IP addresses.?
0
 

Author Comment

by:dansker69
ID: 11871657
I get a syntax error on the comma seperating "--dport 139,445". Should this be
--dport 139:445.?  
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 125 total points
ID: 11878339
the name of the interface is something like eth0 or ppp0
if that syntax does not work just add a line per port meaning
FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137 -j ACCEPT
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question