IP-tables and SAMBA

I have recently installed SAMBA on my network, and need to modify my IP-tables script so that everything on my local lan is allowed access, and one external IP - (for example 205.204.112.125).

The lan IP-range is 192.168.0.1 - 199. My current script looks something like this:
==================================================
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        
iptables --delete-chain
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT  
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo "$0: Done."
=================================================
Any suggestions.?
dansker69Asked:
Who is Participating?
 
bloemkool1980Connect With a Mentor Commented:
the name of the interface is something like eth0 or ppp0
if that syntax does not work just add a line per port meaning
FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137 -j ACCEPT
0
 
bloemkool1980Commented:
Is your samba located on the same machine as the firewall ?
Assume the samba server is on the same machine do the following

FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137,138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137,138 -j ACCEPT


goodluck

If your samba server is not on the same machine please tell me. And do provide the name of the external interface and the one from the internal so we can add anti spoofing.
The script I run at home allows anything from inside to outside and to the firewall too.
It rejects anything from outside.

http://users.skynet.be/bk392628/S93iptables.


0
 
theaussieCommented:
Samba is on the same machine. What do you mean by "name of the external interface and the one from the internal" ? Do you mean IP addresses.?
0
 
dansker69Author Commented:
I get a syntax error on the comma seperating "--dport 139,445". Should this be
--dport 139:445.?  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.