Solved

IP-tables and SAMBA

Posted on 2004-08-22
4
278 Views
Last Modified: 2010-04-09
I have recently installed SAMBA on my network, and need to modify my IP-tables script so that everything on my local lan is allowed access, and one external IP - (for example 205.204.112.125).

The lan IP-range is 192.168.0.1 - 199. My current script looks something like this:
==================================================
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        
iptables --delete-chain
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT  
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo "$0: Done."
=================================================
Any suggestions.?
0
Comment
Question by:dansker69
  • 2
4 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11869841
Is your samba located on the same machine as the firewall ?
Assume the samba server is on the same machine do the following

FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137,138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137,138 -j ACCEPT


goodluck

If your samba server is not on the same machine please tell me. And do provide the name of the external interface and the one from the internal so we can add anti spoofing.
The script I run at home allows anything from inside to outside and to the firewall too.
It rejects anything from outside.

http://users.skynet.be/bk392628/S93iptables.


0
 

Expert Comment

by:theaussie
ID: 11871240
Samba is on the same machine. What do you mean by "name of the external interface and the one from the internal" ? Do you mean IP addresses.?
0
 

Author Comment

by:dansker69
ID: 11871657
I get a syntax error on the comma seperating "--dport 139,445". Should this be
--dport 139:445.?  
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 125 total points
ID: 11878339
the name of the interface is something like eth0 or ppp0
if that syntax does not work just add a line per port meaning
FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137 -j ACCEPT
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question