Solved

IP-tables and SAMBA

Posted on 2004-08-22
4
271 Views
Last Modified: 2010-04-09
I have recently installed SAMBA on my network, and need to modify my IP-tables script so that everything on my local lan is allowed access, and one external IP - (for example 205.204.112.125).

The lan IP-range is 192.168.0.1 - 199. My current script looks something like this:
==================================================
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush        
iptables --delete-chain
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT  
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo "$0: Done."
=================================================
Any suggestions.?
0
Comment
Question by:dansker69
  • 2
4 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11869841
Is your samba located on the same machine as the firewall ?
Assume the samba server is on the same machine do the following

FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137,138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137,138 -j ACCEPT


goodluck

If your samba server is not on the same machine please tell me. And do provide the name of the external interface and the one from the internal so we can add anti spoofing.
The script I run at home allows anything from inside to outside and to the firewall too.
It rejects anything from outside.

http://users.skynet.be/bk392628/S93iptables.


0
 

Expert Comment

by:theaussie
ID: 11871240
Samba is on the same machine. What do you mean by "name of the external interface and the one from the internal" ? Do you mean IP addresses.?
0
 

Author Comment

by:dansker69
ID: 11871657
I get a syntax error on the comma seperating "--dport 139,445". Should this be
--dport 139:445.?  
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 125 total points
ID: 11878339
the name of the interface is something like eth0 or ppp0
if that syntax does not work just add a line per port meaning
FOR LAN ACCESS
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.1/24 --dport 138 -j ACCEPT

FOR EXTERNAL ACCESS
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 205.204.112.125/32 --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -s 205.204.112.125/32 --dport 137 -j ACCEPT
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
check firmware version - draytek vigor 2860 2 35
Opening Port 80 10 59
Cisco ASA 1 54
Is my Machine open to hackers 3 77
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now