
Re: Blocking SMB



On Tue, 2002-02-26 at 16:57, Charlie Grosvenor wrote:
> Hi
>     I am trying to block smb going out of my network using the following
> rules.
> 
> iptables -A FORWARD -o ppp0 -p tcp --dport 135 -j REJECT
> iptables -A FORWARD -o ppp0 -p tcp --dport 136 -j REJECT
> iptables -A FORWARD -o ppp0 -p tcp --dport 137 -j REJECT
> iptables -A FORWARD -o ppp0 -p tcp --dport 138 -j REJECT
> iptables -A FORWARD -o ppp0 -p tcp --dport 139 -j REJECT
> iptables -A FORWARD -o ppp0 -p udp --dport 135 -j REJECT
> iptables -A FORWARD -o ppp0 -p udp --dport 136 -j REJECT
> iptables -A FORWARD -o ppp0 -p udp --dport 137 -j REJECT
> iptables -A FORWARD -o ppp0 -p udp --dport 138 -j REJECT
> iptables -A FORWARD -o ppp0 -p udp --dport 139 -j REJECT
> iptables -A FORWARD -o ppp0 -p udp --dport 445 -j REJECT
> iptables -A FORWARD -o ppp0 -p tcp --dport 445 -j REJECT
> 
> For some reason this is not working, as http://stealthtests.lockdowncorp.com
> is able to find out information about my computer using smb; for example, it
> gives me the username that I used to log into Windows with.
> 
> How can I get the blocking of smb working? Is there a port that I should
> block that I haven't?

You are blocking these packets in the FORWARD chain, so the firewall
will not forward any SMB packets. If the host itself is running samba,
then you also need to block things on the input and output chains.

I would use:
iptables -A INPUT   -i ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
iptables -A FORWARD -i ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
iptables -A FORWARD -o ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
iptables -A OUTPUT  -o ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
iptables -A INPUT   -i ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP
iptables -A FORWARD -i ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP
iptables -A FORWARD -o ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP
iptables -A OUTPUT  -o ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP

I didn't know that 135, 136 and 445 were also used for SMB. I don't
care anyway, because a good firewall has a default policy of DROP and
then adds the minimal number of ACCEPT rules to get the amount of
complaining by the users to an acceptable level.

Besides using your firewall to block SMB, you should also configure
Samba not to listen to the ppp0 interface.
Whenever possible, use as many layers of protection as possible. Most
protocols can be secured on three levels:
- the daemon itself
- tcpwrappers
- firewall
Configure all three levels whenever possible.

-- 
Tot ziens,

Bart-Jan
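
To see why FORWARD-only rules leave a Samba daemon on the firewall host itself reachable, here is an added example (not from this thread) that models which iptables filter-table chain a packet traverses and applies both rule sets from the mail to constructed sample packets. The interface names eth0/ppp0 and the packets are assumptions; the chain-selection logic is standard netfilter behaviour.

```python
from dataclasses import dataclass

# Ports the thread names for SMB/NetBIOS/RPC.
SMB_PORTS = {135, 136, 137, 138, 139, 445}

@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    dport: int
    in_if: str    # interface it arrived on; "" if generated by this host
    out_if: str   # interface it leaves on; "" if addressed to this host

def chain_for(pkt):
    """Filter-table chain a packet traverses on a Linux router."""
    if pkt.in_if and pkt.out_if:
        return "FORWARD"          # routed through the box
    return "INPUT" if pkt.in_if else "OUTPUT"

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain's default policy applies.
    A rule is (chain, in_if or None, out_if or None, proto, dports, target)."""
    chain = chain_for(pkt)
    for r_chain, in_if, out_if, proto, ports, target in rules:
        if r_chain != chain or proto != pkt.proto or pkt.dport not in ports:
            continue
        if in_if and in_if != pkt.in_if:      # -i match
            continue
        if out_if and out_if != pkt.out_if:   # -o match
            continue
        return target
    return policy

# Charlie's rule set: FORWARD chain only, egress via ppp0, REJECT.
ORIGINAL_RULES = [("FORWARD", None, "ppp0", p, SMB_PORTS, "REJECT")
                  for p in ("tcp", "udp")]

# Bart-Jan's rule set: INPUT, FORWARD (both directions) and OUTPUT, DROP.
REPLY_RULES = [(chain, in_if, out_if, p, SMB_PORTS, "DROP")
               for p in ("tcp", "udp")
               for chain, in_if, out_if in (("INPUT", "ppp0", None),
                                            ("FORWARD", "ppp0", None),
                                            ("FORWARD", None, "ppp0"),
                                            ("OUTPUT", None, "ppp0"))]

# Constructed sample packets (assumed interface names, not from the thread).
LAN_TO_INTERNET = Packet("tcp", 139, "eth0", "ppp0")   # LAN host -> Internet
INTERNET_TO_SAMBA = Packet("tcp", 445, "ppp0", "")     # scanner -> local Samba
SAMBA_TO_INTERNET = Packet("udp", 138, "", "ppp0")     # local Samba -> Internet
WEB_OUT = Packet("tcp", 80, "eth0", "ppp0")            # unrelated traffic
```

Run `verdict(ORIGINAL_RULES, INTERNET_TO_SAMBA)` and `verdict(REPLY_RULES, INTERNET_TO_SAMBA)` side by side: the original rules return the chain's default ACCEPT because the packet traverses INPUT, which has no rule, while the reply's rules drop it.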


