
SMB in iptables



I have created a firewall setup for a PC that serves as web and database
server on our university network.

It is basically a setup with an input deny and output allow policy. No NAT
or masquerading is used whatsoever.
Kernel is a self-compiled 2.4.16.
The firewall functions well for most things:
all ports are blocked except ssh, http, ftp and mysql.
However, I have some questions:
1. How do I get SMB to work? It does not function with the rules below. I
have experimented with the following lines:
#
iptables -A INPUT -i eth0 -p 137 -j ACCEPT
iptables -A INPUT -i eth0 -p 138 -j ACCEPT
iptables -A INPUT -i eth0 -p 139 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
#
However, they all make no difference whatsoever.

2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.

3. Should I deny UDP packets on interfaces that basically use TCP?

4. Is it wise to check for malformed packets, such as Christmas tree packets and
the like?

Thanks for helping me,

Kai Klopper

#!/bin/sh
## Create chain which blocks new connections, except if coming from inside.
#iptables -P FORWARD DROP
# Flush every chain in the filter table, then delete the old "block" chain
# so the script can be re-run cleanly.
iptables -F
iptables -X block
# Default policies: deny all input, allow all output.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

iptables -N block
# Replies to connections we already track are fine.
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted only if they do not arrive on eth0 (e.g. loopback).
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
#iptables -A FORWARD -j block

# Services reachable from anywhere on eth0: http, ssh, ftp (20/21).
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
# only allow mysql from university ip-addresses
iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
# Everything else goes through the state check; any new rule must be
# appended above this line or it is never reached.
iptables -A INPUT -j block
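The reason the SMB attempts above make no difference is that `-p 137` matches IP protocol number 137, not TCP/UDP port 137. The following script is an added example, not part of the original post: `smb_rules` prints (rather than applies) the rules that match the NetBIOS services by protocol and port, restricted to the university range the post already uses for mysql, and `is_proto_port_confusion` flags a rule written with a bare number after `-p`. The interface name, source network and the decision to print the rules for review are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Emits corrected SMB rules for
# the INPUT chain; they must be appended before the final "-j block" rule.

# NetBIOS name service (UDP 137), datagram service (UDP 138) and the
# session service used for file sharing (TCP 139) each need an explicit
# "-p udp"/"-p tcp" plus "--dport"; "-p 137" would mean IP protocol 137.
smb_rules() {
    iface="$1"   # assumed interface, e.g. eth0
    srcnet="$2"  # assumed source range, e.g. 131.211.0.0/16
    for port in 137 138; do
        echo "iptables -A INPUT -p udp -i $iface -s $srcnet --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -i $iface -s $srcnet --dport 139 -j ACCEPT"
    # Clients that speak SMB directly over TCP also use port 445; add a
    # matching "-p tcp --dport 445" line if such clients must reach the host.
}

# Returns 0 when a rule uses "-p <number>" (a protocol number, almost always
# a port typed by mistake), 1 otherwise.
is_proto_port_confusion() {
    printf '%s\n' "$1" | grep -Eq -- '(^| )-p [0-9]+( |$)'
}

# Usage: review the generated rules before piping them to sh.
smb_rules eth0 131.211.0.0/16
```

The checker rejects the post's `-p 137` line but accepts `-p udp --dport 137`, which is the distinction that makes the SMB rules take effect.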


