
Re: SMB in iptables



One thing I forgot to mention:

I want to use SMB from the webserver.
For example, when I log in on it with SSH, I want to be able to do:

nmblookup niels
(niels is a server on the lan)

This works with FW off, but not when it is on.

----- Original Message -----
From: "Kai Klopper" <kaiklopper@hotmail.com>
To: <debian-firewall@lists.debian.org>
Sent: Wednesday, January 02, 2002 4:31 PM
Subject: SMB in iptables


> I have created a firewall setup for a pc that serves as web and database
> server on our university network.
>
> It is basically a setup with an input deny and output allow policy. No NAT
> or masquerading is used whatsoever.
> Kernel is a self-compiled 2.4.16.
> The firewall functions well for most things:
> All ports are blocked except ssh, http, ftp and mysql.
> However, I have some questions:
> 1. How do I get SMB to work? It does not function with the rules below. I
> have experimented with the following lines:
> #
> iptables -A INPUT -i eth0 -p 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p 138 -j ACCEPT
> iptables -A INPUT -i eth0 -p 139 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
> #
> However, they all make no difference whatsoever.
>
> 2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.
>
> 3. Should I deny UDP packets on interfaces that basically use TCP?
>
> 4. Is it wise to check for malformed packets, such as christmas packets and
> the like?
>
> Thanks for helping me,
>
> Kai Klopper
>
> #!/bin/sh
> ##Create chain which blocks new connections, except if coming from inside.
> #iptables -P FORWARD DROP
> iptables -F
> iptables -X block
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
>
> ## Jump to that chain from INPUT and FORWARD chains.
> #iptables -A FORWARD -j block
>
> iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> # only allow mysql from university ip-addresses
> iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> iptables -A INPUT -j block
>
>
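An added example for the SMB question above, not the poster's script or any list member's reply: it spells out why the quoted lines have no effect (`-p 137` selects IP protocol 137, not a port, and the unicast reply to a broadcast name query is not ESTABLISHED for conntrack) and emits the narrow LAN-only rules that fix it. It assumes the LAN is 131.211.221.0/24 (inferred from the poster's broadcast address 131.211.221.255) and the interface is eth0; by default it only prints the rules.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's script. Assumptions:
# the LAN is 131.211.221.0/24 (implied by the poster's broadcast address
# 131.211.221.255) and the interface is eth0. IPT defaults to a dry run
# that prints the rules; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Why the original lines had no effect:
#  * "-p 137" matches IP protocol number 137, not UDP/TCP port 137.
#    NetBIOS name service is UDP/137, datagram service UDP/138 and
#    session service (file sharing) TCP/139.
#  * nmblookup sends a *broadcast* query to port 137 and gets a *unicast*
#    reply from the answering host's port 137. Connection tracking expects
#    the reply from the broadcast address, so the reply is NEW rather than
#    ESTABLISHED and the "block" chain drops it.
smb_client_rules() {
    lan="$1"; ifc="$2"
    # replies to our own broadcast name queries, LAN hosts only
    $IPT -A INPUT -i "$ifc" -p udp -s "$lan" --sport 137 -j ACCEPT
    # TCP/139 sessions we open ourselves are unicast, so the existing
    # ESTABLISHED,RELATED rule already covers them.
}

smb_server_rules() {
    lan="$1"; ifc="$2"
    # only needed if this host also runs nmbd/smbd for LAN clients
    $IPT -A INPUT -i "$ifc" -p udp -s "$lan" --dport 137:138 -j ACCEPT
    $IPT -A INPUT -i "$ifc" -p tcp -s "$lan" --dport 139 -j ACCEPT
}

# These must be appended before the final "iptables -A INPUT -j block",
# otherwise the block chain's DROP is reached first.
smb_client_rules 131.211.221.0/24 eth0
```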


