
Re: SMB in iptables



I use samba/ftp/ssh with an iptables firewall even with an output policy
of DROP. For ftp 21 is enough, conntrack takes care of the rest. For
samba opening 137-139 in and out was enough.

The only real difference I can see to your script right now is the
order: I do the established/related first, then add more rules for
allowed new connections. Also I have two separate rulesets for tcp and
udp, but they both open 137-139. I just ignore the broadcasts, they never
caused me any trouble.

I also allow any incoming icmp but echo requests (is that dangerous?).

Hope this helps. It doesn't really explain why it's not working for you, but
maybe it gives you some hope. ;) Btw. I used 2.4.17, but it worked with
older kernels, too.

bye
fabian

On Wed, 2002-01-02 at 16:31, Kai Klopper wrote:
> I have created a firewall setup for a PC that serves as web and database
> server on our university network.
> 
> It is basically a setup with an input deny and output allow policy. No NAT
> or masquerading is used whatsoever.
> Kernel is a self-compiled 2.4.16
> The firewall functions well for most things:
> All ports are blocked except ssh, http, ftp and mysql.
> However, I have some questions:
> 1. How do I get SMB to work? It does not function with the rules below. I
> have experimented with the following lines:
> #
> iptables -A INPUT -i eth0 -p 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p 138 -j ACCEPT
> iptables -A INPUT -i eth0 -p 139 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
> #
> However, they all make no difference whatsoever.
> 
> 2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.
> 
> 3. Should I deny UDP packets on interfaces that basically use TCP?
> 
> 4. Is it wise to check for malformed packets, such as christmas packets and
> the like?
> 
> Thanks for helping me,
> 
> Kai Klopper
> 
> #!/bin/sh
> ##Create chain which blocks new connections, except if coming from inside.
> #iptables -P FORWARD DROP
> iptables -F
> iptables -X block
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> 
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
> 
> ## Jump to that chain from INPUT and FORWARD chains.
> #iptables -A FORWARD -j block
> 
> iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> # only allow mysql from university ip-addresses
> iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> iptables -A INPUT -j block
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

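The following is an added example and not the script from either mail. It keeps the quoted script's INPUT-DROP / OUTPUT-ACCEPT layout and Fabian's "established/related first" ordering, but replaces the experimental SMB lines: `-p 137` never matches because `-p` selects a protocol (tcp, udp, icmp or an IP protocol number), not a port, so the NetBIOS ports have to be given with `--dport`, UDP for 137/138 and TCP for 139. It also answers questions 2 to 4 in rule form (only port 21 inbound for ftp, no extra UDP handling beyond the DROP policy, and a few bad-flag drops). The interface name, the 131.211.0.0/16 network from the mail and the `IPT` dry-run switch are assumptions for the example; set `IPT="echo iptables"` (or run it without arguments) to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not the list posters' script): host firewall with working
# SMB rules. IPT defaults to the real binary; IPT="echo iptables" dry-runs.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
# Assumed: the university network that may reach shares and MySQL.
LAN="${LAN:-131.211.0.0/16}"

base_policy() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback first, then everything conntrack already knows about, so every
    # later rule only has to describe NEW connections (the ordering from the reply).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Q4: drop what conntrack cannot classify plus the classic bad flag
    # combinations (xmas = all flags, null = no flags, SYN+FIN) before any ACCEPT.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
}

public_services() {
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT
    # Q2: only the control port is needed inbound. Active-mode data connections
    # leave this host from port 20 (OUTPUT is ACCEPT); passive-mode data
    # connections arrive as RELATED once the 2.4 helper ip_conntrack_ftp is loaded.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$LAN" --dport 3306 -j ACCEPT
}

smb_rules() {
    # NetBIOS name service (137) and datagram service (138) are UDP; the
    # session service (139) is TCP. "-p 137" in the quoted mail is a protocol
    # number, not a port, which is why those lines never matched anything.
    $IPT -A INPUT -i "$IFACE" -p udp -s "$LAN" --dport 137:138 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$LAN" --dport 139 -j ACCEPT
    # Direct-hosted SMB (Windows 2000 and later) uses TCP 445 without NetBIOS.
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$LAN" --dport 445 -j ACCEPT
    # Name queries and browse announcements are broadcasts, which conntrack
    # never marks ESTABLISHED, so the UDP rule above must match them itself;
    # the -s restriction keeps NetBIOS from being reachable from the Internet.
    # Q3: no blanket UDP rule is needed, the INPUT DROP policy already covers it.
}

# Dry-run helper: print the rules a function would load, in a subshell so the
# real IPT setting is untouched.
dump_rules() ( IPT="echo iptables"; "$1" )

case "${1:-}" in
    apply)   base_policy; public_services; smb_rules ;;
    show|"") dump_rules base_policy; dump_rules public_services; dump_rules smb_rules ;;
    *)       echo "usage: $0 [apply|show]" >&2; exit 2 ;;
esac
```

Running the script with no arguments prints the full rule set for review; `apply` loads it. Both the MySQL and SMB rules carry the `-s` restriction, so the Samba ports stay closed to everything outside the university network even though the input policy alone would not distinguish them.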