
Re: SMB in iptables



For the record Samba uses:

UDP ports 137 and 138
TCP port 139

> I have created a firewall setup for a pc that serves as web and
> database server on our university network
> 
> It is basically a setup with an input deny and output allow policy. No
> NAT or masquerading is used whatsoever. Kernel is a self-compiled
> 2.4.16. The firewall functions well for most things: all ports are
> blocked except ssh, http, ftp and mysql. However, I have some
> questions:
> 
> 1. How do I get SMB to work? It does not function with the rules
> below. I have experimented with the following lines:
> 
> #
> iptables -A INPUT -i eth0 -p 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p 138 -j ACCEPT
> iptables -A INPUT -i eth0 -p 139 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
> #
> 
> However, they all make no difference whatsoever.
> 
> 2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.
> 
> 3. Should I deny UDP packets on interfaces that basically use TCP?
> 
> 4. Is it wise to check for malformed packets, such as Christmas
> packets and the like?
> 
> Thanks for helping me,
> 
> Kai Klopper
> 
> #!/bin/sh
> ##Create chain which blocks new connections, except if coming from
> ##inside.
> #iptables -P FORWARD DROP
> iptables -F
> iptables -X block
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> 
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
> 
> ## Jump to that chain from INPUT and FORWARD chains.
> #iptables -A FORWARD -j block
> 
> iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> # only allow mysql from university ip-addresses
> iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> iptables -A INPUT -j block
> 
> 


--
Paul Haesler                    paul@phaesler.org
                                ICQ: 124547085
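As an added example (not part of Paul's reply or Kai's script): the three rules those ports translate to in the poster's INPUT-DROP setup, limited to the university /16 from the post. The interface name and the dry-run `IPT` variable are my assumptions.

```shell
#!/bin/sh
# Added example, not from the list post. Samba rules for an INPUT-DROP
# firewall, using the ports named in the reply: UDP 137/138, TCP 139.
# Assumptions: LAN interface eth0; the trusted range is the university /16
# already used for mysql in the poster's script.
# IPT defaults to "echo iptables" so the script can be dry-run without
# root; run with IPT=iptables to apply the rules for real.
IPT=${IPT:-"echo iptables"}
IFACE=eth0
TRUSTED=131.211.0.0/16

# Emit one ACCEPT rule. The poster's "-p 137" could never match Samba:
# -p selects the IP protocol number (137 is neither udp nor tcp), while
# the port belongs in --dport, which is only valid after -p udp/-p tcp.
samba_rule() {
    proto=$1
    port=$2
    $IPT -A INPUT -i "$IFACE" -p "$proto" -s "$TRUSTED" --dport "$port" -j ACCEPT
}

# The full set: NetBIOS name service (137) and datagram service (138)
# over UDP, NetBIOS session service (139, the file-sharing traffic) over
# TCP. In the poster's script these must come before "-A INPUT -j block",
# because that chain drops every NEW connection arriving on eth0.
samba_rules() {
    samba_rule udp 137
    samba_rule udp 138
    samba_rule tcp 139
}

# Number of port rules emitted; lets the output be checked in dry-run mode.
samba_rule_count() {
    samba_rules | grep -c -- '--dport'
}

samba_rules
```

Restricting the source to the campus range matters more for NetBIOS than for ssh: the UDP services answer to anyone who can reach them, and the INPUT-DROP policy is the only thing keeping them off the wider internet.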


