
Re: SMB in iptables



Thank you Paul for the specifics.  I'm not sure
I'm handling it right, but on my Toshiba ISDN
toaster its built-in firewall has the netbios
127, 138 and 139 ports open but I still can't
"net use" to Microsoft Windows drives on the
other side of the fence, whereas I could before
the Toshiba ISDN toaster added the firewall
software.  I was under the impression that
WinNT picked ports from a block of ports when
setting up a share and that that was my problem.

As a question, I suppose I'd like
to know if Microsoft's use of the SMB protocol
uses a block of ports and not just the aforementioned
3 ports.

Please, don't sweat this question anyone.
I long ago switched over to VNC and ssh/cygwin to
manipulate files on the WinNT systems I need
to reach on the other side of my ISDN toaster.
But ... if someone knows the answer off the
top of their head ...

Thanks,
Heitzso



On Thu, 2002-01-03 at 02:07, Paul Haesler wrote:
> 
> 
> > ----------
> > From: 	Paul Haesler[SMTP:PAUL@PHAESLER.ORG]
> > Sent: 	Thursday, January 03, 2002 2:07:57 AM
> > To: 	debian-firewall@lists.debian.org
> > Subject: 	Re: SMB in iptables
> > Auto forwarded by a Rule
> > 
> For the record Samba uses:
> 
> UDP ports 137 and 138
> TCP port 139
> 
> > I have created a firewall setup for a pc that serves as web and
> > database server on our university network
> > 
> > It is basically a setup with an input deny and output allow policy. No
> > NAT or masquerading is used whatsoever. Kernel is a self-compiled
> > 2.4.16. The firewall functions well for most things: all ports are
> > blocked except ssh, http, ftp and mysql. However, I have some
> > questions: 1. How do I get SMB to work? It does not function with the
> > rules below. I have experimented with the following lines:
> > #
> > iptables -A INPUT -i eth0 -p 137 -j ACCEPT
> > iptables -A INPUT -i eth0 -p 138 -j ACCEPT
> > iptables -A INPUT -i eth0 -p 139 -j ACCEPT
> > iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
> > iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
> > iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
> > #
> > However, they all make no difference whatsoever.
> > 
> > 2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.
> > 
> > 3. Should I deny UDP packets on interfaces that basically use TCP?
> > 
> > 4. Is it wise to check for malformed packets, such as christmas
> > packets and the like??
> > 
> > Thanks for helping me,
> > 
> > Kai Klopper
> > 
> > #!/bin/sh
> > ##Create chain which blocks new connections, except if coming from
> > ##inside.
> > #iptables -P FORWARD DROP
> > iptables -F
> > iptables -X block
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > 
> > iptables -N block
> > iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> > iptables -A block -j DROP
> > 
> > ## Jump to that chain from INPUT and FORWARD chains.
> > #iptables -A FORWARD -j block
> > 
> > iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> > # only allow mysql from university ip-addresses
> > iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
> > iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> > iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
> > iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> > iptables -A INPUT -j block
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org with
> > a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> > 
> 
> 
> --
> Paul Haesler                    paul@phaesler.org
>                                 ICQ: 124547085
> 
> 

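An added example, not code from the thread: it builds INPUT rules for the three ports Paul lists (UDP 137/138, TCP 139) and lints a single iptables command line for the mistake in the rules Kai tried, since iptables reads a bare number after `-p` as an IP protocol number rather than a port, and `--dport` only works together with `-p tcp` or `-p udp`. The interface and source network are assumed values.

```python
import shlex

# Ports Paul lists in the thread for Samba/NetBIOS.
SMB_PORTS = (("udp", 137), ("udp", 138), ("tcp", 139))


def smb_rules(iface="eth0", source=None):
    """Build one iptables INPUT rule per SMB port, optionally limited to a source net."""
    rules = []
    for proto, port in SMB_PORTS:
        argv = ["iptables", "-A", "INPUT", "-i", iface, "-p", proto]
        if source:
            # Restrict the share ports to the local network (assumed value).
            argv += ["-s", source]
        argv += ["--dport", str(port), "-j", "ACCEPT"]
        rules.append(" ".join(argv))
    return rules


def lint_rule(rule):
    """Flag the mistakes in one iptables command that turn a port rule into a no-op."""
    argv = shlex.split(rule)
    problems = []
    proto = None
    if "-p" in argv:
        proto = argv[argv.index("-p") + 1].lower()
        if proto.isdigit():
            # iptables treats a bare number after -p as an IP protocol number,
            # so "-p 137" matches protocol 137, not UDP port 137.
            problems.append("-p %s is an IP protocol number, not a port" % proto)
    for opt in ("--dport", "--sport"):
        # Port matches are only available once -p tcp or -p udp is given.
        if opt in argv and proto not in ("tcp", "udp"):
            problems.append("%s needs -p tcp or -p udp" % opt)
    return problems


if __name__ == "__main__":
    for line in smb_rules("eth0", "131.211.0.0/16"):
        print(line)
    # One of the rule lines from Kai's message (constructed copy).
    print(lint_rule("iptables -A INPUT -i eth0 -p 137 -j ACCEPT"))
```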