
Need help integrating SAMBA into firewall script



Hi,

I've recently installed and configured SAMBA on one of my multihomed hosts.
I would like some advice on how I could filter SAMBA's services and
integrate that into my current ip_tables script.

Currently, my ip_tables script uses connection tracking for ICMP, TCP, and
UDP, obviously dropping INVALID packets or datagrams.

I do this through a few user-defined chains. How can I modify my script so
that the ports needed for SAMBA aren't passed through the general TCP or UDP
chains, but are instead dealt with in a specific chain for SAMBA only?

My ip_tables script is attached for your viewing pleasure. I would also like
to thank the many people on this list who have helped me debug this script
over a long period of time, thanks to you guys it just gets better and better
:-D

Thanks,

Stef


#!/bin/sh
# /etc/network/ip_tables
# basic Netfilter firewall script
# by Stefan Srdic

# Define our path
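PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# Network parameters.
# Everything arriving on EXTIFACE is treated as untrusted, LANIFACE is the
# trusted side and LOOPBACK is left fully open by the rules below.
EXTIFACE=eth0
LANIFACE=eth1
LOOPBACK=lo

# External IP address.
# Keep the command substitution below if you have a dynamic IP address,
# otherwise enter your static IP here.  The pipeline expects the classic
# net-tools ifconfig output ("inet addr:A.B.C.D  Bcast:..."); other
# ifconfig versions print a different format, so check it on your box.
IPADDR=$(/sbin/ifconfig "$EXTIFACE" 2>/dev/null | grep 'inet addr:' | \
    awk '{print $2}' | sed -e 's/addr://')

# An empty IPADDR (interface not up yet, unexpected output format) is not
# an error for the shell: the unquoted $IPADDR in the anti-spoofing loop
# further down simply expands to nothing and that one rule is silently
# left out.  Make the condition visible instead of silent.  We do not
# abort: the DROP policies are set before any rule is added, so a
# partially configured firewall still fails closed.
if [ -z "$IPADDR" ]; then
    printf '%s\n' "ip_tables: warning: no address found for $EXTIFACE, the anti-spoofing rule for our own address will not be installed" >&2
fi

LAN=192.168.0/24        # LAN address range (iptables reads this as 192.168.0.0/24)
NODEFILTER=192.168.0.1  # this host's address on the LAN side
LOCALHOST=127.0.0.1     # localhost
ANYADDR=0/0             # any address (not referenced by the rules below)

# Our ISP's networked hosts.
# None of these are referenced by the rules below; they are placeholders
# for service-specific chains.
PRINAME=   # Primary name server
SECNAME=   # Secondary name server
SMTP=      # Remote SMTP server
POP3=      # Remote POP3 server
NEWS=      # Remote NNTP server
DHCP=      # DHCP server

# Private or reserved address ranges (used for anti-spoofing on EXTIFACE)
CLASS_A=10.0.0.0/8       # RFC 1918 private class A range
CLASS_B=172.16.0.0/12    # RFC 1918 private class B range
CLASS_C=192.168.0.0/16   # RFC 1918 private class C range (contains LAN)
CLASS_D_MULTICAST=224.0.0.0/4  # class D multicast addresses
# NOTE(review): /5 only covers 240.0.0.0-247.255.255.255; the whole class E
# block is 240.0.0.0/4.  Widening it would also match the limited broadcast
# address 255.255.255.255 as a destination (used by DHCP), so it is left
# as the author had it - decide deliberately before changing it.
CLASS_E_RESERVED_NET=240.0.0.0/5
BROADCAST_SRC=0.0.0.0            # 0.0.0.0 (dropped as a destination below)
BROADCAST_DEST=255.255.255.255   # limited broadcast (dropped as a source below)

# Various port ranges (not referenced below; available for service chains)
WELLKNOWN=0:1023        # well known port range
REGISTERED=1024:49151   # registered port range
PRIVATE=49152:65535     # private port range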


# Load the netfilter module(s).  "depmod -a" refreshes the module
# dependency map first; the match modules used later (state, limit, ...)
# are pulled in by iptables itself, so only the core module is named here.
depmod -a
modprobe ip_tables

# Default policies first, flush second.  Keeping this order means that if
# anything further down fails the box is left closed rather than open.
# set_policy TABLE POLICY CHAIN... applies POLICY to each built-in CHAIN
# of TABLE.
set_policy() {
    table=$1
    policy=$2
    shift 2
    for chain in "$@"; do
        iptables -t "$table" -P "$chain" "$policy"
    done
}
set_policy filter DROP INPUT FORWARD OUTPUT
set_policy nat ACCEPT PREROUTING POSTROUTING OUTPUT
# Only the two mangle chains that exist on older 2.4 kernels are named;
# newer kernels have more, but those keep their ACCEPT default anyway.
set_policy mangle ACCEPT PREROUTING OUTPUT

# Flush every rule and delete every user-defined chain in all tables so
# that re-running the script starts from a clean slate.
for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
done

# Second and later fragments carry no transport header, so none of the
# port/state rules below could judge them: drop them outright.
# NOTE(review): with connection tracking loaded the kernel reassembles
# fragments before the filter table sees them, so this rule is expected
# to match rarely - confirm on your kernel.
iptables --append INPUT --fragment --jump DROP

# The "unclean" match was an experimental sanity check for malformed
# packets in 2.4-era netfilter.  If the module is not available on this
# kernel, iptables prints an error and the script simply carries on
# without the rule (there is no "set -e" here).
iptables --append INPUT --match unclean --jump DROP

# Anti-spoofing on the external interface.
# Nothing arriving on EXTIFACE may claim to come from localhost, from the
# LAN, or from our own external address.  NOTE: if IPADDR is empty (the
# ifconfig pipeline above found nothing) that last entry vanishes from
# the word list and no rule is installed for it.
for spoofed in $LOCALHOST $LAN $IPADDR; do
    iptables -A INPUT -i "$EXTIFACE" --source "$spoofed" -j DROP
done

# RFC 1918 private ranges, multicast and the reserved class E block must
# not appear as source or destination on the external interface, in
# either direction.  CLASS_C contains our own LAN range; these rules are
# bound to EXTIFACE, so LAN traffic on LANIFACE is not affected.
# NOTE(review): if EXTIFACE itself carries a private address (e.g. behind
# an upstream NAT) the OUTPUT --source rule would block all outbound
# traffic - confirm before deploying.
for bogon in $CLASS_A $CLASS_B $CLASS_C $CLASS_D_MULTICAST $CLASS_E_RESERVED_NET; do
    for chain in INPUT OUTPUT; do
        if [ "$chain" = INPUT ]; then
            dir=-i
        else
            dir=-o
        fi
        iptables -A "$chain" --source "$bogon" "$dir" "$EXTIFACE" -j DROP
        iptables -A "$chain" --destination "$bogon" "$dir" "$EXTIFACE" -j DROP
    done
done

# Illegal address combinations: a source of 255.255.255.255 or a
# destination of 0.0.0.0 is never legitimate on the external interface.
# The BROADCAST_* variables are deliberately used "crosswise" here.
iptables -A INPUT -i "$EXTIFACE" --source "$BROADCAST_DEST" -j DROP
iptables -A INPUT -i "$EXTIFACE" --destination "$BROADCAST_SRC" -j DROP

# The loopback interface is fully open in both directions.
iptables --append INPUT --in-interface "$LOOPBACK" --jump ACCEPT
iptables --append OUTPUT --out-interface "$LOOPBACK" --jump ACCEPT

# LAN <-> this host (as NODEFILTER) is fully open as well.
# Rule order matters: these two rules are appended before the protocol
# chains (ICMP/TCP/UDP) are hooked into INPUT/OUTPUT further down, so
# LAN traffic to NODEFILTER never reaches those chains.  Only the unicast
# address NODEFILTER is matched: datagrams to a LAN broadcast address
# (e.g. 192.168.0.255) fall through to the protocol chains, where no rule
# accepts a NEW inbound datagram.  Keep that in mind for broadcast-based
# services such as NetBIOS name resolution; a dedicated chain hooked into
# INPUT before the UDP/TCP jumps and restricted to LANIFACE is the place
# to deal with them.
iptables --append INPUT --in-interface "$LANIFACE" --source "$LAN" --destination "$NODEFILTER" --jump ACCEPT
iptables --append OUTPUT --out-interface "$LANIFACE" --destination "$LAN" --source "$NODEFILTER" --jump ACCEPT

# NAT: masquerade LAN traffic leaving through the external interface.
# NOTE(review): nothing in this script enables IP forwarding
# (/proc/sys/net/ipv4/ip_forward); unless it is done elsewhere the
# FORWARD rules never see a packet - confirm.
iptables --table nat --append POSTROUTING --out-interface "$EXTIFACE" --source "$LAN" --jump MASQUERADE

# Clamp the MSS of every forwarded SYN to the path MTU (needed e.g. on
# PPPoE links where the external MTU is below 1500).
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

# Nothing NEW (and nothing INVALID) may be forwarded in from outside;
# only traffic tied to connections the LAN opened passes later on.
iptables --append FORWARD --in-interface "$EXTIFACE" --match state --state NEW,INVALID --jump DROP

# LOGRDROP: the chain the protocol filters hand rejected traffic to.
# OPTION selects what it does:
#   0 -> LOG only.  The chain then has no terminal rule, so the packet
#        RETURNs to the caller and is handled by the rules after the jump.
#        Every caller below ends in an unconditional DROP, so the packet
#        is still dropped - just not inside this chain.
#   1 -> DROP silently.
#   2 -> LOG, then DROP.
# Logging is rate-limited (1/minute, burst 4, per protocol) so that a
# flood of rejected packets cannot fill the logs.
iptables -N LOGRDROP 2>/dev/null

OPTION=1

# Append the three rate-limited LOG rules, one per protocol.
logrdrop_log_rules() {
    for proto in tcp udp icmp; do
        case $proto in
            tcp)  tag='Denied TCP: ' ;;
            udp)  tag='Denied UDP: ' ;;
            icmp) tag='Denied ICMP: ' ;;
        esac
        iptables -A LOGRDROP --protocol "$proto" -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG --log-prefix "$tag"
    done
}

# Append the DROP rules: NEW/INVALID first, then everything else.
logrdrop_drop_rules() {
    iptables -A LOGRDROP -m state --state NEW,INVALID -j DROP
    iptables -A LOGRDROP -j DROP
}

case "$OPTION" in
    0) logrdrop_log_rules ;;
    1) logrdrop_drop_rules ;;
    2) logrdrop_log_rules
       logrdrop_drop_rules ;;
esac

# ICMP chain: all ICMP in INPUT, OUTPUT and FORWARD is diverted here.
# The loopback and LAN ACCEPT rules above are already in INPUT/OUTPUT,
# so only traffic that did not match them arrives in this chain.
iptables -N ICMP 2>/dev/null

for hook in INPUT OUTPUT FORWARD; do
    iptables -t filter -A "$hook" --protocol icmp -j ICMP
done

# Per interface: outbound ICMP may start a tracked exchange (NEW);
# inbound ICMP is only accepted when conntrack ties it to existing
# traffic (ESTABLISHED, e.g. the reply to our own echo-request; RELATED,
# e.g. an ICMP error for one of our connections).  Unsolicited inbound
# ICMP such as an echo-request is therefore not accepted on any
# interface here (LAN hosts still reach NODEFILTER via the LAN rule
# above).  INVALID in either direction is handed to LOGRDROP.
for iface in $LOOPBACK $LANIFACE $EXTIFACE; do
    iptables -A ICMP -o "$iface" --protocol icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A ICMP -i "$iface" --protocol icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A ICMP -o "$iface" --protocol icmp -m state --state INVALID -j LOGRDROP
    iptables -A ICMP -i "$iface" --protocol icmp -m state --state INVALID -j LOGRDROP
done

# Terminal rule: whatever was not accepted above is dropped (this also
# catches packets that RETURN from LOGRDROP when OPTION=0).
iptables -A ICMP -j DROP

# TCP chain: all TCP in INPUT, OUTPUT and FORWARD is diverted here.
# Hosted services are NOT handled in this chain - no rule below accepts
# a NEW inbound connection on any interface.  A chain for a hosted
# service therefore has to be hooked into INPUT before the "-j TCP" jump
# below, and should be restricted with -i to the interface the service
# is meant to be reachable on.
iptables -N TCP 2>/dev/null

for hook in INPUT OUTPUT FORWARD; do
    iptables -t filter -A "$hook" --protocol tcp -j TCP
done

# A NEW connection must begin with a SYN; a non-SYN segment that belongs
# to no tracked connection is handed to LOGRDROP.
iptables -A TCP --protocol tcp ! --syn -m state --state NEW -j LOGRDROP

# Per interface: established traffic both ways, new connections only
# outbound; INVALID in either direction goes to LOGRDROP.  Inbound is
# ESTABLISHED only (no RELATED), so connections a conntrack helper
# would flag as RELATED are not accepted here either.
for iface in $LOOPBACK $LANIFACE $EXTIFACE; do
    iptables -A TCP -i "$iface" --protocol tcp -m state --state ESTABLISHED -j ACCEPT
    iptables -A TCP -o "$iface" --protocol tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TCP -i "$iface" --protocol tcp -m state --state INVALID -j LOGRDROP
    iptables -A TCP -o "$iface" --protocol tcp -m state --state INVALID -j LOGRDROP
done

# Terminal rule (also catches packets RETURNing from LOGRDROP when OPTION=0).
iptables -A TCP -j DROP

# UDP chain: all UDP in INPUT, OUTPUT and FORWARD is diverted here.
# As in the TCP chain, nothing below accepts a NEW inbound datagram on
# any interface, so hosted UDP services need their own chain hooked into
# INPUT before the "-j UDP" jump below, restricted with -i to the
# intended interface.
iptables -N UDP 2>/dev/null

for hook in INPUT OUTPUT FORWARD; do
    iptables -t filter -A "$hook" --protocol udp -j UDP
done

# Per interface: replies to our own datagrams (ESTABLISHED) and
# helper-related traffic (RELATED) inbound, new plus established
# outbound; INVALID either way goes to LOGRDROP.  Datagrams addressed to
# a LAN broadcast address are not covered by the LAN ACCEPT rule above;
# they arrive here, normally as NEW, and fall through to the final DROP.
for iface in $LOOPBACK $LANIFACE $EXTIFACE; do
    iptables -A UDP -i "$iface" --protocol udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A UDP -o "$iface" --protocol udp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A UDP -i "$iface" --protocol udp -m state --state INVALID -j LOGRDROP
    iptables -A UDP -o "$iface" --protocol udp -m state --state INVALID -j LOGRDROP
done

# Terminal rule (also catches packets RETURNing from LOGRDROP when OPTION=0).
iptables -A UDP -j DROP

