Re: Blocking SMB



	Just ran this quickly through fwbuilder and it generated the
following snippet of code:

iptables -P OUTPUT  DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -N RULE_0
iptables -A OUTPUT  -p udp -m state --state NEW  -m multiport \
	--destination-port 138,137,139 -j RULE_0
iptables -A INPUT  -p udp -m state --state NEW  -m multiport \
	--destination-port 138,137,139 -j RULE_0
iptables -A FORWARD  -p udp -m state --state NEW  -m multiport \
	--destination-port 138,137,139 -j RULE_0
iptables -A RULE_0  -j DROP 

iptables -A INPUT      -j DROP
iptables -A OUTPUT     -j DROP
iptables -A FORWARD    -j DROP

	This should allow SMB connectivity which you initiate but not
allow it to be started from outside your network... I also only generated
it for UDP traffic... It also should only be using 137-139...

	Jeremy

On Mon, Feb 25, 2002 at 03:22:12PM -0000, Charlie Grosvenor wrote:
> Hi
>     Will the following work?
> 
> iptables -A INPUT -p udp -i PPP0 --dport 135 -j DROP
> iptables -A INPUT -p udp -i PPP0 --dport 136 -j DROP
> iptables -A INPUT -p udp -i PPP0 --dport 137 -j DROP
> iptables -A INPUT -p udp -i PPP0 --dport 138 -j DROP
> iptables -A INPUT -p udp -i PPP0 --dport 139 -j DROP
> iptables -A INPUT -p tcp -i PPP0 --dport 135 -j DROP
> iptables -A INPUT -p tcp -i PPP0 --dport 136 -j DROP
> iptables -A INPUT -p tcp -i PPP0 --dport 137 -j DROP
> iptables -A INPUT -p tcp -i PPP0 --dport 138 -j DROP
> iptables -A INPUT -p tcp -i PPP0 --dport 139 -j DROP
> 
> Also is it possible to allow outgoing smb connections so that i can connect
> to hosts outside my network but they cannot connect to me?
> 
> Charlie
> 
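An added example, not part of either message in this thread: a small POSIX shell script that does what Jeremy's fwbuilder snippet does, but on the external interface only (as in Charlie's rules) and covering TCP as well as UDP. It goes slightly beyond the thread by also covering TCP 445, which direct-hosted SMB uses alongside NetBIOS 137-139. The interface name `ppp0` is an assumption (Linux interface names are case sensitive, so `-i PPP0` only matches an interface literally named `PPP0`); `EXT_IF` and `IPT` are hypothetical variables, and `IPT=echo` or the default `dry-run` mode prints the rules instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): let this host initiate SMB/CIFS
# sessions outward, but drop SMB sessions that outside hosts try to open.
# Assumptions: external interface is $EXT_IF (default ppp0, hypothetical);
# $IPT is the iptables binary, or "echo" for a dry run.
EXT_IF="${EXT_IF:-ppp0}"
IPT="${IPT:-iptables}"

# NetBIOS session (139) and direct-hosted SMB (445) run over TCP;
# NetBIOS name (137) and datagram (138) services run over UDP.
SMB_TCP_PORTS="139,445"
NBT_UDP_PORTS="137,138"

smb_rules() {
    # 1. Replies to sessions we opened must come back in. This rule has to
    #    come before the DROPs: NetBIOS name replies arrive on dport 137,
    #    so without it our own lookups would be dropped too.
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Any new SMB session arriving from the outside is dropped.
    $IPT -A INPUT -i "$EXT_IF" -p tcp -m state --state NEW \
        -m multiport --dports "$SMB_TCP_PORTS" -j DROP
    $IPT -A INPUT -i "$EXT_IF" -p udp -m state --state NEW \
        -m multiport --dports "$NBT_UDP_PORTS" -j DROP

    # 3. Outbound SMB is not restricted here; the OUTPUT chain (policy
    #    ACCEPT on most hosts) lets us open sessions to remote shares.
}

# Returns 0 when a port is one of the SMB/NetBIOS ports this script handles,
# so callers can sanity-check a configuration before applying it.
is_smb_port() {
    case ",$SMB_TCP_PORTS,$NBT_UDP_PORTS," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

case "${1:-dry-run}" in
    apply)   smb_rules ;;
    dry-run) IPT=echo; smb_rules ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

Run with no argument (or `dry-run`) to print the four rules; run as root with `apply` to load them. Compared with the rules in the question, the stateful ACCEPT in step 1 is what makes outbound SMB work while inbound stays closed: the DROP rules only ever see packets that are not part of a connection we started.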