Shouldn't that be in the INPUT chain? I don't know if that's required
to work, but it makes more sense. FORWARD chains are used for NAT and
routing purposes, whereas you block ports on the INPUT and OUTPUT
sides of your firewall.
hope that helps,
ub
Matthew Kopishke wrote:
We have been getting a few windows messages as of late so I added the
following rules to my firewall:
iptables -A FORWARD -p tcp -d ! $SERVERIP --dport 135:139 -j DROP
iptables -A FORWARD -p udp -d ! $SERVERIP --dport 135:139 -j DROP
iptables -A FORWARD -p tcp -m iprange --dst-range $FULLRANGE --dport 445 -j DROP
iptables -A FORWARD -p udp -m iprange --dst-range $FULLRANGE --dport 445 -j DROP
$SERVERIP is a machine that needs 135-139 open, so the way I read
the rule is: unless it's going to $SERVERIP on 135-139, drop it.
But the Windows messages still seem to be getting through. Oh, and
$FULLRANGE is just a range of IPs I'm doing this for. In this case
it could have been done just as easily as a block with a netmask, but
I guess I wasn't thinking at the moment.
Matt
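The chain question above comes down to which packets a chain sees: a packet addressed to the firewall host itself traverses INPUT, while a packet the host routes between interfaces traverses FORWARD, so a DROP in one chain has no effect on traffic the other one handles. The script below is an added example, not code from either message in the thread; it applies the same NetBIOS/SMB block to both chains, keeps the one server exception, and can print the rules instead of applying them. The addresses 192.168.1.10 and 192.168.1.0/24, the APPLY switch and the function names are assumptions for illustration, and it uses the `! -d` negation form of current iptables rather than the older `-d !` spelling in the post.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Drops NetBIOS (135-139)
# and SMB (445) both to the firewall itself (INPUT) and through it (FORWARD),
# exempting one internal server on 135-139.
#
# Assumed values; override them in the environment as needed.
SERVERIP="${SERVERIP:-192.168.1.10}"   # assumed host that legitimately serves 135-139
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal network, replaces the iprange match

# Wrapper: with APPLY=1 the rule is handed to iptables (needs root);
# otherwise the exact command line is printed so the rule set can be reviewed.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Emit the DROP rules for one chain, for both TCP and UDP.
block_smb_chain() {
    chain="$1"
    for proto in tcp udp; do
        # Anything on 135-139 that is not going to the server is dropped.
        ipt -A "$chain" -p "$proto" ! -d "$SERVERIP" --dport 135:139 -j DROP
        # No exception for 445 anywhere on the LAN.
        ipt -A "$chain" -p "$proto" -d "$LAN_NET" --dport 445 -j DROP
    done
}

# INPUT catches packets whose destination is this host; FORWARD catches
# packets this host routes. A rule in only one chain leaves the other path open.
block_smb() {
    block_smb_chain INPUT
    block_smb_chain FORWARD
}

# After applying, the packet/byte counters show whether the rules are hit:
# a DROP rule that stays at 0 packets is not seeing the traffic you expect,
# which usually means the traffic traverses the other chain.
show_counters() {
    ipt -L "$1" -v -n -x
}

block_smb
```

Run `sh block_smb.sh` to see the eight rules, then `APPLY=1 sh block_smb.sh` as root to install them; `APPLY=1 show_counters INPUT` (after sourcing the file) shows which rules are actually matching.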