Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I know there is tons of docs about iptables out there. But I need a quick and dirty iptables command to block netbios and samba ports from the Internet at my firewall. Both incoming and outgoing.
I already have a basic rc.firewall script downloaded from somewhere on the Internet. It is configured for NAT and enables all outgoing traffic but only related incoming.
Oh, yeah, an explanation of the command flags would be helpful. Thanks.
Rather than shut down those ports specifically, the better approach is to shut down ALL ports with the default table properties and then open up only those you need. So your defaults should look something like
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Then for each daemon you want to be able to listen, add a line opening that port. So say you want to run Apache with SSL. You'll need to open two ports
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
You would also need to open up outbound traffic, and I like to use state matching to do this.
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
So as long as you don't open the netbios or Samba ports, the table defaults will block them. This also means that you are only opening the ports you absolutely need to have.
Will I have problems with bittorrent if I use this method?
I think you do have to open up some additional ports to use bittorrent. Unless I'm mistaken, incoming bittorrent connections are NEW and you really don't want to allow state matches to NEW on your INPUT chain. It kinda defeats the purpose of a firewall. However, if you are using state matches on OUTPUT, you can safely use NEW and probably want to. I'm not at my Linux box, but tonight I'll post how I allow bittorrent through my firewall.
Does this look correct for blocking those ports? Where is the log stored?
Yeah, it looks like the ports are blocked. As for the log entries, look in /var/log/syslog. If there is nothing there check /var/log/messages.
Originally posted by carboncopy: Is that the only port which is used by bittorrent? I mean, I can have hundreds of connections using that port?
It is the only port that bittorrent listens on; it can actually send on any number of ports, so as long as you allow inbound traffic on 6881 and then allow outbound traffic on any number of ports, you should be fine. So the two rules in my firewall that apply here are:
iptables -A INPUT -i eth0 -p tcp --dport 6881 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
The first rule allows all inbound traffic on 6881 and the second rule allows all outbound traffic regardless of what port it originates from.
I guess I don't see anything wrong with the netstat output either. However, you may want to try slightly different output (see man netstat for options) to make sure that all of the connections are from programs you recognize.
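Putting the thread's pieces together, here is an added example (not any poster's script) of a default-DROP rc.firewall in the style described above: every chain defaults to DROP, replies to our own connections come back in via state matching, only the listeners mentioned in the thread (80, 443, 6881) are opened, and the NetBIOS/SMB ports the original question asked about are logged and dropped explicitly so the hits show up in syslog. It assumes eth0 is the Internet-facing interface and leaves the NAT/FORWARD rules of the original script to be added separately.

```shell
#!/bin/sh
# Added example: default-DROP firewall with explicit NetBIOS/SMB logging.
#   sh fw.sh apply     apply the rules with iptables (needs root)
#   sh fw.sh dry-run   print the rules instead of applying them
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"        # assumption: eth0 faces the Internet

fw_rules() {
    # Flush, then default every built-in chain to DROP (-P = policy)
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback must stay open or local daemons stop talking to each other
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # NetBIOS/SMB: 137,138 udp (name/datagram), 139,445 tcp (session/SMB).
    # Log first, then drop, in all three chains, so nothing below can match
    # them and each hit lands in /var/log/syslog or /var/log/messages.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -p udp -m multiport --ports 137,138 -j LOG --log-prefix "SMB-DROP: "
        $IPT -A $chain -p udp -m multiport --ports 137,138 -j DROP
        $IPT -A $chain -p tcp -m multiport --ports 139,445 -j LOG --log-prefix "SMB-DROP: "
        $IPT -A $chain -p tcp -m multiport --ports 139,445 -j DROP
    done

    # Inbound: replies to connections we started (never NEW here), plus listeners
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80   -j ACCEPT   # Apache
    $IPT -A INPUT -i "$WAN" -p tcp --dport 443  -j ACCEPT   # Apache SSL
    $IPT -A INPUT -i "$WAN" -p tcp --dport 6881 -j ACCEPT   # bittorrent listener

    # Outbound: anything we originate, tracked by state. Note -o (not -i) on
    # OUTPUT and no spaces inside the --state list; both break the rule.
    $IPT -A OUTPUT -o "$WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply)   fw_rules ;;
    dry-run) IPT=echo; fw_rules ;;
esac
```

Run the dry-run first and read the rule list top to bottom; iptables matches the first rule that fits, so the LOG/DROP pairs must sit above the ACCEPT lines as they do here.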