LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-26-2005, 06:10 AM   #1
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210
Blog Entries: 4

block m$ related ports using iptables


Hi!

I know there is tons of docs about iptables out there. But I need a quick and dirty iptables command to block netbios and samba ports from the Internet at my firewall. Both incoming and outgoing.

I already have a basic rc.firewall script downloaded from somewhere on the Internet. Configured to do NAT and enable all outgoing but only related incoming.

Oh, yuh, explanation of the command flags would be helpful. Thanks.
 
Old 01-26-2005, 07:42 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rather than shut down those ports specifically, the better approach is to shut down ALL ports with the default table properties and then open up only those you need. So your defaults should look something like

Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then for each daemon you want to be able to listen, add a line opening that port. So say you want to run Apache with SSL. You'll need to open two ports

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

You would also need to open up outbound traffic, and I like to use state matching to do this.

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


So as long as you don't open the netbios or Samba ports, the table defaults will block them. This also means that you are only opening the ports you absolutely need to have.
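The default-deny layout described in this answer, written out as an added example (not Hangdog42's own script) in iptables-restore format so the whole policy loads atomically. It assumes a single host whose Internet-facing interface is eth0 (not carboncopy's NAT gateway, since FORWARD stays DROP), exposing only Apache with SSL and BitTorrent on 6881; the NetBIOS/SMB log-then-drop rules are there only for visibility, the DROP policy would catch those packets anyway.

```shell
#!/bin/sh
# Added example, not code from the thread: build the default-deny ruleset as one
# iptables-restore file instead of a series of iptables -A calls.
# Assumptions: WAN interface eth0; exposed services given as proto:port arguments.
WAN_IF="${WAN_IF:-eth0}"

# build_rules proto:port ...  -> prints the ruleset on stdout
build_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback must be allowed explicitly; a DROP policy would otherwise break local software.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this host started arrive as ESTABLISHED/RELATED, never NEW,
    # so INPUT never needs NEW except for the listening ports opened below.
    printf '%s\n' "-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # NetBIOS/SMB would already die on the DROP policy; logging first (as carboncopy's
    # chain does) keeps the probes visible in syslog.
    for p in udp:137 udp:138 udp:139 tcp:139 tcp:445 udp:445; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p ${p%%:*} --dport ${p##*:} -j LOG --log-prefix smb-probe:"
        printf '%s\n' "-A INPUT -i $WAN_IF -p ${p%%:*} --dport ${p##*:} -j DROP"
    done
    # One ACCEPT per listening service, and nothing else.
    for svc in "$@"; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p ${svc%%:*} --dport ${svc##*:} -m state --state NEW -j ACCEPT"
    done
    # Outbound: whatever this host starts. No spaces after the commas, or iptables rejects the list.
    printf '%s\n' "-A OUTPUT -o $WAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Write the file; load it as root with: iptables-restore < "$RULES_FILE"
RULES_FILE="${TMPDIR:-/tmp}/rc.firewall.rules"
build_rules tcp:80 tcp:443 tcp:6881 > "$RULES_FILE"
```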
 
Old 01-26-2005, 11:19 AM   #3
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

Will I have problems with bittorrent if I use this method?

Is the bittorrent connection initiated (NEW) by me? Or is it both ways?
 
Old 01-26-2005, 11:20 AM   #4
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

This is what my INPUT chain looks like for now:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 LOG flags 0 level 4 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 LOG flags 0 level 4 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 LOG flags 0 level 4 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 LOG flags 0 level 4 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 LOG flags 0 level 4 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 LOG flags 0 level 4 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
Does this look correct for blocking those ports? Where is the log stored? I know this is bad policy, but let me learn please.
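A way to answer "does this look correct?" mechanically rather than by eye, as an added example that is not part of the thread: it audits a saved `iptables -L INPUT -n` listing (non-verbose format, as posted above) for the six NetBIOS/SMB port/protocol pairs. The sample listing is constructed from carboncopy's chain with the udp/138 DROP deliberately left out so the check has something to find; `smb_gaps` is a name chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a saved "iptables -L INPUT -n" listing
# for the NetBIOS/SMB ports. Sample constructed from carboncopy's posted chain, minus
# the udp/138 DROP rule.
SAMPLE_LISTING="${TMPDIR:-/tmp}/input-chain.txt"
cat > "$SAMPLE_LISTING" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 LOG flags 0 level 4
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 LOG flags 0 level 4
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 LOG flags 0 level 4
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
EOF

# smb_gaps FILE: prints one proto/port line for each NetBIOS/SMB port that has no DROP or
# REJECT rule matching any source, then "policy ACCEPT" if the chain default still lets
# everything else in. No output means the chain closes all six ports.
smb_gaps() {
    awk '
    BEGIN { n = split("udp/137 udp/138 udp/139 tcp/139 tcp/445 udp/445", w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1 }
    /^Chain / { in_input = ($2 == "INPUT")
                if (in_input && $0 ~ /policy ACCEPT/) open = 1 }
    # Only a DROP/REJECT that applies to any source (0.0.0.0/0) counts as closing the port.
    in_input && ($1 == "DROP" || $1 == "REJECT") && $4 == "0.0.0.0/0" {
        for (i = 6; i <= NF; i++) if ($i ~ /^dpt:/) delete want[$2 "/" substr($i, 5)]
    }
    END { for (k in want) print k
          if (open) print "policy ACCEPT" }
    ' "$1" | sort
}

smb_gaps "$SAMPLE_LISTING"
# Expected for the sample: "policy ACCEPT" and "udp/138"
```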
 
Old 01-26-2005, 02:34 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Will I have problems with bittorrent if I use this method?
I think you do have to open up some additional ports to use bittorrent. Unless I'm mistaken, incoming bittorrent connections are NEW and you really don't want to allow state matches to NEW on your INPUT chain. It kinda defeats the purpose of a firewall. However, if you are using state matches on OUTPUT, you can safely use NEW and probably want to. I'm not at my linux box, but tonight I'll post how I allow bittorrent through my firewall.

Quote:
Does this look correct for blocking those ports? Where is the log stored?
Yeah, it looks like the ports are blocked. As for the log entries, look in /var/log/syslog. If there is nothing there, check /var/log/messages.
 
Old 01-26-2005, 04:44 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

OK, for bittorrent I allow port 6881 through the firewall and that works just fine.
 
Old 01-28-2005, 09:08 AM   #7
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

Is that the only port which is used by bittorrent? I mean, I can have hundreds of connections using that port?
 
Old 01-28-2005, 09:51 AM   #8
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

Ok, as a follow-up to bittorrent,

does this netstat look ok?

Code:
root@carboncopy:/var/log# netstat --numeric-hosts
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0   1462 XXX.XXX.200.97:42291      82.168.82.183:64998     ESTABLISHED 
tcp        0   1867 XXX.XXX.200.97:42624      82.168.82.183:64998     ESTABLISHED 
tcp        0      0 XXX.XXX.200.97:42187      82.41.73.197:6881       ESTABLISHED 
tcp        0   2002 XXX.XXX.200.97:39367      71.32.19.170:6881       ESTABLISHED 
<internal connection> 
tcp        0      0 XXX.XXX.200.97:43106      201.8.193.63:23918      ESTABLISHED 
tcp        0   1984 XXX.XXX.200.97:42118      82.35.242.218:10001     ESTABLISHED 
tcp        0   3807 XXX.XXX.200.97:42169      80.202.218.52:6881      ESTABLISHED 
tcp        0   5534 XXX.XXX.200.97:42864      80.202.218.52:6881      ESTABLISHED
 
Old 01-28-2005, 12:30 PM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally posted by carboncopy
Is that the only port which is used by bittorrent? I mean, I can have hundreds of connections using that port?
It is the only port that bittorrent listens on; it can actually send on any number of ports, so as long as you allow inbound traffic on 6881 and then allow outbound traffic on any number of ports, you should be fine. So the two rules in my firewall that apply here are:

iptables -A INPUT -i eth0 -p tcp --dport 6881 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


The first rule allows all inbound traffic on 6881 and the second rule allows all outbound traffic regardless of what port it originates from.

I guess I don't see anything wrong with the netstat output either. However, you may want to try slightly different output (see man netstat for options) to make sure that all of the connections are from programs you recognize.
 