Old 09-29-2008, 12:59 AM   #1
bkcreddy17
how to block port 139 using iptables


Hi, I am using a Samba server on IP 192.168.0.88. Now I want to block all IPs other than 192.168.0.7 and 192.168.0.10. I tried it these ways.
Code:
$ sudo /sbin/iptables -A INPUT -p tcp -s ! 192.168.0.7 --dport 139 -j DROP
$ sudo /sbin/iptables -A INPUT -p tcp -s ! 192.168.0.10 --dport 139 -j DROP
But I am able to access from other IPs also.
When I used this rule
Code:
$ sudo /sbin/iptables -A INPUT -p tcp -s 0/0 --dport 139 -j DROP
I am able to access the Samba share from any IP. What is this? What do I do now? I don't want it through TCP wrappers. It has to happen by iptables.
 
Old 09-29-2008, 01:03 AM   #2
win32sux
Most likely you have a rule above those which is sending the packets to ACCEPT.

Change the append (-A) to an insert (-I) and try again. If it works, then it confirms the above.
 
Old 09-29-2008, 01:03 AM   #3
billymayday
Rather than doing it that way, accept traffic from that IP to 139 and drop everything else. Assuming you have a default policy of drop, or some other catch-all at the end of the chain, you shouldn't need to specifically drop anything, so

Code:
$sudo /sbin/iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
$sudo /sbin/iptables -A INPUT -p tcp -s 192.168.0.10 --dport 139 -j ACCEPT
...
drop everything else
 
Old 09-29-2008, 01:20 AM   #4
bkcreddy17
Code:
1      144 13779 ACCEPT  all  --  lo  *  0.0.0.0/0  0.0.0.0/0
2    14570 1651K LOG     all  --  eth0  * 0.0.0.0/0 0.0.0.0/0   LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
These are the two rules above.
The same rules are on another system, where I used them for port 22, and that is working fine.
 
Old 09-29-2008, 01:28 AM   #5
billymayday
The way you were trying to do it couldn't work anyway: you've already dropped 192.168.0.10
 
Old 09-29-2008, 01:32 AM   #6
win32sux
Quote:
Originally Posted by billymayday
The way you were trying to do it couldn't work anyway: you've already dropped 192.168.0.10
Haha, word! Nice catch!

Quote:
Originally Posted by bkcreddy17
Code:
1      144 13779 ACCEPT  all  --  lo  *  0.0.0.0/0  0.0.0.0/0
2    14570 1651K LOG     all  --  eth0  * 0.0.0.0/0 0.0.0.0/0   LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
These are the two rules above.
The same rules are on another system, where I used them for port 22, and that is working fine.
You should really let us see the whole picture by posting the complete output of:
Code:
iptables -nvL INPUT

 
Old 09-29-2008, 01:40 AM   #7
bkcreddy17
Code:
$ sudo /sbin/iptables -L -v -n  --line-numbers
Chain INPUT (policy ACCEPT 14548 packets, 1650K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      144 13779 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2    14570 1651K LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:' 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:' 
2        0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:' 
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
6        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 9763 packets, 2437K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      144 13779 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
2     9763 2437K LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
 
Old 09-29-2008, 01:47 AM   #8
win32sux
Hmmm, okay. Well, considering that there are no non-loopback terminating rules, then I would say that your problem is caused by what billymayday pointed out. This would mean that with the rules in your original post, you WOULD be able to connect from 192.168.0.7, but NOT from 192.168.0.10. My suggestion would be to follow billymayday's advice and change your policy to DROP, making ACCEPT rules only for packets you want to allow. I do, however, understand that it can take some time to properly implement when you aren't familiar with iptables (depending on how much stuff you actually need to allow), so a temporary fix for you could be to do this (instead of what you were doing in the OP):
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.10 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j DROP

 
Old 09-29-2008, 02:11 AM   #9
bkcreddy17
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.10 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j DROP
This did not work out. Yes, I am not very familiar with iptables. I am just a newbie. I am scared to set the default policy to DROP, because when I did that on my home PC the whole GUI stopped working: all icons were disabled, the terminal did not open and only the mouse pointer was moving. My PC would not even boot. I went to single user mode again and flushed all rules. These are the rules on the other system, and they are working fine.
Code:
$ sudo /sbin/iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 17258 packets, 3965K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     5835 3245K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2    17258 3965K LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:' 
3        0     0 ACCEPT     tcp  --  *      *       192.168.0.88         0.0.0.0/0           tcp dpt:22 
4        0     0 ACCEPT     tcp  --  *      *       192.168.0.201        0.0.0.0/0           tcp dpt:22 
5        0     0 ACCEPT     tcp  --  *      *       192.168.0.204        0.0.0.0/0           tcp dpt:22 
6        0     0 ACCEPT     tcp  --  *      *       192.168.1.152        0.0.0.0/0           tcp dpt:22 
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
8        0     0 ACCEPT     icmp --  *      *       192.168.1.152        0.0.0.0/0           icmp type 8 
9        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:' 
2        0     0 LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:' 
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
6        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 11260 packets, 1259K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     5835 3245K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
2    11268 1260K LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:' 
3        8   672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
 
Old 09-29-2008, 02:17 AM   #10
win32sux
Quote:
Originally Posted by bkcreddy17
This did not work out.
Post the "iptables -nvL INPUT" output you have after implementing the rules.

I don't see why it wouldn't work - it's the same approach you have on the box which you report works fine.

 
Old 09-29-2008, 02:25 AM   #11
bkcreddy17
Code:
$ sudo /sbin/iptables -nvL  --line-numbers
Chain INPUT (policy ACCEPT 47596 packets, 7562K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      144 13779 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2    47623 7563K LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:' 
3        0     0 ACCEPT     tcp  --  *      *       192.168.0.7          0.0.0.0/0           tcp dpt:139 
4        0     0 ACCEPT     tcp  --  *      *       192.168.0.10         0.0.0.0/0           tcp dpt:139 
5        5   240 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:' 
2        0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:' 
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
6        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 36031 packets, 9351K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      144 13779 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
2    36031 9351K LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
This was the output.
 
Old 09-29-2008, 02:35 AM   #12
win32sux
Quote:
Originally Posted by bkcreddy17
Code:
$ sudo /sbin/iptables -nvL  --line-numbers
Chain INPUT (policy ACCEPT 47596 packets, 7562K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      144 13779 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2    47623 7563K LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:' 
3        0     0 ACCEPT     tcp  --  *      *       192.168.0.7          0.0.0.0/0           tcp dpt:139 
4        0     0 ACCEPT     tcp  --  *      *       192.168.0.10         0.0.0.0/0           tcp dpt:139 
5        5   240 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
This was the output.
This looks fine to me. TCP packets coming into port 139 will only get sent to ACCEPT if they have a source address of 192.168.0.7 or 192.168.0.10. I suggest you check the method you are using to test this (make sure you are really using one of those two IPs when testing), but if any packets from those two IPs are getting sent to DROP by that last rule, then it should be easy to spot by sticking a LOG rule on top of it, like:
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.10 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -p tcp --dport 139 -j DROP

 
Old 09-29-2008, 02:43 AM   #13
linuxgurusa
Hi there

Try and block both UDP and TCP packets on the samba port 139

iptables -A INPUT -i eth0 -p udp etc etc.
 
Old 09-29-2008, 03:04 AM   #14
win32sux
Yeah, that would explain why other IPs were still getting to the daemon. I went to the Samba page and found this. So in order to do this properly (or at least the way the Samba people recommend on that link) you'd wanna use something like this:
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 135 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.10 --dport 135 -j ACCEPT
iptables -A INPUT -p tcp --dport 135 -j DROP

iptables -A INPUT -p udp -s 192.168.0.7 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.10 --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 137 -j DROP

iptables -A INPUT -p udp -s 192.168.0.7 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.10 --dport 138 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j DROP

iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.10 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j DROP

iptables -A INPUT -p tcp -s 192.168.0.7 --dport 445 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.10 --dport 445 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j DROP
Or alternatively, create a new chain in order to streamline the process a bit, like:
Code:
iptables -N SAMBA_CLIENTS

iptables -A INPUT -p tcp --dport 135 -j SAMBA_CLIENTS
iptables -A INPUT -p udp --dport 137 -j SAMBA_CLIENTS
iptables -A INPUT -p udp --dport 138 -j SAMBA_CLIENTS
iptables -A INPUT -p tcp --dport 139 -j SAMBA_CLIENTS
iptables -A INPUT -p tcp --dport 445 -j SAMBA_CLIENTS

iptables -A SAMBA_CLIENTS -s 192.168.0.7 -j ACCEPT
iptables -A SAMBA_CLIENTS -s 192.168.0.10 -j ACCEPT
iptables -A SAMBA_CLIENTS -j DROP

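To make the first-match logic behind posts #5, #8 and #14 concrete, here is an added Python simulation (written for this edit; it is not iptables and not any poster's code). It evaluates the two negated DROP rules from post #1 and the SAMBA_CLIENTS chain from post #14 against constructed packets; the addresses, ports and protocols are the thread's, the packet dictionaries and the 192.168.0.50 "other host" are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, LOG, or a user chain to jump to
    proto: Optional[str] = None   # -p tcp|udp; None means "all"
    src: Optional[str] = None     # -s address; None means 0.0.0.0/0
    negate: bool = False          # the "-s ! addr" form used in post #1
    dport: Optional[int] = None   # --dport
    pkts: int = 0                 # the pkts counter that iptables -nvL shows

    def matches(self, p):
        if self.proto and p["proto"] != self.proto:
            return False
        if self.src and (p["src"] == self.src) == self.negate:
            return False
        return self.dport is None or p["dport"] == self.dport

class Firewall:
    def __init__(self, policy="ACCEPT"):
        self.chains, self.policy = {"INPUT": []}, policy
    def add(self, chain, rule):
        self.chains.setdefault(chain, []).append(rule)
    def verdict(self, p, chain="INPUT"):
        # First ACCEPT/DROP match wins; LOG falls through; an exhausted user chain returns to its caller.
        for r in self.chains[chain]:
            if not r.matches(p):
                continue
            r.pkts += 1
            if r.target in ("ACCEPT", "DROP"):
                return r.target
            if r.target != "LOG" and (sub := self.verdict(p, r.target)):
                return sub
        return self.policy if chain == "INPUT" else None

def op_attempt():
    # Post #1: two negated DROP rules on tcp/139 and no ACCEPT rule at all.
    fw = Firewall()
    fw.add("INPUT", Rule("DROP", "tcp", "192.168.0.7", True, 139))
    fw.add("INPUT", Rule("DROP", "tcp", "192.168.0.10", True, 139))
    probes = (("192.168.0.7", 139), ("192.168.0.10", 139), ("192.168.0.50", 139), ("192.168.0.50", 445))
    return {f"{s}:{d}": fw.verdict({"proto": "tcp", "src": s, "dport": d}) for s, d in probes}

def samba_chain():
    # Post #14: every SMB port jumps to one allow-list chain that ends in DROP.
    fw = Firewall()
    for proto, port in (("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)):
        fw.add("INPUT", Rule("SAMBA_CLIENTS", proto, dport=port))
    for ip in ("192.168.0.7", "192.168.0.10"):
        fw.add("SAMBA_CLIENTS", Rule("ACCEPT", src=ip))
    fw.add("SAMBA_CLIENTS", Rule("DROP"))
    probes = (("192.168.0.7", 139, "tcp"), ("192.168.0.50", 139, "tcp"),
              ("192.168.0.50", 137, "udp"), ("192.168.0.50", 22, "tcp"))
    return {f"{s}:{d}/{p}": fw.verdict({"proto": p, "src": s, "dport": d}) for s, d, p in probes}
```

With the post #1 rules every tcp/139 client, the two allowed hosts included, hits one of the two negated DROP rules, while tcp/445 is untouched and falls to the ACCEPT policy; with the post #14 chain only the two listed hosts reach Samba and unrelated ports such as 22 still follow the policy.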
 
Old 09-29-2008, 03:50 AM   #15
bkcreddy17
Hi win32sux,
Wow this worked pretty well. Thank youuuuu........