| bioe007 |
07-12-2007 12:04 PM |
iptables: how do I allow samba connections?
hi all, I am learning too slowly iptables rules..
I used Alien Bob's rc.firewall generator (thanks AB!) and it works flawlessly for most things.
my trouble (i think) is with the udp rules. I'm trying to follow this tutorial but there is something I'm not getting.
I have added this to a very vanilla rc.firewall (as generated by above):
Code:
SAMBA_SERVER="XX.X.X.XX" # //ruach
NETWORK="XX.X.X.0/24"
BROADCAST="X.X.X.0"
# to the UDP inbound chain
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 137,138 -j ACCEPT
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 139,445 -j ACCEPT
# to the input chain
$IPT -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 137,138 -j ACCEPT
$IPT -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 139,445 -j ACCEPT
$IPT -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 -j ACCEPT
$IPT -A INPUT -p udp -d $SAMBA_SERVER -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d $SAMBA_SERVER -m multiport --dports 139,445 -j DROP
# to the output chain
$IPT -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
I can run the above from a script (rc.smbfwl) and 'findsmb' still sees the local samba server, but I can't make it work inside the rc.firewall script.
I am very _new_ and stupid at networking/firewalling etc. (feel free to point and laugh)
also if its useful, here is the whole rc.firewall script (with my modifications and removed some comments)
Code:
#!/bin/sh
#
###############################################################################
#
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
#!/bin/bash
SAMBA_SERVER="XX.X.X.15" # //ruach
NETWORK="XX.X.X.0/24" # Local area network
BROADCAST="XX.X.X.0" # Local area network Broadcast Address
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth0"
INET_WIFACE="wlan0"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."
# core netfilter module
/sbin/modprobe ip_tables
# the stateful connection tracking module
/sbin/modprobe ip_conntrack
# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp
# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp
# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc
###############################################################################
#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# for a detailed tutorial on sysctl and the various settings
# available.
# This enables dynamic address hacking.
# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
else
$SYSCTL net.ipv4.ip_dynaddr="1"
fi
# This enables SYN flood protection.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
# The following kernel settings were suggested by Alex Weeks. Thanks!
# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address. This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
# This option can be used to accept or refuse source routed
# packets. It is usually on by default, but is generally
# considered a security risk. This option turns it off.
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "Create and populate custom rule chains ..."
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
###############################################################################
#
# Populate User Chains
#
# bad_packets chain
#
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# By default, however, drop pings without logging. Blaster
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
# TCP & UDP
# Identify ports at:
# http://www.chebucto.ns.ca/~rakerman/port-table.html
# http://www.iana.org/assignments/port-numbers
# udp_inbound chain
#
# Drop netbios calls
# chatter from Windows systems.
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 137,138 -j ACCEPT
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 139,445 -j ACCEPT
#$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A OUTPUT -o lo -j ACCEPT
# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet. This explicitly
# allow the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# DOCSIS compliant cable modems
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_WIFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -p TCP -i $INET_WIFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_WIFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_WIFACE -j icmp_packets
# added 7-12-07
$IPT -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 137,138 -j ACCEPT
$IPT -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 139,445 -j ACCEPT
$IPT -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 -j ACCEPT
$IPT -A INPUT -p udp -d $SAMBA_SERVER -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d $SAMBA_SERVER -m multiport --dports 139,445 -j DROP
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
# Used if forwarding for a private network
###############################################################################
#
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_WIFACE -j ACCEPT
$IPT -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "OUTPUT packet died: "
thanks for looking! |
