LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 07-12-2007, 12:04 PM   #1
bioe007
Member
 
Registered: Apr 2006
Location: lynnwood, wa - usa
Distribution: archlinux
Posts: 654

Rep: Reputation: 30
iptables: how do I allow samba connections?


hi all, I am learning too slowly iptables rules..

I used Alien Bob's rc.firewall generator (thanks AB!) and it works flawlessly for most things.

my trouble (i think) is with the udp rules. I'm trying to follow this tutorial but there is something I'm not getting.

I have added this to a very vanilla rc.firewall (as generated by above):

Code:
SAMBA_SERVER="XX.X.X.XX" # //ruach
NETWORK="XX.X.X.0/24"    
BROADCAST="X.X.X.0" 

# to the UDP inbound chain
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 137,138 -j ACCEPT
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 139,445 -j ACCEPT

# to the input chain 
$IPT -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 137,138 -j ACCEPT
$IPT -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 139,445 -j ACCEPT
$IPT -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 -j ACCEPT
$IPT -A INPUT -p udp -d $SAMBA_SERVER -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d $SAMBA_SERVER -m multiport --dports 139,445 -j DROP

# to the output chain
$IPT -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
I can run the above from a script (rc.smbfwl) and 'findsmb' still sees the local samba server, but I can't make it work inside the rc.firewall script.

I am very _new_ and stupid at networking/firewalling etc. (feel free to point and laugh)

also if its useful, here is the whole rc.firewall script (with my modifications and removed some comments)
Code:
#!/bin/sh
#
###############################################################################
# 
# Local Settings
#

# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
#!/bin/bash
 
SAMBA_SERVER="XX.X.X.15"	# //ruach
NETWORK="XX.X.X.0/24"    	# Local area network
BROADCAST="XX.X.X.0" 		# Local area network Broadcast Address
 
SYSCTL="/sbin/sysctl -w" 

# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed

IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth0"
INET_WIFACE="wlan0"

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
	$IPTS > /etc/sysconfig/iptables
	echo "done"
	exit 0
elif [ "$1" = "restore" ]
then
	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
	$IPTR < /etc/sysconfig/iptables
	echo "done"
	exit 0
fi

###############################################################################
#
# Load Modules
#

echo "Loading kernel modules ..."

# core netfilter module
/sbin/modprobe ip_tables

# the stateful connection tracking module
/sbin/modprobe ip_conntrack

# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp

# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp

# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc


###############################################################################
#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# for a detailed tutorial on sysctl and the various settings
# available.

# This enables dynamic address hacking.
# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
else
    $SYSCTL net.ipv4.ip_dynaddr="1"
fi

# This enables SYN flood protection.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi


# The following kernel settings were suggested by Alex Weeks. Thanks!

# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address.  This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed
# packets.  It is usually on by default, but is generally
# considered a security risk.  This option turns it off.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi


###############################################################################
#
# Flush Any Existing Rules or Chains
#

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
	echo "Firewall completely flushed!  Now running with no firewall."
	exit 0
fi

###############################################################################
#
# Rules Configuration
#

###############################################################################
#
# Filter Table
#
###############################################################################

# Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.

echo "Create and populate custom rule chains ..."

# Create a chain to filter INVALID packets

$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound

###############################################################################
#
# Populate User Chains
#

# bad_packets chain
#

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# By default, however, drop pings without logging. Blaster
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
#    http://www.iana.org/assignments/port-numbers

# udp_inbound chain
#

# Drop netbios calls
# chatter from Windows systems.
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 137,138 -j ACCEPT
$IPT -A udp_indbound -p UDP -s $SAMBA_SERVER -d $NETWORK -m multiport --dports 139,445 -j ACCEPT

#$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A OUTPUT -o lo -j ACCEPT

# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet.  This explicitly
# allow the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway.  Use with care.  It defaults to none.
# It's applied on INPUT from the external or Internet interface.


# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#

echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_WIFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

$IPT -A INPUT -p TCP -i $INET_WIFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_WIFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_WIFACE -j icmp_packets

# added 7-12-07
$IPT -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 137,138 -j ACCEPT
$IPT -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 139,445 -j ACCEPT
$IPT -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 -j ACCEPT
$IPT -A INPUT -p udp -d $SAMBA_SERVER -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d $SAMBA_SERVER -m multiport --dports 139,445 -j DROP

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "

###############################################################################
#
# FORWARD Chain
#

echo "Process FORWARD chain ..."

# Used if forwarding for a private network


###############################################################################
#
# OUTPUT Chain
#

echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_WIFACE -j ACCEPT

$IPT -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "
thanks for looking!
 
Old 07-12-2007, 05:21 PM   #2
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 1,913

Rep: Reputation: Disabled
On the samba server, allow 445/tcp, 139/tcp, 137/udp, and 138/udp
 
Old 07-12-2007, 11:43 PM   #3
bioe007
Member
 
Registered: Apr 2006
Location: lynnwood, wa - usa
Distribution: archlinux
Posts: 654

Original Poster
Rep: Reputation: 30
Quote:
On the samba server, allow 445/tcp, 139/tcp, 137/udp, and 138/udp
thank you & i'm sorry.. I'm not sure where you mean for me to put that?

I will look around...
 
Old 07-13-2007, 12:01 AM   #4
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 1,913

Rep: Reputation: Disabled
http://iptables.rlworkman.net is a good iptables tutorial, and docs at netfilter.org are pretty decent too.
 
Old 07-13-2007, 12:58 AM   #5
Kahless
Member
 
Registered: Jul 2003
Location: Pennsylvainia
Distribution: Slackware / Debian / *Ubuntu / Opensuse / Solaris uname: Brian Cooney
Posts: 503

Rep: Reputation: 30
you have this

Code:
$IPT -A INPUT -p udp -d $SAMBA_SERVER -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d $SAMBA_SERVER -m multiport --dports 139,445 -j DROP

I dont know iptables well enough to know if the rest of the info in thoes rules is correct, but I know that you need to replace the DROP with ACCEPT
 
  


Reply

Tags
iptables, samba


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables - logging connections J4b0l Linux - Networking 5 11-01-2006 05:18 PM
need help with iptables and 2 net connections anthonysaulnier Linux - Security 7 01-28-2006 06:51 AM
iptables and VPN connections lucifercipher Linux - Networking 2 04-05-2005 09:43 AM
iptables rules to ask for password for new connections chingyenccy Linux - Newbie 1 02-25-2005 02:50 PM
Firewall - iptables - ftp connections cubee Linux - Security 22 01-29-2004 10:12 AM


All times are GMT -5. The time now is 05:12 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration