LinuxQuestions.org, Linux - Networking forum
Post #1, Erebus Bat, 08-03-2004, 11:46 AM
Blocking Machines From Samba with IPTables


Hello All.

I have an MP3 machine (10.0.10.81) that has a working Samba configuration for sharing its files. I however do not want everyone and their brother to have access to this machine. I know that I could use Samba permissions, but I am attempting to learn iptables, so I was trying to stop the packet requests in that manner. I feel that I understand the command in the respect that I know what all the switches mean and why they are there.

I have set up an rc.firewall script on the MP3 box (Slack 10) that is completely customized. For stop it changes the default policy on I/O/F to ACCEPT and then flushes all the rules for the three. For start it changes the default policy to DROP for the three and then issues these commands to attempt to block 10.0.10.110 from the Samba ports:

Code:
iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139 -j REJECT
iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j REJECT
I have attempted including port 445 and all of those ports on both protocols to no avail. I think it has something to do with ports > 1024 as mentioned in thread #195407 (sorry, can't post URLs). Everything that I have searched on is ALLOWING Samba through the firewall. I am worried because to me (especially with the default drop) it looks like this should not be allowing me access, which makes me wonder what I might have missed in my other firewall rules on my other boxes. The only thing worse than no sense of security is a false sense.

I am testing from a Win XP Pro box running Winamp. I do a /etc/rc.d/rc.firewall restart and then attempt to switch the songs, and I still have music. I have verified the IP address of this machine several times; it is 110.

Thank you in advance.
 
Post #2, Capt_Caveman, 08-03-2004, 07:41 PM
What does the rest of your firewall script look like? From what you've posted (all default policies of DROP and the 2 rules rejecting SMB traffic) nothing at all should get in or out of the box (you haven't allowed anything). I'm guessing that you have other rules that are allowing traffic? If you could post them or even better yet, post the output of iptables -vnL. Make sure to remove any public IPs.
 
Post #3, Demonbane, 08-03-2004, 10:36 PM
If the default policy on INPUT is DROP then you shouldn't need to specify that rule.
Try getting rid of all rules and just have the default policy on DROP, and see if your XP box can still connect.
 
Post #4, Erebus Bat (original poster), 08-03-2004, 11:12 PM
Capt_Caveman: Yes, you are correct, I have other rules. Specifically SSH.

Demonbane: I cannot disable all rules and set up REJECT policies at this time because the machine is in my office and I am VPNed in. I will attempt this tomorrow morning.

Here are my iptables rules:
Code:
{root@zorin}:[/etc/rc.d]$ iptables -vnL
Chain INPUT (policy DROP 7 packets, 1022 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       10.0.10.110          0.0.0.0/0           multiport dports 139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       10.0.10.110          0.0.0.0/0           multiport dports 137,138 reject-with icmp-port-unreachable
    8   696 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   10   616 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1   112 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
{root@zorin}:[/etc/rc.d]$
After examining this (I had not run it before) I am guessing that it has to do with the ESTABLISHED,RELATED rule. This rule was put in at the suggestion of a website: if the packet has already been approved, then do not waste cycles examining it again. I had initially thought this and moved my MP3 rules before this in the script. Am I incorrect in assuming that the first rule matched is applied?
 
Post #5, Capt_Caveman, 08-04-2004, 07:47 AM
Looking at the output, it does appear that the traffic is being allowed by the ESTABLISHED,RELATED rule. You should be able to block SMB traffic to that host if you have rules to reject traffic to both tcp ports 139 and 445. The order of the rules is very important, with rules being applied from top to bottom. So you'll have to add the rule somewhere above the ESTABLISHED,RELATED one. Try doing:

iptables -I INPUT -p tcp --dport 445 -s 10.0.10.110 -j REJECT

If that doesn't work, try adding a log rule just above the ESTABLISHED,RELATED line and see if there is something about the packets that you're missing.
 
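The rule-ordering point made in the two posts above, and the allowlist design the thread ends with, as an added example that is not code from the thread or from iptables itself: a small Python model of first-match evaluation on the INPUT chain with a minimal conntrack table. Since flushing iptables rules does not empty the kernel's conntrack table, an SMB session the Win XP box opened before the firewall restart is still ESTABLISHED afterwards and is accepted by the ESTABLISHED,RELATED rule unless a REJECT for both tcp/139 and tcp/445 sits above it. The host addresses and ports come from the thread; LAPTOP, the source ports and the conntrack entry are constructed values.

```python
"""Model of iptables first-match evaluation on the INPUT chain with a minimal
conntrack table. Illustrative code added to this page, not from the thread or
from iptables: it shows why a REJECT below ESTABLISHED,RELATED does not stop an
SMB session that is already open, and why port 445 must be covered.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

WINXP = "10.0.10.110"    # host the thread tries to block (from the thread)
LAPTOP = "10.0.10.50"    # assumed: a host that should keep SMB access
SMB_TCP = frozenset({139, 445})
SMB_UDP = frozenset({137, 138})


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                           # ACCEPT, REJECT or DROP
    proto: Optional[str] = None           # None: any protocol
    src: Optional[str] = None             # None: any source
    dports: FrozenSet[int] = frozenset()  # empty: any destination port
    states: FrozenSet[str] = frozenset()  # empty: any conntrack state

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or pkt.src == self.src)
                and (not self.dports or pkt.dport in self.dports)
                and (not self.states or state in self.states))


class Chain:
    """First matching rule wins; the chain policy applies if none matches."""

    def __init__(self, policy: str, rules, conntrack=()):
        self.policy = policy
        self.rules = list(rules)
        # Flows already seen, keyed like conntrack: (proto, src, sport, dport).
        # Flushing rules does not clear this table, so a session opened before
        # the firewall restart is still ESTABLISHED afterwards.
        self.conntrack = set(conntrack)

    def state_of(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        return "ESTABLISHED" if key in self.conntrack else "NEW"

    def verdict(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        for rule in self.rules:
            if rule.matches(pkt, state):
                return rule.target
        return self.policy


ESTABLISHED = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
SSH = Rule("ACCEPT", proto="tcp", dports=frozenset({22}), states=frozenset({"NEW"}))


def thread_rules():
    """INPUT chain as shown by iptables -vnL in the thread (lo rule omitted)."""
    return [
        Rule("REJECT", proto="tcp", src=WINXP, dports=frozenset({139})),
        Rule("REJECT", proto="udp", src=WINXP, dports=SMB_UDP),
        ESTABLISHED,
        SSH,
    ]


def fixed_block_rules():
    """Same chain after an `iptables -I INPUT ...`: the REJECT covers 139 and
    445 and sits above ESTABLISHED,RELATED, so it is evaluated first."""
    return [Rule("REJECT", proto="tcp", src=WINXP, dports=SMB_TCP)] + thread_rules()


def allowlist_rules(allowed):
    """The thread's final design: only listed hosts may open SMB sessions;
    everyone else falls through to the DROP policy, so no REJECT is needed."""
    rules = [Rule("ACCEPT", proto="tcp", src=h, dports=SMB_TCP) for h in allowed]
    rules += [Rule("ACCEPT", proto="udp", src=h, dports=SMB_UDP) for h in allowed]
    return rules + [ESTABLISHED, SSH]


def simulate() -> dict:
    # Constructed scenario: Win XP opened an SMB session to port 445 before
    # the firewall restart, so conntrack already knows the flow.
    open_session = Packet("tcp", WINXP, 1038, 445)
    ct = {("tcp", WINXP, 1038, 445)}
    new_smb = Packet("tcp", WINXP, 1041, 445)       # fresh SYN, new source port
    allow = allowlist_rules([LAPTOP])
    return {
        "thread_open_session": Chain("DROP", thread_rules(), ct).verdict(open_session),
        "thread_new_445": Chain("DROP", thread_rules(), ct).verdict(new_smb),
        "thread_new_139": Chain("DROP", thread_rules(), ct).verdict(Packet("tcp", WINXP, 1042, 139)),
        "fixed_open_session": Chain("DROP", fixed_block_rules(), ct).verdict(open_session),
        "allow_laptop_445": Chain("DROP", allow, ct).verdict(Packet("tcp", LAPTOP, 2000, 445)),
        "allow_winxp_445": Chain("DROP", allow, ct).verdict(new_smb),
        "allow_winxp_ssh": Chain("DROP", allow, ct).verdict(Packet("tcp", WINXP, 2001, 22)),
    }


if __name__ == "__main__":
    for case, verdict in simulate().items():
        print(f"{case:22} -> {verdict}")
```

The first case is the thread's symptom: the data packets of the already-open session match ESTABLISHED,RELATED and are accepted, while a brand-new SYN to 445 would already be dropped by the policy. Inserting the 139,445 REJECT at the top turns the open session's packets into REJECTs. On a real box the same effect can be checked with `iptables -vnL` by watching which rule's packet counter increments.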
Post #6, Erebus Bat (original poster), 08-04-2004, 09:54 AM
Capt_Caveman:

Yes, it was indeed the ESTABLISHED,RELATED line. However, it was below the Samba blocks as expected. However, my current Samba blocks have no mention of port 445, so that may have something to do with it:
Code:
iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139 -j REJECT
iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j REJECT
But if I disable the EST,RLTD rules completely and use the two rules above, then I can cut my music off. However, here is a strange thing I just realized: I was using REJECT rules with my laptop IP (which will actually have access when I am done) to test this, but my default policy is DROP, so these REJECT rules should have no effect, correct? I will post the relevant parts of my rc.firewall and add some logging to see what is going on.

Thank you for all your help.

rc.firewall (header and case statements trimmed):

Code:
IF_WAN=eth1	#Internet interface
IF_LAN=eth0	#LAN Interface
IF_LOOP=lo	#Local Loopback interface

stop() {
	echo "IPTABLES: Setting default chain policies (ACCEPT) ..."
	iptables --policy INPUT   ACCEPT
	iptables --policy OUTPUT  ACCEPT
	iptables --policy FORWARD ACCEPT
	
	echo "IPTABLES: Flushing all firewall rules..."
	## Flush all rules
	iptables --flush INPUT
	iptables --flush OUTPUT
	iptables --flush FORWARD
}

start() {	
	echo "IPTABLES: Enabling firewall rules ..."	
	## Set the default policies to DROP.
	iptables --policy INPUT   DROP
	iptables --policy OUTPUT  DROP
	iptables --policy FORWARD DROP

	## Unlimited traffic on the loopback interface.
	## Do immediately in case of firewall script errors.
	iptables -A INPUT   -i $IF_LOOP -j ACCEPT
	iptables -A OUTPUT  -o $IF_LOOP -j ACCEPT
	
	##Allow all outgoing service requests
	iptables -A OUTPUT -j ACCEPT

	##Allow SSH connections from any interface
	#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
	iptables -A INPUT -p tcp --dport 22 -j ACCEPT
	
	##Allow Samba (137-139 & 445) connections from Andrew
	iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139 -j REJECT
	iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j REJECT
}
I should also note that when I was testing this morning the Samba rules WERE above the "allow all outgoing service requests" line. I also had to modify my SSH rule once I got rid of the est,rltd rule, as I cut myself off.

EDIT: You were correct, I also needed to add 445 to the TCP ports. And the DROP policy was indeed working. Here are my modified rules for any others that are interested:

Code:
iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139,445 -j ACCEPT
iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j ACCEPT
Thank you again for all your help Capt_Caveman!

Last edited by Erebus Bat; 08-04-2004 at 10:02 AM.
 
Post #7, Capt_Caveman, 08-04-2004, 11:41 AM
I thought you were trying to block traffic to the Samba ports from that IP. Those two rules are allowing it.

Last edited by Capt_Caveman; 08-04-2004 at 11:43 AM.
 
Post #8, Erebus Bat (original poster), 08-04-2004, 02:13 PM
Actually, I had them set to REJECT to test that the correct filters were being applied (ports, IP, etc.). I am actually blocking the machine from everyone except two machines for Samba (4 rules total), which is a good thing, or else I would not have caught the RELATED / port 445 loophole. Like I said in my first post, the only thing worse than no security is a false sense. I wanted to be positive that it was working.