LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-03-2004, 12:46 PM   #1
Erebus Bat
LQ Newbie
 
Registered: Jul 2004
Distribution: Ubuntu 10.04 (Lucid)
Posts: 25

Rep: Reputation: 15
Blocking Machines From Samba with IPTables


Hello All.

I have a MP3 machine (10.0.10.81) that has a working Samba configuration for sharing it's files. I however do not want everyone and their brother to have access to this machine. I know that I could use Samaba permissions but I am attempting to learn IP tables so I was trying to stop the packet requests in that manner. I feel that I understand the command in the respect that I know what all the switches mean and why they are there.

I have setup a rc.firewall script on the MP3 box (slack 10) that is completely customized. For stop it changes the default policy on I/O/F to ACCEPT and then flushes all the rules for the three. For start it changes the defualt pollicy to DROP for the three and then issues these commands to attempt to block 10.0.10.110 from the samba ports:

Code:
iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139 -j REJECT
iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j REJECT
I have attempted including port 445 and all of those ports on both protocols to no avail. I think it has something to do with ports > 1024 as mentioned in thread #195407 (Sorry, can't post URLs ). Everything that I have searched on is ALLOWING samaba through the firewall. I am worried because to me (especialy with the default drop) it looks like this should not be allowing me access. Which makes me wonder what I might have missed in my other firewall rules on my other boxes. The only thing worse than no sense of security is a false sense.

I am testing from a Win XP Pro box running winamp, I do a /etc/rc.d/rc.firewall restart and then attempt to switch the songs, I still have music . I have verified the IP address of this machine several times it is 110.

Thank you in advance.
 
Old 08-03-2004, 08:41 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
What does the rest of your firewall script look like? From what you've posted (all default policies of DROP and the 2 rules rejecting SMB traffic) nothing at all should get in or out of the box (you haven't allowed anything). I'm guessing that you have other rules that are allowing traffic? If you could post them or even better yet, post the output of iptables -vnL. Make sure to remove any public IPs.
 
Old 08-03-2004, 11:36 PM   #3
Demonbane
LQ Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
If the default policy on INPUT is DROP then you shouldn't need to specify that rule.
Try get rid of all rules and just have the default policy on DROP and see if your xp box can still connect.
 
Old 08-04-2004, 12:12 AM   #4
Erebus Bat
LQ Newbie
 
Registered: Jul 2004
Distribution: Ubuntu 10.04 (Lucid)
Posts: 25

Original Poster
Rep: Reputation: 15
Capt_Caveman: Yes you are correct I have other rules. Specificly SSH.

Demonbane: I can not disable all rules and setup REJECT policies at this time because the machine is in my office and I am VPNed in. I will attempt this tomarrow morning.

Here are my iptable rules:
Code:
{root@zorin}:[/etc/rc.d]$ iptables -vnL
Chain INPUT (policy DROP 7 packets, 1022 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       10.0.10.110          0.0.0.0/0           multiport dports 139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       10.0.10.110          0.0.0.0/0           multiport dports 137,138 reject-with icmp-port-unreachable
    8   696 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   10   616 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1   112 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
{root@zorin}:[/etc/rc.d]$
After examining this (I had not ran it before ) I am guessing that it has to do with the ESTABLISHED, RELATED rule. This rule was put in at the suggestion of a website that if the packet has already been approved then to not waste cycles examining it again. I had initaly thought this and moved my MP3 rules before this in the script, am I incorrect in assuming that the first rule matched is applied ?
 
Old 08-04-2004, 08:47 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Looking at the output, it does appear that the traffic is being allowed by the ESTABLISHED,RELATED rule. You should be able to block SMB traffic to that host if you have rules to reject traffic to both tcp ports 139 and 445. The order of the rules is very important, with rules being applied from top to bottom. So you'll have to add the rule somewhere above the ESTABLISHED,RELATED one. Try doing:

iptables -I INPUT -p tcp --dport 445 -s 10.0.10.110 -j REJECT

If that doesn't work, try adding a log rule just above the ESTABLISHED,RELATED line and see if there is something about the packets that your missing.
 
Old 08-04-2004, 10:54 AM   #6
Erebus Bat
LQ Newbie
 
Registered: Jul 2004
Distribution: Ubuntu 10.04 (Lucid)
Posts: 25

Original Poster
Rep: Reputation: 15
Capt_Caveman:

Yes it was indeed the ESTABLISHED,RELATED line. However it was below the Samba blocks as excepted. However my current samba blocks have no mention of port 445 so that may have something to do with it:
Code:
iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139 -j REJECT
iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j REJECT
But if I disable the EST,RLTD rules completely and use the two rules above then I can cut my music off. However here is a strange thing I just realized, I was using REJECT rules with My laptop IP (which will actually have access when I am done) to test this, but my default policy is drop so these reject rules should have no effect correct ? I will post the relevent parts of mt rc.firewall and add some logging to see what is going on.

Thank you for all your help.

rc.firewall: (Header & case statements trimed):

Code:
IF_WAN=eth1	#Internet interface
IF_LAN=eth0	#LAN Interface
IF_LOOP=lo	#Local Loopback interface

stop() {
	echo "IPTABLES: Setting default chain polcies (ACCEPT) ..."
	iptables --policy INPUT   ACCEPT
	iptables --policy OUTPUT  ACCEPT
	iptables --policy FORWARD ACCEPT
	
	echo "IPTABLES: Flushing all firewall rules..."
	## Flush all rules
	iptables --flush INPUT
	iptables --flush OUTPUT
	iptables --flush FORWARD
}

start() {	
	echo "IPTABLES: Enabling firewall rules ..."	
	## Set the default policies to DROP.
	iptables --policy INPUT   DROP
	iptables --policy OUTPUT  DROP
	iptables --policy FORWARD DROP

	## Unlimited traffic on the loopback interface.
	## Do immediately in case of firewall script errors.
	iptables -A INPUT   -i $IF_LOOP -j ACCEPT
	iptables -A OUTPUT  -o $IF_LOOP -j ACCEPT
	
	##Allow all outgoing service requests
	iptables -A OUTPUT -j ACCEPT

	##Allow SSH connections from any interface
	#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
	iptables -A INPUT -p tcp --dport 22 -j ACCEPT
	
	##Allow Samba (137-139 & 445) Connectections From Andrew
	iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139 -j REJECT
	iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j REJECT
}
I should also note that when I was testing this morning the samba rules WERE above the allow all outgoing service requests line. I also had to modify my SSH rule once I got rid of the est,rltd rule as I cut myself off .

EDIT: You were correct I also needed to add 445 to the tcp ports. And the drop policy was indeed working. Here are my moddified rules for any others that are interested:

Code:
iptables -A INPUT -s 10.0.10.110 -m multiport -p tcp --dports 139,445 -j ACCEPT
iptables -A INPUT -s 10.0.10.110 -m multiport -p udp --dports 137,138 -j ACCEPT
Thank you again for all your help Capt_Caveman!

Last edited by Erebus Bat; 08-04-2004 at 11:02 AM.
 
Old 08-04-2004, 12:41 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I thought you were trying to block traffic to the Samba ports from that IP Those two rules are allowing it.

Last edited by Capt_Caveman; 08-04-2004 at 12:43 PM.
 
Old 08-04-2004, 03:13 PM   #8
Erebus Bat
LQ Newbie
 
Registered: Jul 2004
Distribution: Ubuntu 10.04 (Lucid)
Posts: 25

Original Poster
Rep: Reputation: 15
Actually I had them set to reject to test that the correct filters were being applied (ports, ip, etc). I am actually blocking the machine from everyone except two machines to samaba (4 rules total). Which is a good thing or else I would have not cought the RELATED, port 445 loophole. Like I said in my first post the only thing worse than no security is a false sense. I wanted to be positive that it was working,
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
blocking an IP using iptables picox Linux - Security 7 12-10-2010 03:00 PM
iptables blocking samba connection to WinXP QClown Linux - Networking 15 01-30-2005 05:01 PM
Blocking squid through iptables jomy Linux - Networking 1 12-20-2004 10:24 AM
fedora c2; iptables blocking samba??? help GrumpyGnome Linux - Networking 2 07-03-2004 12:12 PM
blocking MSN using iptables? systemgsr Linux - Networking 16 09-04-2003 12:59 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration