Old 01-19-2004, 01:15 PM   #1
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Rep: Reputation: 30
Firewall, NMDB, Ports


I have a question about the following setup:

I have a Dell Latitude D600 notebook which I use for business school. The Dell runs Red Hat 9.0. At home I have the Dell networked to my Apple iBook G4 via Linksys Ethernet router.

I have just gotten Samba set up on the Dell such that the Apple can mount its shares. This is a huge benefit to me since I have a sync program on the Apple that synchronizes my school files from the Dell to the Apple for backup.

I have only been able to get the Apple to connect to the Dell as a Samba share by disabling Red Hat's firewall. Obviously I can't take the Dell on campus with the firewall off, so here are my questions:

Which ports need to be on for NMDB, etc to allow the Apple to mount the Dell's shares? How can I modify the Dell's firewall settings to open these ports while allowing the others to stay closed? Would I still be safe logging onto a Windows network on campus in this state?

Or is it better to simply turn off the Dell's firewall when I'm home since I am behind the Linksys Ethernet router's firewall? That option makes me nervous as well.

Can a shell script be written to quickly turn on and off the ports I need so the process can be made quicker? Or could I create different runlevels (one for school, one for home) which would have different firewall settings?

Thanks!

Rich Hoyer
Dell Latitude D600
Red Hat 9.0
Apple iBook G4
OS X 10.3
 
Old 01-19-2004, 01:44 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
The ports you need to open are:
udp\137
udp\138
tcp\139
 
Old 01-19-2004, 02:11 PM   #3
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Original Poster
Rep: Reputation: 30
Command line?

Thanks! Can this be done via the command line or via a shell script?
 
Old 01-19-2004, 02:15 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Yes sure. You just need to fit it into your existing iptables rules. Something like this should work:
iptables -A INPUT -p udp --dport 137 -j ACCPET
iptables -A INPUT -p udp --dport 138 -j ACCPET
iptables -A INPUT -p tcp --dport 139 -j ACCPET
 
Old 01-19-2004, 02:24 PM   #5
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Original Poster
Rep: Reputation: 30
Super

Hey thanks a ton! And what about syntax to shut them off again when I leave home and go back on campus? I'd just like to have two shell scripts that I run real quick when I come home and then leave.

Sorry for all the questions - the campus network is hardly friendly territory re security.

Out of curiosity, would I be safe if I just turned the Linux firewall off so long as I'm behind my Ethernet router/firewall at home? Could I still surf the net safely like that, or is it a stupid idea?
 
Old 01-19-2004, 02:27 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
To delete just swap "-A" for "-D":
man iptables
iptables -h

If you are on a trusted LAN at home then you are probably quite safe to have the firewall turned off.
 
Old 01-19-2004, 02:34 PM   #7
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Original Poster
Rep: Reputation: 30
Thanks again

I sure appreciate your time. Pretty cool to be able to learn all this stuff.

Isn't it kind of scary that all my classmates are on that network with Windows machines where the default is to have the firewall off to begin with? Jeez, even if I forgot my firewall off I will always kill Samba when I leave home. The default Windows configuration is leaving home with Samba on and the firewall off, isn't it?
 
Old 01-19-2004, 02:38 PM   #8
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
That's Windows for you. One of the reasons that viruses spread so easily over networks. Bugbear and Sircam were both notorious for this.
 
Old 01-19-2004, 02:48 PM   #9
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Original Poster
Rep: Reputation: 30
Problem

Shell script failed using exactly the commands you listed - it said there was no such command. But I did not add -t and the exact location of the iptables - was that my mistake? Where are the tables usually located?
 
Old 01-19-2004, 02:51 PM   #10
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Make sure you run the script as root. To find out where iptables is:
whereis iptables

It is usually:
/sbin/iptables
 
Old 01-19-2004, 02:56 PM   #11
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Original Poster
Rep: Reputation: 30
Strangest thing. I found iptables and appended with -t /sbin/iptables

but bash still returns 'iptables: command not found'

Here is the exact syntax of the shell script (verbatim):

#!/bin/bash

iptables -t /sbin/iptables -A INPUT -p udp --dport 137 -j ACCPET
iptables -t /sbin/iptables -A INPUT -p udp --dport 138 -j ACCPET
iptables -t /sbin/iptables -A INPUT -p udp --dport 139 -j ACCPET

/sbin/service smb start
 
Old 01-19-2004, 03:08 PM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
ACCPET???
 
Old 01-19-2004, 03:09 PM   #13
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
I really can't see how that is going to work - it has also just been pointed out to me that I made a typo - try:
Code:
#!/bin/bash

/sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT

/sbin/service smb start
 
Old 01-19-2004, 03:23 PM   #14
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Original Poster
Rep: Reputation: 30
Can't see how the idea of the shell script will work you mean? I thought I'd write one shell script that opened the relevant ports, then started Samba and then a second that shut off Samba and closed those ports again. Perhaps I am overthinking things?

It looks to me from the errors I'm getting like I need to specify a specific table for the iptables command to append. But I'm not sure which one to specify.
 
Old 01-19-2004, 03:33 PM   #15
jeopardyracing
Member
 
Registered: Sep 2003
Posts: 175

Original Poster
Rep: Reputation: 30
Actually, no errors coming up now...might have worked! Let me see if the Apple can see the shares now....
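
Added example, not part of the thread and not any poster's script: the home/campus toggle discussed above as a single script that opens udp/137, udp/138 and tcp/139 only to the home LAN and removes the rules again on the way out. The `LAN_SUBNET` default, the `home`/`campus` mode names and the function names `plan` and `run` are assumptions made for this illustration.

```shell
#!/bin/bash
# Added example, not from the thread.
# LAN_SUBNET is an assumed home range; set it to what your router hands out.
IPT=/sbin/iptables
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
PORTS="udp:137 udp:138 tcp:139"   # the ports listed in post #2

# Print, one per line, the commands for a mode: home | campus.
plan() {
    mode="$1"
    case "$mode" in home|campus) ;; *) return 2 ;; esac
    if [ "$mode" = campus ]; then echo "/sbin/service smb stop"; fi
    for pp in $PORTS; do
        spec="INPUT -s $LAN_SUBNET -p ${pp%%:*} --dport ${pp##*:} -j ACCEPT"
        # Delete first in both modes so repeated runs never stack duplicates.
        echo "$IPT -D $spec"
        # -I puts the rule at the top of INPUT; a rule appended with -A
        # behind an existing REJECT/DROP rule would never be reached.
        if [ "$mode" = home ]; then echo "$IPT -I $spec"; fi
    done
    if [ "$mode" = home ]; then echo "/sbin/service smb start"; fi
    return 0
}

# Execute the plan. A failed -D only means the rule was not there.
run() {
    plan "$1" | while read -r cmd; do
        echo "+ $cmd"
        case "$cmd" in
            *" -D "*) $cmd </dev/null 2>/dev/null || true ;;
            *)        $cmd </dev/null ;;
        esac
    done
}

# Runs only when a mode is given, e.g. as root:  ./samba-fw.sh home
if [ $# -gt 0 ]; then
    plan "$1" >/dev/null || { echo "usage: $0 home|campus" >&2; exit 2; }
    run "$1"
fi
```

Because the rules match on source address, forgetting to run the `campus` mode still leaves the ports closed to hosts outside the home range.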
 