LinuxQuestions.org

Linux - Networking: how to block netbios broadcasts (https://www.linuxquestions.org/questions/linux-networking-3/how-to-block-netbios-broadcasts-836947/)

tincboy 10-08-2010 08:15 AM

how to block netbios broadcasts
 
Hello,
I have a server in a European data center.
My server is receiving a lot of UDP NetBIOS broadcast packets (I've sniffed them via tcpdump).

I've blocked the sender IP via iptables, but tcpdump still shows the packets being received.

An example tcpdump output:
16:35:25.829592 IP SENDER-IP.netbios-ns > MY-SERVER-IP.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

How can I block those broadcast packets?

MensaWater 10-08-2010 12:59 PM

Are you doing a "DROP" in the iptables rule? You'll still see the traffic but should also see it DROPped. When I had to do similar for stuff hitting my DNS server I could still see it in tcpdump but could also see it was never getting to DNS after being dropped by iptables.

jefro 10-08-2010 04:08 PM

You should actually block all that you don't need, or only allow what you need. NetBIOS should use a port, but you block all UDP that you don't use. Not sure what UDP you'd normally want. Usually only port 80 TCP would be open, maybe SSH ports or VPN ports.

tincboy 10-09-2010 02:21 AM

Quote:

Originally Posted by jefro (Post 4121848)
You should actually block all that you don't need, or only allow what you need. NetBIOS should use a port, but you block all UDP that you don't use. Not sure what UDP you'd normally want. Usually only port 80 TCP would be open, maybe SSH ports or VPN ports.

I've heard that the iptables can't block broadcast packets.
Do you know a way to block them all?

ganesh24pal@gmail.com 10-09-2010 02:33 AM

Hi

You should actually block all that you don't need, or only allow what you need. You can do this in iptables (firewall level).

paulsm4 10-09-2010 02:45 AM

Hi -

I'm not necessarily sure you *want* to block NetBIOS, at least not within your local LAN. For better or worse, it's often important for coexisting with Windows. For example, you might need NetBIOS in order to share disks or printers between Windows and Linux hosts.

HOWEVER:

If you really want to block it with iptables, it's easy. Just set up rules for the following ports:
Code:

- netbios-ns     137 tcp 137 udp
- netbios-dgm            139 udp
- netbios-ssn    138 tcp 138 udp
- microsoft-ds   445 tcp 445 udp
- wins           137 tcp 137 udp

You could also try something like this:
Code:

iptables -I INPUT -m pkttype --pkt-type broadcast -j DROP

jefro 10-10-2010 03:48 PM

More examples. http://www.cyberciti.biz/tips/linux-...e-port-53.html

kaushalpatel1982 10-10-2010 10:14 PM

You are right. We cannot control broadcast packets reaching the NIC, but yes, we can drop the packets with iptables. The packets that you see are the packets you received on your interface, raw. You must check your iptables rules to see whether you are dropping packets or not.

You can check that with:

iptables -nvx -t table-name -L

This will show you the rules prefixed with the packet count and data transfer.
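As an added example (not code posted in this thread), the counter check described in the post above done programmatically: a parser for `iptables -nvx -L INPUT` output that reports the packet counters of the DROP rules covering the NetBIOS ports and the broadcast packet type, so a rule that is present but never matches (counter still zero) stands out. The listing embedded in the script is a constructed sample, not output from a real host.

```python
import re
import sys

# Constructed sample of `iptables -nvx -L INPUT` output (-x = exact counters); not from a real host.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 104523 packets, 9832211 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   18344    1430832 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
       0          0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
       0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
     412      24720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    9921     712233 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

# Ports from paulsm4's list above: netbios-ns/dgm/ssn and microsoft-ds.
NETBIOS_PORTS = {"137", "138", "139", "445"}

def parse_iptables_list(text):
    """Return (pkts, bytes, target, prot, match) per rule line; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split(None, 9)  # 9 fixed columns, then free-form match text
        if len(fields) < 9 or not fields[0].isdigit():
            continue  # 'Chain ...' line or the column header
        match = fields[9] if len(fields) > 9 else ""
        rules.append((int(fields[0]), int(fields[1]), fields[2], fields[3], match))
    return rules

def netbios_drop_report(rules):
    """Map each DROP rule aimed at a NetBIOS port or at broadcast packets (the
    `-m pkttype --pkt-type broadcast` rule lists as 'PKTTYPE = broadcast') to its counter."""
    report = {}
    for pkts, _nbytes, target, _prot, match in rules:
        port = re.search(r"dpt:(\d+)", match)
        hits_netbios = bool(port) and port.group(1) in NETBIOS_PORTS
        if target == "DROP" and (hits_netbios or "PKTTYPE = broadcast" in match):
            report[match] = pkts
    return report

def idle_drop_rules(report):
    """Rules present in the chain whose counter is still zero: they never matched."""
    return sorted(k for k, v in report.items() if v == 0)

if __name__ == "__main__":
    # Real use: `iptables -nvx -L INPUT | python3 nbt_check.py`; otherwise the sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = netbios_drop_report(parse_iptables_list(text))
    print(report)
    print("never-matched rules:", idle_drop_rules(report) or "none")
```

If the broadcast DROP rule sits in the FORWARD chain instead, list that chain; the counters of a rule in the wrong chain stay at zero no matter how much traffic tcpdump shows.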

tincboy 10-11-2010 02:37 AM

Quote:

Originally Posted by kaushalpatel1982 (Post 4123396)
You are right. We cannot control broadcast packets reaching the NIC, but yes, we can drop the packets with iptables. The packets that you see are the packets you received on your interface, raw. You must check your iptables rules to see whether you are dropping packets or not.

You can check that with:

iptables -nvx -t table-name -L

This will show you the rules prefixed with the packet count and data transfer.

Thanks, you are right.
I've successfully dropped broadcast packets by adding a proper rule to the forwarding rules.

