how to block netbios broadcasts

tincboy · 10-08-2010, 08:15 AM

Hello,
I've a server in an European data center,
My server is receiving a lot of UDP Netbios Boradcast packets (I've sniffed them via tcpdump )

I've block the sender IP via iptables but tcpdump again shows the packets that are receiving.

an example tcpdump output
16:35:25.829592 IP SENDER-IP.netbios-ns > MY-SERVER-IP.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

How can I block those broadcast packets?

MensaWater · 10-08-2010, 12:59 PM

Are you doing a "DROP" in the iptables rule? You'll still see the traffic but should also see it DROPped. When I had to do similar for stuff hitting my DNS server I could still see it in tcpdump but could also see it was never getting to DNS after being dropped by iptables.

jefro · 10-08-2010, 04:08 PM

You should actually block all that you don't need or only allow what you need. nebios should use a port but you block all udp that you don't use. Not sure what udp you'd normally want. Usually only port 80 tcp would be open maybe ssh ports or vpn ports.

tincboy · 10-09-2010, 02:21 AM

Quote:

Originally Posted by jefro

You should actually block all that you don't need or only allow what you need. nebios should use a port but you block all udp that you don't use. Not sure what udp you'd normally want. Usually only port 80 tcp would be open maybe ssh ports or vpn ports.

I've heard that the iptables can't block broadcast packets.
Do you know a way to block them all?

ganesh24pal@gmail.com · 10-09-2010, 02:33 AM

Hi

You should actually block all that you don't need or only allow what you need.you can do this in iptables(Firewall level).

paulsm4 · 10-09-2010, 02:45 AM

Hi -

I'm not necessarily sure you *want* to block NetBIOS, at least not within your local LAN. For better or worse, it's often an important for coexisting with Windows. For example, you might need NetBIOS in order to share disks or printers between Windows and Linux hosts.

HOWEVER:

If you really want to block it with iptables, it's easy. Just set up rules for the following ports:

Code:

- netbios-n       137 tcp 137 udp
- netbios-dgm             139 udp
- netbios-ssn     138 tcp 138 udp
- microsoft-ds    445 tcp 445 udp
- wins            137 tcp 137 udp

You could also try something like this:

Code:

iptables -I INPUT -m pkttype --pkt-type broadcast -j DROP

jefro · 10-10-2010, 03:48 PM

More examples. http://www.cyberciti.biz/tips/linux-...e-port-53.html

kaushalpatel1982 · 10-10-2010, 10:14 PM

You are right. We can not control broadcast packet to reach to the NIC, But yes we can drop the packets by IPTables. The Packets that you see is the packets you received on your interface in raw. You must check your iptables rules whether you are dropping packets or not.

You can check that by

iptables -nvx -t table-name -L

This will show you the rules prefixed with the packet count and data transfer.

tincboy · 10-11-2010, 02:37 AM

Quote:

Originally Posted by kaushalpatel1982

You are right. We can not control broadcast packet to reach to the NIC, But yes we can drop the packets by IPTables. The Packets that you see is the packets you received on your interface in raw. You must check your iptables rules whether you are dropping packets or not.

You can check that by

iptables -nvx -t table-name -L

This will show you the rules prefixed with the packet count and data transfer.

Thanks, you are right.
I've successfully dropped broadcast packets by adding proper rule in forwarding rule.