LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Post #16, 08-25-2010, 09:57 PM, by dschuett (Original Poster)
Quote, originally posted by dschuett:
I found out that it was always at the samba rules that it took forever to display. As far as the ssh issue, as soon as I added the line below, it fixed it and now connects at pretty normal speed:

#allow established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Without that I couldn't even ping Google from the router, but I could get to the internet from the client machines??? But that was definitely what was hanging it up.

Another question I have is, what rule in my iptables is allowing me to connect to my samba share on that machine? I can connect even after flushing rules and I have all my samba rules commented out???

Here is my iptables -vnL:

Chain INPUT (policy DROP 2645 packets, 179K bytes)
pkts bytes target prot opt in out source destination
1570 209K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:3306
1067 105K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900
12 588 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2020
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27015 4272K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
41771 51M ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW

Chain OUTPUT (policy ACCEPT 1875 packets, 333K bytes)


Thanks again!
Wait... would I even need any specific internal eth1 rules such as samba or vnc since I already have this rule:

$IPT -A INPUT -i eth1 -j ACCEPT

Wouldn't that cover everything?
 
Post #17, 08-25-2010, 10:01 PM, by TheMadIndian
Quote, originally posted by dschuett:
Wait... would I even need any specific internal eth1 rules such as samba or vnc since I already have this rule:

$IPT -A INPUT -i eth1 -j ACCEPT

Wouldn't that cover everything?
Depends on how secure you want things.
 
Post #18, 08-25-2010, 10:16 PM, by dschuett (Original Poster)
Quote, originally posted by TheMadIndian:
There it is, 1067 105K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0

It says: on eth1, accept input from any source.
So is this a bad thing?? Does it create a security hole of any sort from the outside world? Or is it ok since it is the internal nic?
 
Post #19, 08-25-2010, 10:30 PM, by TheMadIndian
Quote, originally posted by dschuett:
So is this a bad thing?? Does it create a security hole of any sort from the outside world? Or is it ok since it is the internal nic?
The more open things are, if a system became compromised it's that much easier to get to other systems on the network if there are no rules on the local VLAN.
 
Post #20, 08-25-2010, 10:40 PM, by dschuett (Original Poster)
Quote, originally posted by TheMadIndian:
The more open things are, if a system became compromised it's that much easier to get to other systems on the network if there are no rules on the local VLAN.
So if I took the -A INPUT -i eth1 ACCEPT out, would I have to add a port for every service... as such:

#internet
$IPT -A INPUT -i eth1 -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT

#ssh
$IPT -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT

#samba
#$IPT -A INPUT -i eth1 -p udp -m udp --dport 137 -s 192.168.0.0/24 -j ACCEPT
#$IPT -A INPUT -i eth1 -p udp -m udp --dport 138 -s 192.168.0.0/24 -j ACCEPT


???
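As an added example (not from any poster in this thread), here is a small Python audit helper that parses the `iptables -vnL` INPUT listing posted above and reports ACCEPT rules that match every source without a conntrack state or a port qualifier, which is exactly the `-i eth1 -j ACCEPT` rule being discussed. It assumes, as the thread does, that eth1 is the LAN-side interface; the listing is copied from post #16 with the FORWARD and OUTPUT chains left out.

```python
# INPUT chain as posted in the thread (FORWARD/OUTPUT omitted for brevity).
LISTING = """\
Chain INPUT (policy DROP 2645 packets, 179K bytes)
pkts bytes target prot opt in out source destination
1570 209K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:3306
1067 105K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900
12 588 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
"""

ANY = "0.0.0.0/0"   # iptables prints this for an unrestricted source/destination

def parse_listing(text):
    """Return one dict per rule: chain, target, prot, in, out, src, dst, extra."""
    rules, chain = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "pkts":
            continue                      # blank line or column header
        if fields[0] == "Chain":
            chain = fields[1]             # e.g. "Chain INPUT (policy DROP ...)"
            continue
        _pkts, _bytes, target, prot, _opt, iface_in, iface_out, src, dst = fields[:9]
        rules.append({"chain": chain, "target": target, "prot": prot,
                      "in": iface_in, "out": iface_out, "src": src, "dst": dst,
                      "extra": " ".join(fields[9:])})   # match text, e.g. "tcp dpt:5900"
    return rules

def audit_input(rules):
    """Flag INPUT ACCEPT rules that match any source without a state or port qualifier."""
    findings = []
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT" or r["src"] != ANY:
            continue
        if r["in"] == "lo" or "state" in r["extra"]:
            continue                      # loopback and conntrack rules are expected
        if r["prot"] == "all":
            findings.append(f"{r['in']}: accepts every protocol from any source")
        elif r["in"] == "*":
            findings.append(f"*: {r['extra']} accepted on every interface, not just the LAN side")
    return findings

if __name__ == "__main__":
    for finding in audit_input(parse_listing(LISTING)):
        print("broad INPUT rule:", finding)
```

Rules restricted by interface and port (the eth1 dpt:5900 rule) or by source (the 127.0.0.1 dpt:3306 rule) are not reported, which mirrors the per-service rules proposed in post #20.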