newbie question about iptables and samba

DarkSun4241 · 09-06-2004, 10:11 AM

Hello

I seem to be have problem understanding iptables in reguards to samba. I finally create a scripts that works, but I not sure why I needed highport connections rules. Is this not what input ESTABLISHED,RELATED rule is for.

Thanks Brian

Below is my firewall script

IPT=/sbin/iptables
IFC=/sbin/ifconfig
MPB=/sbin/modprobe
LSM=/sbin/lsmod
RMM=/sbin/rmmod

IF=eth0
IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
NET=$IP/$MASK

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -F
$IPT -X

for table in filter nat mangle
do
$IPT -t $table -F
$IPT -t $table -X
$IPT -t $table -Z
done

$IPT -N LD 2> /dev/null
$IPT -F LD
$IPT -A LD -j LOG --log-level=info
$IPT -A LD -j DROP

STOP=LD

$IPT -N STATE 2> /dev/null
$IPT -F STATE
$IPT -I STATE -m state --state NEW -i ! lo -j $STOP
$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATE -j $STOP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#SAMBA
$IPT -t filter -A INPUT -p tcp -m state --state NEW -s 0/0 -d 0/0 --dport 137:139 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p udp -m state --state NEW -s 0/0 -d 0/0 --dport 137:139 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p tcp -m state --state NEW -s 0/0 -d 0/0 --dport 445 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p udp -m state --state NEW -s 0/0 -d 0/0 --dport 445 -i $IF -j ACCEPT

# --------( Rules Configuration - Inbound Traffic - Highport Connections )--------

$IPT -A INPUT -p tcp -s 0/0 -d $NET --dport 1024:65535 -j STATE
$IPT -A INPUT -p udp -s 0/0 -d $NET --dport 1023:65535 -j ACCEPT

win32sux · 09-10-2004, 09:44 PM

Code:

#!/bin/sh

IPT="/sbin/iptables"
IF="eth0"
LO="lo"
LO_IP="127.0.0.1"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack

echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -i $LO -s $LO_IP -j ACCEPT
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -p TCP -i $IF --dport 137:139 -j ACCEPT
$IPT -A INPUT -p UDP -i $IF --dport 137:139 -j ACCEPT
$IPT -A INPUT -p TCP -i $IF --dport 445 -j ACCEPT
$IPT -A INPUT -p UDP -i $IF --dport 445 -j ACCEPT
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT DROP: "

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL --log-prefix "OUTPUT DROP: "

echo "So let it be written, so let it be done..."

no more high port BS... just my two cents...

=)