how to block port 139 using iptables
Hi, I am using a Samba server on IP 192.168.0.88. Now I want to block all IPs other than 192.168.0.7 and 192.168.0.10. I tried these ways:
Code:
$ sudo /sbin/iptables -A INPUT -p tcp -s ! 192.168.0.7 --dport 139 -j DROP
When I used this rule
Code:
$ sudo /sbin/iptables -A INPUT -p tcp -s 0/0 --dport 139 -j DROP
Most likely you have a rule above those which is sending the packets to ACCEPT.
Change the append (-A) to an insert (-I) and try again. If it works, then it confirms the above.
Rather than doing it that way, accept traffic from that IP to 139 and drop everything else. Assuming you have a default policy of DROP, or some other catch-all at the end of the chain, you shouldn't need to specifically drop anything, so
Code:
$ sudo /sbin/iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
Code:
1 144 13779 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
The same rules are on another system, where I used them for port 22, and they work fine.
The way you were trying to do it couldn't work anyway: you've already dropped 192.168.0.10.
Code:
iptables -nvL INPUT
Code:
$ sudo /sbin/iptables -L -v -n --line-numbers
Hmmm, okay. Well, considering that there are no non-loopback terminating rules, then I would say that your problem is caused by what billymayday pointed out. This would mean that with the rules in your original post, you WOULD be able to connect from 192.168.0.7, but NOT from 192.168.0.10. My suggestion would be to follow billymayday's advice and change your policy to DROP, making ACCEPT rules only for packets you want to allow. I do, however, understand that this can take some time to properly implement when you aren't familiar with iptables (depending on how much stuff you actually need to allow), so a temporary fix for you could be to do this (instead of what you were doing in the OP):
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
Code:
$ sudo /sbin/iptables -L -v -n --line-numbers
I don't see why it wouldn't work - it's the same approach you have on the box which you report works fine.
Code:
$ sudo /sbin/iptables -nvL --line-numbers
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 139 -j ACCEPT
Hi there,
Try and block both UDP and TCP packets on the Samba port 139: iptables -A INPUT -i eth0 -p udp etc etc.
Yeah, that would explain why other IPs were still getting to the daemon. I went to the Samba page and found this. So in order to do this properly (or at least the way the Samba people recommend on that link) you'd wanna use something like this:
Code:
iptables -A INPUT -p tcp -s 192.168.0.7 --dport 135 -j ACCEPT
Code:
iptables -N SAMBA_CLIENTS
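An added example, not code from the thread or from the Samba project: the complete rule set that the dedicated-chain approach above amounts to, covering both hosts the OP wants to allow and both TCP and UDP. The two hosts and ports 135/139 come from the thread; 137/138 udp and 445 tcp are assumed as the remaining standard Samba ports. Unless APPLY=1 is set it only prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a SAMBA_CLIENTS chain that
# ACCEPTs the two allowed hosts and DROPs every other source, and sends
# Samba traffic from INPUT into it for both TCP and UDP ports.
# Assumptions: hosts and 135/139 come from the thread; 137/138/udp and
# 445/tcp are the other standard Samba ports. APPLY=1 applies the rules.

ALLOWED="192.168.0.7 192.168.0.10"   # Samba clients that may connect
TCP_PORTS="135 139 445"              # DCE/RPC, NetBIOS session, SMB over TCP
UDP_PORTS="137 138"                  # NetBIOS name and datagram services

# Run iptables for real only when APPLY=1; otherwise print the command so
# the whole rule set can be checked before touching the live firewall.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

samba_rules() {
    ipt -N SAMBA_CLIENTS
    # Insert (-I) rather than append (-A) so the jump lands above any
    # earlier catch-all ACCEPT, the problem billymayday pointed out.
    for port in $TCP_PORTS; do
        ipt -I INPUT -p tcp --dport "$port" -j SAMBA_CLIENTS
    done
    for port in $UDP_PORTS; do
        ipt -I INPUT -p udp --dport "$port" -j SAMBA_CLIENTS
    done
    # Allowed hosts first, then a terminating DROP for everyone else, so
    # the chain does not depend on the INPUT policy being DROP.
    for ip in $ALLOWED; do
        ipt -A SAMBA_CLIENTS -s "$ip" -j ACCEPT
    done
    ipt -A SAMBA_CLIENTS -j DROP
}

samba_rules
```

Run it once without APPLY to read the nine rules it would add, then with APPLY=1 as root; `iptables -nvL SAMBA_CLIENTS` afterwards shows per-rule packet counters for each client.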
Hi win32sux,
Wow this worked pretty well. Thank youuuuu........