LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-13-2007, 01:39 AM   #1
shio
Exclamation iptables help


Hi All,

I'm new to Linux firewalls. I hope someone can help me out with my firewall script, because I can't access my samba share folder. Below is my script.

Code:
#!/bin/sh

IPT=/sbin/iptables
MOD=/sbin/modprobe

$MOD ip_tables
$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD ip_nat_ftp
$MOD ip_conntrack_irc

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -t mangle -F

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 23 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 110 -j ACCEPT
$IPT -A INPUT -p udp -s 192.168.2.0 -d 192.168.2.9 -m multiport --dport 137,138 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.2.0 -d 192.168.2.9 -m multiport --dport 135,139,445 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 10000 -j ACCEPT
$IPT -A INPUT -p udp -d 192.168.2.9 -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d 192.168.2.9 -m multiport --dports 135,139,445 -j DROP
$IPT -A INPUT -p tcp -i lo -j ACCEPT

$IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPT -A OUTPUT -p ALL -o lo -j ACCEPT
$IPT -A OUTPUT -p ALL -o eth0 -j ACCEPT
$IPT -A OUTPUT -s 192.168.2.9 -d 192.168.2.0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 07-13-2007, 02:26 AM   #2
Simon Bridge
Where is your samba share folder, and how are you trying to access it?
What makes you think the firewall is to blame?
 
Old 07-13-2007, 02:39 AM   #3
shio
Quote:
Originally Posted by Simon Bridge
Where is your samba share folder, and how are you trying to access it?
What makes you think the firewall is to blame?
Hi Simon,

My samba folder dir = /usr/src with permission 777.
I'm trying to access it from my laptop (WinXP) and it prompts a password dialog, but I can't access it even with the correct password.

When I set the default policy to ACCEPT and delete the DROP rules, I can access my samba share folder without any problem.

By the way, do you think my firewall script is error-free?

Thanks.

Last edited by shio; 07-13-2007 at 02:57 AM.
 
Old 07-13-2007, 02:59 AM   #4
b0uncer
Quote:
btw, do u think my firewall script is error free?
It depends. To me it looks curious that you first set policies (-P) of INPUT, OUTPUT and FORWARD to ACCEPT and a little later you do the same to set them DROP. What's the point in configuring that twice? Rather use the
Code:
$IPT -F
$IPT -X
which first flushes all rules from any chains (-F), and then removes all non-builtin empty chains (-X). Shortly said, it clears out your current configuration so you can create a new one. Then set policies to DROP or whatever you want and continue on.

When I create iptables scripts, I start them off by flushing chains and removing all non-builtin chains to have a clean start, then set all policies to DROP (because I think it's easier to drop everything and allow the stuff I know I need, than allow everything and try to drop everything I don't need) and after that explicitly tell iptables, with appropriate rules, what I want to go through.
 
Old 07-13-2007, 03:17 AM   #5
shio
Quote:
Originally Posted by b0uncer
It depends. To me it looks curious that you first set policies (-P) of INPUT, OUTPUT and FORWARD to ACCEPT and a little later you do the same to set them DROP. What's the point in configuring that twice? Rather use the
Code:
$IPT -F
$IPT -X
which first flushes all rules from any chains (-F), and then removes all non-builtin empty chains (-X). Shortly said, it clears out your current configuration so you can create a new one. Then set policies to DROP or whatever you want and continue on.

When I create iptables scripts, I start them off by flushing chains and removing all non-builtin chains to have a clean start, then set all policies to DROP (because I think it's easier to drop everything and allow the stuff I know I need, than allow everything and try to drop everything I don't need) and after that explicitly tell iptables, with appropriate rules, what I want to go through.
Thanks for your quick reply. Haha! I just noticed that I wrote it twice. So how about the samba server setting? Is it OK? If not, I need you guys' help. Thanks.
 
Old 07-13-2007, 04:22 AM   #6
Simon Bridge
OK... you have set up a computer to be a samba server, sharing the directory /usr/src (i.e. the kernel source directory!)

You attempt to access by a laptop running windows... and the access is denied on correct password if the firewall is up but accepted on password if the firewall is down. Is this correct?

Would the laptop be on IP 192.168.2.0 and the server on 192.168.2.9 ?

Since eth0 is LAN as well as internet, I guess you are using a wired switch/router/modem combo. Is this correct? (A 10-port switch?)


Examining your firewall I see...

You have default drop policies - good - but why accept at the start?
You opened a "mangle" chain... only to close and flush it. Why?

I suspect you are trying to get the firewall to do too many things at once. (If you put a "stop" before line 18, you would get completely open chains. This is a cludgy way of switching the firewall on and off.)

INPUT Rules:
... you accept any incoming packet from established connections, and anything you requested. Rules are evaluated in order (someone correct me) so any INPUT rules after this one will only affect NEW connections.

You are accepting new tcp connections from ports 21, 22, 23, 25, 80 and 110

You are accepting new tcp and udp connections (on designated ports) from host 0
provided the packet is for host 9 (I have left out the 192.168.2. part.)

As an afterthought, you accept new tcp connections on port 10000(!?)

The following two rules:
$IPT -A INPUT -p udp -d 192.168.2.9 -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d 192.168.2.9 -m multiport --dports 135,139,445 -j DROP
... will never be evaluated, as there is an identical condition set to ACCEPT previous to this one. But, shouldn't "--dports" be "--dport"?

However... you can safely delete these lines without affecting your firewall. If you want to switch these ports off, just comment out the previous rule.

After all these rules have been checked, then, and only then, do you allow all (tcp) traffic through the computer internals (aka. the loopback interface). This rule should be first, not last.

OUTPUT Rules: there are four...

$IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
... if it came in on the loopback, then let it out the same way

$IPT -A OUTPUT -p ALL -o lo -j ACCEPT
... let everything out along the loopback - hey? Didn't we just do that?
Delete the previous rule. Keep this one.

$IPT -A OUTPUT -p ALL -o eth0 -j ACCEPT
... let all outgoing packets out eth0
(If you only have lo and eth0, why not just let everything out?)

$IPT -A OUTPUT -s 192.168.2.9 -d 192.168.2.0 -m state --state ESTABLISHED,RELATED -j ACCEPT
... this line doesn't get evaluated unless these IPs are connected through something other than eth0. It says that anything from host 9 can go to host 0 provided it is part of an existing session.

Probably you can see that you need to re-evaluate your firewall policy. Simplify your firewall. (Write comments in the script!) Then you'll find things working again.

Note... you are using iptables and samba to restrict access to samba.

From your rules, you want to restrict samba to your LAN... that is, any host with IP in range 192.168.2.0 to 192.168.2.256 ... the lines that do this are:
Code:
$IPT -A INPUT -p udp -m udp -s 192.168.2.0/24 --dport 137 -j ACCEPT
$IPT -A INPUT -p udp -m udp -s 192.168.2.0/24 --dport 138 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.2.0/24 --dport 139 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.2.0/24 --dport 445 -j ACCEPT
... to restrict to a single host, change the "/24" to "/32" with the appropriate IP. Set the output rule to let everything out. (So you'll be doing all your filtering on INPUT.)

Delete the lines with multiport in them.

For a friendly lesson:
http://troy.jdmz.net/samba/fw/
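The rule-order point made above, as an added example that is not part of the thread: a small first-match simulator (mine, not any poster's code) walks an excerpt of the INPUT rules from the first post and a reordering along the lines of the advice above, for two constructed packets: the laptop (assumed to be 192.168.2.5) opening an SMB session to 192.168.2.9, and a local connection over lo. It models only the options those rules use (-p, -i, -s, -d, the port lists and --state), and it treats a bare address such as "-s 192.168.2.0" the way iptables does, as a /32, which is why only a client at exactly 192.168.2.0 gets through the posted ACCEPT rule.

```python
import ipaddress
import shlex
# Constructed excerpt of the INPUT rules from the first post, in the order they were posted.
OP_RULES = """
$IPT -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -s 192.168.2.0 -d 192.168.2.9 -m multiport --dport 137,138 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.2.0 -d 192.168.2.9 -m multiport --dport 135,139,445 -j ACCEPT
$IPT -A INPUT -p tcp -d 192.168.2.9 -m multiport --dports 135,139,445 -j DROP
$IPT -A INPUT -p tcp -i lo -j ACCEPT
"""
# Constructed reordering along the lines of the advice above: loopback first, the LAN as a /24.
FIXED_RULES = """
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.2.0/24 --dport 445 -j ACCEPT
"""
FLAGS = {"-p": "proto", "-i": "iface", "-s": "src", "-d": "dst", "-j": "target",
         "--dport": "dports", "--dports": "dports", "--state": "states"}

def parse(script):
    """Reduce each -A line to the options this model understands; anything else is ignored."""
    return [{FLAGS[t]: toks[i + 1] for i, t in enumerate(toks) if t in FLAGS}
            for toks in map(shlex.split, script.strip().splitlines())]

def matches(rule, pkt):
    """An option the rule does not carry matches anything, as in iptables."""
    proto = rule.get("proto", "all").lower()
    if (proto != "all" and proto != pkt["proto"]) or rule.get("iface", pkt["iface"]) != pkt["iface"]:
        return False
    for key in ("src", "dst"):  # a bare address such as 192.168.2.0 is a /32: that one host only
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if "dports" in rule and pkt["dport"] not in {int(p) for p in rule["dports"].split(",")}:
        return False
    return "states" not in rule or pkt["state"] in rule["states"].split(",")

def verdict(rules, pkt, policy="DROP"):
    """First match wins, as when the kernel walks a chain; fall through to the chain policy."""
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            return n, rule["target"]
    return None, policy

# Constructed packets: the laptop (assumed 192.168.2.5) opening SMB to the server, and a local one.
LAPTOP_SMB = dict(proto="tcp", iface="eth0", src="192.168.2.5", dst="192.168.2.9", dport=445, state="NEW")
LOOPBACK = dict(proto="tcp", iface="lo", src="127.0.0.1", dst="127.0.0.1", dport=445, state="NEW")
if __name__ == "__main__":
    print(verdict(parse(OP_RULES), LAPTOP_SMB), verdict(parse(FIXED_RULES), LAPTOP_SMB))
```

With the posted rules the laptop's SMB SYN is caught by the trailing DROP rule (index 4), because the ACCEPT before it only covers the single host 192.168.2.0; with the reordered rules it is accepted by the /24 rule, and the loopback packet is accepted by rule 0 instead of rule 5.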
 
Old 07-13-2007, 04:33 AM   #7
shio
Thanks Simon. I get it.
 
Old 07-13-2007, 04:41 AM   #8
Simon Bridge
Here is an example firewall script configured to allow samba sharing on a LAN...
Code:
#!/bin/sh
# (the interpreter line must be the very first line of the file, so it sits above the comments)
# sdb firewall: Simon Bridge 2005
# Updated 2006, 2007
# based on the mdh firewall: Jon "maddog" Hall & Paul G Seary 2003
# (CC) Creative Commons Attribution Share-alike

# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables --zero

# Definitions
MYNET="192.168.2.0/24"
LANFACE="eth0"
WEBFACE="eth0"
WEBIP="192.168.0.0"
DNS01=""
DNS02=""
BCAST="192.168.255.255"
LOOPB="127.0.0.1/32"

### Kernel Parameters ###

# Uncomment to disable response to icmp ping requests.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance (on every interface the loop finds).
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   /bin/echo "0" > $interface
done

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering (on every interface the loop finds).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > $interface
done

# Make sure that IP forwarding is turned off.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

### Rules ###

# Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow unlimited traffic on the loopback interface.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow network traffic through LAN
iptables -A INPUT -i $LANFACE -s $MYNET -j ACCEPT

# Allow only replies to connections this host initiated
# (the state is called ESTABLISHED; there is no EXISTING state)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -P FORWARD ACCEPT
#iptables -t nat -A POSTROUTING -o $WEBFACE -j SNAT --to $WEBIP

# Allow access to Samba shares
# (-s takes an address or network, not an interface name, so use $MYNET here)
iptables -A INPUT -p udp -m udp -s $MYNET --dport 137 -j ACCEPT
iptables -A INPUT -p udp -m udp -s $MYNET --dport 138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s $MYNET --dport 139 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s $MYNET --dport 445 -j ACCEPT

# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Last edited by Simon Bridge; 07-13-2007 at 05:05 AM.
 
Old 07-13-2007, 09:50 PM   #9
win32sux
Here's a cleaned-up version of the script you posted. It will let you know via the log file about anything it filters. That's probably the main issue I see in your current script (the fact it doesn't do any logging). Plus all the quirks mentioned by Simon Bridge.


Code:
#!/bin/sh

IPT="/sbin/iptables"
MOD="/sbin/modprobe"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$MOD ip_conntrack_ftp
$MOD ip_conntrack_irc
$MOD ip_nat_ftp

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 -m state --state NEW \
-m multiport --dports 21,22,23,25,80,110,10000 -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 -s 192.168.2.0/24 -d 192.168.2.9 \
-m state --state NEW -m multiport --dports 139,445 -j ACCEPT

$IPT -A INPUT -p UDP -i eth0 -s 192.168.2.0/24 -d 192.168.2.9 \
-m state --state NEW -m multiport --dports 137,138 -j ACCEPT

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
This assumes you have only one interface. Also, the "-d 192.168.2.9" is only needed if you have more than one IP assigned to said interface, and I'm not sure what you are using the FTP NAT module for if this isn't a router. Just my

Last edited by win32sux; 07-13-2007 at 10:05 PM.
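The script above ends with a LOG rule, so every packet that falls off the end of INPUT shows up in the kernel log with the prefix "INPUT DROP: ". As an added example that is not part of the thread, here is a small summariser (mine, not win32sux's) for those log lines, which is the quickest way to answer "is the firewall what is blocking samba?"; the log lines are constructed, and the LAN prefix and SMB/NetBIOS port set are assumptions.

```python
import re
from collections import Counter

# Constructed kernel log lines in the layout the LOG target writes, with the
# "INPUT DROP: " prefix from the script above (all addresses and ports are made up).
SAMPLE_LOG = """\
Jul 13 22:01:05 srv kernel: INPUT DROP: IN=eth0 OUT= SRC=192.168.2.5 DST=192.168.2.9 LEN=52 TTL=128 ID=1234 DF PROTO=TCP SPT=1045 DPT=445 SYN URGP=0
Jul 13 22:01:08 srv kernel: INPUT DROP: IN=eth0 OUT= SRC=192.168.2.5 DST=192.168.2.9 LEN=52 TTL=128 ID=1235 DF PROTO=TCP SPT=1046 DPT=445 SYN URGP=0
Jul 13 22:01:09 srv kernel: INPUT DROP: IN=eth0 OUT= SRC=192.168.2.5 DST=192.168.2.255 LEN=78 TTL=128 ID=1236 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 13 22:02:30 srv kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.2.9 LEN=40 TTL=51 ID=777 PROTO=TCP SPT=6000 DPT=23 SYN URGP=0
Jul 13 22:02:31 srv sshd[999]: Accepted password for shio from 192.168.2.5 port 1050 ssh2
"""

# The key=value fields we care about; LOG writes them space-separated.
FIELD = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")
SMB_PORTS = {"137", "138", "139", "445"}  # NetBIOS name/datagram/session and SMB over TCP

def parse_drops(log, prefix="INPUT DROP: "):
    """One dict of fields per line carrying the prefix; every other log line is ignored."""
    return [dict(FIELD.findall(line)) for line in log.splitlines() if prefix in line]

def summarize(drops):
    """Count (source, protocol, destination port) so repeated blocked attempts stand out."""
    return Counter((d["SRC"], d["PROTO"], d.get("DPT", "-")) for d in drops)

def blocked_smb_clients(drops, lan="192.168.2."):
    """LAN hosts whose SMB/NetBIOS packets were dropped: the firewall is in the way for these."""
    return sorted({d["SRC"] for d in drops
                   if d["SRC"].startswith(lan) and d.get("DPT") in SMB_PORTS})

if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for (src, proto, dport), n in summarize(drops).most_common():
        print(f"{n:3d} x {src} {proto} dport {dport}")
    print("LAN hosts blocked on SMB/NetBIOS ports:", blocked_smb_clients(drops))
```

Note the third line: the NetBIOS name query goes to the broadcast address 192.168.2.255, so a rule that matches only "-d 192.168.2.9" never accepts it.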