Thanks all for the reply.
Quote:
are you trying to block the NetBIOS traffic from reaching the Linux box itself, or is the Linux box acting as
a gateway/router and you want to filter it from passing in and out of the LAN? Also, where is the NetBIOS traffic
originating, on the LAN or remotely?
|
Actually I am trying to block them both ways. If it is possible to block them before they reach my server switch,
that would be better. But for more assurance, I want to filter and reject the NetBIOS and broadcast data at my
gateway.
Actually my office is an ISP. I have an internal LAN, and it originates a huge amount of broadcast traffic. This LAN switch
is connected to my ISP's main radio switch, so when a lot of network broadcast traffic comes from my LAN, it simply
jams my ISP network.
And the sensitive fact is that most of my clients are banks. They are too sensitive to be disconnected even for a moment. They
use a software named REUTER. When my LAN becomes jammed, they usually get disconnected from that
software.
Here is my script:
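#!/bin/sh
#
# rc.firewall-2.4
#
# Simple NAT gateway firewall for a 2.4-series kernel. In order it:
#   1. loads the netfilter/conntrack/NAT kernel modules,
#   2. enables IPv4 forwarding,
#   3. flushes the filter and nat tables and sets default policies,
#   4. allows LAN -> EXTIF forwarding and only ESTABLISHED,RELATED back in,
#   5. drops Microsoft DS / NetBIOS ports (135-139, 445) on INPUT and FORWARD
#      for every interface, plus port 1025 on INPUT,
#   6. accepts a list of TCP service ports on INPUT,
#   7. source-NATs everything leaving EXTIF to SNAT_IP.
#
# Must run as root. Written for /bin/sh, so printf is used instead of the
# non-portable "echo -e" / "echo -en" (under dash those print the "-e" itself).
# Globals to edit before use: EXTIF, INTIF1, INTIF2, SNAT_IP.
#
# NOTE(review): rules on the FORWARD chain only see packets that are *routed*
# through this box. Subnet/limited broadcasts (including NetBIOS name-service
# and datagram broadcasts on UDP 137/138) are not forwarded by a router and
# never reach FORWARD, so a broadcast storm inside the LAN cannot be stopped
# here; it has to be contained on the switch (VLAN segmentation, storm
# control). The rules below still stop unicast NetBIOS/SMB from crossing the
# gateway or reaching the gateway itself.
FWVER=0.73
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
EXTIF="eth0"
INTIF1="eth1"
INTIF2="eth2"
# Address written into the source of packets leaving EXTIF. The value below
# is a placeholder and must be replaced with the real public address of EXTIF.
SNAT_IP="xx.xx.xx.xx"

# Print one status line to stdout (portable replacement for the echo calls).
msg() {
  printf '%s\n' "$*"
}

# Refresh the module dependency list and insert the netfilter modules.
# insmod returns non-zero for a module that is already loaded; those
# failures are deliberately not treated as fatal here.
load_modules() {
  printf ' loading modules: '
  "$DEPMOD" -a
  msg "----------------------------------------------------------------------"
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             iptable_nat ip_nat_ftp ip_nat_irc; do
    printf '%s ' "$mod"
    "$INSMOD" "$mod"
  done
  printf '\n'
  msg "----------------------------------------------------------------------"
  printf ' Done loading modules.\n\n'
}

# Turn on IPv4 routing between the interfaces.
enable_forwarding() {
  msg " Enabling forwarding.."
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}

# Flush every chain we manage and set the default policies.
#
# NOTE(review): with the INPUT policy left at ACCEPT, the per-port ACCEPT
# rules in allow_services do not restrict anything -- every port that is not
# explicitly dropped in block_ms_ds is already reachable on the gateway.
# Changing this to "-P INPUT DROP" (after adding ACCEPT rules for the lo
# interface and for ESTABLISHED,RELATED traffic) would make that allow-list
# effective. It is left unchanged here because applying it remotely without
# those two rules in place locks the administrator out.
reset_chains() {
  msg " Clearing any existing rules and setting default policy.."
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -F INPUT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -F OUTPUT
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -F FORWARD
  "$IPTABLES" -t nat -F
}

# Forwarding policy: anything from a LAN interface may go out EXTIF; only
# replies to existing connections may come back in. There is intentionally
# no rule between INTIF1 and INTIF2, so traffic between the two internal
# networks falls through to the FORWARD DROP policy.
setup_forwarding() {
  msg " FWD: Allow all connections OUT and only existing and related ones IN"
  for lan in "$INTIF1" "$INTIF2"; do
    "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$lan" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  for lan in "$INTIF1" "$INTIF2"; do
    "$IPTABLES" -A FORWARD -i "$lan" -o "$EXTIF" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  for lan in "$INTIF1" "$INTIF2"; do
    "$IPTABLES" -A FORWARD -i "$lan" -o "$EXTIF" -j ACCEPT
  done
}

# Drop Microsoft DS / NetBIOS traffic (TCP and UDP 135-139 and 445) arriving
# on every interface, both for packets addressed to this host (INPUT) and for
# packets routed through it (FORWARD). Port 1025 is dropped on INPUT only.
# The rules are inserted with -I so they sit in front of the ACCEPT rules
# added by setup_forwarding and allow_services regardless of call order.
#
# Outbound (OUTPUT chain) variants of these rules used to be kept commented
# out. If they are ever re-enabled, note that iptables rejects "-i" on the
# OUTPUT chain; the matching option there is "-o".
block_ms_ds() {
  msg " blocking MICROSOFT DS ..... "
  for iface in "$EXTIF" "$INTIF1" "$INTIF2"; do
    for proto in tcp udp; do
      for ports in 135:139 445; do
        "$IPTABLES" -I FORWARD -i "$iface" -p "$proto" -m "$proto" \
          --dport "$ports" -j DROP
        "$IPTABLES" -I INPUT -i "$iface" -p "$proto" -m "$proto" \
          --dport "$ports" -j DROP
      done
      "$IPTABLES" -I INPUT -i "$iface" -p "$proto" -m "$proto" \
        --dport 1025 -j DROP
    done
  done
  msg " Done blocking MICROSOFT DS ..... "
}

# Accept the listed TCP service ports on INPUT (see the note on reset_chains:
# these only become a real allow-list once the INPUT policy is DROP).
allow_services() {
  msg " .............loading dataedge modules"
  for port in 10000 19638 80 443 110 25 8080 113 1080 21 6667; do
    "$IPTABLES" -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
}

# Source-NAT everything leaving EXTIF. The message says MASQUERADE, but the
# rule is a static SNAT to SNAT_IP, which is the right choice for a fixed
# public address. The output interface is taken from EXTIF rather than a
# hard-coded "eth0" so the two cannot drift apart.
setup_nat() {
  msg " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
  "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -j ACCEPT
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to "$SNAT_IP"
}

main() {
  printf '\n\nLoading simple rc.firewall version %s..\n' "$FWVER"
  msg " External Interface: $EXTIF"
  msg " Internal Interface: $INTIF1"
  msg " Second Internal Interface: $INTIF2"
  load_modules
  enable_forwarding
  reset_chains
  setup_forwarding
  block_ms_ds
  allow_services
  setup_nat
  printf '\nrc.firewall-2.4 v%s done.\n' "$FWVER"
}

main "$@"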
Thanks again for the reply.