Re: SMB in iptables



I'm curious re SMB myself.  The one point I can
add is that SMB uses a block of ports, possibly over
more than one protocol.  I'll be interested
to see what the actual set is.


On Wed, 2002-01-02 at 10:31, Kai Klopper wrote:
> 
> 
> > ----------
> > From: 	Kai Klopper[SMTP:KAIKLOPPER@HOTMAIL.COM]
> > Sent: 	Wednesday, January 02, 2002 10:31:49 AM
> > To: 	debian-firewall@lists.debian.org
> > Subject: 	SMB in iptables
> > Auto forwarded by a Rule
> > 
> I have created a firewall setup for a pc that serves as web and database
> server
> on our university network
> 
> It is basically a setup with an input deny and output allow policy. No NAT
> or masquerading is used whatsoever.
> Kernel is a self-compiled 2.4.16
> The firewall functions good for most things:
> All ports are blocked except ssh, http,ftp and mysql.
> However, I have some questions:
> 1. How do I get SMB to work? it does not function with the rules below. I
> have experimented with the following lines:
> #
> iptables -A INPUT -i eth0 -p 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p 138 -j ACCEPT
> iptables -A INPUT -i eth0 -p 139 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
> #
> However, they all make no difference whatsoever.
> 
> 2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.
> 
> 3. Should I deny UDP packets on interfaces that basically use TCP?
> 
> 4. Is it wise to check for malformed packets, such as christmas packets and
> the like??
> 
> Thanks for helping me,
> 
> Kai Klopper
> 
> #!/bin/sh
> ##Create chain which blocks new connections, except if coming from inside.
> #iptables -P FORWARD DROP
> iptables -F
> iptables -X block
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> 
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
> 
> ## Jump to that chain from INPUT and FORWARD chains.
> #iptables -A FORWARD -j block
> 
> iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> # only allow mysql from university ip-addresses
> iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> iptables -A INPUT -j block
> 
> 