Linux, Unix, and *nix like Operating Systems Forum

iptables Samba
Lan access troubles
David, msg:912106, 3:14 am on Mar 26, 2002 (gmt 0)

This one has got me pulling my hair out. I haven't been able to find any info for my setup; most docs I have found have the Linux box doing the NAT with two interfaces (eth0, eth1).

The setup is a hardware router that handles the NAT, so all internal IPs are Class C. I can open the web and ssh for the LAN, but I can't get this right.

I could sure use some direction, I have had this so many ways that I am starting to try the same things again (confused).

INTERNET="eth0"
UNPRIVPORTS="1024:65535"
IPADDR="192.168.1.2"      # closing quote was missing in the original post
# CONNECTION_TRACKING is set elsewhere in the full script; default it so this fragment runs
CONNECTION_TRACKING="${CONNECTION_TRACKING:-1}"

################# UDP SMB (NetBIOS datagram service, port 138)
# Note: OUTPUT rules only see packets generated by this host ($IPADDR), so a
# source address of 192.168.1.3 cannot match here; the rules are kept as posted.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o $INTERNET -p udp \
        -s 192.168.1.3 --sport 138 \
        -d 192.168.1.2 --dport $UNPRIVPORTS -j ACCEPT
fi
# identical to the rule above, added again unconditionally
iptables -A OUTPUT -o $INTERNET -p udp \
    -s 192.168.1.3 --sport 138 \
    -d 192.168.1.2 --dport $UNPRIVPORTS -j ACCEPT
# INPUT rules only see packets arriving on $INTERNET; -s 192.168.1.2 is this host's own address
iptables -A INPUT -i $INTERNET -p udp \
    -s 192.168.1.2 --sport $UNPRIVPORTS \
    -d 192.168.1.3 --dport 138 -j ACCEPT

########### SMB TCP (NetBIOS session service, port 139)
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o $INTERNET -p tcp \
        -s 192.168.1.3 --sport 139 \
        -d 192.168.1.2 --dport $UNPRIVPORTS -j ACCEPT
fi
# incoming session requests to this host's port 139 (same -s remark as above)
iptables -A INPUT -i $INTERNET -p tcp \
    -s 192.168.1.2 --sport $UNPRIVPORTS \
    -d $IPADDR --dport 139 -j ACCEPT
# non-SYN packets leaving port 139, i.e. the server side of an already open session
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
    -s $IPADDR --sport 139 \
    --dport $UNPRIVPORTS -j ACCEPT

 

David, msg:912107, 1:10 am on Mar 27, 2002 (gmt 0)

Well, I figured out how to get a Samba connection, but it's not ideal. The firewall script is deny-all by default and then drops all spoofed IPs (LAN and WAN). So the only way it works is to drop the firewall, make the connection and restart the firewall. Since it's established and related, it is allowed to continue. This actually works fine for my virtual machine but is going to be a hassle when my kids need to print from their stations.

What kind of firewall systems are some of you using, and how are you developing them?

If one of our resident nix experts knows how I should build this connection into the firewall please jump in.

Thanks
David
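The following is an added example, not code from the thread: a deny-by-default, stateful iptables rule set that lets LAN hosts reach Samba on the firewall host without the "drop firewall, connect, restart firewall" workaround. It assumes a layout the thread does not spell out (LAN interface eth0, LAN 192.168.1.0/24, this host 192.168.1.2) and includes 445/tcp alongside 139/tcp because SMB clients use both. By default it prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): stateful, deny-by-default iptables rules
# that let LAN hosts reach Samba on this box. Assumed layout, not stated in the
# thread: LAN interface eth0, LAN 192.168.1.0/24, this host 192.168.1.2.
# 445/tcp is included because SMB clients also use it directly, besides 139/tcp.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them (running needs root)

# ipt: print or execute one iptables command
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# smb_rules IFACE LAN_NET HOST_IP: emit the rule set for an SMB server on HOST_IP
smb_rules() {
    iface="$1"; lan="$2"; host="$3"

    # Start from a clean, deny-by-default table; loopback stays open.
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: LAN addresses may only arrive on the LAN interface, and our
    # own address must never show up as the source of an incoming packet.
    ipt -A INPUT ! -i "$iface" -s "$lan" -j DROP
    ipt -A INPUT -i "$iface" -s "$host" -j DROP

    # Stateful core: tracked traffic passes in both directions, so only the first
    # packet of each SMB session needs an explicit rule below. This is the same
    # mechanism that kept the workaround's sessions alive after the restart.
    ipt -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NetBIOS name and datagram services (137/udp, 138/udp). No -d restriction,
    # because browsing announcements go to the LAN broadcast address.
    for port in 137 138; do
        ipt -A INPUT -i "$iface" -p udp -s "$lan" --dport "$port" -j ACCEPT
    done
    # NetBIOS session (139/tcp) and direct SMB (445/tcp): new sessions from the LAN only.
    for port in 139 445; do
        ipt -A INPUT -i "$iface" -p tcp -s "$lan" -d "$host" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Anything not matched above falls through to the DROP policies.
}

# count_accept_rules IFACE LAN_NET HOST_IP: number of ACCEPT rules emitted (sanity check)
count_accept_rules() {
    smb_rules "$@" | grep -c -- '-j ACCEPT'
}

# Print the rule set for the constructed example network.
smb_rules eth0 192.168.1.0/24 192.168.1.2
```

Run it as is to review the generated commands; run it with DRY_RUN=0 as root to apply them. Because OUTPUT is also DROP by default, any other service this host needs (DNS, the web and ssh rules already mentioned) must get its own NEW-state rule in the same style, placed after the ESTABLISHED,RELATED rules.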

David, msg:912108, 7:22 pm on Mar 28, 2002 (gmt 0)


Is this one of those topics that real Geeks don't talk about?

littleman, msg:912109, 11:01 pm on Mar 28, 2002 (gmt 0)

David, I'm sorry, it is a bit beyond my scope. I was hoping one of our resident ultrageeks would jump in.

Do you have KDE 2.x+? If so, there is a very easy to use iptables GUI, Guarddog [simonzone.com]. It may simplify the setup for you.

David, msg:912110, 12:29 am on Mar 29, 2002 (gmt 0)

Thanks Littleman,
I just took a quick look at Guarddog and it looks the best of the GUIs I have seen. After being hacked by an "ultrageek" and reading as much security stuff as I have time for, I am trying to be overly cautious.

The Linux system can be very secure. What I have learned is that if a true hacker finds your box, it's like discovering gold or diamonds. The stuff that can be done undetected because of our true multitasking OS will make him probe harder and longer to find the door to take control.

So the firewall needs to limit access, but almost as important, if he gets user access it should help keep him jailed.

I am just trying to understand the iptables rules to the point that I can limit access to certain ports on remote machines to certain users and IPs and drop everyone else.

I am even wondering if it's possible to ssh a box using a spoofed IP and have the firewall rules only accept that spoofed IP and drop everyone else. Be able to open ports and be in a stealth mode to the most stringent port scans.

Maybe I am dreaming, don't know yet, I haven't learned enough.

Still would like to hear some thoughts from the "ultrageeks".
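An added example, not from the thread, for the two goals stated above: limiting which local users may open connections to a given port on remote machines, and limiting which addresses may reach sshd, with everyone else dropped. The per-user part uses the iptables owner match, which exists only in the OUTPUT chain because it works on packets this host generates. The UID, ports and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): two rule generators. allow_user_to_port
# uses the iptables owner match (OUTPUT chain only) so that a single local UID
# may open TCP connections to a port on a remote host or network; allow_ssh_from
# accepts new SSH sessions only from listed addresses. All UIDs, ports and
# addresses below are constructed placeholders.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# ipt: print or execute one iptables command
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# allow_user_to_port IFACE UID DEST PORT: only processes running as UID may start
# TCP connections to PORT on DEST (host or network); other users' attempts are
# logged and dropped. The ESTABLISHED,RELATED rule lets the rest of an accepted
# session through, so the owner check is only applied to the first packet.
allow_user_to_port() {
    iface="$1"; uid="$2"; dest="$3"; port="$4"
    ipt -A OUTPUT -o "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$iface" -p tcp -d "$dest" --dport "$port" -m state --state NEW \
        -m owner --uid-owner "$uid" -j ACCEPT
    ipt -A OUTPUT -o "$iface" -p tcp -d "$dest" --dport "$port" -m state --state NEW \
        -j LOG --log-prefix "port-${port}-denied: "
    ipt -A OUTPUT -o "$iface" -p tcp -d "$dest" --dport "$port" -m state --state NEW -j DROP
}

# allow_ssh_from IFACE ADDR...: accept new SSH sessions only from ADDR...;
# everyone else hitting port 22 is dropped silently (no reset, no banner).
allow_ssh_from() {
    iface="$1"; shift
    # packets of sessions that were already accepted must pass before the port-22 DROP
    ipt -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for src in "$@"; do
        ipt -A INPUT -i "$iface" -p tcp -s "$src" --dport 22 -m state --state NEW -j ACCEPT
    done
    ipt -A INPUT -i "$iface" -p tcp --dport 22 -j DROP
}

# Constructed example: UID 1001 may reach 515/tcp (lpd) on LAN hosts, and only
# two admin stations may open SSH to this box.
allow_user_to_port eth0 1001 192.168.1.0/24 515
allow_ssh_from eth0 192.168.1.10 192.168.1.11
```

Two limits worth knowing: the owner match sees only packets generated on this host, so it cannot control which users on other LAN machines reach a port, and a source-address rule is an allowlist, not authentication. Addresses on a LAN can be forged, so the SSH rule belongs alongside key-based authentication and the anti-spoof rules from the deny-all script, not instead of them.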
