iptables Samba - Linux, Unix, and *nix like Operating Systems forum at WebmasterWorld - WebmasterWorld

Forum Moderators: bakedjake

Message Too Old, No Replies

iptables Samba

Lan access troubles

David

3:14 am on Mar 26, 2002 (gmt 0)

10+ Year Member

This one has got me pulling my hair out. I haven't been able to find any info for my setup, most docs I have found have the linux box doing the nat with two interfaces (eth0,eth1).

The set up is a hardware router that handles the nat so all internal IP's are Class C. I can open the web and ssh for the lan but I can't get this right.

I could sure use some direction, I have had this so many ways that I am starting to try the same things again (confused).


INTERNET="eth0" 
UNPRIVPORTS="1024:65535" 
IPADDR="192.168.1.2 
################# udb SMB 
if [ "$CONNECTION_TRACKING" = "1" ]; then 
iptables -A OUTPUT -o $INTERNET -p udp \ 
-s 192.168.1.3 --sport 138 \ 
-d 192.168.1.2 --dport $UNPRIVPORTS -j ACCEPT 
fi 
iptables -A OUTPUT -o $INTERNET -p udp \ 
-s 192.168.1.3 --sport 138 \ 
-d 192.168.1.2 --dport $UNPRIVPORTS -j ACCEPT 
iptables -A INPUT -i $INTERNET -p udp \ 
-s 192.168.1.2 --sport $UNPRIVPORTS \ 
-d 192.168.1.3 --dport 138 -j ACCEPT 
########### SMB tcp 
if [ "$CONNECTION_TRACKING" = "1" ];then 
iptables -A OUTPUT -o $INTERNET -p tcp \ 
-s 192.168.1.3 --sport 139 \ 
-d 192.168.1.2 --dport $UNPRIVPORTS -j ACCEPT 
fi 
iptables -A INPUT -i $INTERNET -p tcp \ 
-s 192.168.1.2 --sport $UNPRIVPORTS \ 
-d $IPADDR --dport 139 -j ACCEPT 
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \ 
-s $IPADDR --sport 139 \ 
--dport $UNPRIVPORTS -j ACCEPT

David

1:10 am on Mar 27, 2002 (gmt 0)

10+ Year Member

Well I figured out how to get a Samba connection but its not Ideal. The Firewall script is a deny all by default and then drops all spoofed IP's (lan and wan). So the only way it works is to drop the firewall make the connection and restart the firewall. Since it's established and related it is allowed to continue. This actually works fine for my virtual machine but is going to be a hassel when my kids need to print from their stations.

What kind of firewall systems are some of you using and how are you developing them ?

If one of our resident nix experts knows how I should build this connection into the firewall please jump in.

Thanks
David

David

7:22 pm on Mar 28, 2002 (gmt 0)

10+ Year Member

Is this one of those topics that real Geeks don't talk about ?

littleman

11:01 pm on Mar 28, 2002 (gmt 0)

David, I'm sorry, it is a bit beyond my scope. I was hoping one of our resident ultageeks would jump in.

Do you have KDE2.x+, if so there is a very easy to use iptable GUI, Guarddog [simonzone.com]. It may simplify the setup for you.

David

12:29 am on Mar 29, 2002 (gmt 0)

10+ Year Member

Thanks Littleman,
I just took a quick look at gaurddog and it looks the best of GUI's I have seen. After being hacked by a "ultageek" and reading as much security stuff as I have time for.I am trying to be overly cautious.

The linux system can be very secure. What I have learned is that if a true hacker finds your box, its like discovering gold or diamonds. The stuff that can be done undetected because of our true multi tasking OS will make him probe harder and longer to find the door to take control.

So the firewall needs to limit access but almost as important if he gets user access it should help keep him jailed.

I am just tring to understand the iptables rules to the point that I can limit access to certain ports on remote machines to certain users and IP's and drop everyone else.

I am even wondering if it's possible to ssh a box using a spoofed IP and have the firewall rules only accept that spoofed IP and drop everone else. Be able to open ports and be in a stealth mode to the most stingent port scans.

Maybe I am dreaming, don't know yet I havent learned enough.

Still would like to hear some thoughts from the "ultrageeks"