
iptables Samba

LAN access troubles



3:14 am on Mar 26, 2002 (gmt 0)

This one has got me pulling my hair out. I haven't been able to find any info for my setup; most docs I have found have the Linux box doing the NAT with two interfaces (eth0, eth1).

The setup is a hardware router that handles the NAT, so all internal IPs are Class C. I can open the web and SSH for the LAN but I can't get this right.

I could sure use some direction; I have had this so many ways that I am starting to try the same things again (confused).

################# udp SMB (NetBIOS datagram service, UDP 138)
# $CONNECTION_TRACKING, $INTERNET (the interface), $IPADDR (this host) and
# $UNPRIVPORTS (the unprivileged port range) are set earlier in the script.
# -s needs an address, so $IPADDR is supplied where it was missing.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i $INTERNET -p udp \
        --sport $UNPRIVPORTS -d $IPADDR --dport 138 \
        -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i $INTERNET -p udp \
    --sport $UNPRIVPORTS \
    -d $IPADDR --dport 138 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p udp \
    -s $IPADDR --sport 138 \
    --dport $UNPRIVPORTS -j ACCEPT

########### SMB tcp (NetBIOS session service, TCP 139)
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS -d $IPADDR --dport 139 \
        -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i $INTERNET -p tcp \
    --sport $UNPRIVPORTS \
    -d $IPADDR --dport 139 -j ACCEPT
# Replies only: ! --syn stops this host from opening outbound sessions from 139.
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
    -s $IPADDR --sport 139 \
    --dport $UNPRIVPORTS -j ACCEPT


1:10 am on Mar 27, 2002 (gmt 0)

Well, I figured out how to get a Samba connection, but it's not ideal. The firewall script is deny-all by default and then drops all spoofed IPs (LAN and WAN). So the only way it works is to drop the firewall, make the connection and restart the firewall. Since it's established and related it is allowed to continue. This actually works fine for my virtual machine but is going to be a hassle when my kids need to print from their stations.

What kind of firewall systems are some of you using and how are you developing them?

If one of our resident *nix experts knows how I should build this connection into the firewall, please jump in.
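One way to build the Samba allowance into a default-deny script for a single-NIC host behind the hardware router, so the firewall never has to be dropped to let the first packet through, as an added example that is not code from this thread. LAN_IF, LAN_NET, IPADDR and DRY_RUN are assumed names; it also covers TCP 445 (direct-hosted SMB), which the thread's rules do not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: LAN_IF is the host's only
# NIC, LAN_NET the private subnet behind the hardware router, IPADDR this host.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPADDR="${IPADDR:-192.168.1.10}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules for review, 0 = apply them

# Wrapper so the rule set can be reviewed before it touches the kernel.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Default-deny base: every chain drops unless a rule below says otherwise.
base_policy() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to anything already accepted pass without per-port rules.
    ipt -A INPUT  -i "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Samba: only hosts on the LAN subnet may open a new session to this box;
# anything else (including the WAN side of the router) hits the DROP policy.
samba_rules() {
    for port in 137 138; do   # NetBIOS name and datagram services (UDP)
        ipt -A INPUT  -i "$LAN_IF" -p udp -s "$LAN_NET" -d "$IPADDR" --dport "$port" -j ACCEPT
        ipt -A OUTPUT -o "$LAN_IF" -p udp -s "$IPADDR" --sport "$port" -d "$LAN_NET" -j ACCEPT
    done
    for port in 139 445; do   # NetBIOS session service and direct-hosted SMB (TCP)
        ipt -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$IPADDR" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Number of rules samba_rules installs, counted in dry-run mode (sanity check).
samba_rule_count() { ( DRY_RUN=1; samba_rules ) | grep -c '^iptables' ; }

base_policy
samba_rules
```

Run it once with DRY_RUN=1 to read the rules, then with DRY_RUN=0 as root to apply them.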



7:22 pm on Mar 28, 2002 (gmt 0)

Is this one of those topics that real geeks don't talk about?


11:01 pm on Mar 28, 2002 (gmt 0)

littleman

David, I'm sorry, it is a bit beyond my scope. I was hoping one of our resident ultrageeks would jump in.

Do you have KDE 2.x+? If so, there is a very easy to use iptables GUI, Guarddog [simonzone.com]. It may simplify the setup for you.


12:29 am on Mar 29, 2002 (gmt 0)

Thanks littleman,
I just took a quick look at Guarddog and it looks the best of the GUIs I have seen. After being hacked by an "ultrageek" and reading as much security stuff as I have time for, I am trying to be overly cautious.

The Linux system can be very secure. What I have learned is that if a true hacker finds your box, it's like discovering gold or diamonds. The stuff that can be done undetected because of our true multitasking OS will make him probe harder and longer to find the door to take control.

So the firewall needs to limit access, but almost as important, if he gets user access it should help keep him jailed.

I am just trying to understand the iptables rules to the point that I can limit access to certain ports on remote machines to certain users and IPs and drop everyone else.

I am even wondering if it's possible to SSH to a box using a spoofed IP and have the firewall rules only accept that spoofed IP and drop everyone else, to be able to open ports and be in stealth mode to the most stringent port scans.

Maybe I am dreaming; I don't know yet, I haven't learned enough.

Still would like to hear some thoughts from the "ultrageeks".

