* Samba Blocked? (repost)
@ 2002-11-26 22:10 Dan Egli
2002-11-27 0:24 ` Joel Newkirk
0 siblings, 1 reply; 6+ messages in thread
From: Dan Egli @ 2002-11-26 22:10 UTC (permalink / raw)
To: netfilter
Ok. I'm a fair bit confused here. I'm trying to set up an iptables filter set
that will block certain ports and allow others. It seems to work perfectly
for anything other than Samba. If I try:
smbclient //myserver/shared1
it fails to connect. But using the IP in place of it:
smbclient //192.168.0.2/shared1
works just fine. I am specifically allowing NetBIOS-ns, NetBIOS-ssn, and
NetBIOS-dgm. Still no go. What's wrong?
Thanks!
-- Dan
tables:
#!/bin/bash
IPT=/sbin/iptables
# step 1 - ensure iptables are loaded
modprobe ip_conntrack_ftp
# that should pull in all dependent modules
#step 2 SET DEFAULT POLICY
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# step 3 FLUSH THE TABLES
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -t nat -F OUTPUT
# step 4 - setup rules
$IPT -A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 -m multiport --dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
$IPT -A INPUT -p udp -i eth0 -m multiport --dports domain,ntp,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -j LOG
$IPT -A FORWARD -i eth0 -j ACCEPT
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -j LOG
# step 5 - enable NAT
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38
# step 6 - setup the proc files for a proper firewall
echo 1 > /proc/sys/net/ipv4/ip_forward
P.S. With these rules, it should only log packets that are failing, and I
see the packets on port 137 in the log, so I don't know what's wrong.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Samba Blocked? (repost)
2002-11-26 22:10 Samba Blocked? (repost) Dan Egli
@ 2002-11-27 0:24 ` Joel Newkirk
2002-11-27 2:30 ` Dan Egli
0 siblings, 1 reply; 6+ messages in thread
From: Joel Newkirk @ 2002-11-27 0:24 UTC (permalink / raw)
To: Dan Egli, netfilter
On Tuesday 26 November 2002 05:10 pm, Dan Egli wrote:
> Ok. I'm a fair bit confused here. I'm trying to set up an iptables filter set
> that will block certain ports and allow others. It seems to work perfectly
> for anything other than Samba. If I try:
> smbclient //myserver/shared1
> it fails to connect. But using the IP in place of it:
> smbclient //192.168.0.2/shared1
> works just fine. I am specifically allowing NetBIOS-ns, NetBIOS-ssn, and
> NetBIOS-dgm. Still no go. What's wrong?
> # step 4 - setup rules
> $IPT -A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh -j ACCEPT
> $IPT -A INPUT -p tcp -i eth0 -m multiport --dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
> $IPT -A INPUT -p udp -i eth0 -m multiport --dports domain,ntp,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -A INPUT -j LOG
> P.S. With these rules, it should only log packets that are failing, and I
> see the packets on port 137 in the log, so I don't know what's wrong.
Have you tried replacing netbios-ns with 137 in the rules? It may not be
resolving the name properly through your /etc/services file. I don't see any
other reason they should reach the log rule.
If that isn't it, maybe you can post a few of the droplog lines for 137s?
Also, I assume you are seeing 137 logged only when connection fails?
j
* Re: Samba Blocked? (repost)
2002-11-27 0:24 ` Joel Newkirk
@ 2002-11-27 2:30 ` Dan Egli
2002-11-27 5:00 ` Joel Newkirk
0 siblings, 1 reply; 6+ messages in thread
From: Dan Egli @ 2002-11-27 2:30 UTC (permalink / raw)
To: netfilter
That is correct. And I know for a fact that NetBIOS-ns is in the services
file because I've seen it, and I did try it both ways. Every time I try to
connect using //myserver/shared1 I get the following log lines:
Nov 26 20:22:11 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
Nov 26 20:22:11 mail last message repeated 2 times
Nov 26 20:22:28 mail kernel: IN=eth1 OUT= MAC=00:80:ad:c8:b0:a9:00:00:c5:81:21:44:08:00 SRC=63.241.23.201 DST=64.122.31.38 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29779 PROTO=ICMP TYPE=8 CODE=0 ID=45290 SEQ=0
Nov 26 20:22:29 mail kernel: IN=eth1 OUT= MAC=00:80:ad:c8:b0:a9:00:00:c5:81:21:44:08:00 SRC=63.241.23.201 DST=64.122.31.38 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29782 PROTO=ICMP TYPE=8 CODE=0 ID=45290 SEQ=256
Nov 26 20:22:30 mail kernel: IN=eth1 OUT= MAC=00:80:ad:c8:b0:a9:00:00:c5:81:21:44:08:00 SRC=63.241.23.201 DST=64.122.31.38 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29792 PROTO=ICMP TYPE=8 CODE=0 ID=45290 SEQ=512
Nov 26 20:22:37 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32807 DPT=137 LEN=58
Nov 26 20:22:42 mail last message repeated 2 times
Nov 26 20:22:44 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
Nov 26 20:22:44 mail last message repeated 2 times
Nov 26 20:22:44 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
Nov 26 20:22:45 mail last message repeated 2 times
Nov 26 20:23:05 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32807 DPT=137 LEN=58
Nov 26 20:23:09 mail last message repeated 2 times
Nov 26 20:23:11 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
Nov 26 20:23:12 mail last message repeated 2 times
Nov 26 20:23:12 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
and myserver is in my /etc/hosts as 192.168.0.2 (correct IP).
Help?
-- Dan
----- Original Message -----
From: "Joel Newkirk" <netfilter@newkirk.us>
To: "Dan Egli" <dan@shortcircuit.dyndns.org>;
<netfilter@lists.netfilter.org>
Sent: Tuesday, November 26, 2002 5:24 PM
Subject: Re: Samba Blocked? (repost)
On Tuesday 26 November 2002 05:10 pm, Dan Egli wrote:
> Ok. I'm a fair bit confused here. I'm trying to set up an iptables filter set
> that will block certain ports and allow others. It seems to work perfectly
> for anything other than Samba. If I try:
> smbclient //myserver/shared1
> it fails to connect. But using the IP in place of it:
> smbclient //192.168.0.2/shared1
> works just fine. I am specifically allowing NetBIOS-ns, NetBIOS-ssn, and
> NetBIOS-dgm. Still no go. What's wrong?
> # step 4 - setup rules
> $IPT -A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh -j ACCEPT
> $IPT -A INPUT -p tcp -i eth0 -m multiport --dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
> $IPT -A INPUT -p udp -i eth0 -m multiport --dports domain,ntp,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -A INPUT -j LOG
> P.S. With these rules, it should only log packets that are failing, and I
> see the packets on port 137 in the log, so I don't know what's wrong.
Have you tried replacing netbios-ns with 137 in the rules? It may not be
resolving the name properly through your /etc/services file. I don't see any
other reason they should reach the log rule.
If that isn't it, maybe you can post a few of the droplog lines for 137s?
Also, I assume you are seeing 137 logged only when connection fails?
j
* Re: Samba Blocked? (repost)
2002-11-27 2:30 ` Dan Egli
@ 2002-11-27 5:00 ` Joel Newkirk
2002-11-27 8:06 ` Michael
0 siblings, 1 reply; 6+ messages in thread
From: Joel Newkirk @ 2002-11-27 5:00 UTC (permalink / raw)
To: Dan Egli, netfilter
On Tuesday 26 November 2002 09:30 pm, Dan Egli wrote:
> That is correct. And I know for a fact that NetBIOS-ns is in the services
> file because I've seen it, and I did try it both ways. Every time I try to
> connect using //myserver/shared1 I get the following log lines:
Very strange. The only packets caught here with --dport 137 are on lo with the lo IP, then
--sport 137 with 64.x.x.x on lo, and --sport 137 with the local 192.x.x.x on lo. It looks like the
'real' --dport 137 packets get through (they're not listed here) but the machine tries to
query itself on lo to resolve the names. Shot in the dark, try:
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
to let these through. I've only done minimal work with samba, so I don't know if this self-request
is normal or not...
j
> Nov 26 20:22:11 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
> Nov 26 20:22:11 mail last message repeated 2 times
> Nov 26 20:22:28 mail kernel: IN=eth1 OUT= MAC=00:80:ad:c8:b0:a9:00:00:c5:81:21:44:08:00 SRC=63.241.23.201 DST=64.122.31.38 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29779 PROTO=ICMP TYPE=8 CODE=0 ID=45290 SEQ=0
> Nov 26 20:22:29 mail kernel: IN=eth1 OUT= MAC=00:80:ad:c8:b0:a9:00:00:c5:81:21:44:08:00 SRC=63.241.23.201 DST=64.122.31.38 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29782 PROTO=ICMP TYPE=8 CODE=0 ID=45290 SEQ=256
> Nov 26 20:22:30 mail kernel: IN=eth1 OUT= MAC=00:80:ad:c8:b0:a9:00:00:c5:81:21:44:08:00 SRC=63.241.23.201 DST=64.122.31.38 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29792 PROTO=ICMP TYPE=8 CODE=0 ID=45290 SEQ=512
> Nov 26 20:22:37 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32807 DPT=137 LEN=58
> Nov 26 20:22:42 mail last message repeated 2 times
> Nov 26 20:22:44 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
> Nov 26 20:22:44 mail last message repeated 2 times
> Nov 26 20:22:44 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
> Nov 26 20:22:45 mail last message repeated 2 times
> Nov 26 20:23:05 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32807 DPT=137 LEN=58
> Nov 26 20:23:09 mail last message repeated 2 times
> Nov 26 20:23:11 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
> Nov 26 20:23:12 mail last message repeated 2 times
> Nov 26 20:23:12 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
>
> and myserver is in my /etc/hosts as 192.168.0.2 (correct IP).
>
> Help?
>
> -- Dan
>
> ----- Original Message -----
> From: "Joel Newkirk" <netfilter@newkirk.us>
> To: "Dan Egli" <dan@shortcircuit.dyndns.org>;
> <netfilter@lists.netfilter.org>
> Sent: Tuesday, November 26, 2002 5:24 PM
> Subject: Re: Samba Blocked? (repost)
>
> On Tuesday 26 November 2002 05:10 pm, Dan Egli wrote:
> > Ok. I'm a fair bit confused here. I'm trying to set up an iptables filter set
> > that will block certain ports and allow others. It seems to work
> > perfectly for anything other than Samba. If I try:
> > smbclient //myserver/shared1
> > it fails to connect. But using the IP in place of it:
> > smbclient //192.168.0.2/shared1
> > works just fine. I am specifically allowing NetBIOS-ns, NetBIOS-ssn, and
> > NetBIOS-dgm. Still no go. What's wrong?
> >
> > # step 4 - setup rules
> > $IPT -A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh -j ACCEPT
> > $IPT -A INPUT -p tcp -i eth0 -m multiport --dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
> > $IPT -A INPUT -p udp -i eth0 -m multiport --dports domain,ntp,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
> > $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > $IPT -A INPUT -j LOG
> >
> > P.S. With these rules, it should only log packets that are failing, and I
> > see the packets on port 137 in the log, so I don't know what's wrong.
>
> Have you tried replacing netbios-ns with 137 in the rules? It may not be
> resolving the name properly through your /etc/services file. I don't see
> any other reason they should reach the log rule.
>
> If that isn't it, maybe you can post a few of the droplog lines for 137s?
> Also, I assume you are seeing 137 logged only when connection fails?
>
> j
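As an added example, not code from any poster in this thread: a small Python parser for the netfilter LOG lines Dan posted, applying Joel's reading of them. It folds syslog "last message repeated N times" lines into the preceding entry, counts what reached the catch-all LOG rule by interface, and records the UDP port pairs seen on lo; the sample lines are copied from the thread, and the suggested rule is the loopback ACCEPT Joel and Michael give, inserted with -I so it sits ahead of the LOG rule.

```python
import re
from collections import Counter

# Constructed sample input: three LOG lines plus one syslog "repeated" line, copied from the thread.
SAMPLE_LOG = """\
Nov 26 20:22:11 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32807 LEN=70
Nov 26 20:22:11 mail last message repeated 2 times
Nov 26 20:22:28 mail kernel: IN=eth1 OUT= MAC=00:80:ad:c8:b0:a9:00:00:c5:81:21:44:08:00 SRC=63.241.23.201 DST=64.122.31.38 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29779 PROTO=ICMP TYPE=8 CODE=0 ID=45290 SEQ=0
Nov 26 20:22:37 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32807 DPT=137 LEN=58
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")                     # KEY=value tokens of a netfilter LOG line
REPEAT_RE = re.compile(r"last message repeated (\d+) times")  # classic syslogd compression of duplicates

def parse_log(text):
    """Return [(fields, count)] per LOG line; a 'repeated N times' line adds N to the previous entry."""
    entries = []
    for line in text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep and entries:
            entries[-1][1] += int(rep.group(1))
            continue
        if "kernel:" not in line or "IN=" not in line:
            continue
        fields = {}
        for key, val in FIELD_RE.findall(line.split("kernel:", 1)[1]):
            fields.setdefault(key, val)  # keep the first LEN=/ID= (IP header), not the payload's
        entries.append([fields, 1])
    return [(f, n) for f, n in entries]

def classify(fields):
    """Loopback drops are the bug the thread found; echo requests from outside are the DROP policy working."""
    if fields.get("IN") == "lo":
        return "loopback"
    if fields.get("PROTO") == "ICMP" and fields.get("TYPE") == "8":
        return "icmp-echo-request"
    return "other"

def diagnose(text):
    """Count drops per class and list the (proto, sport, dport) pairs that were dropped on lo."""
    counts, lo_ports = Counter(), set()
    for fields, n in parse_log(text):
        kind = classify(fields)
        counts[kind] += n
        if kind == "loopback":
            lo_ports.add((fields.get("PROTO"), fields.get("SPT"), fields.get("DPT")))
    # Any packet logged with IN=lo fell through to the INPUT DROP policy: the ruleset needs a
    # loopback ACCEPT, and -I places it before the catch-all LOG rule so lo traffic is not logged either.
    advice = ["iptables -I INPUT -i lo -j ACCEPT"] if counts["loopback"] else []
    return dict(counts), sorted(lo_ports), advice
```

Appended with -A as Joel wrote it, the rule still works because LOG does not stop rule traversal, but every loopback packet would first be logged. Since Dan's OUTPUT policy is ACCEPT, the matching OUTPUT rule is harmless but not needed for this ruleset.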
* Re: Samba Blocked? (repost)
2002-11-27 5:00 ` Joel Newkirk
@ 2002-11-27 8:06 ` Michael
2002-11-27 18:17 ` Dan Egli
0 siblings, 1 reply; 6+ messages in thread
From: Michael @ 2002-11-27 8:06 UTC (permalink / raw)
To: netfilter
Joel Newkirk wrote:
>On Tuesday 26 November 2002 09:30 pm, Dan Egli wrote:
>
>>That is correct. And I know for a fact that NetBIOS-ns is in the services
>>file because I've seen it, and I did try it both ways. Every time I try to
>>connect using //myserver/shared1 I get the following log lines:
>
>Very strange. The only packets caught here with --dport 137 are on lo with the lo IP, then
>--sport 137 with 64.x.x.x on lo, and --sport 137 with the local 192.x.x.x on lo. It looks like the
>'real' --dport 137 packets get through (they're not listed here) but the machine tries to
>query itself on lo to resolve the names. Shot in the dark, try:
>
>/sbin/iptables -A INPUT -i lo -j ACCEPT
>/sbin/iptables -A OUTPUT -o lo -j ACCEPT
>
>to let these through. I've only done minimal work with samba, so I don't know if this self-request
>is normal or not...
>
I think it's due to smbd talking to nmbd via lo when it receives a bcast?? Something like that.
Something like this is generally needed anyway:
Something like this is generally needed anyway:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Cheers,
Michael
* Re: Samba Blocked? (repost)
2002-11-27 8:06 ` Michael
@ 2002-11-27 18:17 ` Dan Egli
0 siblings, 0 replies; 6+ messages in thread
From: Dan Egli @ 2002-11-27 18:17 UTC (permalink / raw)
To: Michael, netfilter
I will try this one then. Thanks!
----- Original Message -----
From: "Michael" <mutk@iprimus.com.au>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, November 27, 2002 1:06 AM
Subject: Re: Samba Blocked? (repost)
> Joel Newkirk wrote:
>
> >On Tuesday 26 November 2002 09:30 pm, Dan Egli wrote:
> >
> >>That is correct. And I know for a fact that NetBIOS-ns is in the services
> >>file because I've seen it, and I did try it both ways. Every time I try to
> >>connect using //myserver/shared1 I get the following log lines:
> >
> >Very strange. The only packets caught here with --dport 137 are on lo with the lo IP, then
> >--sport 137 with 64.x.x.x on lo, and --sport 137 with the local 192.x.x.x on lo. It looks like the
> >'real' --dport 137 packets get through (they're not listed here) but the machine tries to
> >query itself on lo to resolve the names. Shot in the dark, try:
> >
> >/sbin/iptables -A INPUT -i lo -j ACCEPT
> >/sbin/iptables -A OUTPUT -o lo -j ACCEPT
> >
> >to let these through. I've only done minimal work with samba, so I don't know if this self-request
> >is normal or not...
>
> I think it's due to smbd talking to nmbd via lo when it receives a bcast?? Something like that.
> Something like this is generally needed anyway:
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> Cheers,
> Michael