* rules suggestion
@ 2004-07-22 5:43 Askar Ali Khan
2004-07-22 6:16 ` adderek
2004-07-22 6:23 ` Patrick Leslie Polzer
From: Askar Ali Khan @ 2004-07-22 5:43 UTC (permalink / raw)
To: netfilter
Hi all
Here are a few rules from our firewall; please let me know if this is
the proper way to deal with windowz ports :)
iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
Or are we unnecessarily repeating it on some chains/tables?
regards
Askar Ali
* Re: rules suggestion
2004-07-22 5:43 rules suggestion Askar Ali Khan
@ 2004-07-22 6:16 ` adderek
2004-07-22 10:04 ` George Alexandru Dragoi
2004-07-22 6:23 ` Patrick Leslie Polzer
From: adderek @ 2004-07-22 6:16 UTC (permalink / raw)
To: Askar Ali Khan; +Cc: netfilter
Askar Ali Khan wrote:
> Here are a few rules from our firewall; please let me know if this is
> the proper way to deal with windowz ports :)
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
$ipt -t filter -A OUTPUT -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
$ipt -t filter -A INPUT -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
$ipt -t filter -A FORWARD -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
$ipt -t filter -A FORWARD -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
This will do (at least it works on my PC :)
I have a 192.168.1.x subnet.
# NETBIOS is my comment (the first two lines are taken from my bash script,
and lines 3 and 4 are not tested; I created them by hand a while
ago). However, I've disabled multicast forwarding on my router/firewall,
so only the first two lines are really needed (on my PC).
However, if you'd like to enable SMB then some more ports will be needed
(i.e. 32768 or something like that, and this one port is undocumented).
* Re: rules suggestion
2004-07-22 5:43 rules suggestion Askar Ali Khan
2004-07-22 6:16 ` adderek
@ 2004-07-22 6:23 ` Patrick Leslie Polzer
From: Patrick Leslie Polzer @ 2004-07-22 6:23 UTC (permalink / raw)
To: netfilter
Hello,
On Thu, 22 Jul 2004 10:43:07 +0500
Askar Ali Khan <askarali@gmail.com> wrote:
> Or are we unnecessarily repeating it on some chains/tables?
Yes, here:
> iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
You already have that in your INPUT chain. Always stick to the 'filter' table
for filtering.
I also think Windows uses only UDP (quite sure) on ports 137:138 (not sure).
Why don't you go for a default DROP policy with ACCEPT rules?
Kind regards,
Leslie
* Re: rules suggestion
2004-07-22 6:16 ` adderek
@ 2004-07-22 10:04 ` George Alexandru Dragoi
From: George Alexandru Dragoi @ 2004-07-22 10:04 UTC (permalink / raw)
To: netfilter
This one should also help:
iptables -I FORWARD -p icmp --icmp-type echo-request -m length --length 92:92 -j DROP
Maybe you also want to log some of those ICMPs.
* RE: rules suggestion
@ 2004-07-22 20:31 Jason Opperisano
From: Jason Opperisano @ 2004-07-22 20:31 UTC (permalink / raw)
To: netfilter
> $ipt -t filter -A OUTPUT -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
> $ipt -t filter -A INPUT -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
> $ipt -t filter -A FORWARD -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
> $ipt -t filter -A FORWARD -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
All these rules block UDP 137-139 to the specific broadcast address on your internal LAN. While this is nice for tidying up your logs, I *believe* the original poster was looking to keep NetBIOS-related traffic from leaking out to the internet, in which case my recommendation is:
-A FORWARD -o $external_if -p udp --dport 137:138 -j DROP
-A FORWARD -o $external_if -p tcp --dport 139 -j DROP
-A FORWARD -o $external_if -p tcp --dport 445 -j DROP
two notes:
All the examples are using "-A". Keep in mind that if you already have some kind of "allow everything on the inside out" rule, these will never get matched. In such a case, you would need to "-I FORWARD x" where x = the number of the "allow everything out" rule.
It gets mentioned all the time on this list, but hey--you can never get too much of a good thing, right:
The best way to design your firewall rules is to start with a default drop, and then just allow the specific traffic that you need. It may take slightly longer to get it set up initially, but it requires much less care & feeding in the long run.
-j
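A worked version of the default-DROP layout that Patrick and Jason recommend, with Jason's NetBIOS/SMB egress drops placed before the catch-all "LAN may go anywhere" rule so they are actually reached. This is an added example, not a script posted in the thread; the interface names, the LAN subnet and the SSH admin rule are assumed placeholders.

```sh
#!/bin/sh
# Added example (not from the list): default-DROP filter policies with explicit
# ACCEPTs, and the NetBIOS/SMB egress drops ordered BEFORE the catch-all allow.
# Dry run by default: IPT=echo prints each command instead of applying it.
# Run with IPT=iptables as root to load it for real.
IPT=${IPT:-echo}
EXT_IF=eth0            # assumed: internet-facing interface
INT_IF=eth1            # assumed: LAN interface
LAN=192.168.1.0/24     # assumed: internal subnet

# Ports named in the thread: 137-138/udp (name/datagram), 139/tcp, 445/tcp.
block_netbios_egress() {
  $IPT -A FORWARD -o "$EXT_IF" -p udp --dport 137:138 -j DROP
  $IPT -A FORWARD -o "$EXT_IF" -p tcp --dport 139 -j DROP
  $IPT -A FORWARD -o "$EXT_IF" -p tcp --dport 445 -j DROP
}

default_drop_ruleset() {
  # Filter table only: nothing is dropped in nat/PREROUTING (Patrick's point).
  $IPT -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT   # the firewall's own outbound traffic is left open here
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT  # assumed admin rule
  # Silently drop NetBIOS broadcast noise so it does not flood the LOG rule below.
  $IPT -A INPUT -i "$EXT_IF" -p udp --dport 137:139 -j DROP
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-drop: "
  # Anything not accepted above falls through to the DROP policy.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  block_netbios_egress    # must come before the catch-all ACCEPT (Jason's note)
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

default_drop_ruleset
```

With IPT=echo you can pipe the output through `grep -n` to confirm the three egress drops are listed before the catch-all ACCEPT before loading it.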