* rules suggestion
@ 2004-07-22 5:43 Askar Ali Khan
2004-07-22 6:16 ` adderek
2004-07-22 6:23 ` Patrick Leslie Polzer
0 siblings, 2 replies; 5+ messages in thread
From: Askar Ali Khan @ 2004-07-22 5:43 UTC (permalink / raw)
To: netfilter
Hi all
Here are few rules from overs firewall, please let me know is this is
the proper way to deal with windowz ports :)
iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
Or we are unnecessary repeating it on some chains/tables.
regards
Askar Ali
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: rules suggestion
2004-07-22 5:43 rules suggestion Askar Ali Khan
@ 2004-07-22 6:16 ` adderek
2004-07-22 10:04 ` George Alexandru Dragoi
2004-07-22 6:23 ` Patrick Leslie Polzer
1 sibling, 1 reply; 5+ messages in thread
From: adderek @ 2004-07-22 6:16 UTC (permalink / raw)
To: Askar Ali Khan; +Cc: netfilter
Askar Ali Khan wrote:
> Here are few rules from overs firewall, please let me know is this is
> the proper way to deal with windowz ports :)
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
$ipt -t filter -A OUTPUT -o $extif_name -p udp -d 192.168.1.255 --dport
137:139 -j DROP #NETBIOS
$ipt -t filter -A INPUT -i $extif_name -p udp -d 192.168.1.255 --dport
137:139 -j DROP #NETBIOS
$ipt -t filter -A FORWARD -i $extif_name -p udp -d 192.168.1.255 --dport
137:139 -j DROP #NETBIOS
$ipt -t filter -A FORWARD -o $extif_name -p udp -d 192.168.1.255 --dport
137:139 -j DROP #NETBIOS
This will do (at least it works on my PC :)
I have 192.168.1.x subnet.
# NETBIOS is my comment (first two lines are taken from my bash's script
and lines 3 and 4 are not tested and I've created them by hand a while
ago). However I've disabled multicast forwarding on my router/firewall
so only first two lines are really needed (on my PC).
However if you like to enable SMB then some more ports will be needed
(ie. 32768 or someting like that, and this one port is undocumented)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: rules suggestion
2004-07-22 6:16 ` adderek
@ 2004-07-22 10:04 ` George Alexandru Dragoi
0 siblings, 0 replies; 5+ messages in thread
From: George Alexandru Dragoi @ 2004-07-22 10:04 UTC (permalink / raw)
To: netfilter
This one should also help:
iptables -I FORWARD -p icmp --icmp-type echo-request -m length
--length 92:92 -j DROP
Maybe you also want to log some of those icmps
On Thu, 22 Jul 2004 08:16:08 +0200, adderek <adderek@polbox.com> wrote:
> Askar Ali Khan wrote:
>
> > Here are few rules from overs firewall, please let me know is this is
> > the proper way to deal with windowz ports :)
> >
> > iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> > iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> > iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> > iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> > iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> > iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
>
>
> $ipt -t filter -A OUTPUT -o $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A INPUT -i $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A FORWARD -i $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A FORWARD -o $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
>
> This will do (at least it works on my PC :)
>
> I have 192.168.1.x subnet.
>
> # NETBIOS is my comment (first two lines are taken from my bash's script
> and lines 3 and 4 are not tested and I've created them by hand a while
> ago). However I've disabled multicast forwarding on my router/firewall
> so only first two lines are really needed (on my PC).
>
> However if you like to enable SMB then some more ports will be needed
> (ie. 32768 or someting like that, and this one port is undocumented)
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: rules suggestion
2004-07-22 5:43 rules suggestion Askar Ali Khan
2004-07-22 6:16 ` adderek
@ 2004-07-22 6:23 ` Patrick Leslie Polzer
1 sibling, 0 replies; 5+ messages in thread
From: Patrick Leslie Polzer @ 2004-07-22 6:23 UTC (permalink / raw)
To: netfilter
Hello,
On Thu, 22 Jul 2004 10:43:07 +0500
Askar Ali Khan <askarali@gmail.com> wrote:
> Or we are unnecessary repeating it on some chains/tables.
Yes, here:
> iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
You already have that in your INPUT chain. Always stick to the 'filter' table
for filtering.
I also think Windows uses only UDP (quite sure) on ports 137:138 (not sure).
Why don't you go for a default DROP policy with ACCEPT rules?
Kind regards,
Leslie
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: rules suggestion
@ 2004-07-22 20:31 Jason Opperisano
0 siblings, 0 replies; 5+ messages in thread
From: Jason Opperisano @ 2004-07-22 20:31 UTC (permalink / raw)
To: netfilter
> $ipt -t filter -A OUTPUT -o $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A INPUT -i $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A FORWARD -i $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A FORWARD -o $extif_name -p udp -d 192.168.1.255 --dport
> 137:139 -j DROP #NETBIOS
all these rules block are UDP 137-139 to the specific broadcast address on your internal LAN. while this is nice for tidying up your logs; i *believe* the original poster was looking to keep netbios-related traffic from leaking out to the internet. in which case, my recommendation is:
-A FORWARD -o $external_if -p udp --dport 137:138 -j DROP
-A FORWARD -o $external_if -p tcp --dport 139 -j DROP
-A FORWARD -o $external_if -p tcp --dport 445 -j DROP
two notes:
all the examples are using "-A." keep in mind that if you already have some kind of "allow everything on the inside out" rule, these will never get matched. in such a case, you would need to "-I FORWARD x" where x = the numnber of the "allow everything out" rule.
it gets mentioned all the time on this list, but hey--you can never get too much of a good thing, right:
the best way to design your firewall rules is to start with a default drop, and then just allow the specific traffic that you need. it may take slightly longer to get it setup initially, but requires much less care & feeding in the long run.
-j
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2004-07-22 20:31 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-07-22 5:43 rules suggestion Askar Ali Khan
2004-07-22 6:16 ` adderek
2004-07-22 10:04 ` George Alexandru Dragoi
2004-07-22 6:23 ` Patrick Leslie Polzer
-- strict thread matches above, loose matches on Subject: below --
2004-07-22 20:31 Jason Opperisano
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.