iptables block samba or not?

iptables block samba or not?

[Eial Czerwacki]

hello to all.
I have a strange issue with iptables an samba, I've added samba's ports to iptables and tried to connect to my local network but it isnt
working, it seems that iptables is blocking samba. here are my iptables rules:

*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# ftp / webserver related
-A INPUT -p tcp -m state --state NEW --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

# Windows / Samba
-A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT

-A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT

# up to 5 Bit-torrent connections
-A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT

#else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT

here is the output of iptables -nvL -t filter:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   162 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
 4163 3400K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       132.72.144.0/20      0.0.0.0/0           state NEW tcp dpt:135
    0     0 ACCEPT     tcp  --  *      *       132.72.144.0/20      0.0.0.0/0           state NEW tcp dpt:139
19303 2144K ACCEPT     udp  --  *      *       132.72.144.0/20      0.0.0.0/0           state NEW udp dpts:137:138
    0     0 ACCEPT     tcp  --  *      *       132.72.144.0/20      0.0.0.0/0           state NEW tcp dpt:426
    0     0 ACCEPT     tcp  --  *      *       132.72.144.0/20      0.0.0.0/0           state NEW tcp dpt:445
    0     0 ACCEPT     tcp  --  *      *       192.168.114.0/24     0.0.0.0/0           state NEW tcp dpt:135
    0     0 ACCEPT     tcp  --  *      *       192.168.114.0/24     0.0.0.0/0           state NEW tcp dpt:139
    0     0 ACCEPT     udp  --  *      *       192.168.114.0/24     0.0.0.0/0           state NEW udp dpts:137:138
    0     0 ACCEPT     tcp  --  *      *       192.168.114.0/24     0.0.0.0/0           state NEW tcp dpt:426
    0     0 ACCEPT     tcp  --  *      *       192.168.114.0/24     0.0.0.0/0           state NEW tcp dpt:445
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:6881:6886
 1347  540K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5079 packets, 777K bytes)
 pkts bytes target     prot opt in     out     source               destination

the ports are open and they receiving packages but the policy accept total is showing 0.
how can I open them? what port or rule did I missed?
one more thing, is there a way to sent multiple source addresses to one rule?

thanks in advance

Re: iptables block samba or not?

[Leonardo Rodrigues Magalhães]

[-- Attachment #1: Type: text/plain, Size: 1432 bytes --]



Eial Czerwacki escreveu:
> hello to all.
> I have a strange issue with iptables an samba, I've added samba's ports to iptables and tried to connect to my local network but it isnt
> working, it seems that iptables is blocking samba. here are my iptables rules:
>
>   
    iptables is NOT blocking samba. YOUR rules are blocking samba traffic.

> the ports are open and they receiving packages but the policy accept total is showing 0.
>   
    It's pretty obvious that nothing is going to reach your default 
policy ACCEPT rule ... you have a last one REJECT rule that matches 0/0 
all protocols. So, EVERYTHING will match your REJECT rule and, thus, 
never reach ACCEPT default policy one.

> how can I open them? what port or rule did I missed?
>   
    i dont have a clue .... get yourself a LOG rule before the final 
REJECT and watch for the LOGged rejected traffic .....

> one more thing, is there a way to sent multiple source addresses to one rule?
>   
    i think that can be acchieved using ipset stuff. But that's not 
completly easy ... i have never searched for that. When I need multiple 
sources, i get multiple rules ....

    but seems ipset can do the job.

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it





[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 5589 bytes --]

Re: iptables block samba or not?

[Dzianis Kahanovich]

Eial Czerwacki wrote:

> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
> 
> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
> 
> # up to 5 Bit-torrent connections
> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
> 
> #else
> -A INPUT -j REJECT --reject-with icmp-port-unreachable

You ACCEPTing only NEW connection state - initial packets for every session.
Remove "-m state -- state NEW".


-- 
WBR,
Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by

Re: iptables block samba or not?

[mouss]

Dzianis Kahanovich wrote:
> Eial Czerwacki wrote:
>
>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 
>> -j ACCEPT
>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 
>> 132.72.144.0/20 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 
>> -j ACCEPT
>>
>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 
>> -j ACCEPT
>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 
>> 192.168.114.0/24 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 
>> -j ACCEPT
>>
>> # up to 5 Bit-torrent connections
>> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>>
>> #else
>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
>
> You ACCEPTing only NEW connection state - initial packets for every 
> session.
> Remove "-m state -- state NEW".
>
>

or at least add stateful rules for output. but it is true that managing 
state in this case is cumbersome at best.

Another thing is that he is no allowing ICMP. It may be just me, but I 
tend to consider a machine as disconnected if it does not respond to 
ping... and while it be argued that this is helpful to protect winboxes, 
I would be frightened if this argument applied to a (not too old) linux 
or bsd ;-p

Finally, adding a rule to log rejected packets would help debugging 
whatever issues happen.

Re: iptables block samba or not?

[Eial Czerwacki]

I've got this too has part of the rules

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


On Thu 24 Jan 0:00 2008 Dzianis Kahanovich wrote:
> Eial Czerwacki wrote:
> 
> > -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
> > -A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
> > 
> > -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
> > -A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
> > 
> > # up to 5 Bit-torrent connections
> > -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
> > 
> > #else
> > -A INPUT -j REJECT --reject-with icmp-port-unreachable
> 
> You ACCEPTing only NEW connection state - initial packets for every session.
> Remove "-m state -- state NEW".
> 
> 
> -- 
> WBR,
> Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by
> 
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: iptables block samba or not?

[mouss]

Eial Czerwacki wrote:
> I've got this too has part of the rules
>
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>   

but not for output. what if your linux box initiates the connection?

Also, as I said before, allow for icmp (echo if you add a stateful 
accept for output icmp's if you don't have the stateful rule).
>
> On Thu 24 Jan 0:00 2008 Dzianis Kahanovich wrote:
>   
>> Eial Czerwacki wrote:
>>
>>     
>>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
>>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
>>>
>>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
>>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
>>>
>>> # up to 5 Bit-torrent connections
>>> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>>>
>>> #else
>>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
>>>       
>> You ACCEPTing only NEW connection state - initial packets for every session.
>> Remove "-m state -- state NEW".
>>
>>
>> -- 
>> WBR,
>> Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by
>>
>> -
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>     
>
>
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   

Re: iptables block samba or not?

[Martijn Lievaart]

mouss wrote:
> Eial Czerwacki wrote:
>> I've got this too has part of the rules
>>
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>   
>
> but not for output. what if your linux box initiates the connection?

Output policy is accept, so this is no problem. The state match does not 
create contracks, it just tests them. The conntrack is created once the 
first packet is accepted.

>
> Also, as I said before, allow for icmp (echo if you add a stateful 
> accept for output icmp's if you don't have the stateful rule).


This is a matter of taste and has nothing to do with the OPs problems.

M4

Re: iptables block samba or not?

[Eial Czerwacki]

so I need to add the same line to the output rules?
On Thu 24 Jan 23:13 2008 mouss wrote:
> Eial Czerwacki wrote:
> > I've got this too has part of the rules
> >
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >   
> 
> but not for output. what if your linux box initiates the connection?
> 
> Also, as I said before, allow for icmp (echo if you add a stateful 
> accept for output icmp's if you don't have the stateful rule).
> >
> > On Thu 24 Jan 0:00 2008 Dzianis Kahanovich wrote:
> >   
> >> Eial Czerwacki wrote:
> >>
> >>     
> >>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
> >>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
> >>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
> >>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
> >>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
> >>>
> >>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
> >>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
> >>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
> >>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
> >>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
> >>>
> >>> # up to 5 Bit-torrent connections
> >>> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
> >>>
> >>> #else
> >>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> >>>       
> >> You ACCEPTing only NEW connection state - initial packets for every session.
> >> Remove "-m state -- state NEW".
> >>
> >>
> >> -- 
> >> WBR,
> >> Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by
> >>
> >> -
> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>
> >>     
> >
> >
> >
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >   
> 
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: iptables block samba or not?

[mouss]

Eial Czerwacki wrote:
> so I need to add the same line to the output rules?
>   

no you don't. I was wrong. Thanks to Martijn for the head up.

> On Thu 24 Jan 23:13 2008 mouss wrote:
>   
>> Eial Czerwacki wrote:
>>     
>>> I've got this too has part of the rules
>>>
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>   
>>>       
>> but not for output. what if your linux box initiates the connection?
>>
>> Also, as I said before, allow for icmp (echo if you add a stateful 
>> accept for output icmp's if you don't have the stateful rule).
>>     
>>> On Thu 24 Jan 0:00 2008 Dzianis Kahanovich wrote:
>>>   
>>>       
>>>> Eial Czerwacki wrote:
>>>>
>>>>     
>>>>         
>>>>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
>>>>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
>>>>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
>>>>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
>>>>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
>>>>>
>>>>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
>>>>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
>>>>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
>>>>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
>>>>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
>>>>>
>>>>> # up to 5 Bit-torrent connections
>>>>> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>>>>>
>>>>> #else
>>>>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
>>>>>       
>>>>>           
>>>> You ACCEPTing only NEW connection state - initial packets for every session.
>>>> Remove "-m state -- state NEW".
>>>>
>>>>
>>>> -- 
>>>> WBR,
>>>> Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by
>>>>
>>>> -
>>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>>> the body of a message to majordomo@vger.kernel.org
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>>
>>>>     
>>>>         
>>>
>>>
>>> -
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>   
>>>       
>> -
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>     
>
>
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   

Re: iptables block samba or not?

[Eial Czerwacki]

ok, I've deiced to give it a try, after adding the line, I can browse the local network, e.g. samba isnt blocked again.
you guys say that this isnt the problem, now, after enabling it, is there any threat to my system?

On Fri 25 Jan 13:49 2008 mouss wrote:
> Eial Czerwacki wrote:
> > so I need to add the same line to the output rules?
> >   
> 
> no you don't. I was wrong. Thanks to Martijn for the head up.
> 
> > On Thu 24 Jan 23:13 2008 mouss wrote:
> >   
> >> Eial Czerwacki wrote:
> >>     
> >>> I've got this too has part of the rules
> >>>
> >>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>   
> >>>       
> >> but not for output. what if your linux box initiates the connection?
> >>
> >> Also, as I said before, allow for icmp (echo if you add a stateful 
> >> accept for output icmp's if you don't have the stateful rule).
> >>     
> >>> On Thu 24 Jan 0:00 2008 Dzianis Kahanovich wrote:
> >>>   
> >>>       
> >>>> Eial Czerwacki wrote:
> >>>>
> >>>>     
> >>>>         
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
> >>>>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
> >>>>>
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
> >>>>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
> >>>>>
> >>>>> # up to 5 Bit-torrent connections
> >>>>> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
> >>>>>
> >>>>> #else
> >>>>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> >>>>>       
> >>>>>           
> >>>> You ACCEPTing only NEW connection state - initial packets for every session.
> >>>> Remove "-m state -- state NEW".
> >>>>
> >>>>
> >>>> -- 
> >>>> WBR,
> >>>> Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by
> >>>>
> >>>> -
> >>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >>>> the body of a message to majordomo@vger.kernel.org
> >>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>>>
> >>>>     
> >>>>         
> >>>
> >>>
> >>> -
> >>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >>> the body of a message to majordomo@vger.kernel.org
> >>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>>   
> >>>       
> >> -
> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>
> >>     
> >
> >
> >
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >   
> 
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: iptables block samba or not?

[mouss]

Eial Czerwacki wrote:
> ok, I've deiced to give it a try, after adding the line, I can browse the local network, e.g. samba isnt blocked again.
> you guys say that this isnt the problem, now, after enabling it, is there any threat to my system?
>   

you mean enabled an output rule and it worked? now, I'm puzzled. post 
the full config.

and no, allowing output should not be a problem.

Re: iptables block samba or not?

[Eial Czerwacki]

the general rules has been changed abit, here:

#!/bin/bash
#PlasmaWall rules
NET_IPS="132.72.144.0/20 192.168.114.0/24"
#setup defaults
echo "  - Flushing rules..."
iptables -F
echo "  - Setting default policy..."
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

echo "  - Setting input rules..."
# accept all from localhost
/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#input
# ssh
#/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# ftp / webserver related
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

# Windows / Samba
for host in $NET_IPS; do
 /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
 /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
 /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
 /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
 /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
 /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
done

# up to 5 Bit-torrent connections
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT

#flood defence
#-N syn-flood
#/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
#/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
#/sbin/iptables -A syn-flood -j DROP
# Handle fragment flood attacks
/sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
/sbin/iptables -A INPUT -f -j DROP

#else
/sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

echo "  - Setting output rules..."
#output

# accept all previously established connections
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
echo " done."


On Fri 25 Jan 15:42 2008 mouss wrote:
> Eial Czerwacki wrote:
> > ok, I've deiced to give it a try, after adding the line, I can browse the local network, e.g. samba isnt blocked again.
> > you guys say that this isnt the problem, now, after enabling it, is there any threat to my system?
> >   
> 
> you mean enabled an output rule and it worked? now, I'm puzzled. post 
> the full config.
> 
> and no, allowing output should not be a problem.
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: iptables block samba or not?

[mouss]

Eial Czerwacki wrote:
> the general rules has been changed abit, here:
>
> #!/bin/bash
> #PlasmaWall rules
> NET_IPS="132.72.144.0/20 192.168.114.0/24"
> #setup defaults
> echo "  - Flushing rules..."
> iptables -F
> echo "  - Setting default policy..."
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> echo "  - Setting input rules..."
> # accept all from localhost
> /sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
>
> # accept all previously established connections
> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> #input
> # ssh
> #/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
>
> # ftp / webserver related
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>
> # Windows / Samba
> for host in $NET_IPS; do
>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
>  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
>  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
> done
>
> # up to 5 Bit-torrent connections
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>
> #flood defence
> #-N syn-flood
> #/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
> #/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> #/sbin/iptables -A syn-flood -j DROP
> # Handle fragment flood attacks
> /sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> /sbin/iptables -A INPUT -f -j DROP
>
> #else
> /sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
> /sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
>
> echo "  - Setting output rules..."
> #output
>
> # accept all previously established connections
> /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> /sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> echo " done."
>   

comment out the last output rules and try again just to make sure the 
solution is elsewhere!

Re: iptables block samba or not?

[Eial Czerwacki]

works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
On Fri 25 Jan 17:15 2008 mouss wrote:
> Eial Czerwacki wrote:
> > the general rules has been changed abit, here:
> >
> > #!/bin/bash
> > #PlasmaWall rules
> > NET_IPS="132.72.144.0/20 192.168.114.0/24"
> > #setup defaults
> > echo "  - Flushing rules..."
> > iptables -F
> > echo "  - Setting default policy..."
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> >
> > echo "  - Setting input rules..."
> > # accept all from localhost
> > /sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> >
> > # accept all previously established connections
> > /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > #input
> > # ssh
> > #/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> >
> > # ftp / webserver related
> > /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
> > /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
> > /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> >
> > # Windows / Samba
> > for host in $NET_IPS; do
> >  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
> >  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
> >  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
> >  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
> >  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
> >  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
> > done
> >
> > # up to 5 Bit-torrent connections
> > /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
> >
> > #flood defence
> > #-N syn-flood
> > #/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
> > #/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> > #/sbin/iptables -A syn-flood -j DROP
> > # Handle fragment flood attacks
> > /sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> > /sbin/iptables -A INPUT -f -j DROP
> >
> > #else
> > /sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
> > /sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
> >
> > echo "  - Setting output rules..."
> > #output
> >
> > # accept all previously established connections
> > /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > /sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> > echo " done."
> >   
> 
> comment out the last output rules and try again just to make sure the 
> solution is elsewhere!
> 
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: iptables block samba or not?

[mouss]

Eial Czerwacki wrote:
> works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
>   

that's what your "accept all previously established connections" does if 
you don't add other INPUT rules.
> On Fri 25 Jan 17:15 2008 mouss wrote:
>   
>> Eial Czerwacki wrote:
>>     
>>> the general rules has been changed abit, here:
>>>
>>> #!/bin/bash
>>> #PlasmaWall rules
>>> NET_IPS="132.72.144.0/20 192.168.114.0/24"
>>> #setup defaults
>>> echo "  - Flushing rules..."
>>> iptables -F
>>> echo "  - Setting default policy..."
>>> iptables -P INPUT DROP
>>> iptables -P OUTPUT ACCEPT
>>> iptables -P FORWARD DROP
>>>
>>> echo "  - Setting input rules..."
>>> # accept all from localhost
>>> /sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
>>>
>>> # accept all previously established connections
>>> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>> #input
>>> # ssh
>>> #/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
>>>
>>> # ftp / webserver related
>>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
>>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
>>> /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>>>
>>> # Windows / Samba
>>> for host in $NET_IPS; do
>>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
>>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
>>>  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
>>>  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
>>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
>>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
>>> done
>>>
>>> # up to 5 Bit-torrent connections
>>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>>>
>>> #flood defence
>>> #-N syn-flood
>>> #/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
>>> #/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
>>> #/sbin/iptables -A syn-flood -j DROP
>>> # Handle fragment flood attacks
>>> /sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
>>> /sbin/iptables -A INPUT -f -j DROP
>>>
>>> #else
>>> /sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
>>> /sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
>>>
>>> echo "  - Setting output rules..."
>>> #output
>>>
>>> # accept all previously established connections
>>> /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>> /sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
>>> echo " done."
>>>   
>>>       
>> comment out the last output rules and try again just to make sure the 
>> solution is elsewhere!
>>
>> -
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>     
>
>
>
>
>   

Re: iptables block samba or not?

[Eial Czerwacki]

what I meant is that I want that ssh input will be accepted only from an ip that I've initiated the connection to.
On Fri 25 Jan 18:13 2008 mouss wrote:
> Eial Czerwacki wrote:
> > works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
> >   
> 
> that's what your "accept all previously established connections" does if 
> you don't add other INPUT rules.
> > On Fri 25 Jan 17:15 2008 mouss wrote:
> >   
> >> Eial Czerwacki wrote:
> >>     
> >>> the general rules has been changed abit, here:
> >>>
> >>> #!/bin/bash
> >>> #PlasmaWall rules
> >>> NET_IPS="132.72.144.0/20 192.168.114.0/24"
> >>> #setup defaults
> >>> echo "  - Flushing rules..."
> >>> iptables -F
> >>> echo "  - Setting default policy..."
> >>> iptables -P INPUT DROP
> >>> iptables -P OUTPUT ACCEPT
> >>> iptables -P FORWARD DROP
> >>>
> >>> echo "  - Setting input rules..."
> >>> # accept all from localhost
> >>> /sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> >>>
> >>> # accept all previously established connections
> >>> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>
> >>> #input
> >>> # ssh
> >>> #/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> >>>
> >>> # ftp / webserver related
> >>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
> >>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
> >>> /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> >>>
> >>> # Windows / Samba
> >>> for host in $NET_IPS; do
> >>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
> >>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
> >>>  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
> >>>  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
> >>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
> >>>  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
> >>> done
> >>>
> >>> # up to 5 Bit-torrent connections
> >>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
> >>>
> >>> #flood defence
> >>> #-N syn-flood
> >>> #/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
> >>> #/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> >>> #/sbin/iptables -A syn-flood -j DROP
> >>> # Handle fragment flood attacks
> >>> /sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> >>> /sbin/iptables -A INPUT -f -j DROP
> >>>
> >>> #else
> >>> /sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
> >>> /sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
> >>>
> >>> echo "  - Setting output rules..."
> >>> #output
> >>>
> >>> # accept all previously established connections
> >>> /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>>
> >>> /sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> >>> echo " done."
> >>>   
> >>>       
> >> comment out the last output rules and try again just to make sure the 
> >> solution is elsewhere!
> >>
> >> -
> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>
> >>     
> >
> >
> >
> >
> >   
> 

Re: iptables block samba or not?

[Martijn Lievaart]

Eial Czerwacki wrote:
> what I meant is that I want that ssh input will be accepted only from an ip that I've initiated the connection to.
> On Fri 25 Jan 18:13 2008 mouss wrote:
>   
>> Eial Czerwacki wrote:
>>     
>>> works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
>>>   
>>>       
>> that's what your "accept all previously established connections" does if 
>> you don't add other INPUT rules.
>>     

[ Please don't toppost ]

Yes, you need the recent module for this. Add the source of outgoing 
connections to a recent table and accept on source address in that table.

Something like this (untested!):

# Don't let established packets trigger the recent match below....
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $EXTERNAL_IF -m recent --set --name tcpout --rdest
-A INPUT -i $EXTERNAL_IF -m recent --rcheck --seconds 100 --name tcpout 
--rsource -m tcp  --dport 22 -j ACCEPT

HTH,
M4

Re: iptables block samba or not?

[Steven Ayre]

>> # up to 5 Bit-torrent connections
>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 
>> -j ACCEPT
Your comment suggests you're trying to limit your BitTorrent client to 
only accepting 5 incoming connections at any one time. Is that the case?

If it is:
- There'll be no limit on the number of outgoing connections
- It'll allow your client to accept incoming connections on 5 port 
numbers, but you can have more than one computer connected to your 
client on the same port at the same time; so this'll allow connections 
to 5 ports, but won't limit the actual number of connections.

It will be needed for BitTorrent to work properly though since your 
INPUT policy is DROP. Just want to check you realise that it won't limit 
the number of connections (there are ways to do in iptables if that's 
what you wanted).

Rgds,
-Steve