* iptables block samba or not?
From: Eial Czerwacki @ 2008-01-21 22:33 UTC
To: netfilter
Hello to all.
I have a strange issue with iptables and Samba. I've added Samba's ports to iptables and tried to connect to my local network, but it isn't
working; it seems that iptables is blocking Samba. Here are my iptables rules:
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# ftp / webserver related
-A INPUT -p tcp -m state --state NEW --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
# up to 5 Bit-torrent connections
-A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
#else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
Here is the output of iptables -nvL -t filter:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 162 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
4163 3400K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 132.72.144.0/20 0.0.0.0/0 state NEW tcp dpt:135
0 0 ACCEPT tcp -- * * 132.72.144.0/20 0.0.0.0/0 state NEW tcp dpt:139
19303 2144K ACCEPT udp -- * * 132.72.144.0/20 0.0.0.0/0 state NEW udp dpts:137:138
0 0 ACCEPT tcp -- * * 132.72.144.0/20 0.0.0.0/0 state NEW tcp dpt:426
0 0 ACCEPT tcp -- * * 132.72.144.0/20 0.0.0.0/0 state NEW tcp dpt:445
0 0 ACCEPT tcp -- * * 192.168.114.0/24 0.0.0.0/0 state NEW tcp dpt:135
0 0 ACCEPT tcp -- * * 192.168.114.0/24 0.0.0.0/0 state NEW tcp dpt:139
0 0 ACCEPT udp -- * * 192.168.114.0/24 0.0.0.0/0 state NEW udp dpts:137:138
0 0 ACCEPT tcp -- * * 192.168.114.0/24 0.0.0.0/0 state NEW tcp dpt:426
0 0 ACCEPT tcp -- * * 192.168.114.0/24 0.0.0.0/0 state NEW tcp dpt:445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:6881:6886
1347 540K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5079 packets, 777K bytes)
pkts bytes target prot opt in out source destination
The ports are open and they are receiving packets, but the policy accept total is showing 0.
How can I open them? What port or rule did I miss?
One more thing: is there a way to send multiple source addresses to one rule?
Thanks in advance.
* Re: iptables block samba or not?
From: Leonardo Rodrigues Magalhães @ 2008-01-22 1:52 UTC
To: Eial Czerwacki; +Cc: netfilter
Eial Czerwacki wrote:
> hello to all.
> I have a strange issue with iptables and Samba. I've added Samba's ports to iptables and tried to connect to my local network, but it isn't
> working; it seems that iptables is blocking Samba. Here are my iptables rules:
>
>
iptables is NOT blocking samba. YOUR rules are blocking samba traffic.
> The ports are open and they are receiving packets, but the policy accept total is showing 0.
>
It's pretty obvious that nothing is going to reach your default
policy ACCEPT ... you have a final REJECT rule that matches 0/0,
all protocols. So, EVERYTHING will match your REJECT rule and, thus,
never reach the ACCEPT default policy.
> How can I open them? What port or rule did I miss?
>
I don't have a clue ... get yourself a LOG rule before the final
REJECT and watch for the logged rejected traffic.
> One more thing: is there a way to send multiple source addresses to one rule?
>
I think that can be achieved using ipset. But that's not
completely easy ... I have never searched for that. When I need multiple
sources, I get multiple rules ....
But it seems ipset can do the job.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it:
gertrudes@solutti.com.br
* Re: iptables block samba or not?
From: Dzianis Kahanovich @ 2008-01-23 22:00 UTC
To: netfilter
Eial Czerwacki wrote:
> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20 -j ACCEPT
>
> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p udp -m state --state NEW --dport 137:138 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24 -j ACCEPT
>
> # up to 5 Bit-torrent connections
> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>
> #else
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
You are ACCEPTing only the NEW connection state, i.e. the initial packet of every session.
Remove "-m state --state NEW".
--
WBR,
Denis Kaganovich, mahatma@eu.by http://mahatma.bspu.unibel.by
* Re: iptables block samba or not?
From: mouss @ 2008-01-24 20:16 UTC
Cc: netfilter
Dzianis Kahanovich wrote:
> Eial Czerwacki wrote:
>
>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 132.72.144.0/20
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 132.72.144.0/20
>> -j ACCEPT
>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s
>> 132.72.144.0/20 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 132.72.144.0/20
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 132.72.144.0/20
>> -j ACCEPT
>>
>> -A INPUT -p tcp -m state --state NEW --dport 135 -s 192.168.114.0/24
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 139 -s 192.168.114.0/24
>> -j ACCEPT
>> -A INPUT -p udp -m state --state NEW --dport 137:138 -s
>> 192.168.114.0/24 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 426 -s 192.168.114.0/24
>> -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW --dport 445 -s 192.168.114.0/24
>> -j ACCEPT
>>
>> # up to 5 Bit-torrent connections
>> -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>>
>> #else
>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
>
> You are ACCEPTing only the NEW connection state, i.e. the initial packet of every
> session.
> Remove "-m state --state NEW".
>
>
Or at least add stateful rules for output. But it is true that managing
state in this case is cumbersome at best.
Another thing is that he is not allowing ICMP. It may be just me, but I
tend to consider a machine as disconnected if it does not respond to
ping... and while it can be argued that this is helpful to protect winboxes,
I would be frightened if this argument applied to a (not too old) Linux
or BSD ;-p
Finally, adding a rule to log rejected packets would help in debugging
whatever issues happen.
* Re: iptables block samba or not?
From: Eial Czerwacki @ 2008-01-24 20:17 UTC
To: Dzianis Kahanovich; +Cc: netfilter
I've got this too as part of the rules:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
* Re: iptables block samba or not?
From: mouss @ 2008-01-24 21:13 UTC
To: netfilter
Eial Czerwacki wrote:
> I've got this too as part of the rules:
>
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
But not for output. What if your Linux box initiates the connection?
Also, as I said before, allow for ICMP (echo if you add a stateful
accept for output, ICMPs if you don't have the stateful rule).
* Re: iptables block samba or not?
From: Martijn Lievaart @ 2008-01-24 21:37 UTC
To: mouss; +Cc: netfilter
mouss wrote:
> Eial Czerwacki wrote:
>> I've got this too as part of the rules:
>>
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> But not for output. What if your Linux box initiates the connection?
Output policy is accept, so this is no problem. The state match does not
create conntracks, it just tests them. The conntrack is created once the
first packet is accepted.
>
> Also, as I said before, allow for icmp (echo if you add a stateful
> accept for output icmp's if you don't have the stateful rule).
This is a matter of taste and has nothing to do with the OP's problems.
M4
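The four points made so far (Leonardo: nothing reaches the ACCEPT policy behind a catch-all REJECT, and put a LOG rule in front of it; Dzianis: the Samba rules only admit the NEW state; mouss: what happens when the box itself opens a connection; Martijn: the state match only tests conntrack, the entry is created once the first packet is accepted) can be checked against a small model of chain traversal. What follows is an added example written for this page, not code from the thread or from netfilter: a toy, first-match model of a chain with a minimal conntrack table. Every address, port and rule in it is a constructed sample, the "sources" field with several CIDRs stands in for the ipset match Leonardo mentions, and the model ignores everything (RELATED, timeouts, chain hooks) that the discussion does not need. It also covers the later question in the thread about accepting input only for connections the box initiated.

```python
# Added example, not code from the thread or from netfilter: a toy, first-match
# model of chain traversal with a minimal conntrack table. All addresses, ports
# and rules below are constructed samples.
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                          # "ACCEPT", "REJECT" or "LOG"
    proto: Optional[str] = None          # "tcp", "udp" or None for any protocol
    dport: Optional[tuple] = None        # (low, high) inclusive, like --dport a:b
    states: Optional[frozenset] = None   # like -m state --state; None = no state match
    sources: tuple = ()                  # CIDRs, empty = any; several CIDRs model an ipset
    log_prefix: str = ""


@dataclass
class Chain:
    policy: str                          # verdict for packets no rule terminates
    rules: list = field(default_factory=list)
    hits: Counter = field(default_factory=Counter)   # rule index or "policy" -> packets


class Firewall:
    def __init__(self):
        self.conntrack = set()   # accepted flows as (proto, src, sport, dst, dport)
        self.log = []            # what the LOG target would write to the kernel log

    def state(self, pkt):
        proto, src, sport, dst, dport = pkt
        reply = (proto, dst, dport, src, sport)
        return "ESTABLISHED" if pkt in self.conntrack or reply in self.conntrack else "NEW"

    @staticmethod
    def matches(rule, pkt, state):
        proto, src, _sport, _dst, dport = pkt
        if rule.proto and rule.proto != proto:
            return False
        if rule.dport and not rule.dport[0] <= dport <= rule.dport[1]:
            return False
        if rule.states and state not in rule.states:
            return False
        if rule.sources and not any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                                    for n in rule.sources):
            return False
        return True

    def run(self, chain, pkt):
        """Walk the chain top to bottom; the first terminating match decides."""
        state = self.state(pkt)
        verdict = None
        for i, rule in enumerate(chain.rules):
            if not self.matches(rule, pkt, state):
                continue
            chain.hits[i] += 1
            if rule.target == "LOG":           # LOG records and traversal continues
                self.log.append(f"{rule.log_prefix}{state} {pkt}")
                continue
            verdict = rule.target
            break
        if verdict is None:                    # nothing terminated: the policy counts
            chain.hits["policy"] += 1
            verdict = chain.policy
        if verdict == "ACCEPT":                # conntrack entry exists once accepted,
            self.conntrack.add(pkt)            # whichever chain accepted the packet
        return verdict, state


SAMBA_NETS = ("132.72.144.0/20", "192.168.114.0/24")   # the two ranges from the thread


def build_input_chain():
    # The INPUT chain of the original post, cut down to the rules that matter here.
    return Chain(policy="ACCEPT", rules=[
        Rule("ACCEPT", sources=("127.0.0.1/32",)),
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", proto="tcp", dport=(445, 445), states=frozenset({"NEW"}),
             sources=SAMBA_NETS),
        Rule("LOG", log_prefix="Rejected: "),  # the LOG before REJECT the replies suggest
        Rule("REJECT"),
    ])


def demo():
    fw = Firewall()
    inp = build_input_chain()
    out = Chain(policy="ACCEPT")               # OUTPUT as posted: policy ACCEPT, no rules
    me = "192.168.114.1"                       # constructed address of the Samba host
    syn = ("tcp", "192.168.114.5", 51000, me, 445)
    r = {
        "smb_syn": fw.run(inp, syn),           # NEW: admitted by the Samba rule
        "smb_data": fw.run(inp, syn),          # same flow again: ESTABLISHED rule takes it
        "smb_outside": fw.run(inp, ("tcp", "10.9.8.7", 51001, me, 445)),  # logged, rejected
    }
    # A connection this box opens: OUTPUT accepts by policy, which creates the conntrack
    # entry, so the reply on INPUT is ESTABLISHED although no rule accepts NEW from there.
    fw.run(out, ("tcp", me, 40000, "10.0.0.7", 80))
    r["reply_to_mine"] = fw.run(inp, ("tcp", "10.0.0.7", 80, me, 40000))
    r["unsolicited"] = fw.run(inp, ("tcp", "10.0.0.7", 80, me, 40001))
    r["established_hits"] = inp.hits[1]        # 2: smb_data and reply_to_mine
    r["policy_hits"] = inp.hits["policy"]      # 0: the final REJECT catches everything
    r["log"] = list(fw.log)                    # two "Rejected:" lines
    return r
```

Running `demo()` reproduces the thread's observations: the INPUT policy counter stays at 0 because the trailing REJECT terminates every packet that no ACCEPT rule took; the NEW-only Samba rule is enough because the second and later packets of the flow hit the RELATED,ESTABLISHED rule; and the reply to a connection the box opened is ESTABLISHED on INPUT without any OUTPUT rule, exactly as Martijn describes. The unsolicited packet from the same peer with a different port is NEW and ends up logged and rejected, which is the "accept input only for connections I initiated" behaviour.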
* Re: iptables block samba or not?
From: Eial Czerwacki @ 2008-01-25 10:40 UTC
To: mouss; +Cc: netfilter
So I need to add the same line to the output rules?
* Re: iptables block samba or not?
From: mouss @ 2008-01-25 11:49 UTC
To: Eial Czerwacki; +Cc: netfilter
Eial Czerwacki wrote:
> So I need to add the same line to the output rules?
>
No, you don't. I was wrong. Thanks to Martijn for the heads-up.
* Re: iptables block samba or not?
From: Eial Czerwacki @ 2008-01-25 13:35 UTC
To: mouss; +Cc: netfilter
OK, I've decided to give it a try. After adding the line, I can browse the local network, i.e. Samba isn't blocked any more.
You guys say that this isn't the problem; now, after enabling it, is there any threat to my system?
* Re: iptables block samba or not?
From: mouss @ 2008-01-25 13:42 UTC
To: netfilter
Eial Czerwacki wrote:
> OK, I've decided to give it a try. After adding the line, I can browse the local network, i.e. Samba isn't blocked any more.
> You guys say that this isn't the problem; now, after enabling it, is there any threat to my system?
>
You mean you enabled an output rule and it worked? Now I'm puzzled. Post
the full config.
And no, allowing output should not be a problem.
* Re: iptables block samba or not?
From: Eial Czerwacki @ 2008-01-25 14:27 UTC
To: mouss; +Cc: netfilter
The general rules have been changed a bit; here:
#!/bin/bash
#PlasmaWall rules
NET_IPS="132.72.144.0/20 192.168.114.0/24"
#setup defaults
echo " - Flushing rules..."
iptables -F
echo " - Setting default policy..."
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo " - Setting input rules..."
# accept all from localhost
/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#input
# ssh
#/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# ftp / webserver related
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# Windows / Samba
for host in $NET_IPS; do
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
done
# up to 5 Bit-torrent connections
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
#flood defence
#-N syn-flood
#/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
#/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
#/sbin/iptables -A syn-flood -j DROP
# Handle fragment flood attacks
/sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
/sbin/iptables -A INPUT -f -j DROP
#else
/sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
echo " - Setting output rules..."
#output
# accept all previously established connections
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
echo " done."
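The script above now logs everything that reaches the final REJECT with `--log-prefix "Rejected: "`, which is the debugging aid Leonardo and mouss asked for. The next step a practitioner takes is to read those kernel lines back and see which source and port combinations are being refused. The following is an added example written for this page, not code from the thread: a small parser for the `KEY=VALUE` line format the netfilter LOG target writes to the kernel log, with a summary by source and destination port, plus a check that flags rejected Samba traffic coming from a network the script's `NET_IPS` list was meant to allow (such a hit points at the rule set rather than at the client). The log lines embedded below are constructed samples with shortened header fields; only the prefix and the two network ranges come from the thread.

```python
# Added example, not from the thread: parse the kernel lines written by the
# LOG rules in the script above and summarize what was rejected.
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the KEY=VALUE format of netfilter's LOG
# target (header fields shortened); the "Rejected: " prefix is the script's own.
SAMPLE_LOG = """\
Jan 25 14:30:01 plasma kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=192.168.114.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 14:30:02 plasma kernel: Rejected: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.114.1 LEN=60 TTL=63 ID=1235 DF PROTO=TCP SPT=51001 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 14:30:05 plasma kernel: Rejected: IN=eth0 OUT= SRC=192.168.115.9 DST=192.168.115.255 LEN=229 TTL=64 ID=7 PROTO=UDP SPT=138 DPT=138 LEN=209
Jan 25 14:30:09 plasma kernel: Rejected: IN=eth0 OUT= SRC=192.168.114.23 DST=192.168.114.1 LEN=84 TTL=64 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jan 25 14:30:10 plasma kernel: Rejected: IN=eth0 OUT= SRC=132.72.150.3 DST=192.168.114.1 LEN=60 TTL=62 ID=88 DF PROTO=TCP SPT=2049 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 25 14:30:12 plasma sshd[1234]: Accepted publickey for eial from 192.168.114.23 port 50000 ssh2
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

SAMBA_NETS = ["132.72.144.0/20", "192.168.114.0/24"]     # NET_IPS from the script
SAMBA_PORTS = {("TCP", "135"), ("TCP", "139"), ("TCP", "426"), ("TCP", "445"),
               ("UDP", "137"), ("UDP", "138")}            # ports the script opens


def parse_log_line(line):
    """Return the prefix plus the KEY=VALUE fields of one LOG line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None                      # not a netfilter LOG line (e.g. sshd)
    rec = {"prefix": m.group("prefix").strip()}
    rec.update(KV_RE.findall(m.group("fields")))   # flags like DF/SYN have no '='
    return rec


def summarize(log_text):
    """Count logged packets by (prefix, protocol, source, dest port or ICMP type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            service = rec.get("DPT") or rec.get("TYPE", "-")   # ICMP has no port
            counts[(rec["prefix"], rec.get("PROTO", "?"), rec.get("SRC"), service)] += 1
    return counts


def unexpected_samba_rejects(counts, nets=SAMBA_NETS, ports=SAMBA_PORTS):
    """Rejected Samba traffic from a source the rules were meant to allow.

    A hit here means the ACCEPT rule for that net/port never matched, so the
    thing to inspect is rule order, the port list or the state match."""
    networks = [ipaddress.ip_network(n) for n in nets]
    return sorted(
        (src, proto, port, n) for (prefix, proto, src, port), n in counts.items()
        if prefix.startswith("Rejected") and (proto, port) in ports
        and any(ipaddress.ip_address(src) in net for net in networks))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, n in sorted(summary.items()):
        print(n, key)
    print("needs a rule fix:", unexpected_samba_rejects(summary))
```

On the sample, the summary shows two outside hosts probing TCP 445/139 (correctly refused), a NetBIOS broadcast from 192.168.115.0/24 (not in `NET_IPS`, so refused as configured), an ICMP echo from a LAN host (there is no ICMP rule at all, which is mouss's point), and one TCP 139 attempt from 132.72.150.3, which lies inside 132.72.144.0/20 and should have matched the Samba rule; only that last one is returned by `unexpected_samba_rejects`.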
* Re: iptables block samba or not?
From: mouss @ 2008-01-25 15:15 UTC
To: Eial Czerwacki; +Cc: netfilter
Eial Czerwacki wrote:
> The general rules have been changed a bit; here:
>
> #!/bin/bash
> #PlasmaWall rules
> NET_IPS="132.72.144.0/20 192.168.114.0/24"
> #setup defaults
> echo " - Flushing rules..."
> iptables -F
> echo " - Setting default policy..."
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> echo " - Setting input rules..."
> # accept all from localhost
> /sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
>
> # accept all previously established connections
> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> #input
> # ssh
> #/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
>
> # ftp / webserver related
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>
> # Windows / Samba
> for host in $NET_IPS; do
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
> /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
> /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
> done
>
> # up to 5 Bit-torrent connections
> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
>
> #flood defence
> #-N syn-flood
> #/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
> #/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> #/sbin/iptables -A syn-flood -j DROP
> # Handle fragment flood attacks
> /sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> /sbin/iptables -A INPUT -f -j DROP
>
> #else
> /sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
> /sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
>
> echo " - Setting output rules..."
> #output
>
> # accept all previously established connections
> /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> /sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> echo " done."
>
Comment out the last output rules and try again, just to make sure the
solution is elsewhere!
* Re: iptables block samba or not?
From: Eial Czerwacki @ 2008-01-25 16:02 UTC
To: mouss; +Cc: netfilter
Works with it and without it. One more question: is there a way to approve an input only if I initiated the connection?
On Fri 25 Jan 17:15 2008 mouss wrote:
> Eial Czerwacki wrote:
> > the general rules has been changed abit, here:
> comment out the last output rules and try again just to make sure the
> solution is elsewhere!
>
* Re: iptables block samba or not?
2008-01-25 15:15 ` mouss
2008-01-25 16:02 ` Eial Czerwacki
@ 2008-01-25 16:04 ` Steven Ayre
1 sibling, 0 replies; 18+ messages in thread
From: Steven Ayre @ 2008-01-25 16:04 UTC (permalink / raw)
To: netfilter
>> # up to 5 Bit-torrent connections
>> /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886
>> -j ACCEPT
Your comment suggests you're trying to limit your BitTorrent client to
only accepting 5 incoming connections at any one time. Is that the case?
If it is:
- There'll be no limit on the number of outgoing connections
- It'll allow your client to accept incoming connections on 5 port
numbers, but you can have more than one computer connected to your
client on the same port at the same time; so this'll allow connections
to 5 ports, but won't limit the actual number of connections.
It will be needed for BitTorrent to work properly though since your
INPUT policy is DROP. Just want to check you realise that it won't limit
the number of connections (there are ways to do that in iptables if that's
what you wanted).
Rgds,
-Steve
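The point above, that a port range admits peers but never counts them, with the counting done by the connlimit match; this is an added example, not code from the thread, and IPT, the port range and the limit of 5 are assumptions taken from the posted script.

```shell
#!/bin/sh
# Added example, not code from the thread: the port-range rule lets peers in on
# six ports but never counts connections. xt_connlimit does the counting; with
# --connlimit-mask 0 every source address falls into one group, so the limit is
# on the total number of concurrent inbound BitTorrent connections.
# IPT, BT_PORTS and MAX_CONN are assumptions; IPT=echo renders without applying.
IPT="${IPT:-/sbin/iptables}"
BT_PORTS="${BT_PORTS:-6881:6886}"
MAX_CONN="${MAX_CONN:-5}"

render_connlimit_rules() {
    # Must precede the ACCEPT: once MAX_CONN connections are open, any further
    # SYN to these ports is refused with a reset.
    echo "$IPT -A INPUT -p tcp --syn --dport $BT_PORTS -m connlimit --connlimit-above $MAX_CONN --connlimit-mask 0 -j REJECT --reject-with tcp-reset"
    # The original rule from the script, now only reached below the limit.
    echo "$IPT -A INPUT -p tcp -m state --state NEW --dport $BT_PORTS -j ACCEPT"
}

# Apply the rendered rules in order (requires root and the xt_connlimit module).
apply_connlimit_rules() {
    render_connlimit_rules | while IFS= read -r rule; do
        eval "$rule" || return 1
    done
}
```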
* Re: iptables block samba or not?
2008-01-25 16:02 ` Eial Czerwacki
@ 2008-01-25 16:13 ` mouss
2008-01-25 16:53 ` Eial Czerwacki
0 siblings, 1 reply; 18+ messages in thread
From: mouss @ 2008-01-25 16:13 UTC (permalink / raw)
To: Eial Czerwacki; +Cc: netfilter
Eial Czerwacki wrote:
> works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
>
that's what your "accept all previously established connections" does if
you don't add other INPUT rules.
* Re: iptables block samba or not?
2008-01-25 16:13 ` mouss
@ 2008-01-25 16:53 ` Eial Czerwacki
2008-01-25 19:02 ` Martijn Lievaart
0 siblings, 1 reply; 18+ messages in thread
From: Eial Czerwacki @ 2008-01-25 16:53 UTC (permalink / raw)
To: mouss; +Cc: netfilter
What I meant is that I want SSH input to be accepted only from an IP that I've initiated the connection to.
On Fri 25 Jan 18:13 2008 mouss wrote:
> Eial Czerwacki wrote:
> > works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
> >
>
> that's what your "accept all previously established connections" does if
> you don't add other INPUT rules.
* Re: iptables block samba or not?
2008-01-25 16:53 ` Eial Czerwacki
@ 2008-01-25 19:02 ` Martijn Lievaart
0 siblings, 0 replies; 18+ messages in thread
From: Martijn Lievaart @ 2008-01-25 19:02 UTC (permalink / raw)
To: Eial Czerwacki; +Cc: mouss, netfilter
Eial Czerwacki wrote:
> what I meant is that I want that ssh input will be accepted only from an ip that I've initiated the connection to.
> On Fri 25 Jan 18:13 2008 mouss wrote:
>
>> Eial Czerwacki wrote:
>>
>>> works with it and without that, one more question, is there a way to approve a input only if I initiated the connection?
>>>
>>>
>> that's what your "accept all previously established connections" does if
>> you don't add other INPUT rules.
>>
[ Please don't toppost ]
Yes, you need the recent module for this. Add the source of outgoing
connections to a recent table and accept on source address in that table.
Something like this (untested!):
# Don't let established packets trigger the recent match below....
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# record the peer address of each outgoing packet (--rdest = destination address)
-A OUTPUT -o $EXTERNAL_IF -m recent --set --name tcpout --rdest
# accept ssh in only from a peer seen in that list within the last 100 seconds
# (-p tcp is needed for --dport; the tcp match is only valid with protocol tcp)
-A INPUT -i $EXTERNAL_IF -p tcp --dport 22 -m recent --rcheck --seconds 100 --name tcpout --rsource -j ACCEPT
HTH,
M4
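The recent-match approach above as a complete rule set, added here as an example and not Martijn's or the list's code; the interface name eth0, the 100-second window and the IPT variable are assumptions. It records only NEW outbound TCP connections, so the list holds just the peers this host itself connected to.

```shell
#!/bin/sh
# Added example, not code from the thread: accept inbound SSH on the external
# interface only from a peer this host recently opened a TCP connection to,
# using the xt_recent match. EXT_IF, WINDOW and IPT are assumptions; IPT can be
# overridden (e.g. IPT=echo) to render the rules without applying them.
EXT_IF="${EXT_IF:-eth0}"
WINDOW="${WINDOW:-100}"        # seconds a peer stays eligible after we connect out
IPT="${IPT:-/sbin/iptables}"
LIST="tcpout"                  # name of the recent list, as in the thread

render_recent_rules() {
    # Replies to our own connections are accepted first, so they never reach
    # the recent rules and cannot add entries to the list.
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the first packet of a connection we initiate records the peer;
    # --rdest stores the destination address instead of the source.
    echo "$IPT -A OUTPUT -o $EXT_IF -p tcp -m state --state NEW -m recent --set --name $LIST --rdest"
    # A NEW inbound SSH connection is accepted only if its source address was
    # recorded within WINDOW seconds. --rcheck tests without refreshing the entry.
    echo "$IPT -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds $WINDOW --name $LIST --rsource -j ACCEPT"
}

# Apply the rendered rules in order (requires root and the xt_recent module).
apply_recent_rules() {
    render_recent_rules | while IFS= read -r rule; do
        eval "$rule" || return 1
    done
}

# Current contents of the list: one line per recorded peer with its timestamps.
show_recent_list() {
    cat "/proc/net/xt_recent/$LIST"
}

# Number of rendered rules that reference the list, for a sanity check.
count_recent_rules() {
    render_recent_rules | grep -c -- "--name $LIST"
}
```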
Thread overview: 18+ messages
2008-01-21 22:33 iptables block samba or not? Eial Czerwacki
2008-01-22 1:52 ` Leonardo Rodrigues Magalhães
2008-01-23 22:00 ` Dzianis Kahanovich
2008-01-24 20:16 ` mouss
2008-01-24 20:17 ` Eial Czerwacki
2008-01-24 21:13 ` mouss
2008-01-24 21:37 ` Martijn Lievaart
2008-01-25 10:40 ` Eial Czerwacki
2008-01-25 11:49 ` mouss
2008-01-25 13:35 ` Eial Czerwacki
2008-01-25 13:42 ` mouss
2008-01-25 14:27 ` Eial Czerwacki
2008-01-25 15:15 ` mouss
2008-01-25 16:02 ` Eial Czerwacki
2008-01-25 16:13 ` mouss
2008-01-25 16:53 ` Eial Czerwacki
2008-01-25 19:02 ` Martijn Lievaart
2008-01-25 16:04 ` Steven Ayre