RE: problems filtering ms file shares

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Matthew Pocock
> Sent: Monday, June 02, 2003 3:15 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: problems filtering ms file shares
> 
> 
> Hi,
> 
> I'm having trouble setting firewall rules on a bridge. I'm running rh9, and
> have patched the kernel with bridge-nf-0.0.10-against-2.4.20.diff and
> ebtables-v2.0.003_vs_2.4.20.diff as well as installing the utilities brctl and
> ebtables.
> 
> Using iptables (editing my uni2lan & lan2uni chains), I seem 
> to be able to control what goes through the firewall well 
> enough to convince ping, http, nmap and traceroute (with and 
> without the -I option) that protocols & ports are reachable or not.
> 
> However, windows file sharing seems to go right through. If I
> pull either cable out of the bridge, then windows file sharing across the
> bridge stops (no surprise there), but if the cable is in, file sharing is
> always functional, even if I set all chains to deny
> everything (by uncommenting the debugging rules below).
> 

What I can see is that filesharing can go into the firewall (-P INPUT
ACCEPT, -P OUTPUT ACCEPT), and the LAN can access filesharing to the universe
(-A FORWARD -i eth1 -o eth0 -j lan2uni, -A lan2uni -j ACCEPT).
Is this what you expect? Where should filesharing not go through? The firewall
itself, or to other computers?



> Down at the bottom of the netfilter/iptables docs, it says I should be using
> the physdev module to match bridge ports, but it seems that this module is not
> present on my system. Other docs say that it is only needed for kernels 2.5.44
> and greater...
> 
> iptables-restore v1.2.7a: Couldn't load match
> `physdev':/lib/iptables/libipt_physdev.so: cannot open shared object file: No such file or directory
> 
> tcpdump (run separately on eth0 and eth1) seems to be showing exactly what you
> would expect given the firewall rules & doesn't show the packets transmitting
> information between the two PCs, but the two PCs still are doing file sharing.
> 
> I'm feeling bewildered.
> 
> I use this script to set up the bridge:
> 
> /usr/sbin/brctl addbr br0
> /usr/sbin/brctl stp br0 off
> /usr/sbin/brctl addif br0 eth0
> /usr/sbin/brctl addif br0 eth1
> /sbin/ifconfig eth0 down
> /sbin/ifconfig eth1 down
> /sbin/ifconfig eth0 0.0.0.0 up
> /sbin/ifconfig eth1 0.0.0.0 up
> /sbin/ifconfig br0 128.240.227.17
> echo "1" > /proc/sys/net/ipv4/ip_forward
> /sbin/route add default gw 128.240.227.251
> 
> My iptables config looks like this:
> 
> ##############################################################################
> #
> # iptables config file written by Matthew Pocock (matthew.pocock@xxxxxxxxx) #
> 
> ## main chains
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :lan2uni - [0:0]
> :uni2lan - [0:0]
> 
> ##############################################################################
> #
> ## debugging rules
> #-A FORWARD -j DROP
> #-A INPUT -j DROP
> #-A OUTPUT -j DROP
> 
> ##############################################################################
> #
> ## drop all invalid packets, regardless
> -A FORWARD -m state --state INVALID -j DROP
> 
> ## split traffic depending upon direction
> -A FORWARD -i eth0 -o eth1 -j uni2lan
> -A FORWARD -i eth1 -o eth0 -j lan2uni
> 
> ##############################################################################
> #
> ## let everything out - is this a good plan?
> ## we should really be a bit more careful here, but hey-ho
> -A lan2uni -j ACCEPT
> 
> ##############################################################################
> #
> ## let only specific things in
> 
> ## stuff we've seen before should get through
> -A uni2lan -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> ## accept some new connections for 'nice' protocols
> ## we know they are new, as we've dropped all invalid things earlier, and just
> ## now we let related & established through.
> 
> ## ping, ssh
> -A uni2lan -p icmp -j ACCEPT
> -A uni2lan -p tcp --dport 22 -j ACCEPT
> 
> ## drop everything else coming in
> -A uni2lan -j REJECT
> 
> 
> 
> COMMIT
> 
> 
> Thanks,
> 
> Matthew
> 
> 


/Klintan
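An added example, not code from either poster: a shell script that first reports whether bridge-nf is handing bridged IP packets to iptables at all, and then emits the quoted ruleset rewritten for a bridge. With bridge-nf active, a packet bridged between two ports arrives in the FORWARD chain with both -i and -o set to the bridge device (br0), so the original "-i eth0 -o eth1" rules never match it; the bridge ports have to be matched with the physdev module instead. The script assumes a kernel and iptables build that provide physdev (the original poster's did not), a bridge named br0 with eth0 on the university side and eth1 on the LAN side, and the /proc/sys/net/bridge/bridge-nf-call-iptables sysctl that the bridge-nf patch provides.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes bridge br0 with ports eth0
# (university side) and eth1 (LAN side), and a kernel/iptables with physdev.

BRIDGE=br0
UNI_PORT=eth0
LAN_PORT=eth1

# Report whether bridged IP traffic is being passed to iptables.
# Prints "on", "off", or "absent" (no bridge-nf sysctl in this kernel).
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ ! -e "$f" ]; then
        echo absent
    elif [ "$(cat "$f")" = "1" ]; then
        echo on
    else
        echo off
    fi
}

# Emit the ruleset in iptables-restore format on stdout.
# Bridged packets show up in FORWARD as "-i br0 -o br0"; the direction
# across the bridge is taken from the physdev match, not from -i/-o.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:lan2uni - [0:0]
:uni2lan - [0:0]
# drop all invalid packets, regardless
-A FORWARD -m state --state INVALID -j DROP
# split bridged traffic by bridge port (physdev), not by -i/-o
-A FORWARD -i $BRIDGE -o $BRIDGE -m physdev --physdev-in $UNI_PORT --physdev-out $LAN_PORT -j uni2lan
-A FORWARD -i $BRIDGE -o $BRIDGE -m physdev --physdev-in $LAN_PORT --physdev-out $UNI_PORT -j lan2uni
# let everything out (same policy as the quoted config)
-A lan2uni -j ACCEPT
# let only replies, ping and ssh in
-A uni2lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A uni2lan -p icmp -j ACCEPT
-A uni2lan -p tcp --dport 22 -j ACCEPT
-A uni2lan -j REJECT
COMMIT
EOF
}

# Number of rules in the generated set that select on a bridge port.
physdev_rule_count() {
    build_rules | grep -c -- '--physdev-in'
}

# Only touch the running firewall when explicitly asked, and only as root.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; exit 1; }
    if [ "$(bridge_nf_state)" != "on" ]; then
        echo "warning: bridge-nf-call-iptables is not on; bridged frames bypass iptables" >&2
    fi
    build_rules | iptables-restore
fi
```

Run with no arguments it only prints the ruleset; `--apply` loads it with iptables-restore. The bridge_nf_state check is the first thing to look at when a DROP-everything debugging rule has no visible effect: if it reports anything other than "on", bridged frames never reach the FORWARD chain, so no iptables rule can see them and ebtables is the only filter in their path. Later kernels also expect `--physdev-is-bridged` to be added whenever `--physdev-out` is used in FORWARD.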



