Askar Ali Khan wrote:
Here are a few rules from our firewall, please let me know if this is the proper way to deal with windowz ports :)
iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
$ipt -t filter -A OUTPUT -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
$ipt -t filter -A INPUT -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
$ipt -t filter -A FORWARD -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
$ipt -t filter -A FORWARD -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
This will do (at least it works on my PC :)
I have 192.168.1.x subnet.
# NETBIOS is my comment (the first two lines are taken from my bash script; lines 3 and 4 are not tested, I created them by hand a while ago). However, I've disabled multicast forwarding on my router/firewall, so only the first two lines are really needed (on my PC).
However, if you'd like to enable SMB then some more ports will be needed (i.e. 32768 or something like that, and this one port is undocumented).
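For comparison, here is a small script that blocks the same Windows ports on an external interface. It is an added example, not the rules of either poster. It keeps everything in the filter table: DROP is not a valid target in the nat table, and nat PREROUTING only sees the first packet of a connection anyway, so the two `-t nat` rules in the question would be rejected or useless. The interface name `eth0` is an assumption (override with `EXTIF=...`), `iptables -m multiport` replaces the port ranges with an explicit list, and port 445 (SMB over TCP) is included even though neither message lists it. Setting `IPT=echo` prints the rules instead of loading them, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example: drop Windows RPC/NetBIOS/SMB traffic crossing the external
# interface, using the filter table only.
# IPT=echo turns every rule into a printed line (dry run, no root needed).

IPT="${IPT:-iptables}"
EXTIF="${EXTIF:-eth0}"          # assumed external interface name
WINPORTS="135,137,138,139,445"  # MS-RPC, NetBIOS name/datagram/session, SMB over TCP

# Emit one rule: $1 = chain, $2 = -i or -o (which side of the box), $3 = protocol.
win_rule() {
    "$IPT" -t filter -A "$1" "$2" "$EXTIF" -p "$3" \
        -m multiport --dports "$WINPORTS" -j DROP
}

# The four rules per protocol cover the same cases as the reply's four lines,
# matched on the interface rather than on one broadcast address.
block_windows_ports() {
    for proto in tcp udp; do
        win_rule INPUT   -i "$proto"   # aimed at this host from outside
        win_rule FORWARD -i "$proto"   # routed in from outside
        win_rule FORWARD -o "$proto"   # LAN chatter leaving via the external side
        win_rule OUTPUT  -o "$proto"   # this host's own NetBIOS/SMB leaking out
    done
}

# Same rules, printed instead of loaded; the subshell keeps IPT=echo local.
preview_windows_rules() {
    ( IPT=echo; block_windows_ports )
}

case "${1:-}" in
    --apply) block_windows_ports ;;    # needs root
    *)       preview_windows_rules ;;  # default: just show what would be added
esac
```

Run `sh block-win.sh` to see the eight rules, `sh block-win.sh --apply` as root to load them. Because it appends (`-A`), running it twice duplicates the rules; a production version would flush its own chain first or use `-C` to check before adding.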