Eial Czerwacki wrote:
The general rules have been changed a bit, here:

#!/bin/bash
#PlasmaWall rules
NET_IPS="132.72.144.0/20 192.168.114.0/24"

#setup defaults
echo " - Flushing rules..."
iptables -F
echo " - Setting default policy..."
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

echo " - Setting input rules..."
# accept all from localhost
/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#input
# ssh
#/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# ftp / webserver related
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# Windows / Samba
for host in $NET_IPS; do
  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 135 -s $host -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 139 -s $host -j ACCEPT
  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 137 -s $host -j ACCEPT
  /sbin/iptables -A INPUT -p udp -m state --state NEW --dport 138 -s $host -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 426 -s $host -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 445 -s $host -j ACCEPT
done
# up to 5 Bit-torrent connections
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT

#flood defence
#-N syn-flood
#/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
#/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
#/sbin/iptables -A syn-flood -j DROP

# Handle fragment flood attacks
/sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
/sbin/iptables -A INPUT -f -j DROP

#else
/sbin/iptables -A INPUT -j LOG --log-prefix "Rejected: "
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

echo " - Setting output rules..."
#output
# accept all previously established connections
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
echo " done."
comment out the last output rules and try again just to make sure the solution is elsewhere!
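Before editing a live ruleset it helps to know what verdict the chain as written gives a particular packet. The following is an added example, not code from either poster: a POSIX shell dry-run that encodes the INPUT chain from the quoted script in its original order (first match wins) and reports the terminating target for a constructed packet described by protocol, destination port, source address and conntrack state. The function names (`ip_to_int`, `in_cidr`, `in_local_net`, `verdict`) and the sample packets are assumptions made here; the CIDR list is the script's own NET_IPS. It also makes one point about the reply's suggestion visible: the script sets the OUTPUT policy to ACCEPT and its two OUTPUT rules both jump to ACCEPT, so removing them cannot change any outbound verdict.

```shell
#!/bin/sh
# Dry-run evaluator for the INPUT chain of the quoted PlasmaWall script.
# Added example; the rule order below mirrors the script exactly.

NET_IPS="132.72.144.0/20 192.168.114.0/24"   # from the quoted script

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Succeeds when address $1 lies inside CIDR block $2 (e.g. 132.72.144.0/20).
in_cidr() {
  cidr_net=${2%/*}
  cidr_bits=${2#*/}
  cidr_mask=$(( (0xFFFFFFFF << (32 - cidr_bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & cidr_mask )) -eq $(( $(ip_to_int "$cidr_net") & cidr_mask )) ]
}

# Succeeds when $1 is in any of the Samba-allowed networks (the for-loop's -s $host).
in_local_net() {
  for net in $NET_IPS; do
    in_cidr "$1" "$net" && return 0
  done
  return 1
}

# verdict PROTO DPORT SRC STATE [FRAG]
# STATE is the conntrack state (NEW/ESTABLISHED/RELATED/INVALID); FRAG=1 marks
# a non-first fragment, which is what the script's "-f" rules match.
# Prints the terminating target, mirroring the chain top to bottom.
verdict() {
  proto=$1; dport=$2; src=$3; state=$4; frag=${5:-0}

  # -s 127.0.0.1 -j ACCEPT
  [ "$src" = 127.0.0.1 ] && { echo ACCEPT; return 0; }
  # --state RELATED,ESTABLISHED -j ACCEPT
  case $state in RELATED|ESTABLISHED) echo ACCEPT; return 0 ;; esac

  if [ "$state" = NEW ]; then
    case "$proto:$dport" in
      # ssh rule (port 22) is commented out in the script, so it is absent here
      tcp:21|tcp:443|tcp:80) echo ACCEPT; return 0 ;;
      # Windows / Samba ports, only from NET_IPS
      tcp:135|tcp:139|tcp:426|tcp:445|udp:137|udp:138)
        in_local_net "$src" && { echo ACCEPT; return 0; } ;;
    esac
    # --dport 6881:6886 -j ACCEPT (tcp)
    if [ "$proto" = tcp ] && [ "$dport" -ge 6881 ] && [ "$dport" -le 6886 ]; then
      echo ACCEPT; return 0
    fi
  fi

  # -f -j LOG / -f -j DROP
  [ "$frag" = 1 ] && { echo "LOG DROP"; return 0; }
  # catch-all: -j LOG / -j REJECT --reject-with icmp-port-unreachable
  echo "LOG REJECT"
}

# OUTPUT chain: policy ACCEPT and both rules jump to ACCEPT, so every
# outbound packet is accepted regardless of the two explicit rules.
output_verdict() { echo ACCEPT; }

# Constructed sample packets (not real traffic) to illustrate the chain.
for pkt in "tcp 80 10.0.0.5 NEW" "tcp 22 10.0.0.5 NEW" \
           "tcp 445 132.72.150.7 NEW" "tcp 445 10.0.0.5 NEW" \
           "udp 137 192.168.114.200 NEW" "tcp 6883 10.0.0.5 NEW" \
           "tcp 9999 10.0.0.5 ESTABLISHED"; do
  # shellcheck disable=SC2086
  printf '%-32s -> %s\n' "$pkt" "$(verdict $pkt)"
done
```

The evaluator intentionally models only what the script does: the commented-out ssh and syn-flood sections contribute nothing, so a NEW connection to port 22 falls through to the logging REJECT rule, and the outbound check trivially returns ACCEPT.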
- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html