On Wed, 27 Feb 2013 jboyce@xxxxxxxxxxxxxxx wrote:
> iptables -I INPUT ! -s 192.168.112.0/24 -j DROP
> iptables -I INPUT ! -s 10.9.8.0/24 -j DROP
With the use of negation, this would cause a problem because the second
network range would not be allowed through, regardless of which rule was
listed first.
You need to just turn those into ACCEPT rules and then either have a
default policy of drop or a drop rule following the ACCEPT rules.
i.e. if samba is listening on
Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd
I'd do something like:
iptables -N SAMBA
iptables -A SAMBA -s 192.168.112.0/24 -j ACCEPT
iptables -A SAMBA -s 10.9.8.0/24 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 135 -j SAMBA
iptables -A INPUT -m udp -p udp --dport 137 -j SAMBA
iptables -A INPUT -m udp -p udp --dport 138 -j SAMBA
iptables -A INPUT -m tcp -p tcp --dport 139 -j SAMBA
iptables -A INPUT -m tcp -p tcp --dport 445 -j SAMBA
You can finish this with either
iptables -A SAMBA -j DROP
or a default policy of DROP on the INPUT chain, or an explicit DROP rule
at the end of the INPUT rules.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
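The approach described above, written out as an added example (it is not code from the original message or from the netfilter project): a POSIX sh function that emits the SAMBA chain and INPUT jumps as an iptables-restore ruleset, using a default DROP policy on INPUT as the closing rule, plus a small grep-based audit that flags the negation trap (two or more `! -s ... -j DROP` rules in one chain). The loopback and conntrack ESTABLISHED,RELATED rules are assumptions added so the default-DROP policy does not break local traffic and reply packets; the network and port lists are the ones from the thread.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that allows Samba only
# from the two trusted networks, using a user-defined chain instead of
# negated DROP rules. Not the original poster's or Jon's code.

SAMBA_NETS="192.168.112.0/24 10.9.8.0/24"          # from the thread
SAMBA_PORTS="tcp:135 udp:137 udp:138 tcp:139 tcp:445"  # from the thread

# Print a complete *filter table in iptables-restore syntax on stdout.
samba_ruleset() {
  printf '%s\n' '*filter'
  # Default DROP on INPUT is the "drop at the end" Jon mentions; it covers
  # every port not explicitly handled below.
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' ':SAMBA - [0:0]'
  # Assumed extras (not in the thread): keep loopback and reply traffic alive
  # once INPUT defaults to DROP.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # SAMBA chain: one positive ACCEPT per trusted network, then DROP.
  for net in $SAMBA_NETS; do
    printf '%s\n' "-A SAMBA -s $net -j ACCEPT"
  done
  printf '%s\n' '-A SAMBA -j DROP'
  # Send each Samba port to the SAMBA chain; unlisted ports hit the policy.
  for pp in $SAMBA_PORTS; do
    proto=${pp%%:*}
    port=${pp##*:}
    printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -j SAMBA"
  done
  printf '%s\n' 'COMMIT'
}

# Audit helper: count negated-source DROP rules in chain $1 (ruleset on
# stdin). Two or more such rules in one chain is the trap from the thread:
# any source fails at least one of the negations and is dropped.
negated_drop_count() {
  grep -c -- "^-A $1 ! -s .* -j DROP" || true
}

# Usage (needs root): samba_ruleset | iptables-restore --test   # syntax check
#                     samba_ruleset | iptables-restore          # load it
```

`iptables-restore --test` parses the ruleset without committing it, which is a cheap way to catch typos before replacing a live firewall; pipe the output of `iptables-save` through `negated_drop_count INPUT` to check an existing box for the same mistake.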