> -----Original Message-----
> From: redhat-list-admin@xxxxxxxxxx
> [mailto:redhat-list-admin@xxxxxxxxxx]On Behalf Of Sean Estabrooks
> Sent: Wednesday, December 31, 2003 9:23 AM
> To: redhat-list@xxxxxxxxxx
> Subject: Re: how to configure iptables for samba
>
>
> On Wed, 31 Dec 2003 09:16:06 -0600
> "Rigler, Steve" <SRigler@xxxxxxxxxxxxxxx> wrote:
>
> >
> > It's been some time since I set up iptables to allow for samba
> > connections, but I remember something about having to allow
> > connections from hosts where the source port is 137:139.
> >
> > Something like:
> > iptables -I INPUT -p tcp -m tcp --sport 137:139 -j ACCEPT
> > iptables -I INPUT -p udp -m udp --sport 137:139 -j ACCEPT
> >
> > The "-I" should cause the rules to be followed prior to any
> > reject rules.
> >
>
> This is a tremendously insecure set of rules. It means that all an
> attacker has to do is use port 137 to generate his packets and he can
> attach to any port on your machine! Also, it appears that the problem
> for the OP actually isn't iptables related.
>
> Sean
>

By saying "something like" I meant that the rules can be tweaked. It
should, hopefully, not be the only means of securing a system. In my
case, I needed to allow access so that I could mount other machines'
filesystems (the mounts would time out if you don't allow access from
ports 137:139). Winpopup may not need this level of access.

Logging dropped packets and snooping the interface wouldn't be a bad
idea to figure out exactly what is going on. The OP wasn't clear where
the trusted traffic is coming from. If this is all over an ISP
connection, smb traffic may be restricted.

--
S C Rigler
RHCE #803003335409754

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
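A tighter alternative to the source-port rules quoted in the thread, added here as an example and not from either poster: accept Samba traffic only on its destination ports and only from a trusted subnet, keep the rest logged and dropped, and print the commands first so they can be reviewed before being applied. The subnet, interface and DRYRUN variable are assumptions.

```shell
#!/bin/sh
# Added example: Samba INPUT rules keyed on destination port and a trusted
# source subnet, instead of trusting whatever source port a client picks.
# 137/udp NetBIOS name, 138/udp NetBIOS datagram, 139/tcp NetBIOS session
# (add 445/tcp if clients speak SMB directly over TCP).
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"   # constructed sample LAN (assumption)
IFACE="${IFACE:-eth0}"                         # assumed LAN interface
DRYRUN="${DRYRUN:-1}"                          # 1 = print commands, 0 = apply them

# Print one iptables command in dry-run mode, otherwise execute it.
run_rule() {
    if [ "$DRYRUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit the rule set. -A appends in order, so the ACCEPT rules sit ahead
# of the LOG/DROP rules that close off the Samba ports for everyone else.
samba_rules() {
    # Replies to connections this host opened itself (e.g. its own mounts)
    run_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NetBIOS name and datagram services, trusted LAN only
    run_rule -A INPUT -i "$IFACE" -s "$TRUSTED_NET" -p udp --dport 137:138 -j ACCEPT
    # NetBIOS session service, trusted LAN only
    run_rule -A INPUT -i "$IFACE" -s "$TRUSTED_NET" -p tcp --dport 139 -j ACCEPT
    # Log, then drop, anything else aimed at the Samba ports
    run_rule -A INPUT -p udp --dport 137:139 -j LOG --log-prefix "SMB-DROP "
    run_rule -A INPUT -p tcp --dport 139 -j LOG --log-prefix "SMB-DROP "
    run_rule -A INPUT -p udp --dport 137:139 -j DROP
    run_rule -A INPUT -p tcp --dport 139 -j DROP
}

# Sanity check: the generated set must never accept on source port alone.
# Returns 0 when no rule uses --sport, 1 otherwise.
check_no_sport_accept() {
    ( DRYRUN=1; samba_rules ) | grep -q -- '--sport' && return 1
    return 0
}

samba_rules   # prints with DRYRUN=1 (default); DRYRUN=0 applies the rules
```

Run it once with the default DRYRUN=1 and read the output; only then rerun with DRYRUN=0 as root.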