RE: Samba What a struggle

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> Andrew Robinson wrote:
> 
> Alexander Dalloz wrote:
> > Am Mi, den 03.03.2004 schrieb Andrew Robinson um 20:51:
> > 
> > 
> >># Samba access
> >>-A RH-Firewall-1-INPUT -m udp -p udp --dport 137:138 -j ACCEPT -A 
> >>RH-Firewall-1-INPUT -m udp -p udp --sport 137:138 -j ACCEPT -A 
> >>RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT -A 
> >>RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT -A 
> >>RH-Firewall-1-INPUT -m udp -p udp --dport 445 -j ACCEPT -A 
> >>RH-Firewall-1-INPUT -m tcp -p tcp --dport 1512 -j ACCEPT -A 
> >>RH-Firewall-1-INPUT -m udp -p udp --dport 1512 -j ACCEPT
> >>
> >>I don't think all of these iptables entries are required to 
> get Samba 
> >>to
> >>work. However, this works for me.
> > 
> > 
> > .oO Be aware what you open up this way! You are at high 
> risk to open 
> > your samba filesharing to the whole internet. Be sure you only open 
> > those ports on your local net and not on outbound devices.
> > 
> 
> How would I restrict these entries to my local net? Do I add an "-s 
> 192.168.1/24" to each line?
> 
> Thanks!
> 
> Andrew
> 

That would work, but wouldn't prevent spoofing. If you're running samba on a
gateway device, then you really don't need the above rules. You should be
paranoiacally restrictive on your external interface, but unless you've
already been burned by internal hackers, you can probably trust your
internal interface. 

redhat-config-securitylevel has checkbox options for trusting all traffic on
specific interfaces, or if you prefer to edit /etc/sysconfig/iptables
directly then something like this will do to create a basic black hole on
eth1 while trusting everything from eth0 and masquerading outbound traffic. 

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:no-conns-from-eth1 - [0:0]
-A INPUT -j no-conns-from-eth1 
-A FORWARD -j no-conns-from-eth1 
-A no-conns-from-eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A no-conns-from-eth1 -i ! eth1 -m state --state NEW -j ACCEPT 
-A no-conns-from-eth1 -i eth1 -m limit --limit 3/hour -j LOG --log-prefix
"Bad packet from eth1:"
-A no-conns-from-eth1 -i ! eth1 -m limit --limit 3/hour -j LOG --log-prefix
"Bad packet NOT from eth1:"
-A no-conns-from-eth1 -j DROP 
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT

Note: This is iptables-save output from a script that was (almost) copied
wholesale from Rusty's IP Filtering and NAT HowTo's. It is deliberately very
basic. Given the realities of being connected to the internet you will
probably want additional rules. Google 'iptables' for more resources. I
recommend Rusty's guides highly. After all, he did write the stuff...

You should then restrict samba to the internal interface with:

interfaces = eth0
bind interfaces only = yes

This also interacts with the host allow list so make sure you've included
all networks/subnets that will be accessing this server in your hosts allow
statement:

Hosts allow = 192.168.42. 10.42.0. 127.

Make doubly sure you include the 127. reference or nasty things can happen
when you implement bind interfaces only. See man smb.conf for details.

Hope this helps. Have fun!


Eric Diamond
eDiamond Networking & Security
303-246-9555
[email protected]
 





[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux