> Andrew Robinson wrote:
> > Alexander Dalloz wrote:
> > On Wed, 03.03.2004 at 20:51, Andrew Robinson wrote:
> >
> >> # Samba access
> >> -A RH-Firewall-1-INPUT -m udp -p udp --dport 137:138 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m udp -p udp --sport 137:138 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m udp -p udp --dport 445 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 1512 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m udp -p udp --dport 1512 -j ACCEPT
> >>
> >> I don't think all of these iptables entries are required to get Samba
> >> to work. However, this works for me.
> >
> > .oO Be aware what you open up this way! You are at high risk of opening
> > your Samba file sharing to the whole internet. Be sure you only open
> > those ports on your local net and not on outbound devices.
>
> How would I restrict these entries to my local net? Do I add an
> "-s 192.168.1/24" to each line?
>
> Thanks!
>
> Andrew

That would work, but wouldn't prevent spoofing. If you're running Samba on a gateway device, then you really don't need the above rules. You should be paranoiacally restrictive on your external interface, but unless you've already been burned by internal hackers, you can probably trust your internal interface.

redhat-config-securitylevel has checkbox options for trusting all traffic on specific interfaces, or if you prefer to edit /etc/sysconfig/iptables directly then something like this will do to create a basic black hole on eth1 while trusting everything from eth0 and masquerading outbound traffic.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:no-conns-from-eth1 - [0:0]
-A INPUT -j no-conns-from-eth1
-A FORWARD -j no-conns-from-eth1
-A no-conns-from-eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A no-conns-from-eth1 -i ! eth1 -m state --state NEW -j ACCEPT
-A no-conns-from-eth1 -i eth1 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"
-A no-conns-from-eth1 -i ! eth1 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet NOT from eth1:"
-A no-conns-from-eth1 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

Note: This is iptables-save output from a script that was (almost) copied wholesale from Rusty's IP Filtering and NAT HOWTOs. It is deliberately very basic. Given the realities of being connected to the internet you will probably want additional rules. Google 'iptables' for more resources. I recommend Rusty's guides highly. After all, he did write the stuff...

You should then restrict Samba to the internal interface with:

interfaces = eth0
bind interfaces only = yes

This also interacts with the hosts allow list, so make sure you've included all networks/subnets that will be accessing this server in your hosts allow statement:

hosts allow = 192.168.42. 10.42.0. 127.

Make doubly sure you include the 127. reference or nasty things can happen when you implement bind interfaces only. See man smb.conf for details.

Hope this helps. Have fun!

Eric Diamond
eDiamond Networking & Security
303-246-9555
eric@xxxxxxxxxxxx
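An added example, not part of Eric's or Andrew's messages, that puts the two halves of this thread together: Andrew's per-port ACCEPT rules tied to the LAN with "-s", plus the anti-spoofing that Eric points out a bare "-s" match does not give you. Each Samba rule matches on both the inbound interface and the source subnet, and packets carrying a LAN source address but arriving on the external interface are logged and dropped before any ACCEPT can see them. The interface names (eth0 inside, eth1 outside), the subnet 192.168.1.0/24 and the script name are assumptions; it uses the current "! -i" negation syntax rather than the older "-i !" form shown above, covers the three basic Samba port sets only (port 1512 from Andrew's list can be added the same way), and assumes a clean INPUT chain since it appends rather than flushes.

```shell
#!/bin/sh
# Added example, not code from the original thread. Restricts the Samba
# ports to the internal interface AND the LAN subnet, and drops packets
# that carry a LAN source address but arrive on the external interface,
# so a plain "-s 192.168.1.0/24" match cannot be satisfied by spoofing.
# LAN_IF, WAN_IF and LAN_NET are assumed values; adjust for your box.

LAN_IF="${LAN_IF:-eth0}"             # assumed internal interface
WAN_IF="${WAN_IF:-eth1}"             # assumed external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed internal subnet
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints rules instead of applying

# Print the rule (DRY_RUN=1) or hand it to iptables. Arguments stay
# separate words, so a --log-prefix containing spaces is passed intact.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$IPT"; printf ' %s' "$@"; printf '\n'
    else
        "$IPT" "$@"
    fi
}

# Anti-spoofing. These must precede every ACCEPT: a packet with a LAN
# source address entering on the WAN interface is forged or misrouted.
antispoof_rules() {
    rule -A INPUT -i "$WAN_IF" -s "$LAN_NET" -m limit --limit 3/hour \
         -j LOG --log-prefix "Spoofed LAN src on $WAN_IF: "
    rule -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Loopback addresses never legitimately arrive on a physical interface.
    rule -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
}

# Baseline: default-deny INPUT, allow loopback and replies to our own traffic.
base_rules() {
    rule -P INPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Samba, bound to BOTH interface and source network. The stateful rule in
# base_rules already admits replies, so no "--sport 137:138" ACCEPT is needed.
samba_rules() {
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 137:138 -j ACCEPT # NetBIOS name/datagram
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 139 -j ACCEPT     # NetBIOS session
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 445 -j ACCEPT     # SMB over TCP
}

# Everything in the order it must load. Returns non-zero if any rule fails.
all_rules() {
    antispoof_rules && base_rules && samba_rules
}

# Number of ACCEPT rules the Samba set would install (self-check helper).
count_samba_accepts() {
    (DRY_RUN=1; samba_rules) | grep -c -- '-j ACCEPT'
}

# Usage: "DRY_RUN=1 sh samba-fw.sh apply" to preview,
#        "sh samba-fw.sh apply" as root to load the rules.
if [ "${1:-}" = "apply" ]; then
    all_rules
fi
```

Run the preview first and check that the two "-i eth1 -s 192.168.1.0/24" lines come out before any ACCEPT; iptables evaluates a chain top to bottom, so ordering is the whole point. As a kernel-level complement, net.ipv4.conf.all.rp_filter=1 makes the routing table reject packets whose source address would not be routed back out the interface they arrived on, which catches the same spoofing case even if someone later inserts an ACCEPT above these rules.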