Re: Iptables rule for windows file sharing?

On Fri, 28 Jan 2005 19:50:02 +0100, cjlesh
<no-reply-gw@xxxxxxxxxxxxxxxxx> wrote:
> Hey all:
> 
> I have a laptop running Fedora Core 3 and a desktop with Windows XP, both connected via a Linksys router.
> 
> I am trying to figure out a way to allow the laptop 'see' the shared directories on the Windows machine. If I disable the Fedora firewall, it works.
> 
> I would like to do this without disabling the firewall.
> A google search turns up the following command:
> 
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.1 --destination-port 137:139 -j ACCEPT
> 
> however this results in an error.
> 
> Any help on a reasonable firewall rule to allow windows share traffic on my local network only?

I finally found the answer, after experimenting with this all day. My
insight comes from running an Ethereal capture of a three-minute
session, during which I browsed a Samba server (actually, two of
them--my own machine and another machine on the network) and printed
to a Samba printer (on the other machine).

In your iptables rule set, make sure you have the following as your last rules:

-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 32700:32800 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 32800:32900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Note carefully: insert all rules quoting 192.168.1.0/24 as the source
(-s) directly above the -m state rule accepting ESTABLISHED and
RELATED states.

The above are for a network based on a Linksys router having on it a
Windows machine and/or any UNIX/Linux box running the Samba services.

The rationale is this:

UDP Port 137: NetBIOS name service.
UDP Port range 32700:32800: the upper end of a NetBIOS name service
conversation.
TCP Port 139: NetBIOS-SSN.
TCP Port 445: Microsoft-DS
TCP Port range 32800:32900: the upper end of all SMB TCP conversations.

Open these ports, and their ranges, but /only/ for 192.168.1.0/24 as a
source, and you should have Windows file and print sharing, but will
/not/ have to worry about anyone detecting you on the outside.

If I have time, I might refine this to tighten up the range. But as it
stands now, it works, and it's a lot more narrow than simply opening
my system up to /everything/ having 192.168.1.0/24 as its source.

My next experiment will probably be to restrict everything to
transactions having UDP port 137 or TCP ports 139 and 445 as /either
source or destination port./ Right now, I was concerned strictly with
opening every destination port that might come up. I have something
that works, and is less vulnerable.

Temlakos
-- 
Temlakos <temlakos@xxxxxxxxx>
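As an added example, not part of the thread, here is a small Python audit that parses iptables-save lines in the layout shown above and flags two things the reply relies on: SMB/NetBIOS ACCEPT rules whose -s is not confined to the LAN, and ACCEPT rules placed below the catch-all REJECT, which never match (hence the poster's note about placement). The sample rule text is constructed and the function names are my own.

```python
import ipaddress
import shlex
# NetBIOS/SMB ports from the post that must only be reachable from the LAN.
SMB_PORTS = {("udp", 137), ("tcp", 139), ("tcp", 445)}
# Constructed iptables-save sample: the post's layout with two planted mistakes
# (no -s on the 445 rule; an ACCEPT placed below the catch-all REJECT).
SAMPLE_RULES = """\
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Extract protocol, source network, dport range and target from one -A line."""
    tok = shlex.split(line)
    rule = {"proto": None, "src": None, "dport": None, "target": None}
    for i, t in enumerate(tok[:-1]):
        if t == "-p":
            rule["proto"] = tok[i + 1].lower()
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t == "--dport":
            lo, _, hi = tok[i + 1].partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif t == "-j":
            rule["target"] = tok[i + 1]
    return rule

def audit(ruleset, lan):
    """Flag SMB ACCEPTs not confined to `lan` and ACCEPTs hidden below a catch-all REJECT/DROP."""
    lan, findings, blocked = ipaddress.ip_network(lan), [], False
    for line in filter(lambda l: l.startswith("-A"), ruleset.splitlines()):
        r = parse_rule(line)
        if blocked and r["target"] == "ACCEPT":
            findings.append(f"unreachable (below catch-all): {line}")
        if r["target"] in ("REJECT", "DROP") and r["proto"] is None and r["src"] is None:
            blocked = True  # everything after this line is dead
        if r["target"] != "ACCEPT" or r["dport"] is None:
            continue
        lo, hi = r["dport"]
        for proto, port in SMB_PORTS:
            if r["proto"] == proto and lo <= port <= hi and (
                    r["src"] is None or not r["src"].subnet_of(lan)):
                findings.append(f"{proto}/{port} open to {r['src'] or 'any source'}: {line}")
    return findings
```

Running `audit(SAMPLE_RULES, "192.168.1.0/24")` reports the unrestricted 445 rule and the dead 138 rule; the post's own rule set, fed in unchanged, returns an empty list.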