[Samba] Firewall trouble?

Reindl Harald h.reindl at thelounge.net
Mon Dec 28 16:20:49 UTC 2015
On 28.12.2015 at 17:12, Rowland penny wrote:
> On 28/12/15 15:33, Ryan Ashley wrote:
>>
>> I recently tried adding a firewall to my Samba 4 server using the port
>> information I found on the wiki. Below is a dump of the resulting rules.
>>
>> root@dc01:~# iptables -S
>> -P INPUT DROP
>> -P FORWARD DROP
>> -P OUTPUT ACCEPT
>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
>> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
>> -A INPUT -p gre -j ACCEPT
>> -A INPUT -p esp -j ACCEPT
>> -A INPUT -p ah -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
>> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>>
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP on the ports specified by the wiki
>> article.
>
>
> I would check the ports again if I were you; you need port 389 tcp as
> well as udp. Also, whilst not being a firewall expert, doesn't having
> port 22 mentioned at the end of the file take precedence over the
> earlier line?

iptables works from top to bottom;
the first rule which hits is a final decision.

The earlier lines are a conditional DROP after more than 4 hits within 600 
seconds for a specific IP. The ACCEPT at the bottom is needed because 
otherwise 22 would be closed entirely, but it is never hit for the IPs that 
hit the rate control at the beginning.
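The top-to-bottom, first-match behaviour discussed above, as an added example that is not part of the thread: a toy model of the posted INPUT chain, covering only the 'recent' --set / --update --seconds 600 --hitcount 4 rules on tcp/22 and the two multiport ACCEPTs. All packets are treated as state NEW, the conntrack, ICMP, GRE/ESP/AH and loopback rules are left out, and the source addresses and timestamps are constructed.

```python
"""Toy first-match simulator for the INPUT chain in Ryan's post.

Added example, not code from the thread. It models only what the
discussion turns on: iptables' top-to-bottom evaluation, the 'recent'
--set / --update --seconds 600 --hitcount 4 match on tcp/22, and the
two multiport ACCEPT rules. Every packet is treated as state NEW; the
conntrack, ICMP, GRE/ESP/AH and loopback rules are omitted. Packets are
constructed as (src, proto, dport, time_in_seconds)."""
from collections import defaultdict

SECONDS, HITCOUNT = 600, 4                          # from the posted --update rule
TCP_PORTS = {22, 53, 88, 135, 139, 445, 464, 636, 3268, 3269} | set(range(1024, 5001))
UDP_PORTS = {53, 67, 88, 123, 137, 138, 389, 464}   # tcp/389 is absent, as Rowland notes


def make_input_chain(accept_first=False):
    """Return evaluate(src, proto, dport, t) -> verdict for a fresh chain.

    accept_first=True moves the multiport ACCEPT ahead of the 'recent'
    rules, i.e. the ordering Rowland was asking about."""
    blocked = defaultdict(list)   # 'recent' list BLOCKED: src -> stamps (--rsource)

    def multiport_accept(src, proto, dport, t):
        if proto == "tcp" and dport in TCP_PORTS:
            return "ACCEPT"
        if proto == "udp" and dport in UDP_PORTS:
            return "ACCEPT"
        return None               # no match: fall through to the next rule

    def ssh_rate_limit(src, proto, dport, t):
        if proto != "tcp" or dport != 22:
            return None
        blocked[src].append(t)    # --set: record this hit, gives no verdict
        # --update --seconds 600 --hitcount 4: DROP when src has >= 4 stamps
        # inside the window. The stamp just set counts, so the 4th attempt drops.
        recent = [s for s in blocked[src] if t - s <= SECONDS]
        blocked[src] = recent     # stamps older than the window no longer count
        return "DROP" if len(recent) >= HITCOUNT else None

    def evaluate(src, proto, dport, t):
        rules = [ssh_rate_limit, multiport_accept]
        if accept_first:
            rules.reverse()
        for rule in rules:        # first rule returning a verdict wins
            verdict = rule(src, proto, dport, t)
            if verdict:
                return verdict
        return "DROP"             # -P INPUT DROP policy
    return evaluate
```

With the posted order the fourth NEW SSH connection from one source within 600 seconds is dropped while the trailing ACCEPT still serves the first three; with the ACCEPT moved up, the rate limit never fires.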
