[clug] iptables for a samba file server

CLUG CLUG at goproject.info
Wed Sep 20 10:38:28 UTC 2017


Bob and others,

I would enjoy a talk on iptables if anyone is offering...

For now, please review the below iptables rules and reply with your 
revisions and explanation on how to create a simpler or better solution.

These rules allow for management via ssh (22), DNS lookup (53), NTP 
time (123), port 80 for apt, and the minimum ports for an SMB file 
server. I guess ping is not required but it can be useful.

How would I apply these rules to a specific interface, e.g. eth0?

-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

# Delete all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow all inbound established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow all outbound established connections
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Enable specific incoming ports for ssh
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Enable specific incoming ports for SAMBA
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 137,138 -j ACCEPT

# Enable specific outgoing ports infrastructure support (ssh, dns, apt, ntp)
# NTP (123) is UDP, so it belongs in the udp rule rather than the tcp one
iptables -A OUTPUT -p udp -m state --state NEW -m multiport --dports 53,123 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW -m multiport --dports 22,53,80 -j ACCEPT
# Enable specific outgoing ports for SAMBA
iptables -A OUTPUT -p tcp -m state --state NEW -m multiport --dports 139,445 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW -m multiport --dports 137,138 -j ACCEPT

# Allow pinging
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Set default chain policies after opening ports
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-