[clug] iptables for a samba file server

Steve Walsh steve at nerdvana.org.au
Thu Sep 21 14:55:17 UTC 2017


Hello George


On 21/09/17 22:05, George at Clug via linux wrote:
> I believe there is another school of thought that you allow all
> outgoing ports, and block all but required incoming ports.
>
> I am not completely familiar with FTP, however I believe that FTP
> requires outgoing ports 1024 and above to be opened (known as
> unprivileged ports). Which is one very large outgoing hole in a
> firewall, hence I don't normally suggest using FTP.
>
> However it is also my understanding that since these are outgoing
> ports, and no services are [normally] listening on ports 1025 and
> above, there "should be" no security risk to having these outgoing
> ports opened. If these ports are only enabled for outgoing traffic then
> they can only be used to initiate calls to external systems in response
> to a request (e.g. an FTP connection). Even then the main risk is only
> that a malicious program (e.g. virus) has managed to get itself
> running on your server and is trying to find a way out via a port that
> is not being used by an existing server service.

This is where the iptables nf_conntrack module, and the 'RELATED' part 
of your RELATED,ESTABLISHED rules come into play.

nf_conntrack is a connection tracking module for the kernel. It tracks 
things like "I have an incoming connection from this IP address to the 
FTP process listening on this port, and the FTP process has now spawned 
a bunch of processes listening on these other, different, ports to react 
to this, so I'll permit traffic from that IP address to those ports on 
the server until I see the connections go away".

I.e. the ports are closed until the conntrack module opens them, and the 
conntrack module only opens them to traffic from a specific IP.

This means that you only need to open port 20 (and port 21 if you want 
passive connections), enable the nf_conntrack module in your iptables 
config, and it should all just take care of itself.

HTH.
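To make the RELATED,ESTABLISHED mechanism described above concrete, here is an added example ruleset in iptables-restore format (not part of the original post or of any project the thread mentions). It opens only the FTP control port statically and relies on the nf_conntrack_ftp helper to admit data connections as RELATED, scoped to the client that set them up on its tracked control connection. The interface name eth0 and the management network 192.0.2.0/24 are assumptions for illustration. One caveat a practitioner will hit: since kernel 4.7 the conntrack helpers are no longer assigned automatically (the old nf_conntrack_helper sysctl defaulted to 0 and was removed in 6.0), so the helper has to be attached explicitly with a CT rule in the raw table, which the script does.

```shell
#!/bin/sh
# Added example, not the original poster's code: an iptables-restore
# ruleset for a host running FTP, using nf_conntrack plus the ftp helper
# so that data connections are admitted as RELATED instead of opening
# the whole unprivileged port range. eth0 and 192.0.2.0/24 are assumed.

# Emit the ruleset. The raw-table CT rule attaches the ftp helper to
# inbound control connections; it is required on kernels >= 4.7, where
# automatic helper assignment is off, and harmless on older ones.
ftp_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the ftp conntrack helper to inbound control connections on 21/tcp
-A PREROUTING -i eth0 -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify (e.g. stray TCP segments)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to tracked connections, plus helper-predicted data connections:
# a passive-mode data connection is RELATED only for the client IP that
# issued PASV on its tracked control connection, and only on the port the
# server announced in the 227 reply.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The FTP control port is the only FTP port opened statically.
-A INPUT -i eth0 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# SSH from the management network only.
-A INPUT -i eth0 -s 192.0.2.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# List the ports opened statically in the INPUT chain (the raw-table helper
# assignment is not an ACCEPT and is excluded). Used to check that nothing
# beyond 21 and 22 is exposed regardless of what the ftp helper does.
static_open_ports() {
    ftp_ruleset | grep -- '-A INPUT' | grep -o -- '--dport [0-9]*' \
        | awk '{print $2}' | sort -u | tr '\n' ' '
}

case "${1:-}" in
    apply)
        # Needs root. Loads the helper module, syntax-checks the ruleset
        # without touching the live tables, then installs it atomically.
        modprobe nf_conntrack_ftp
        ftp_ruleset | iptables-restore --test && ftp_ruleset | iptables-restore
        ;;
    *)
        # Default: print the ruleset for review (e.g. ./ftp-fw.sh > rules.v4).
        ftp_ruleset
        ;;
esac
```

Run it with no argument to inspect the rules, or with `apply` as root to load them. For the samba side of the subject line, 445/tcp (and 139/tcp if older clients need NetBIOS sessions) is opened the same way as port 21 here; SMB needs no conntrack helper because it carries no secondary connections. Note that the ftp helper parses the PASV/PORT exchange in clear text, so it cannot help with FTPS control channels: those need a fixed passive port range opened explicitly.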


