[Samba] Re: security/firewall rules
Ulrich Kohlhase
kohlhase at cs.tu-berlin.de
Tue Mar 19 04:49:02 GMT 2002
Paul,
Just in case you haven't read this already:
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html
Special chain to accept related and established connections.
Otherwise log and drop incoming packets:
$IPTABLES -N keep_state
## Packets from invalid conn.
$IPTABLES -A keep_state -m state --state INVALID -j DROP
## Packets belonging to existing conn.
$IPTABLES -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
## log and trash (rate-limited so the log cannot be flooded)
$IPTABLES -A keep_state -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "dropped: "
$IPTABLES -A keep_state -j DROP
$EXT_SERVER_IP is the external server you want to connect to; allow
outgoing and incoming TCP and UDP connections from this IP address only
(-o takes an interface name, so the OUTPUT rules match the address with -d):
## NetBIOS/SMB from the server to us (new connections accepted, replies checked)
$IPTABLES -A INPUT -p tcp -s $EXT_SERVER_IP --sport 1024: --dport 137:139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $EXT_SERVER_IP --sport 137:139 --dport 1024: -j keep_state
## NetBIOS/SMB from us to the server
$IPTABLES -A OUTPUT -p tcp -d $EXT_SERVER_IP --sport 1024: --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $EXT_SERVER_IP --sport 137:139 --dport 1024: -j keep_state
## NetBIOS name/datagram service over UDP
$IPTABLES -A INPUT -p udp -s $EXT_SERVER_IP --dport 137:139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $EXT_SERVER_IP --dport 137:139 -j ACCEPT
Good luck,
Uli
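The keep_state chain above tags every rejected packet with the "dropped: " prefix before dropping it. As an added example (not part of Uli's post), the parser below reads such kernel log lines, extracts the KEY=VALUE fields the LOG target writes, and counts per source address how many dropped packets were aimed at the NetBIOS ports 137-139 the rules protect; the log lines are constructed samples with documentation addresses.

```python
from collections import Counter

# Constructed sample kernel log lines in the format the iptables LOG target
# writes when the keep_state chain tags a packet with "dropped: ".
# The last line is an unrelated sshd message to show it is skipped.
SAMPLE_LOG = """\
Mar 19 04:49:02 smb1 kernel: dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4521 DF PROTO=TCP SPT=40312 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 19 04:49:03 smb1 kernel: dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4522 DF PROTO=TCP SPT=40313 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 19 04:49:10 smb1 kernel: dropped: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 19 04:50:00 smb1 sshd[1203]: Accepted publickey for uli from 192.0.2.20 port 50022 ssh2
"""

LOG_PREFIX = "dropped: "          # matches --log-prefix in the keep_state chain
NETBIOS_PORTS = range(137, 140)   # 137-139, the ports the ACCEPT rules cover


def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields of one LOG-target line,
    or None if the line was not produced by the 'dropped: ' rule."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for tok in line[idx + len(LOG_PREFIX):].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val        # e.g. SRC=203.0.113.7
        else:
            fields[key] = True       # bare flags such as DF or SYN
    return fields


def summarize_drops(text):
    """Count dropped packets per source address that targeted a NetBIOS
    port; returns a Counter keyed by the SRC field."""
    hits = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None or "DPT" not in f:
            continue                 # not a LOG line, or no transport ports (e.g. ICMP)
        if int(f["DPT"]) in NETBIOS_PORTS:
            hits[f["SRC"]] += 1
    return hits


if __name__ == "__main__":
    for src, n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{src}: {n} dropped NetBIOS packet(s)")
```

Because the LOG rule is limited to 3 packets per minute, the counts are a lower bound on what was actually dropped.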