[Samba] RE: firewall

Ulrich Kohlhase Ulrich.Kohlhase at t-online.de
Sun Nov 3 16:28:00 GMT 2002


Justin,

> -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
> -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT

Did you specify OUTPUT rules also? You may want to try the following
lines taken from a working server config. "keep_state" is a special
chain for stateful inspection and logging purposes:

-A INPUT   -p tcp -s 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
-A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
-A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
-A INPUT   -p tcp -s 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
-A INPUT   -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A OUTPUT  -p udp -d 192.168.1.0/24 --dport 137:139 -j ACCEPT

-N keep_state
-A keep_state -m state --state INVALID -j DROP
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
# debug, info, notice, warning, err, crit, alert and emerg
-A keep_state -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level notice --log-prefix "Packets dropped: "
-A keep_state -j DROP
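
Added example, not part of the original post: a simplified Python model of the rule set above that walks the rules first-match and reports the verdict a given Samba packet receives. The host addresses, the sample packets and the `verdict`/`keep_state` function names are assumptions, and connection-tracking state is passed in rather than tracked.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
ANY, HIGH, NB = (0, 65535), (1024, 65535), (137, 139)

# The post's rules in order: (chain, proto, LAN-matched address, sport, dport, target)
RULES = [
    ("INPUT",  "tcp", "src", HIGH, NB,   "ACCEPT"),
    ("OUTPUT", "tcp", "dst", NB,   HIGH, "keep_state"),
    ("OUTPUT", "tcp", "dst", HIGH, NB,   "ACCEPT"),
    ("INPUT",  "tcp", "src", NB,   HIGH, "keep_state"),
    ("INPUT",  "udp", "src", ANY,  NB,   "ACCEPT"),
    ("OUTPUT", "udp", "dst", ANY,  NB,   "ACCEPT"),
]

def keep_state(state):
    """keep_state chain: RELATED/ESTABLISHED accepted; INVALID dropped at once;
    anything else (NEW) reaches the rate-limited LOG rule, then the final DROP."""
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    return "DROP"

def verdict(chain, proto, src, dst, sport, dport, state="NEW"):
    """First-match walk of RULES; conntrack state is an input, not tracked here."""
    for r_chain, r_proto, field, sp, dp, target in RULES:
        addr = ipaddress.ip_address(src if field == "src" else dst)
        if (chain == r_chain and proto == r_proto and addr in LAN
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            return keep_state(state) if target == "keep_state" else target
    return "POLICY"  # no rule matched: the chain policy (not shown in the post) decides

# Constructed sample traffic; server 192.168.1.1 and client 192.168.1.10 are assumptions.
SAMPLES = {
    "client opens session to smbd": ("INPUT", "tcp", "192.168.1.10", "192.168.1.1", 40000, 139, "NEW"),
    "smbd reply, tracked":          ("OUTPUT", "tcp", "192.168.1.1", "192.168.1.10", 139, 40000, "ESTABLISHED"),
    "untracked packet from 139":    ("OUTPUT", "tcp", "192.168.1.1", "192.168.1.10", 139, 40000, "NEW"),
    "name query 137 -> 137":        ("INPUT", "udp", "192.168.1.10", "192.168.1.1", 137, 137, "NEW"),
    "name reply to high port":      ("OUTPUT", "udp", "192.168.1.1", "192.168.1.10", 137, 40001, "NEW"),
    "session from outside the LAN": ("INPUT", "tcp", "10.0.0.5", "192.168.1.1", 40000, 139, "NEW"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30} -> {verdict(*pkt)}")
```

In this model a UDP reply from port 137 to a client's high source port matches none of the listed rules, so its fate depends on the OUTPUT chain policy, which the post does not show.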
