[Samba] please help me.
Radio Gong 2000 GmbH & Co. KG [Technik]
sascha.bieler at radiogong.de
Mon May 31 22:23:42 GMT 2004
But port 80 got nothing to do with samba and as u say, it works fine when u
turn it off!
I made a script for u, maybe u try it; otherwise I have no more ideas.
I added all rfc nets, because I don't know ur ip-range...
Maybe u have to change the path for iptables and so on....
Regards and good luck
#!/bin/sh
#
# This is an automatically generated file.
# Firewall Builder fwb_ipt v1.1.2-1
# Tue Jun 1 00:18:52 2004 CEST
#
#
#
#
#
#
#######################################
# Write a message to syslog at priority "info".
# Globals:   LOGGER (read) - path to the logger binary; when it is not an
#            executable file the message is silently dropped.
# Arguments: $1 - message text
# Returns:   1 when LOGGER is unusable, otherwise the logger's exit status
#######################################
log() {
  [ -x "$LOGGER" ] || return 1
  $LOGGER -p info "$1"
}
# Counter used by add_addr to build unique "<dev>:FWB<n>" address labels.
va_num=1
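#######################################
# Make sure $addr is configured on $dev; when it is missing, add it as a
# labelled address ("<dev>:FWB<n>") for point-to-point or broadcast links.
# Globals:   IP (read) - path to the ip(8) binary
#            va_num (read/written) - counter for unique FWB labels
#            addr nm dev type aadd L OIFS - scratch variables (left global,
#            as in the generated code, so callers see the same state)
# Arguments: $1 - IPv4 address, $2 - prefix length, $3 - interface name
# Outputs:   whatever ip(8) prints
#######################################
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  # Link line, e.g. "2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 ...".
  L=$($IP -4 link ls $dev | grep "$dev:")
  if test -n "$L"; then
    # Split on " /:,<". The ": <" sequence yields an empty field 3, so the
    # first link flag (LOOPBACK / BROADCAST / POINTOPOINT) lands in $4.
    # "set --" keeps a field starting with "-" from being read as an option.
    OIFS=$IFS
    IFS=" /:,<"
    set -- $L
    type=$4
    IFS=$OIFS
    # Already configured? "inet A.B.C.D/NN ..." split on space and slash
    # puts the bare address in $2.
    L=$($IP -4 addr ls $dev to $addr | grep " inet ")
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set -- $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  if test -z "$aadd"; then
    if test "$type" = "POINTOPOINT"; then
      $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
      va_num=$((va_num + 1))
    fi
    if test "$type" = "BROADCAST"; then
      # One command: if this line is broken after "label", ip(8) gets a
      # "label" option without a value and "<dev>:FWB<n>" is executed as a
      # separate command.
      $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
      va_num=$((va_num + 1))
    fi
  fi
}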
#######################################
# Store the first IPv4 address of an interface in a named shell variable.
# Globals:   IP (read) - path to the ip(8) binary
#            dev name L OIFS - scratch variables (global, as generated)
# Arguments: $1 - interface name
#            $2 - name of the variable to assign; it is set to the empty
#                 string when the interface has no "inet" line
#######################################
getaddr() {
  dev=$1
  name=$2
  L=$($IP -4 addr show dev $dev | grep inet)
  if test -z "$L"; then
    eval "$name=''"
    return
  fi
  # "inet A.B.C.D/NN ..." split on space and slash -> $2 is the address.
  OIFS=$IFS
  IFS=" /"
  set -- $L
  eval "$name=$2"
  IFS=$OIFS
}
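#######################################
# Print the names of all interfaces whose name starts with a prefix,
# one per line (e.g. "eth" -> eth0, eth1).
# Globals:   IP (read) - path to the ip(8) binary
#            NAME L OIFS - scratch variables (global, as generated)
# Arguments: $1 - interface name prefix; it becomes part of a grep -E
#                 pattern, so keep it to plain characters
# Outputs:   matching interface names on stdout
#######################################
getinterfaces() {
  NAME=$1
  # ip(8) prints "N: name: <FLAGS> ..."; splitting on space and colon puts
  # the name in $2. "read -r" keeps backslashes intact and "set --" keeps
  # a line starting with "-" from being parsed as options.
  $IP link show | grep -E "$NAME[^ ]*: " | while read -r L; do
    OIFS=$IFS
    IFS=" :"
    set -- $L
    IFS=$OIFS
    printf '%s\n' "$2"
  done
}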
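# Tool locations; adjust to the distribution if they differ.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/usr/sbin/iptables"
IP="/sbin/ip"
LOGGER="/bin/logger"
# Interfaces the rules below refer to. The script stops when one is
# missing rather than installing a half-built rule set.
INTERFACES="eth0 ppp0 lo "
for i in $INTERFACES ; do
  $IP link show "$i" > /dev/null 2>&1 || {
    # Diagnostics go to stderr, not to the script's normal output.
    echo "Interface $i does not exist" >&2
    exit 1
  }
done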
# Make sure loopback carries 127.0.0.1/8 and is up (add_addr does nothing
# when the address is already configured).
add_addr 127.0.0.1 8 lo
$IP link set lo up
# Record the first IPv4 address of each interface. The rules below use
# these as the firewall's own addresses and skip a rule when the variable
# is empty (interface without an address).
getaddr eth0 interface_eth0
getaddr ppp0 interface_ppp0
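# Fail closed while the rule set is rebuilt: the default policies go to
# DROP before the old rules are flushed, so nothing slips through meanwhile.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Flush every chain of every table in use, then delete the user-defined
# chains. /proc/net/ip_tables_names only exists once ip_tables is loaded;
# when it is missing there is nothing to flush.
if test -r /proc/net/ip_tables_names; then
  while read -r table; do
    # "-F" without a chain name flushes all chains of the table.
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
  done < /proc/net/ip_tables_names
fi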
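# Load the connection-tracking and NAT helper modules shipped with the
# running kernel, skipping those lsmod already lists. Module names are
# derived from the file names (".o", ".o.gz" or ".ko" stripped).
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
MODULES=$(
  # Without this guard a missing directory would make "ls" list the
  # current directory instead; the subshell keeps the cd local.
  cd "$MODULE_DIR" 2>/dev/null || { echo "warning: $MODULE_DIR not found, no netfilter modules loaded" >&2; exit 0; }
  ls *_conntrack_* *_nat_* | sed 's/\.o.*$//; s/\.ko$//'
)
for module in $MODULES; do
  # Anchor the match: a bare substring match would take "ip_nat_ftp" for
  # "ip_nat" (lsmod prints "<name> <size> ...").
  if $LSMOD | grep "^${module}[[:space:]]" >/dev/null; then continue; fi
  $MODPROBE "${module}" || exit 1
done
log "Activating firewall for samba-server"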
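#
# Rule 0(NAT)
#
# Transparent proxy: web traffic (tcp/80) from the private (RFC 1918)
# ranges is redirected to the local proxy on port 8080. Each rule is one
# command; breaking it before "-j" leaves a rule without a target and
# runs "-j" as a separate command.
# NOTE(review): there is no "-i" match, so the redirect applies on every
# interface; such packets arriving on ppp0 should still be caught by the
# ppp0 anti-spoofing rules in the INPUT chain afterwards.
#
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -t nat -A PREROUTING -p tcp -s $net --destination-port 80 \
    -j REDIRECT --to-ports 8080
done
#
# Rule 1(NAT)
#
# Masquerade everything from the private ranges that leaves via ppp0.
#
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -t nat -A POSTROUTING -o ppp0 -s $net -j MASQUERADE
done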
#
# Let established and related connections through in every chain, so the
# NEW-only rules below only have to cover the first packet of a connection.
#
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
done
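#
# Rule 0(ppp0)
#
# Inbound anti-spoofing rule: packets arriving on ppp0 that claim one of
# our own addresses or a private source are logged and dropped. Only the
# first address of each interface is known here (see getaddr). Each rule
# is one command; a line break inside it splits it into two commands.
#
$IPTABLES -N ppp0_In_RULE_0
for chain in INPUT FORWARD; do
  test -n "$interface_eth0" && $IPTABLES -A $chain -i ppp0 -s $interface_eth0 -j ppp0_In_RULE_0
  test -n "$interface_ppp0" && $IPTABLES -A $chain -i ppp0 -s $interface_ppp0 -j ppp0_In_RULE_0
  for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
    $IPTABLES -A $chain -i ppp0 -s $net -j ppp0_In_RULE_0
  done
done
# The log prefix is a single string; a newline inside it ends up in syslog.
$IPTABLES -A ppp0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A ppp0_In_RULE_0 -j DROP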
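#
# Rule 1(ppp0)
#
# Outbound anti-spoofing rule: anything leaving via ppp0 must carry one of
# our own addresses or a private source (which POSTROUTING masquerades);
# everything else is logged and dropped. Only the first address of each
# interface is known here (see getaddr). Each rule is one command; a line
# break inside it splits it into two commands.
#
$IPTABLES -N Cid40BBAA6A.0
$IPTABLES -A OUTPUT -o ppp0 -j Cid40BBAA6A.0
$IPTABLES -A FORWARD -o ppp0 -j Cid40BBAA6A.0
test -n "$interface_eth0" && $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s $interface_eth0 -j RETURN
test -n "$interface_ppp0" && $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s $interface_ppp0 -j RETURN
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s $net -j RETURN
done
$IPTABLES -N ppp0_Out_RULE_1_3
$IPTABLES -A Cid40BBAA6A.0 -o ppp0 -j ppp0_Out_RULE_1_3
# The log prefix is a single string; a newline inside it ends up in syslog.
$IPTABLES -A ppp0_Out_RULE_1_3 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A ppp0_Out_RULE_1_3 -j DROP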
#
# Rule 0(lo)
#
# Allow all connections on the 'loopback' interface
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#
# Rule 0(global)
#
# block fragments: "-f" matches the second and further fragments of a
# datagram, which carry no port information the rules below could check.
#
$IPTABLES -N RULE_0
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -A $chain -p all -f -j RULE_0
done
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A RULE_0 -j DROP
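#
# Rule 1(global)
#
# allow ssh (tcp/22) to the firewall's own addresses. As generated, the
# OUTPUT rules also match on "-d <own address>". Each rule is one command;
# a line break inside it splits it into two commands.
# NOTE(review): no source or interface restriction, so new ssh connections
# are accepted from the ppp0 uplink too; add "-i eth0" or a "-s <lan>"
# match if ssh should stay LAN-only.
#
for chain in OUTPUT INPUT; do
  test -n "$interface_eth0" && $IPTABLES -A $chain -p tcp -d $interface_eth0 --destination-port 22 -m state --state NEW -j ACCEPT
  test -n "$interface_ppp0" && $IPTABLES -A $chain -p tcp -d $interface_ppp0 --destination-port 22 -m state --state NEW -j ACCEPT
done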
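#
# Rule 2(global)
#
# allow windows services from the private ranges to the firewall's own
# addresses: tcp 139/445 (SMB), 135 (RPC), 42 (WINS), 88 (Kerberos),
# 389/636 (LDAP), 3268/3269 (global catalog), 53 (DNS); udp 137/138
# (NetBIOS name/datagram), 53 (DNS), 88 (Kerberos). These rules sit after
# the ppp0 anti-spoofing rules in INPUT, so private sources seen on ppp0
# are dropped before they get here. Each rule is one command; a line break
# inside it splits it into two commands.
#
TCP_PORTS=139,135,42,445,88,389,636,3268,3269,53
UDP_PORTS=138,137,53,88
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  test -n "$interface_eth0" && $IPTABLES -A INPUT -p tcp -m multiport -s $net -d $interface_eth0 --destination-port $TCP_PORTS -m state --state NEW -j ACCEPT
  test -n "$interface_ppp0" && $IPTABLES -A INPUT -p tcp -m multiport -s $net -d $interface_ppp0 --destination-port $TCP_PORTS -m state --state NEW -j ACCEPT
done
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  test -n "$interface_eth0" && $IPTABLES -A INPUT -p udp -m multiport -s $net -d $interface_eth0 --destination-port $UDP_PORTS -m state --state NEW -j ACCEPT
  test -n "$interface_ppp0" && $IPTABLES -A INPUT -p udp -m multiport -s $net -d $interface_ppp0 --destination-port $UDP_PORTS -m state --state NEW -j ACCEPT
done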
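#
# Rule 3(global)
#
# allow dns service: new queries (tcp and udp port 53) sent from the
# firewall's own addresses. Each rule is one command; a line break inside
# it splits it into two commands.
#
for proto in tcp udp; do
  test -n "$interface_eth0" && $IPTABLES -A OUTPUT -p $proto -s $interface_eth0 --destination-port 53 -m state --state NEW -j ACCEPT
  test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -p $proto -s $interface_ppp0 --destination-port 53 -m state --state NEW -j ACCEPT
done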
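#
# Rule 4(global)
#
# DHCP server for the LAN: accept new udp 67/68 requests from the private
# ranges, both to our own addresses (Cid40BBAAC8.0 -> .1) and to the
# broadcast address 255.255.255.255 (Cid40BBAAC8.2). Each rule is one
# command; a line break inside it splits it into two commands.
#
$IPTABLES -N Cid40BBAAC8.0
test -n "$interface_eth0" && $IPTABLES -A INPUT -d $interface_eth0 -m state --state NEW -j Cid40BBAAC8.0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -d $interface_ppp0 -m state --state NEW -j Cid40BBAAC8.0
$IPTABLES -N Cid40BBAAC8.1
$IPTABLES -A Cid40BBAAC8.0 -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAAC8.1
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -A Cid40BBAAC8.1 -s $net -m state --state NEW -j ACCEPT
done
$IPTABLES -N Cid40BBAAC8.2
$IPTABLES -A INPUT -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAAC8.2
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -A Cid40BBAAC8.2 -s $net -d 255.255.255.255 -m state --state NEW -j ACCEPT
done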
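#
# Rule 5(global)
#
# again DHCP, outbound: new udp 67/68 packets from our own addresses to
# the private ranges. Each rule is one command; a line break inside it
# splits it into two commands.
#
$IPTABLES -N Cid40BBAADA.0
$IPTABLES -A OUTPUT -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAADA.0
$IPTABLES -N Cid40BBAADA.1
test -n "$interface_eth0" && $IPTABLES -A Cid40BBAADA.0 -s $interface_eth0 -m state --state NEW -j Cid40BBAADA.1
test -n "$interface_ppp0" && $IPTABLES -A Cid40BBAADA.0 -s $interface_ppp0 -m state --state NEW -j Cid40BBAADA.1
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -A Cid40BBAADA.1 -d $net -m state --state NEW -j ACCEPT
done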
#
# Rule 6(global)
#
# 'masquerading' rfc-nets: any new connection from the private ranges is
# accepted, both to the firewall itself (INPUT) and through it (FORWARD).
# NOTE(review): this exposes every local service to those sources and
# makes rule 2 above largely redundant; narrow it with "-i eth0" and the
# real LAN range once that is known.
#
for chain in INPUT FORWARD; do
  for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
    $IPTABLES -A $chain -s $net -m state --state NEW -j ACCEPT
  done
done
#
# Rule 7(global)
#
# 'catch all': log and drop whatever no earlier rule accepted (the chain
# policies are DROP as well, so this mainly adds the log line).
#
$IPTABLES -N RULE_7
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -A $chain -j RULE_7
done
$IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
$IPTABLES -A RULE_7 -j DROP
#
# Enable routing between interfaces only now that the rule set is in place.
#
echo 1 > /proc/sys/net/ipv4/ip_forward