[Samba] Firewall trouble?

Rowland penny rpenny at samba.org
Mon Dec 28 16:12:29 UTC 2015


On 28/12/15 15:33, Ryan Ashley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I recently tried adding a firewall to my Samba 4 server using the port
> information I found on the wiki. Below is a dump of the resulting rules.
>
> root at dc01:~# iptables -S
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
> -A INPUT -p gre -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> As you can see, I try to prevent brute-force attacks on SSH, but
> accept data, both TCP and UDP on the ports specified by the wiki
> article.


I would check the ports again if I were you; you need port 389 TCP as 
well as UDP. Also, whilst not being a firewall expert, doesn't having 
port 22 mentioned at the end of the file take precedence over the 
earlier line?

Rowland
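As an added example, not part of the thread and not Ryan's ruleset or anything taken from the Samba wiki: the script below prints an INPUT chain for a Samba AD DC with the same rules as the dump above, reordered for how netfilter actually evaluates them. iptables walks INPUT top-down and stops at the first terminating target, so the SSH rate-limit DROP must sit above any ACCEPT that also matches port 22, and a "-i lo -j ACCEPT" placed last only catches loopback packets that nothing above has already handled, so it belongs at the top. The port lists are Ryan's with 389/tcp (LDAP) added, as Rowland suggests. The 1024:5000 RPC range and the 67/udp and 123/udp entries are copied from his dump and are assumptions about his server, not Samba defaults. The script only prints the commands, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's rules and not from
# the Samba wiki. Prints an ordered iptables INPUT ruleset for a Samba AD DC.

# Ports from the poster's dump plus 389/tcp. 22 is SSH; 67/udp and 123/udp
# (DHCP, NTP) and the 1024:5000 RPC range are assumptions carried over from
# the poster's configuration, not Samba defaults.
SAMBA_TCP="22,53,88,135,139,389,445,464,636,3268,3269,1024:5000"
SAMBA_UDP="53,67,88,123,137,138,389,464"
SSH_HITS=4      # new SSH connections allowed per source ...
SSH_WINDOW=600  # ... within this many seconds before DROP kicks in

# Print the rules in the order they must be applied. Netfilter evaluates
# INPUT top-down and the first terminating target (ACCEPT/DROP/REJECT) wins:
#   1. loopback and established flows first, so nothing below shadows them;
#   2. the SSH rate-limit DROP before any ACCEPT that also matches port 22;
#   3. the broad multiport ACCEPTs last;
#   4. the DROP policy is set only after the rules exist, so a remote admin
#      is not locked out while the chain is being rebuilt.
samba_dc_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name BLOCKED --rsource
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds $SSH_WINDOW --hitcount $SSH_HITS --name BLOCKED --rsource -j DROP
iptables -A INPUT -p tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports $SAMBA_TCP -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -m multiport --dports $SAMBA_UDP -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# 1-based position of the first generated rule matching extended regex $1.
# Lets the ordering be checked on paper before the rules go live.
rule_index() {
    samba_dc_rules | grep -nE -- "$1" | head -n 1 | cut -d: -f1
}

# Default action: print the ruleset for review.
# To apply:   sh samba-dc-fw.sh | sudo sh
samba_dc_rules
```

Review the output with "sh samba-dc-fw.sh" first; "rule_index" can be used in a shell to confirm, for example, that the SSH DROP rule really does precede the multiport ACCEPT before piping the commands into sh as root.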



More information about the samba mailing list