[Samba] Firewall trouble?
Ryan Ashley
ryana at reachtechfp.com
Tue Dec 29 16:38:53 UTC 2015
No, iptables will first hit the line:
-p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name
BLOCKED --rsource
This line adds the IP to the "BLOCKED" list and increments the
attempts to connect by one. The next line checks to see if there are
four or more attempts to connect in under ten minutes. If so, drop the
connection. If not, continue processing the rules. The rule allowing
it later is only reach by somebody who has not tried to repeatedly
login to SSH.
Yes, I now see I forgot 389 TCP. I will add it and give it a shot.
Thank you for pointing that out.
Lead IT/IS Specialist
Reach Technology FP, Inc
On 12/28/2015 11:12 AM, Rowland penny wrote:
> On 28/12/15 15:33, Ryan Ashley wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>
>> I recently tried adding a firewall to my Samba 4 server using
>> the port information I found on the wiki. Below is a dump of the
>> resulting rules.
>>
>> root at dc01:~# iptables -S - -P INPUT DROP - -P FORWARD DROP - -P
>> OUTPUT ACCEPT - -A INPUT -m conntrack --ctstate
>> RELATED,ESTABLISHED -j ACCEPT - -A INPUT -p tcp -m tcp --dport
>> 22 -m state --state NEW -m recent --set - --name BLOCKED
>> --rsource - -A INPUT -p tcp -m tcp --dport 22 -m state --state
>> NEW -m recent - --update --seconds 600 --hitcount 4 --name
>> BLOCKED --rsource -j DROP - -A INPUT -p icmp -m icmp --icmp-type
>> 3 -j ACCEPT - -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT -
>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT - -A INPUT -p
>> tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT
>> --reject-with tcp-reset - -A INPUT -p gre -j ACCEPT - -A INPUT -p
>> esp -j ACCEPT - -A INPUT -p ah -j ACCEPT - -A INPUT -p tcp -m
>> state --state NEW -m multiport --dports
>> 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT - -A
>> INPUT -p udp -m state --state NEW -m multiport --dports
>> 53,67,88,123,137,138,389,464 -j ACCEPT - -A INPUT -i lo -j
>> ACCEPT
>>
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP on the ports specified by the wiki
>> article.
>
>
> I would check the ports again, if I were you, you need port 389
> tcp as well as udp. Also whilst not being a firewall expert,
> doesn't having port 22 mentioned at the end of the file take
> precedence over the earlier line ?
>
> Rowland
>
More information about the samba
mailing list