[Samba] Firewall trouble?

Ryan Ashley ryana at reachtechfp.com
Tue Dec 29 17:13:59 UTC 2015


Alright, I have set up the new rules and am waiting to see if I have any
issues. If I do, I will keep working on it. I also read the article
below, which mentions exactly what I was told about 2008 and newer
using different ports.

https://support.microsoft.com/en-us/kb/929851

Here is the new configuration:

root at dc01:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -s 10.0.0.0/22 -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,389,445,464,636,3268,3269,49152:65535 -j ACCEPT
-A INPUT -s 10.0.0.0/22 -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT

As you can see, I only allow access from my LAN now, thus further
securing the server. VPN users get a LAN address so they will work with
this setup also.

Lead IT/IS Specialist
Reach Technology FP, Inc
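Editor's note: the thread compares port lists by eye, which is how 389/TCP went missing the first time. The script below is an added example, not code from anyone in this thread. It parses an `iptables -S` dump (re-joining lines a mail client wrapped), collects the port ranges that ACCEPT rules in INPUT permit per protocol, and reports which required ports are not covered, whether the RPC dynamic range for the chosen functional level is open, and which port-accepting rules have no `-s` restriction. The required-port lists in REQUIRED are the ones this thread converges on and the RPC ranges are the ones James gives; both are assumptions to verify against the Samba wiki and the KB article above. The sample ruleset embedded at the bottom is Ryan's first posting, copied from the thread.

```python
"""Audit an `iptables -S` dump against the ports a Samba AD DC needs.

Added example, not code from the thread; the required-port lists below are
the ones the thread converges on and are an assumption, not a reference.
"""
import re

# Assumed requirements (taken from the thread, not an authoritative source).
REQUIRED = {
    "tcp": [22, 42, 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269],
    "udp": [53, 67, 68, 88, 123, 137, 138, 389, 464],
}
# RPC dynamic range per functional level, as James states in the thread.
DYNAMIC_RPC = {"2003": (1025, 5000), "2008": (49152, 65535)}

def join_wrapped(dump):
    """Return complete rule strings, re-joining lines a mail client wrapped.
    Heuristic: a line continues the previous rule if it starts with "--",
    starts with a digit (wrapped port list), or follows a line ending in "-j".
    """
    rules = []
    for raw in dump.splitlines():
        line = raw.strip().lstrip("> ").strip()  # tolerate '> ' mail quoting
        if line.startswith(("-A ", "-P ", "-N ")):
            rules.append(line)
        elif line and rules and (line.startswith("--") or line[0].isdigit()
                                 or rules[-1].endswith(" -j")):
            rules[-1] += " " + line
    return rules

def field(text, flag):
    """Value following a single-argument flag such as -p, -j, -s, --dports."""
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(flag), text)
    return m.group(1) if m else None

def parse_ports(spec):
    """'22,53,1024:5000' -> [(22, 22), (53, 53), (1024, 5000)]"""
    pairs = [part.partition(":") for part in spec.split(",")]
    return [(int(lo), int(hi or lo)) for lo, _, hi in pairs]

def parse_rules(dump):
    """Return (chain policies, parsed -A rules)."""
    policies, rules = {}, []
    for text in join_wrapped(dump):
        if text.startswith("-P "):
            _, chain, policy = text.split()
            policies[chain] = policy
        elif text.startswith("-A "):
            spec = field(text, "--dports") or field(text, "--dport")
            rules.append({"chain": field(text, "-A"), "proto": field(text, "-p"),
                          "target": field(text, "-j"), "src": field(text, "-s"),
                          "ports": parse_ports(spec) if spec else [], "text": text})
    return policies, rules

def merged(ranges):
    """Merge overlapping or adjacent (lo, hi) ranges so coverage is exact."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def covered(lo, hi, ranges):
    """True if every port in lo..hi lies inside some accepted range."""
    return any(a <= lo and hi <= b for a, b in merged(ranges))

def audit(dump, level="2008", chain="INPUT"):
    """Required ports not accepted, RPC-range status, and rules open to any -s."""
    policies, rules = parse_rules(dump)
    accepts = [r for r in rules
               if r["chain"] == chain and r["target"] == "ACCEPT" and r["ports"]]
    allowed = {p: [rng for r in accepts if r["proto"] == p for rng in r["ports"]]
               for p in REQUIRED}
    rpc_lo, rpc_hi = DYNAMIC_RPC[level]
    return {
        "policy": policies.get(chain),
        "missing": {p: [n for n in REQUIRED[p] if not covered(n, n, allowed[p])]
                    for p in REQUIRED},
        "rpc_range_open": covered(rpc_lo, rpc_hi, allowed["tcp"]),
        # port-accepting rules with no -s: reachable from any source address
        "unrestricted": [r["text"] for r in accepts if r["src"] is None],
    }

# Sample input: the port-bearing rules from the ruleset Ryan posted first,
# copied from the thread with the same line wrapping.
ORIGINAL_RULES = """
root at dc01:~# iptables -S
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent
--update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j
REJECT --reject-with tcp-reset
-A INPUT -p tcp -m state --state NEW -m multiport --dports
22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports
53,67,88,123,137,138,389,464 -j ACCEPT
"""
```

Run `audit(ORIGINAL_RULES)` and it reports 42 and 389 missing on TCP, 68 missing on UDP, the 2008 dynamic range closed, and both ACCEPT rules reachable from any source; with `level="2003"` the same ruleset shows the 1025-5000 range open. Feed it `iptables -S` output from the DC (or a pasted copy from a mail) after every change rather than re-reading the port lists by hand.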

On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
> Hi,
> 
> I'm missing a few things.
> 
> And maybe a time server port to open? Are your DCs time servers also?
> These are the ports I've set.
> 
> TCP, what I'm having:
> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
> 
> How you did it:
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
> You're missing 42, 389 and the range 49612:65535
> 
> 
> UDP, what I'm having:
> 53,67,68,88,123,137,138,389,464
> 
> How you did it:
> 53,67,88,123,137,138,389,464
> You're missing 68 (but I don't know if you need it)
> 
> If you're not familiar with iptables,
> I advise you to install ufw, for example.
> I have a nice "base" set of rules, if you need some examples.
> Ufw isn't that hard and is easy to extend.
> And a handy thing: integrating iptables + GeoIP is really easy,
> and handy for SSH access/blocks.
> I only allow SSH access on my server from the Netherlands with a rule like:
> 
> -A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP
> 
> If you want some extra info on that, just mail me, no problem.
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
>> Sent: Monday 28 December 2015 17:27
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Firewall trouble?
>>
>> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
>>> I recently tried adding a firewall to my Samba 4 server using the port
>>> information I found on the wiki. Below is a dump of the resulting rules.
>>>
>>> root at dc01:~# iptables -S
>>> -P INPUT DROP
>>> -P FORWARD DROP
>>> -P OUTPUT ACCEPT
>>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
>>> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>>> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
>>> -A INPUT -p gre -j ACCEPT
>>> -A INPUT -p esp -j ACCEPT
>>> -A INPUT -p ah -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
>>> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>>
>>> As you can see, I try to prevent brute-force attacks on SSH, but
>>> accept data, both TCP and UDP, on the ports specified by the wiki
>>> article. However, when this firewall is on my AD DC server, logins
>>> take eons, everything is SLOW on workstations, and sometimes
>>> authentications just plain fail. Why?
>>>
>> I assume this is for a DC. If so are you using functional level 2008?
>> You need to open ports 49152 through 65535 if you are. Level 2003 used
>> 1025 through 5000.
>>
>> --
>> -James
>>
>>