[Samba] help with samba and iptables
Alex Gutiérrez Martínez
alex at dvm.esines.cu
Thu Oct 4 18:50:21 UTC 2018
Hi community, I have a Samba server that works great, but my friends in IT security said that it is vulnerable without a firewall. I tried to set up an iptables firewall using the official documentation, but it is not working (obviously). This is my config:
#!/bin/sh
echo -n Aplicando Reglas de Firewall...
## Flush the rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
## Set the default policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
## Start filtering
# Localhost is allowed (e.g. local connections to mysql)
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow the IPs
iptables -A INPUT -s 192.168.1.5 -j ACCEPT
# Allow access to the ntp service
/sbin/iptables -A INPUT -s 192.168.2.3 -p udp -m udp --dport 123 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.2.3 -p udp -m udp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow access to smb-udp
# dvm lan
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 88 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 138 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 389 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 464 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 32700:32800 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 32700:32800 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow access to smb-tcp
# dvm lan
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 88 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 135 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 135 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 139 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 389 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 445 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 445 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 464 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 636 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 636 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 3268 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 3268 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 49152:65535 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 49152:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo " OK . Verifique que lo que se aplica con: iptables -L -n"
# Allow queries to a first DNS server
/sbin/iptables -A INPUT -s 192.168.2.4 -p udp -m udp --sport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -d 192.168.2.5 -p udp -m udp --dport 53 -j ACCEPT
# Save the config
/etc/init.d/iptables-persistent save
echo " OK . Verifique que lo que se aplica con: iptables -L -n"
# End of script
My question is simple: what am I doing wrong?
--
Saludos Cordiales
Lic. Alex Gutiérrez Martínez
Tel. +53 7 2710327
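Added example (not the poster's script, and not from the Samba project): a small generator that prints an INPUT rule set for a Samba AD domain controller reachable only from one trusted LAN, so the set can be reviewed before it is applied as root. It uses one stateful RELATED,ESTABLISHED rule instead of a --sport rule per port, and assigns each port the protocol listed for an AD DC on the Samba wiki; the function names, the check helpers and the 192.168.1.0/24 LAN value are assumptions for the example.

```shell
#!/bin/sh
# Added example: generate (not apply) an INPUT chain for a Samba AD DC that
# only the trusted LAN may reach. Printing the commands lets you review the
# set first and then run it as root with: samba_rules 192.168.1.0/24 | sh
# Per-port protocols follow the Samba wiki's AD DC port list.

# TCP: DNS, Kerberos, RPC endpoint mapper, NetBIOS session, LDAP, SMB,
# kpasswd, LDAPS, global catalog (plain/SSL), dynamic RPC range.
TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269 49152:65535"
# UDP: DNS, Kerberos, NTP, NetBIOS name/datagram, LDAP (CLDAP), kpasswd.
UDP_PORTS="53 88 123 137 138 389 464"

samba_rules() {   # samba_rules <trusted LAN in CIDR>
  lan="$1"
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # One stateful rule covers every reply, so no --sport rules are needed.
  echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  for p in $TCP_PORTS; do
    echo "iptables -A INPUT -s $lan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $UDP_PORTS; do
    echo "iptables -A INPUT -s $lan -p udp --dport $p -j ACCEPT"
  done
}

# Check helper: succeeds only if the generated set opens PROTO/PORT to LAN.
# Useful to confirm that 445 is open on tcp and that udp/445 stays closed.
rule_allows() {   # rule_allows <lan> <tcp|udp> <port>
  samba_rules "$1" | grep -q -- "-s $1 -p $2 --dport $3 "
}

# Number of rules produced, for a quick audit of the generated set.
rule_count() {
  samba_rules "$1" | grep -c .
}
```

Pipe the output to `iptables -L -n`-style review first; the generated set still needs the OUTPUT/FORWARD policies and a persistence step of your choice.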