[Samba] help with samba and iptables

Reindl Harald h.reindl at thelounge.net
Thu Oct 4 19:14:12 UTC 2018


Start simply: get rid of all the "-m state --state RELATED,ESTABLISHED
-j ACCEPT" rules. You need that only once, at the top (or right after
the loopback device).

On 04.10.18 at 20:50, Alex Gutiérrez Martínez via samba wrote:
> Hi community, I have a Samba server that works great, but my friends in
> IT security said that it is vulnerable without a firewall. I tried to set
> up an iptables firewall using the official documentation but it is not
> working (obviously). This is my config:
> 
> #!/bin/sh
> echo -n "Applying firewall rules..."
> ## Flush the rules
> iptables -F
> iptables -X
> iptables -Z
> iptables -t nat -F
> ## Set the default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> ## Start filtering
> # Allow localhost (e.g. local connections to mysql)
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> # Allowed IPs
> iptables -A INPUT -s 192.168.1.5 -j ACCEPT
> # Allow access to the ntp service
> /sbin/iptables -A INPUT -s 192.168.2.3 -p udp -m udp --dport 123 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.2.3 -p udp -m udp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Allow access to smb-udp
> # lan dvm
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 88 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 138 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 389 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 464 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 32700:32800 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 32700:32800 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Allow access to smb-tcp
> # lan dvm
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 88 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 135 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 135 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 139 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 389 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 445 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 445 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 464 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 636 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 636 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 3268 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 3268 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 49152:65535 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 49152:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> echo " OK. Check what was applied with: iptables -L -n"
> # Allow queries to a first DNS
> /sbin/iptables -A INPUT -s 192.168.2.4 -p udp -m udp --sport 53 -j ACCEPT
> /sbin/iptables -A OUTPUT -d 192.168.2.5 -p udp -m udp --dport 53 -j ACCEPT
> # Save the config
> /etc/init.d/iptables-persistent save
> echo " OK. Check what was applied with: iptables -L -n"
> # End of script
> 
> 
> My question is simple: what am I doing wrong?
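
The advice in the reply (one RELATED,ESTABLISHED rule, at the top, right after loopback) carried through as an added example; this is not code from either poster or from the Samba project. It takes the LAN, admin host and NTP client addresses from the posted script, assumes the host is an AD DC (the posted script opens Kerberos and LDAP ports, so the port list below is the AD DC port list from the Samba wiki), and only prints an iptables-restore(8) ruleset instead of applying it. The two check functions and the short excerpt "in the shape of" the posted script are constructed for the example.

```sh
#!/bin/sh
# Added example: a Samba AD DC INPUT chain with ONE stateful rule on top.
# Addresses are the ones quoted in the thread; the AD DC role and the port
# list are assumptions.
LAN=192.168.1.0/24          # "lan dvm" in the posted script
ADMIN_HOST=192.168.1.5      # host the posted script lets in unrestricted
NTP_CLIENT=192.168.2.3      # host the posted script allows to reach ntp

# Ports a Samba AD DC listens on (assumed role; list per the Samba wiki).
TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269 49152:65535"
UDP_PORTS="53 88 137 138 389 464"

# Emit the ruleset in iptables-restore(8) format. Nothing is applied here:
# review the output, then load it as root with iptables-restore.
gen_rules() {
    # FORWARD is DROP rather than the posted ACCEPT: a DC does not route.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # The single stateful rule, right after loopback. conntrack accepts every
    # packet belonging to a flow this host initiated or already accepted
    # (DNS and NTP replies included), so no per-port
    # "--sport N ... --state RELATED,ESTABLISHED" rule is needed below.
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo "-A INPUT -s $ADMIN_HOST -j ACCEPT"
    echo "-A INPUT -s $NTP_CLIENT -p udp --dport 123 -j ACCEPT"
    # Only NEW connections need explicit rules, one per listening port.
    for p in $TCP_PORTS; do
        echo "-A INPUT -s $LAN -p tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A INPUT -s $LAN -p udp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Count stateful accept rules in a ruleset read from stdin. Matches both the
# old "-m state --state" and the "-m conntrack --ctstate" spelling, so it
# works on a script of iptables commands as well as on restore format.
count_state_rules() {
    grep -c -E -- '--(ct)?state RELATED,ESTABLISHED' || true
}

# 1-based position of the first stateful rule among the INPUT rules;
# 2 means "directly after the loopback rule".
state_rule_position() {
    grep -- '-A INPUT' | grep -n -E -- '--(ct)?state RELATED,ESTABLISHED' | head -n 1 | cut -d: -f1
}

# Constructed excerpt in the shape of the posted script (not the whole
# script), used to show what the check reports on that style of ruleset.
POSTED_EXCERPT='/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 88 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 139 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Usage: sh samba-fw.sh --print > samba-dc.rules && iptables-restore < samba-dc.rules
case "${1:-}" in
    --print) gen_rules ;;
esac
```

On the generated ruleset count_state_rules reports 1 and state_rule_position reports 2; on the constructed excerpt of the posted style it reports one stateful rule per opened port, which is what the reply says to remove. The "--sport N" rules also do not do what a reply-filter should: a reply to the server's own DNS query comes from source port 53 of whatever resolver was used, which a stateless port rule tied to one address misses while the single conntrack rule covers it.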


