[Samba] help with samba and iptables

Rowland Penny rpenny at samba.org
Thu Oct 4 19:41:32 UTC 2018


On Thu, 4 Oct 2018 14:50:21 -0400
Alex Gutiérrez Martínez via samba <samba at lists.samba.org> wrote:

> Hi community, I have a Samba server that works great, but my friends
> in IT security said that it is vulnerable without a firewall. I tried
> to set up an iptables firewall using the official documentation, but
> it is not working (obviously). This is my config:
> 
> 
> #!/bin/sh
> echo -n Aplicando Reglas de Firewall...
> ## Flush the existing rules
> iptables -F
> iptables -X
> iptables -Z
> iptables -t nat -F
> ## Set the default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> ## Start filtering
> # Allow localhost (e.g. local connections to mysql)
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> # Allow these IPs
> iptables -A INPUT -s 192.168.1.5 -j ACCEPT
> # Allow access to the ntp service
> /sbin/iptables -A INPUT -s 192.168.2.3 -p udp -m udp --dport 123 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.2.3 -p udp -m udp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Allow access to smb-udp
> # dvm lan
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 88 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 138 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 389 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 464 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 32700:32800 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 32700:32800 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Allow access to smb-tcp
> # dvm lan
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 88 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 135 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 135 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 139 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 389 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 445 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 445 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 464 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 636 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 636 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 3268 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 3268 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 49152:65535 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 49152:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> echo " OK . Verifique que lo que se aplica con: iptables -L -n"
> # Allow queries to a first DNS server
> /sbin/iptables -A INPUT -s 192.168.2.4 -p udp -m udp --sport 53 -j ACCEPT
> /sbin/iptables -A OUTPUT -d 192.168.2.5 -p udp -m udp --dport 53 -j ACCEPT
> # Save the config
> /etc/init.d/iptables-persistent save
> echo " OK . Verifique que lo que se aplica con: iptables -L -n"
> # End of script
> 
> 
> My question is simple: what am I doing wrong?
> 

It looks like your 'Samba server' is a DC, so you are missing a couple of
ports: 137:udp and 138:udp.
You also don't seem to have the NTP port: 123:udp.

Finally, what version of Samba are you using?
The ports 49152-65535 were used from 4.7.0; before that they should be
1024-1300.

Rowland
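As an added illustration (not the poster's script and not anything shipped by Samba): a POSIX sh generator that prints, rather than applies, the INPUT rules a Samba AD DC needs for one LAN, choosing the dynamic RPC range by Samba version as the reply describes, and using a single conntrack rule instead of a --sport rule per port. The port/protocol table is the one Samba documents for an AD DC plus the NTP port from the reply; the names samba_dc_rules, rpc_range, count_rules and DC_PORTS are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper: prints (does not run) iptables INPUT rules for a Samba AD DC.
# Usage: samba_dc_rules <lan-cidr> <samba-version>, e.g. 192.168.1.0/24 4.8.5

# The dynamic RPC port range changed in Samba 4.7.0:
# 1024-1300 before that release, 49152-65535 from 4.7.0 on.
rpc_range() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; }; then
        echo 49152:65535
    else
        echo 1024:1300
    fi
}

# proto:port pairs documented for a Samba AD DC (DNS, Kerberos, RPC endpoint
# mapper, NetBIOS, LDAP/LDAPS, SMB, kpasswd, Global Catalog) plus NTP.
DC_PORTS="udp:53 tcp:53 udp:88 tcp:88 tcp:135 udp:137 udp:138 tcp:139 \
udp:389 tcp:389 tcp:445 udp:464 tcp:464 tcp:636 tcp:3268 tcp:3269 udp:123"

samba_dc_rules() {
    lan=$1; ver=$2
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # One conntrack rule admits all reply traffic; no per-port --sport rules needed.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for entry in $DC_PORTS; do
        proto=${entry%%:*}; port=${entry#*:}
        echo "iptables -A INPUT -s $lan -p $proto --dport $port -j ACCEPT"
    done
    # Dynamic RPC range (TCP), selected from the Samba version.
    echo "iptables -A INPUT -s $lan -p tcp --dport $(rpc_range "$ver") -j ACCEPT"
    # Default policy set last, so the rules above are in place before dropping.
    echo "iptables -P INPUT DROP"
}

# Number of iptables commands the generator emits for a given LAN and version.
count_rules() { samba_dc_rules "$1" "$2" | grep -c '^iptables'; }

# Stand-alone run: defaults to the poster's LAN and an assumed version.
samba_dc_rules "${1:-192.168.1.0/24}" "${2:-4.8.5}"
```

Review the printed commands, then run them (or paste them into the script) on the DC itself; a DC that also serves as a file server needs nothing beyond these ports for SMB.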


