
#1 2012-11-24 01:18:17

lmello
Member
From: Brazil
Registered: 2012-11-06
Posts: 300

[SOLVED] Simple Stateful Firewall and Samba

I'm venturing into the wonderful world of iptables. I found out that this page was very helpful. But as soon as I implemented my firewall, Samba stopped working, even though I open the smbd and nmbd ports - tcp ports 139 and 445 and udp ports 137 and 138. Here's my iptables.rules:

# Generated by iptables-save v1.4.16.2 on Wed Nov 21 00:30:47 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [141:34906]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 631 -j ACCEPT
-A TCP -p tcp -m tcp --dport 139 -j ACCEPT
-A TCP -p tcp -m tcp --dport 445 -j ACCEPT
-A TCP -p tcp -m tcp --dport 2049 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 137 -j ACCEPT
-A UDP -p udp -m udp --dport 138 -j ACCEPT
-A UDP -p udp -m udp --dport 5353 -j ACCEPT
COMMIT
# Completed on Wed Nov 21 00:30:47 2012

With the firewall enabled I can use smbclient only on localhost, and smbtree doesn't show a thing (and thus Nautilus' Windows Network shows nothing). Other services run fine, however...

Last edited by lmello (2013-07-08 03:28:41)


Fundamental Axiom of the Universe (aka Murphy's Law): Whatever can go wrong, will go wrong.
First Digital Deduction: Nothing obeys Murphy's Law so well as computers.
Second Digital Deduction: Everything goes wrong at least once.
Third Digital Deduction: Things go wrong even when there's absolutely no possibility of anything going wrong.


#2 2013-03-15 17:33:48

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

Re: [SOLVED] Simple Stateful Firewall and Samba

Same problem, hmm. Also can't see sshfs from avahi in Nautilus.


bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U


#3 2013-03-15 19:35:44

ajbibb
Member
Registered: 2012-02-12
Posts: 127

Re: [SOLVED] Simple Stateful Firewall and Samba

There is a lot of stuff out there for Samba and firewalls, but there seems to be precious little dealing exclusively with the situation where you only want smbclient.  Mainly through experimentation I've found I only need the following ports open in the inbound direction for smbclient:

udp --sport 137
udp --dport 137

Of these I could actually make a connection without the second, but my firewall logs were showing the second being dropped.  When I looked at the log entries it appeared to be a broadcast from my machine out to the local network returning to me, so I put the rule in to allow it.

All the other inbound ports that need to be open for smbclient seem to be handled by the RELATED,ESTABLISHED rule, or I assume they are.  My experiments basically involved eliminating rules one at a time until something broke, I was left with the two ports above.  You may also want to limit these openings to your local network. Something like:

-s 192.168.0.0/16 (replace the network range with whatever is appropriate for your system)     

By the way, your last 2 ping-limiting rules will never be used, as you will always accept because of this rule placed higher up.

-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

If you want the ping limiting you need to delete or not use this rule.  Also note that placing the limiting rules at the end will only limit new ping connections, not the pings themselves.  If you want to limit the actual number of pings your system has to respond to the limiting rules need to appear before the RELATED,ESTABLISHED rule.

[edit] just saw something worse:

This rule:

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

Will intercept everything after it in the INPUT chain.  It needs to be moved down to be your last rule.

Last edited by ajbibb (2013-03-15 19:55:56)
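The three points made in this reply (the catch-all REJECT that sits in front of the port-scan and ping-limiting rules, the unconditional ping ACCEPT that makes the later limit rules irrelevant, and the inbound udp --sport 137 rule that Samba browsing needs) can all be checked mechanically rather than by deleting rules one at a time. What follows is an added example, not code from the thread or from the Arch wiki: a small Python linter that parses an iptables-save dump, lists rules that iptables can never evaluate, and walks a constructed NEW packet through INPUT and the user chains it jumps to, reporting which rule decides it. It embeds the INPUT and UDP chains posted in the first message (the TCP chain is left out), applies the corrections suggested here, and runs a NetBIOS reply through both versions. The 192.168.0.0/16 range, the eth0 interface and the packet contents are assumptions; only the matches used in that ruleset are modelled, -m limit is assumed to match, and the conntrack state is set by hand.

```python
"""Lint an iptables-save dump: list rules that can never be evaluated, and walk
a constructed NEW packet through INPUT (and any user chain it jumps to)."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
NOARG = {"--rsource", "--set", "--update"}  # options that take no value
PARAMS = {"-m", "--name", "--seconds", "--mask", "--rsource", "--reject-with",
          "--limit-burst"}                  # parameters, not match criteria

def parse(dump):
    """The -A rules of an iptables-save dump, in order, as option->value dicts."""
    rules = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        tok = shlex.split(line)
        if tok[:1] != ["-A"]:
            continue
        r, i = {"chain": tok[1], "lineno": lineno, "conditions": 0}, 2
        while i < len(tok):
            t, n = tok[i], (0 if tok[i] in NOARG else 1)
            r[t] = tok[i + 1] if n else t
            i += 1 + n
            if t != "-j" and t not in PARAMS:
                r["conditions"] += 1  # a match criterion: -p, -s, --dport, ...
        r["target"] = r.pop("-j")
        rules.append(r)
    return rules

def matches(r, pkt, recent):
    """One rule against one packet dict; `recent` holds the xt_recent list
    names that already contain the packet's source (-m limit always matches)."""
    for opt, key in (("-p", "proto"), ("-i", "iface")):
        if opt in r and r[opt] != pkt[key]:
            return False
    if "-s" in r and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["-s"]):
        return False
    for opt in ("--dport", "--sport", "--icmp-type"):
        if opt in r and pkt.get(opt[2:].replace("-", "_")) != int(r[opt]):
            return False
    if "--ctstate" in r and pkt["state"] not in r["--ctstate"].split(","):
        return False
    if "--update" in r and r["--name"] not in recent:
        return False  # --update only matches a source already on the list
    if "--set" in r:
        recent.add(r["--name"])
    return True

def verdict(rules, pkt, chain="INPUT", policy="DROP", recent=None):
    """(target, lineno) of the rule that decides pkt in `chain`; a jump into a
    user chain comes back here when nothing in that chain matched."""
    recent = set() if recent is None else recent
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt, recent):
            continue
        if r["target"] in TERMINAL:
            return r["target"], r["lineno"]
        sub = verdict(rules, pkt, r["target"], None, recent)  # user chain
        if sub[0]:
            return sub
    return policy, None

def unreachable(rules):
    """Lines sitting behind an unconditional terminating rule in the same chain."""
    blocked, out = set(), []
    for r in rules:
        if r["chain"] in blocked:
            out.append(r["lineno"])
        elif r["conditions"] == 0 and r["target"] in TERMINAL:
            blocked.add(r["chain"])
    return out

# INPUT and UDP chains of the ruleset posted above; the TCP rules are omitted.
ORIGINAL = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 137 -j ACCEPT
-A UDP -p udp -m udp --dport 138 -j ACCEPT
-A UDP -p udp -m udp --dport 5353 -j ACCEPT
COMMIT
"""
EARLY_REJECT = "-A INPUT -j REJECT --reject-with icmp-proto-unreachable"
PING_ACCEPT = "-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT"
# Assumed LAN range; a reply to a broadcast NetBIOS name query comes from udp/137
# of some other host, so conntrack does not class it as ESTABLISHED.
SAMBA_REPLY = "-A UDP -s 192.168.0.0/16 -p udp -m udp --sport 137 -j ACCEPT"

def fixed(dump):
    """The corrections from the reply: catch-all REJECT moved last, unconditional
    ping ACCEPT removed, NetBIOS replies accepted from the LAN only."""
    lines = [ln for ln in dump.splitlines() if ln not in (EARLY_REJECT, PING_ACCEPT)]
    i = lines.index("COMMIT")
    return "\n".join(lines[:i] + [SAMBA_REPLY, EARLY_REJECT] + lines[i:])

# Constructed packet: a NetBIOS name-query reply from a LAN host to our browser.
NBT_REPLY = {"proto": "udp", "src": "192.168.0.20", "iface": "eth0",
             "sport": 137, "dport": 49152, "state": "NEW"}
```

On the posted rules, `unreachable(parse(ORIGINAL))` names the four INPUT lines behind the catch-all REJECT, and `verdict` shows the NetBIOS reply falling out of the UDP chain unmatched and hitting that REJECT; on `fixed(ORIGINAL)` the same packet is accepted by the new --sport rule, while one with a source outside 192.168.0.0/16 is rejected by the port-scan rule, which now actually runs. Accepting on --sport 137 trusts a field the sender chooses, so the -s restriction matters: without it any host can reach every UDP listener simply by sending from port 137. Where it can be used, the kernel's nf_conntrack_netbios_ns helper is the narrower option, since it marks replies to a broadcast name query RELATED and needs no source-port hole.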


#4 2013-07-08 03:28:11

lmello
Member
From: Brazil
Registered: 2012-11-06
Posts: 300

Re: [SOLVED] Simple Stateful Firewall and Samba

@ajbibb,

Thank you very much. The --sport was the deal. The icmp protocol rules I took directly from the wiki, shouldn't you correct it?




#5 2013-07-10 00:35:22

ajbibb
Member
Registered: 2012-02-12
Posts: 127

Re: [SOLVED] Simple Stateful Firewall and Samba

Glad the rules worked for you.

Regarding the icmp rules, I think the Wiki is correct, and also I believe it does agree with what I posted.  Specifically the last paragraph in the Wiki section 2.8.1 that starts "If you choose to use either the rate limiting or the source limiting rules..."  I'm prepared to be proven wrong if people disagree, however.

I was very confused at first about the paragraphs in Wiki section 2.8 where rules that were previously set up seemed to be added once again.  I think I now understand why it was written that way, but it might be a good idea to add some text to the first paragraph of 2.8 saying that everything in this section is optional and may change, delete, or overwrite several of the rules previously created.
