So after installation of iptables, I can't get Samba back. It's been working for more than a year, so I don't really want to tweak any SAMBA settings; I think I fugged something up in the network.
What I have messed with:
bind dns server, zone rules
nginx web server
apache web server
iptables galore. I have been working on a script for that; this is what I came up with. Is this a decent method to ensure firewall consistency: put it in a script and verbose the chained outputs to the console for a final visual inspection?
#!/bin/bash
# Iptables Firewall 11/2015
##############
# Clean first
##############
# Make sure service is started
systemctl restart iptables.service &&
# Clean rules first, start from scratch
# Resets iptables rules,
# It's your choice how you want to do this, method a or b
# Method a
# clean
# iptables-restore < /etc/iptables/empty.rules &&
# Method b (skipping forward and input)
iptables -F -v &&
iptables -X -v &&
iptables -t nat -F -v &&
iptables -t nat -X -v &&
iptables -t mangle -F -v &&
iptables -t mangle -X -v &&
iptables -t raw -F -v &&
iptables -t raw -X -v &&
iptables -t security -F -v &&
iptables -t security -X -v &&
iptables -P OUTPUT ACCEPT -v &&
# Tighten and start some chains
iptables -P FORWARD DROP -v &&
iptables -P INPUT DROP -v &&
iptables -N TCP -v &&
iptables -N UDP -v &&
# Accept - keep alive existing to salvage any ssh conn
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -v &&
iptables -A INPUT -i lo -j ACCEPT -v &&
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP -v &&
# Accept - icmp echo request, important for good traffic flow, first packet only is new
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT -v &&
# Command UDP and TCP input chains to take new incoming connections
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP -v &&
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP -v &&
##########################
# Explicit Incoming rules
##########################
# www
iptables -A TCP -p tcp --dport 80 -j ACCEPT -v &&
#fileshare
## DNS
iptables -A UDP -s 192.168.1.99 -p udp --dport 53 -j ACCEPT -v &&
iptables -A TCP -s 192.168.1.99 -p tcp --dport 953 -j ACCEPT -v &&
## Samba
#TRY THESE
#iptables -I INPUT 1 -p tcp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
#iptables -I INPUT 1 -p udp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
iptables -A TCP -s 192.168.1.99 -p tcp --dport 88 -j ACCEPT -v &&
iptables -A UDP -s 192.168.1.99 -p udp --dport 123 -j ACCEPT -v &&
iptables -A UDP -s 192.168.1.99 -p udp --dport 137:138 -j ACCEPT -v &&
iptables -A TCP -s 192.168.1.99 -p tcp --dport 139 -j ACCEPT -v &&
iptables -A TCP -s 192.168.1.99 -p tcp --dport 443 -j ACCEPT -v &&
iptables -A UDP -s 192.168.1.99 -p udp --dport 445 -j ACCEPT -v &&
iptables -A TCP -s 192.168.1.99 -p tcp --dport 445 -j ACCEPT -v &&
# ssh
# a more stringent rule below for this, lets test only that first
# iptables -A TCP -p tcp --dport 22 -j ACCEPT -v &&
################
#More Hardening
################
# Mitigate brute force attacks
iptables -N IN_SSH -v &&
#iptables -A TCP -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH -v &&
#iptables -A TCP -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH -v &&
iptables -A TCP -p tcp --dport 22 -j IN_SSH -v &&
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP -v &&
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP -v &&
iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT -v &&
#more ssh stuff, testing
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT -v &&
# iptables -A TCP -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH -v &&
iptables -A TCP -p tcp --dport 22 -j IN_SSH -v &&
# iptables -A UDP -p udp -m conntrack --ctstate NEW -j UDP -v &&
iptables -A UDP -p udp -j UDP -v &&
#BLOCK PORT SCANNER?
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP -v &&
#########################
# Final Rules,
# nothing go after these
#########################
# Reject -final rule to input chain, reject if ports arent opened
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable -v &&
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset -v &&
#######################
# End iptables ruleset
#
# Save the rules
######################
iptables-save > /etc/iptables/iptables.rules &&
# Restart iptables and other services so rules can take effect
systemctl restart iptables &&
systemctl restart smbd &&
systemctl restart nmbd
########
# NOTES
########
# for self testing watch incoming attempts `cat /proc/net/xt_recent/sshbf`
# unblock IP during testing, from root `# echo / > /proc/net/xt_recent/sshbf`
Ignore the -s <ip-address>; it's a way I was trying to get it to work. I have tried 192.168.1.0/24 also, yes.
Outputs:
iptables_fullserve
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `IN_SSH'
Flushing chain `TCP'
Flushing chain `UDP'
Deleting chain `IN_SSH'
Deleting chain `TCP'
Deleting chain `UDP'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate INVALID
ACCEPT icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 ctstate NEW
UDP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW
TCP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 ctstate NEW
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80
ACCEPT udp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 tcp dpt:953
ACCEPT tcp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 tcp dpt:88
ACCEPT udp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 udp dpt:123
ACCEPT udp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 udp dpts:137:138
ACCEPT tcp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 tcp dpt:139
ACCEPT tcp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 tcp dpt:443
ACCEPT udp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 udp dpt:445
ACCEPT tcp opt -- in * out * 192.168.1.99 -> 0.0.0.0/0 tcp dpt:445
IN_SSH tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:22
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 recent: CHECK seconds: 10 hit_count: 3 TTL-Match name: sshbf side: source mask: 255.255.255.255
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 recent: CHECK seconds: 1800 hit_count: 4 TTL-Match name: sshbf side: source mask: 255.255.255.255
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 recent: SET name: sshbf side: source mask: 255.255.255.255
ACCEPT icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 ctstate NEW
IN_SSH tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:22
UDP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
iptables: Too many levels of symbolic links.
Well, either way: I can reset all rules, disable iptables, or run the rules, and I still get NO Samba from my other local machine (Win box) at 192.168.1.99 connecting to this Samba server at 192.168.1.10.
Any ideas?
Last edited by wolfdogg (2015-11-28 22:11:06)
Well, it works today. Man, I spent all night on this. The working configuration I had just updated above, so if you go with what's above, you're good.
Now, can someone critique my script? Have I done anything majorly stupid? Do I need the `&&`? Is it at least wise?
What's the error message at the bottom from? I think it might be from a recent adjustment.
iptables: Too many levels of symbolic links.
Edit: man, I had that so fuggered up. Here's my new script; it doesn't show any symlink issues, and it looks perfectly clean and maintainable to me anyway. Hope it's useful to someone else.
http://pastebin.com/2LyhfsrN
Last edited by wolfdogg (2015-11-29 05:52:33)
Use /etc/iptables/ folder configs instead of a custom-brewed script.
I guess your issue is the plethora of «&&» there.
uname == latest pf-kernel
Now, can someone critique my script? Have I done anything majorly stupid? Do I need the `&&`? Is it at least wise?
Is your goal to stop processing if an error is encountered? If so, you could use this at the top:
set -o errexit
Just be aware that there may be times when it's OK for your command to return non-zero, so you'd have to program around it (or disable the errexit with 'set +e' and then 'set -e').
Yeah, my goal wasn't only that; more importantly, along with that, it was to be running them in sync so that if one failed, the error output would happen simultaneously, so that it would be clear at which point any failure occurs. That was my initial logic. Is that still covered by
set -o errexit
? If so, that sounds great.
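An added example, not wolfdogg's script or anything else from the thread: the same ruleset skeleton written the way the `set -o errexit` answer suggests, plus a static check for the thread's other open question, the `iptables: Too many levels of symbolic links.` message. That message is the C library text for ELOOP, which the kernel returns when a ruleset contains a chain that can jump back to itself; `iptables -A UDP -p udp -j UDP` in the first script does exactly that (the UDP chain jumping to the UDP chain). Every rule goes through a `rule` wrapper that records it before applying it, and the recorded `-j` graph is walked before anything is saved. `IPT` defaults to the shell no-op `:` so the script is a dry run without root; `IPT=iptables ./fw.sh` applies for real. The LAN 192.168.1.0/24 is the one named in the thread; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's script. Dry run unless IPT=iptables is set.
set -o errexit      # abort at the first failing command, as suggested in the thread
set -o nounset      # an unset variable is an error, not an empty string

IPT="${IPT:-:}"                 # ":" is the shell no-op, so nothing is applied by default
LAN="${LAN:-192.168.1.0/24}"    # LAN from the thread; override with LAN=... if needed
NL='
'
RULES=""            # every rule passed through rule(), one per line, for the static check

# Record a rule, then apply it. Under errexit a non-zero exit from $IPT stops the
# script right here, so the last rule printed is the one that failed.
rule() {
  RULES="${RULES}$*${NL}"
  "$IPT" "$@"
}

build_ruleset() {
  RULES=""
  rule -F                        # flush every chain in the filter table
  rule -X                        # delete every user chain, so -N below cannot fail
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT
  rule -N TCP
  rule -N UDP
  rule -N IN_SSH
  rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  rule -A INPUT -i lo -j ACCEPT
  rule -A INPUT -m conntrack --ctstate INVALID -j DROP
  rule -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
  rule -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
  rule -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
  # Samba from the LAN only: NetBIOS name/datagram (udp 137-138), session (tcp 139), SMB (tcp 445)
  rule -A UDP -s "$LAN" -p udp --dport 137:138 -j ACCEPT
  rule -A TCP -s "$LAN" -p tcp --dport 139 -j ACCEPT
  rule -A TCP -s "$LAN" -p tcp --dport 445 -j ACCEPT
  # ssh behind the thread's xt_recent rate limit
  rule -A TCP -p tcp --dport 22 -j IN_SSH
  rule -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
  rule -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
  rule -A IN_SSH -m recent --name sshbf --set -j ACCEPT
  rule -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
  rule -A INPUT -p tcp -j REJECT --reject-with tcp-reset
}

# Static loop check: each "-A/-I CHAIN ... -j TARGET" is an edge CHAIN>TARGET; any
# chain that can reach itself is printed, one per line. The kernel rejects such a
# ruleset with ELOOP ("Too many levels of symbolic links" in iptables' output).
find_chain_loops() {
  edges=""
  while read -r r; do
    [ -n "$r" ] || continue
    src=""; dst=""
    set -- $r
    while [ $# -gt 0 ]; do
      case "$1" in
        -A|-I) src="$2"; shift ;;
        -j|-g) dst="$2"; shift ;;
      esac
      shift
    done
    if [ -n "$src" ] && [ -n "$dst" ]; then
      edges="$edges $src>$dst"
    fi
  done <<EOF
$RULES
EOF
  for chain in $(printf '%s\n' $edges | cut -d'>' -f1 | sort -u); do
    reach=" "; frontier=" $chain "; grew=1
    while [ "$grew" = 1 ]; do          # grow the reachable set to a fixpoint
      grew=0
      for e in $edges; do
        src="${e%>*}"; dst="${e#*>}"
        case "$frontier" in
          *" $src "*)
            case "$reach" in
              *" $dst "*) ;;
              *) reach="$reach$dst "; frontier="$frontier$dst "; grew=1 ;;
            esac ;;
        esac
      done
    done
    case "$reach" in *" $chain "*) echo "$chain" ;; esac
  done
}

build_ruleset
loops=$(find_chain_loops)
if [ -n "$loops" ]; then
  printf 'refusing to save: chain loop through %s\n' "$loops" >&2
  exit 1
fi
if [ "$IPT" != ":" ]; then
  iptables-save > /etc/iptables/iptables.rules   # persist, as the thread's script does
fi
```

On the `&&` question: errexit and a `&&` chain both run the commands in order and stop at the first non-zero exit, so with `-v` on each call the last line on the console is still the rule that failed. The difference is that errexit also covers lines you forget to chain, and it aborts on things the thread's script tolerated, such as `-N` of a chain that already exists, which is why this version flushes and deletes the user chains first.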