Hey guys, I hope one of you who knows iptables can please help me out. I am trying to connect to a Windows share on a local network when I have my firewall active.
Here is my iptables.rules, in which I have opened up ports 135-139 & 445 (tcp/udp); can any of you see what the problem is?
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [304170:18214390]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A interfaces -i lo -j ACCEPT
-A open -p tcp -m tcp --dport 22 -j ACCEPT
-A open -p udp -m udp --dport 135:139 -j ACCEPT
-A open -p tcp -m tcp --dport 135:139 -j ACCEPT
-A open -p udp -m udp --dport 445 -j ACCEPT
-A open -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
Last edited by Tyriel (2009-06-18 10:02:24)
The software required Windows XP or better, so I installed archlinux.
If I interpret the iptables manual correctly:
the line
-A INPUT -j interfaces
matches ALL PACKETS, so the rules below are ignored
UNLESS
you add a RETURN rule in your chain:
-A interfaces -i lo -j ACCEPT
-A interfaces -j RETURN
edit: or specify RETURN as default policy for your chains
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [304170:18214390]
:interfaces RETURN [0:0]
:open RETURN [0:0]
Last edited by robmaloy (2009-06-18 07:18:53)
☃ Snowman ☃
Add "-m state --state NEW" to your rules in the open table?
You also don't need "-m tcp" or "-m udp" in the rules in the open table (but it shouldn't hurt to have them).
Also, you are actively dropping all packets from these networks:
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
if the machine you are trying to connect to is in one of those net-blocks..
pop goes the weasel (as those rules appear earlier than the state allowance for related,established)
Last edited by cactus (2009-06-18 07:31:15)
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
robmaloy wrote:
If I interpret the iptables manual correctly:
the line
-A INPUT -j interfaces
matches ALL PACKETS, so the rules below are ignored
UNLESS
you add a RETURN rule in your chain:
User-defined chains don't have default policies, so if no rules are matched, it will JUMP back to where it came from even without a RETURN rule. It's good practice to add a RETURN rule anyway though.
Without knowing more, I'm agreeing with cactus that the connections are coming from one of the private IP ranges that are explicitly dropped early in the rules (192..., 172... or 10....)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Yep, it appears that connections from internal IP ranges are dropped first. Maybe move your ACCEPT rules for port 135:139 and 445 earlier. Remember that once the kernel accepts the packet, it goes through, ignoring other rules. Typically the same applies for DROP rules.
As a general rule, rules with a wider scope belong at the top and more specific rules go near the end.
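To make the two points in this thread concrete (first match wins, so the early `-s 192.168.0.0/16 -j DROP` swallows LAN traffic before the state rule or the `open` chain is ever reached; and a user-defined chain with no matching rule simply returns to the calling chain, with or without an explicit RETURN), here is a small first-match simulator written for this post. It is added illustration, not code from the thread or from the iptables project: it models only the matches the posted rules use (-s, -i, -p, --dport, -m state) and the targets ACCEPT, DROP, REJECT, RETURN and jump-to-user-chain, and the packets it evaluates are constructed. Run it to see the traversal path of an SMB packet from a 192.168.x host through the original ruleset and through the same ruleset with that DROP line removed.

```python
"""First-match simulator for the INPUT path of the iptables ruleset in this thread.

Added example; not part of the original posts.  Only the matches the posted
rules need are modelled, and all packets below are constructed test data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}


@dataclass(frozen=True)
class Packet:
    src: str                    # source IPv4 address
    iface: str                  # input interface: "eth0" or "lo"
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT/DROP/REJECT/RETURN or a user chain
    src: Optional[str] = None            # -s CIDR
    iface: Optional[str] = None          # -i
    proto: Optional[str] = None          # -p
    dports: Optional[tuple] = None       # --dport lo:hi as (lo, hi)
    states: Optional[frozenset] = None   # -m state --state

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.iface and pkt.iface != self.iface:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dports and (pkt.dport is None or not self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def evaluate(chains, pkt, chain="INPUT", trace=None):
    """Walk `chain` top to bottom; the first matching terminal target wins.

    Built-in chains fall back to their policy.  A user-defined chain has no
    policy: running off its end behaves exactly like RETURN, so evaluation
    resumes at the next rule of the chain that jumped to it.
    """
    trace = trace if trace is not None else []
    for idx, rule in enumerate(chains.get(chain, [])):
        if not rule.matches(pkt):
            continue
        trace.append(f"{chain}[{idx}] -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target, trace
        if rule.target == "RETURN":
            return None, trace
        verdict, _ = evaluate(chains, pkt, rule.target, trace)   # jump to user chain
        if verdict is not None:
            return verdict, trace
    return POLICIES.get(chain), trace   # None for a user chain == implicit RETURN


def build_chains(drop_private_lan: bool, explicit_return: bool = False):
    """The INPUT path from the thread, optionally without the 192.168/16 DROP."""
    inp = []
    if drop_private_lan:
        inp.append(Rule("DROP", src="192.168.0.0/16", iface="eth0"))
    inp += [
        Rule("DROP", src="172.16.0.0/12", iface="eth0"),
        Rule("DROP", src="10.0.0.0/8", iface="eth0"),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("interfaces"),
        Rule("open"),
        Rule("REJECT", proto="tcp"),
        Rule("REJECT", proto="udp"),
    ]
    interfaces = [Rule("ACCEPT", iface="lo")]
    if explicit_return:
        interfaces.append(Rule("RETURN"))   # robmaloy's suggestion; same outcome
    open_chain = [
        Rule("ACCEPT", proto="tcp", dports=(22, 22)),
        Rule("ACCEPT", proto="udp", dports=(135, 139)),
        Rule("ACCEPT", proto="tcp", dports=(135, 139)),
        Rule("ACCEPT", proto="udp", dports=(445, 445)),
        Rule("ACCEPT", proto="tcp", dports=(445, 445)),
    ]
    return {"INPUT": inp, "interfaces": interfaces, "open": open_chain}


def verdict_for(pkt: Packet, drop_private_lan: bool, explicit_return: bool = False):
    return evaluate(build_chains(drop_private_lan, explicit_return), pkt)


if __name__ == "__main__":
    smb = Packet("192.168.1.20", "eth0", "tcp", 445)          # constructed LAN client
    for label, drop in (("original", True), ("without 192.168/16 DROP", False)):
        verdict, path = verdict_for(smb, drop)
        print(f"{label}: {verdict} via {' / '.join(path)}")
```

The trace for the original ruleset is a single `INPUT[0] -> DROP`: the packet never reaches the RELATED,ESTABLISHED rule or the `open` chain, which is exactly what cactus and Snowman describe. With that line removed the same packet walks through `interfaces` (no match, implicit return), into `open`, and is accepted on the tcp/445 rule; a packet to a port that `open` does not list falls back out of the chain and hits the tcp REJECT, and adding an explicit RETURN to `interfaces` changes nothing about either outcome.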
Thanks for your help guys, it was a case of dropping all packets from "-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP". I really appreciate the help as my knowledge with using iptables is very limited.
Speaking of which I would not mind learning more so could anyone give an example of this or even a good document so I can learn more about iptables?
robmaloy wrote:
If I interpret the iptables manual correctly:
the line
-A INPUT -j interfaces
matches ALL PACKETS, so the rules below are ignored
UNLESS
you add a RETURN rule in your chain:
User-defined chains don't have default policies, so if no rules are matched, it will JUMP back to where it came from even without a RETURN rule. It's good practice to add a RETURN rule anyway though.
Without knowing more, I'm agreeing with cactus that the connections are coming from one of the private IP ranges that are explicitly dropped early in the rules (192..., 172... or 10....)
good to know, ty