
Thread: Using IPTABLES to block access to samba except certain IPs

  1. #1

    Using IPTABLES to block access to samba except certain IPs

    I am running a samba server on Fedora Core 4 on a home DSL connection. I want to allow only the machines on my local network and my cousin's computer, which is on a different network, to be able to connect to samba while blocking everyone else. With my current setup I recently discovered that other machines on the same subnet as me can see my Samba server, and I am getting a lot of different computers and IP addresses showing up in my logs.

    What I would like to do to prevent this is setup an IPTABLES firewall to block all access to samba and then create rules to allow only the IP addresses on my network and my cousin's network.

    Here is my current firewall configuration. As you can see, I do not have the samba port listed, so it is closed by default. What I need to know is how to create the rules to open up access for the specific IPs.

    # import this saved configuration into your iptables configuration with the following command:
    # iptables-restore < web_server.config

    *nat
    :PREROUTING ACCEPT [127173:7033011]
    :POSTROUTING ACCEPT [31583:2332178]
    :OUTPUT ACCEPT [32021:2375633]
    COMMIT

    *mangle
    :PREROUTING ACCEPT [444:43563]
    :INPUT ACCEPT [444:43563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [402:144198]
    :POSTROUTING ACCEPT [402:144198]
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    COMMIT

    *filter
    :INPUT DROP [1:242]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :icmp_packets - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 901 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
    -A INPUT -s 127.0.0.1 -j ACCEPT
    -A INPUT -p icmp -j icmp_packets
    -A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7


    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 901 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 3128 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 8000 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 8001 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT
    -A OUTPUT -d 127.0.0.1 -j ACCEPT
    -A OUTPUT -p icmp -j icmp_packets
    -A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7


    -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
    -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
    COMMIT



    I tried using the following IPTABLES rules to open up access to my computer only, but it has not been successful.

    iptables -A INPUT -s 192.168.1.46 -p tcp -m tcp --dport 445 -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.46 -p tcp -m tcp --dport 445 -j ACCEPT


    I have also tried using 192.168.1.0/24 for the IP to open up access to all the machines on my local network and that doesn't work either.

    Does anyone have an idea of what I am doing incorrectly? I would appreciate any and all assistance. Thank you very much.

    Jason

  2. #2
    I've got a similar rule running for ssh. The only difference is I've left off the -m portion:

    iptables -A INPUT -s ip.ad.dr.ess -p tcp --dport 22 -j ACCEPT

    The -m option tells iptables to find an "explicit" match. You were already matching the tcp protocol with the -p.

    Here's an explanation from a linuxvoodoo tutorial...

    The difference between implicitly loaded matches and explicitly loaded ones, is that the implicitly loaded matches will automatically be loaded when, for example, you match on the properties of TCP packets, while explicitly loaded matches will never be loaded automatically - it is up to you to discover and activate explicit matches.

    http://www.linuxvoodoo.com/resources...l/matches.html
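The complete set of rules post #1 asks for, written in the same form as post #2's ssh rule, as an added example that is not code from either poster. It covers all the ports Samba listens on (445/tcp, 139/tcp, 137-138/udp), not just 445, and splices them into the saved ruleset before the INPUT chain's LOG line rather than appending with iptables -A, because appended rules are wiped the next time the saved file is loaded with iptables-restore. The function names samba_rules and splice_rules are mine; 192.168.1.0/24 is the LAN from the post and 203.0.113.10 is a documentation-range placeholder standing in for the cousin's public address.

```shell
#!/bin/sh
# Added example, not from the thread: build Samba allow rules for a list of
# trusted sources and splice them into a saved iptables ruleset
# (iptables-save format, as used in the original post).
set -eu

# Samba uses 445/tcp (SMB), 139/tcp (NetBIOS session) and 137-138/udp
# (NetBIOS name service / datagram). One trio of rules per trusted source.
# "-m tcp" is the form iptables-save itself emits, so it is kept here.
samba_rules() {
    for src in "$@"; do
        printf -- '-A INPUT -s %s -p tcp -m tcp --dport 445 -j ACCEPT\n' "$src"
        printf -- '-A INPUT -s %s -p tcp -m tcp --dport 139 -j ACCEPT\n' "$src"
        printf -- '-A INPUT -s %s -p udp -m udp --dport 137:138 -j ACCEPT\n' "$src"
    done
}

# Read a saved ruleset on stdin and write it to stdout with the rules in $1
# inserted before the first "-A INPUT -j LOG" line. Placing them before the
# LOG rule means permitted SMB traffic is neither dropped by the DROP policy
# nor logged as "Default Drop". Rules are passed via ENVIRON so awk does not
# reinterpret backslashes or newlines in them.
splice_rules() {
    RULES="$1" awk '
        /^-A INPUT -j LOG/ && !spliced { print ENVIRON["RULES"]; spliced = 1 }
        { print }
    '
}

# Constructed sample: a cut-down version of the poster's *filter table.
SAMPLE='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
COMMIT'

# Trusted sources (assumptions): the LAN from the post plus a placeholder
# for the cousin's address. Replace 203.0.113.10 with the real one.
RULES=$(samba_rules 192.168.1.0/24 203.0.113.10)
printf '%s\n' "$SAMPLE" | splice_rules "$RULES"
```

Run it against the real saved file (`splice_rules "$RULES" < web_server.config > web_server.new`), load the result with iptables-restore, and confirm the order with `iptables -L INPUT -n --line-numbers`: the Samba ACCEPT lines must sit above the LOG line.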
