One thing I forgot to mention: I want to use SMB from the webserver. For example, when I log in on it with SSH, I want to be able to do:
nmblookup niels (niels is a server on the lan)

This works with FW off, but not when it is on.

----- Original Message -----
From: "Kai Klopper" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, January 02, 2002 4:31 PM
Subject: SMB in iptables

> I have created a firewall setup for a pc that serves as web and database
> server on our university network.
>
> It is basically a setup with an input deny and output allow policy. No NAT
> or masquerading is used whatsoever.
> Kernel is a self-compiled 2.4.16.
> The firewall functions well for most things:
> all ports are blocked except ssh, http, ftp and mysql.
> However, I have some questions:
>
> 1. How do I get SMB to work? It does not function with the rules below. I
> have experimented with the following lines:
> #
> iptables -A INPUT -i eth0 -p 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p 138 -j ACCEPT
> iptables -A INPUT -i eth0 -p 139 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.221.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 131.211.255.255 -j ACCEPT
> iptables -A INPUT -p ALL -i eth0 -d 255.255.255.255 -j ACCEPT
> #
> However, they all make no difference whatsoever.
>
> 2. Should I open both ports 20 and 21 for ftp? I use pure-ftpd.
>
> 3. Should I deny UDP packets on interfaces that basically use TCP?
>
> 4. Is it wise to check for malformed packets, such as Christmas packets and
> the like?
>
> Thanks for helping me,
>
> Kai Klopper
>
> #!/bin/sh
> ## Create chain which blocks new connections, except if coming from inside.
> #iptables -P FORWARD DROP
> iptables -F
> iptables -X block
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
>
> ## Jump to that chain from INPUT and FORWARD chains.
> #iptables -A FORWARD -j block
>
> iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> # only allow mysql from university ip-addresses
> iptables -A INPUT -p tcp -i eth0 -s 131.211.0.0/16 --dport 3306 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> iptables -A INPUT -j block
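The script below is an added worked example, not the poster's script and not anything from the list archive. It shows the INPUT rules that answer the four questions for this setup: the SMB rules that were tried use "-p 137", which iptables reads as IP protocol number 137 rather than a port, so they never matched anything. The script assumes eth0 is the campus-facing interface and that the 131.211.0.0/16 range the original script already trusts for mysql is the LAN that should reach SMB; both are assumptions and can be overridden through the LAN and WAN_IF variables. Port 445 is included for SMB clients that no longer use NetBIOS session service; drop that line if only NetBIOS-era clients exist.

```shell
#!/bin/sh
# Added example, not the original poster's script. Emits the INPUT rules
# this firewall needs for SMB, FTP and malformed-packet filtering.
# Assumptions (not from the original mail): eth0 is the campus-facing
# interface; 131.211.0.0/16 is the LAN allowed to reach SMB.
# Set DRY_RUN=1 to print the commands instead of loading them.
set -e
LAN=${LAN:-131.211.0.0/16}
WAN_IF=${WAN_IF:-eth0}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. SMB. "-p 137" selects IP protocol number 137, not a port, which is
# why the posted rules changed nothing. NetBIOS name and datagram service
# are UDP 137/138; the session service is TCP 139 (445 on newer clients).
smb_rules() {
    run iptables -A INPUT -i "$WAN_IF" -p udp -s "$LAN" --dport 137 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp -s "$LAN" --dport 138 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp -s "$LAN" --dport 139 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp -s "$LAN" --dport 445 -j ACCEPT
    # nmblookup sends its query to the subnet broadcast address; the answer
    # comes back unicast from the responder's UDP 137, so the state match
    # never sees it as ESTABLISHED and the block chain drops it. Accept it
    # explicitly, but only from the LAN, since a source-port match is weak.
    run iptables -A INPUT -i "$WAN_IF" -p udp -s "$LAN" --sport 137 -j ACCEPT
}

# 2. FTP. Port 21 is the only listener clients connect to directly.
# Active-mode data connections leave from port 20 (OUTPUT is ACCEPT);
# passive-mode ones arrive on a high port. The conntrack FTP helper marks
# both as RELATED, so the existing state rule in the block chain accepts them.
ftp_rules() {
    run modprobe ip_conntrack_ftp
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 21 -j ACCEPT
}

# 3. and 4. UDP needs no extra deny: the INPUT DROP policy already covers it.
# Malformed packets: drop what conntrack cannot classify, plus the
# all-flags (Xmas) and no-flags (NULL) TCP probes.
sanity_rules() {
    run iptables -A INPUT -m state --state INVALID -j DROP
    run iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    run iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
}

# Count the ACCEPT rules a rule function emits, so a dry run can be checked.
count_accepts() {
    ( DRY_RUN=1; "$1" ) | grep -c 'ACCEPT'
}

# Load everything only when invoked as "sh fw-extra.sh apply".
if [ "${1:-}" = apply ]; then
    sanity_rules   # first, so the drops precede every per-service accept
    smb_rules
    ftp_rules
fi
```

Usage: `DRY_RUN=1 sh fw-extra.sh apply` prints the rules; `sh fw-extra.sh apply` loads them. Because the original script ends with `iptables -A INPUT -j block` and `-A` appends, these rules must be loaded before that last line (or the block-chain jump must be re-added afterwards), otherwise they sit behind the unconditional DROP and are never evaluated.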

