James wrote:
>> Daniel Iliev <danny <at> ilievnet.com> writes:
>>     
>
>
> My iptables based firewall seems to be working. However, I keep getting
> triplets of this activity:
>
> curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
> www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
>  Win=0 Len=0
>
> similar problem (2469 > microsoft-ds)
>  Other problems are (info section is only difference) epmap > 3081
>
>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
>> have destination the FW itself)
>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
>> ( < the packets have destination the "target-PC". )
>>     
>
>
> Your advice is working, beautiful
>
> Much Thanks!
>
>
> James
>
I'm not sure if I get this message right, but if it is a question of how to
deal with packets like these:

>curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 

the answer is: Add the same rules, but replace "microsoft-ds" with 
"netbios-ssn" or the corresponding number from /etc/services. Those rules would 
look like:
"iptables -A INPUT -p tcp --dport netbios-ssn -j DROP"
it's the same as:
"iptables -A INPUT -p tcp --dport 139 -j DROP"

And if the target is not the FW:
iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP
or
iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP


It seems that you want to stop the MS NetBIOS activity. The ports used
for this service are 137, 138, 139 and 445, so the rule-set could be
something like this:

iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP
iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP

or 

iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 137:139 -j DROP




-- 
Best regards,
Daniel
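The rules above can be generated from one small script so that the INPUT and FORWARD variants stay consistent. This is an added example, not part of the thread; the function name `netbios_drop_rules` and the address `192.0.2.10` (standing in for `*target-PC*`) are assumptions. It goes slightly beyond the rules quoted above: 137 (netbios-ns) and 138 (netbios-dgm) are UDP services, so a `-p tcp --dport 137:139` rule does not cover them, and the script emits a separate UDP rule for that range. The script only prints the commands; review them and pipe them to `sh` as root when you are happy with the result.

```shell
#!/bin/sh
# Added example: print the iptables DROP rules for the Microsoft file-sharing
# ports. TCP 139 (netbios-ssn) and 445 (microsoft-ds) carry the sessions seen
# in the capture; 137 and 138 (netbios-ns, netbios-dgm) are UDP, so they get
# their own rule.
#
# Usage: netbios_drop_rules CHAIN [DEST_IP]
#   netbios_drop_rules INPUT                 -> rules for packets addressed to the firewall
#   netbios_drop_rules FORWARD 192.0.2.10    -> rules for packets forwarded to one host
#                                               (192.0.2.10 is a placeholder address)
# Apply with:  netbios_drop_rules FORWARD 192.0.2.10 | sudo sh

netbios_drop_rules() {
    chain=$1
    dst=$2
    dest_opt=""
    # Only the FORWARD variant needs a destination match; INPUT already
    # means "addressed to this machine".
    if [ -n "$dst" ]; then
        dest_opt="-d $dst "
    fi
    # TCP session ports (the ones visible in the posted capture).
    for port in 139 445; do
        printf 'iptables -A %s %s-p tcp --dport %s -j DROP\n' "$chain" "$dest_opt" "$port"
    done
    # UDP name service and datagram service.
    printf 'iptables -A %s %s-p udp --dport 137:138 -j DROP\n' "$chain" "$dest_opt"
}

# When run directly with arguments, print the rules for those arguments.
if [ $# -gt 0 ]; then
    netbios_drop_rules "$@"
fi
```

Each line of output is a complete `iptables` command, so the result can be checked with `iptables -L -n` after applying, or kept in a file and loaded from an init script.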


-- 
gentoo-user@gentoo.org mailing list
