Well, still no go. I've attached the script I used to create the firewall. Tcpdump still shows an icmp packet going back to the queried machine to say the UDP port is unreachable. Also, I don't see anything in any files in /var/log (I grepped for Packets).

Can anyone comment on what the -m flag is for?

Ulrich Kohlhase wrote:

Justin,

>-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
>-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
>-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT


Did you specify OUTPUT rules also? You may want to try the following
lines taken from a working server config. "keep_state" is a special
chain for stateful inspection and logging purposes:

-N keep_state
-A keep_state -m state --state INVALID -j DROP
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
# debug, info, notice, warning, err, crit, alert and emerg
-A keep_state -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level notice --log-prefix "Packets dropped: "
-A keep_state -j DROP

-A INPUT   -p tcp -s 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
-A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
-A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
-A INPUT   -p tcp -s 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
-A INPUT   -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A OUTPUT  -p udp -d 192.168.1.0/24 --dport 137:139 -j ACCEPT


--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main   713.329.9330
Fax    713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)

Attachment: fw.sh
Description: Bourne shell script
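As an added example (not the attached fw.sh and not Ulrich's config), here is the same idea written as a complete iptables-restore ruleset built around a keep_state chain, with comments on what -m does and on why a UDP datagram that INPUT accepts still gets an ICMP port-unreachable when nothing is listening. The LAN range is an assumed placeholder.

```shell
#!/bin/sh
# Constructed example: a NetBIOS ruleset in iptables-restore format built
# around a "keep_state" chain. It is not the attached fw.sh.
#
# "-m NAME" loads an iptables match extension and makes its options
# available: "-m state" gives --state, "-m limit" gives --limit.
# "-m tcp"/"-m udp" are loaded implicitly by "-p tcp"/"-p udp".
# ("-m state" still works; "-m conntrack --ctstate" is the newer form.)
LAN="${LAN:-192.168.1.0/24}"   # assumed LAN range, same as in the thread

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:keep_state - [0:0]
# keep_state: drop garbage, pass replies to known flows, log and drop the rest
-A keep_state -m state --state INVALID -j DROP
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
# log levels: debug, info, notice, warning, err, crit, alert, emerg
-A keep_state -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level notice --log-prefix "Packets dropped: "
-A keep_state -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 139/tcp session service: new connections in from the LAN, replies out via keep_state
-A INPUT -p tcp -s $LAN --sport 1024: --dport 139 --syn -j ACCEPT
-A OUTPUT -p tcp -d $LAN --sport 139 --dport 1024: -j keep_state
# 137-138/udp name and datagram service: no handshake, so allow both directions
-A INPUT -p udp -s $LAN --dport 137:138 -j ACCEPT
-A OUTPUT -p udp -d $LAN --sport 137:138 -j ACCEPT
# A UDP datagram that INPUT accepts but no socket is bound for gets an ICMP
# port-unreachable from the kernel (a DROPped packet gets no reply at all);
# conntrack marks that ICMP RELATED, so keep_state lets it out and logs the rest.
-A OUTPUT -p icmp -d $LAN -j keep_state
COMMIT
EOF
}

# Number of -A rule lines, handy for a quick sanity check before loading.
rule_count() { gen_rules | grep -c '^-A'; }

# Apply only when explicitly asked; needs root and iptables-restore.
case "${1:-}" in
    show)  gen_rules ;;
    apply) gen_rules | iptables-restore ;;
esac
```

Run with `show` to review the generated ruleset, or `apply` to load it; if tcpdump still shows port-unreachable replies, the datagram was accepted and the service simply is not bound to that port.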
