Ports that Samba uses
Samba uses NetBIOS ports 137,138 udp and 139 tcp. It also uses port 445 for SMB file sharing without NetBIOS.
Sample iptables rules for Samba:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 -j ACCEPT
iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport --dports 139,445 -j DROP
iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
It's a simple trick, but iptables can count the number of connections in a time period and block based on that count. For example:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
So no more than 4 new connections from the same IP in 60 seconds, or you get blocked.
It's always a good idea to log anything you drop; it lets you troubleshoot issues later. In iptables this is very easy: if your DROP sits at the bottom of a chain, all you have to do is place a LOG line right before it. If you want to add something that identifies these drops in your log, that's possible too:
-A INPUT <rule to trigger drop> -j LOG --log-prefix "DROP "
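As an added example (not from the original post), here is a POSIX shell script that reads kernel log lines carrying that "DROP " prefix, totals them per source, protocol and destination port, and flags sources that reach a threshold, so the same "N hits" idea the recent match enforces can be checked after the fact. The log lines are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of kernel log lines written by a "-j LOG --log-prefix DROP"
# rule: three SSH attempts from one host, a NetBIOS and an SMB probe from another,
# and one unrelated sshd line that the filter must ignore.
SAMPLE_LOG='Jan 12 10:00:01 web1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Jan 12 10:00:02 web1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Jan 12 10:00:03 web1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Jan 12 10:00:04 web1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=120 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 12 10:00:05 web1 sshd[812]: Accepted publickey for admin from 192.0.2.20 port 40000 ssh2
Jan 12 10:00:06 web1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=120 PROTO=TCP SPT=4444 DPT=445 SYN URGP=0'

# summarize_drops [PREFIX]: read log lines on stdin, print "count src proto dport"
# for every distinct (SRC, PROTO, DPT) tagged with PREFIX (default DROP), busiest first.
summarize_drops() {
    awk -v p="${1:-DROP}" '
        # Only lines from our LOG rule: the prefix is followed by the IN= field
        # that the kernel always writes first.
        index($0, p " IN=") == 0 { next }
        {
            src = proto = dpt = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# noisy_sources THRESHOLD [PREFIX]: list source addresses whose total drop
# count reaches THRESHOLD, one per line.
noisy_sources() {
    summarize_drops "${2:-DROP}" | awk -v t="$1" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= t) print s }
    ' | sort
}

# Stand-alone usage: summarise the sample and flag hosts with 3 or more drops.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

On a real host feed it with the kernel log (for example the output of journalctl -k) instead of the sample.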
Just like most sysadmins I have to deal with developers who want to zip off a quick email after their application finishes processing. Sounds good, right? Yes it is... but the internet is not a happy place and spam is around every corner. To avoid getting tagged as spam, your systems' email should really be sent via an internal relay. The internal relay should be registered with an MX entry in DNS to get the all-clear from spam appliances and filtering. As such I want to use iptables to stop outgoing SMTP requests unless they go to my central relay (184.108.40.206):
-A OUTPUT -p tcp -d 184.108.40.206 --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j DROP
Works great... if you use a local mail program you might want to add this line first:
-A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -m state --state NEW -j ACCEPT
Well here goes another Oracle 11gR2 note for you all out there. Let me just say Oracle’s documentation either does not exist or is so buried it’s impossible to find on this topic with 11gR2.
As always I want to lock down the system as much as possible, which requires iptables. Early in the process I gave up any chance of locking down communication between nodes and interconnects and focused on client connections. As always, any client needs to be able to talk to port 1521 TCP, but GNS on 11gR2 adds some new ports:
As you may be aware, GNS provides its own VIP-equipped DNS server for its delegated subdomain. So it's critical that you open up DNS to your DNS systems, which means opening 53 UDP:
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
You might want to add a source port match and lock it down to your DNS systems.
Otherwise it should work (provided you open up iptables between the nodes).
I am constantly having to check firewall rules for services I have not yet set up. In this post I will reference the client (source address) and server (destination address).
Open a TCP port with netcat; for example, to open port 80 TCP I would use the following (with traditional netcat the listen port is given as -l -p 80):
nc -l 80
Check the TCP port with telnet; to connect to port 80:
telnet destination_ip 80
To open a UDP listener on port 80 on the destination, use the following command:
nc -lu 80
To connect to your destination over UDP on port 80, use the following command from your source:
nc -zu destination_ip 80
Netcat (nc) can also be used for a lot of other purposes. It can also be used as a very fast basic port scanner:
To scan a range of UDP ports 80-4000
nc -zu destination_ip 80-4000
To get more information, add v for verbose output; for even more, add another v:
nc -vvzu destination_ip 80-4000
To scan a range of TCP ports 80-4000
nc -z destination_ip 80-4000
What is the use of blocking outgoing traffic? Imagine you have a web server and you want to allow customers to access it, but you do not want rogue software to send messages from your web server to other people. This rule is for you.
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT
The average personal PC needs to be able to reach out to the internet and communicate, but there is no need for people to reach from the internet into your PC. This set of rules takes advantage of the stateful nature of iptables to allow incoming messages only on ESTABLISHED connections (previously set up by OUTPUT).
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
You want to stop all traffic, allowing nothing in or out.
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT
Allow web and SSH connections. SSH and web both require outgoing messages on established TCP connections:
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Then you need to allow incoming connections on ports 80 and 22, and possibly 443:
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 --sport 1024:65535 -m state --state NEW -j ACCEPT