iptables: Samba

Ports that Samba uses

Samba uses the NetBIOS ports 137 and 138 (UDP) and 139 (TCP). It also uses port 445 (TCP) for SMB file sharing without NetBIOS.

Sample iptables rules for Samba:

SAMBA_SERVER="192.168.1.100"
NETWORK="192.168.1.0/24"
BROADCAST="192.168.1.255"   # directed broadcast address of $NETWORK (192.168.1.0/24)

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# NetBIOS name/datagram service from the local network only
iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 137,138 -j ACCEPT
# NetBIOS session service and SMB over TCP from the local network only
iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport --dports 139,445 -j ACCEPT
# NetBIOS name queries sent to the subnet broadcast address
iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 -j ACCEPT
# everything else aimed at the Samba ports is dropped
iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport --dports 139,445 -j DROP
iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables stop people who make too many connections in a time period

Well, it’s a simple deal, but iptables can count the number of new connections from an address in a time period and block based on it. For example:

iptables -N SSH_CHECK
# send every new SSH connection through the check chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# record the source address in the "SSH" recent list
iptables -A SSH_CHECK -m recent --set --name SSH
# drop it when that address has 4 or more hits within the last 60 seconds
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

So no more than 4 connections from the same IP in 60 seconds, or you get blocked.

iptables log before you drop with a tag

It’s always a good thing to log anything you drop; this allows you to troubleshoot issues later. In iptables this is very easy. If you place your DROP at the bottom of a chain, all you have to do is place a LOG rule, with the same match, right before the DROP (the LOG target writes to the kernel log, so the entries show up in dmesg or wherever syslog sends kernel messages). If you want to add something to identify those drops in your log, that’s possible too with --log-prefix:

-A INPUT <same match as the rule that drops> -j LOG --log-prefix "DROP "
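Once the drops carry that tag, the kernel log can be mined for them. The following is an added example, not part of the original post: a small Python script that parses the lines tagged with "DROP " out of a syslog or journal export and counts them per source, protocol and destination port, so the cause of a drop can be tracked down later. The sample log lines are constructed for the demo and the script name in the comment is assumed.

```python
import re
import sys
from collections import Counter

LOG_PREFIX = "DROP "  # must be the exact string given to --log-prefix

# One tagged entry per line: optional dmesg timestamp, the prefix, then KEY=VALUE fields.
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?" + re.escape(LOG_PREFIX) + r"(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines (addresses from documentation ranges) in the shape the
# LOG target produces; the sshd line shows that untagged entries are ignored.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=445 SYN URGP=0
Mar  3 10:01:13 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=139 SYN URGP=0
Mar  3 10:01:20 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.100 LEN=78 TTL=64 ID=4321 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:01:25 fw sshd[1234]: Accepted publickey for ops from 192.168.1.20 port 50000 ssh2
Mar  3 10:01:30 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=445 SYN URGP=0
"""


def parse_drop_line(line):
    """Return the KEY=VALUE fields of one tagged LOG line as a dict, or None if untagged."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group("fields")
    fields = dict(FIELD_RE.findall(body))  # a repeated key (the UDP LEN) keeps the last value
    # Bare tokens such as DF or SYN carry no '=', so keep them as a flag list.
    fields["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
    return fields


def summarize(lines, top=5):
    """Count dropped packets per (SRC, PROTO, DPT) so the noisiest sources surface first."""
    counts = Counter()
    for line in lines:
        f = parse_drop_line(line)
        if f is not None:
            counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts.most_common(top)


if __name__ == "__main__":
    # Usage: `journalctl -k | python3 droplog.py` or `python3 droplog.py /var/log/kern.log`;
    # with no input at all the constructed sample is summarized instead.
    if len(sys.argv) > 1:
        source = open(sys.argv[1])
    else:
        source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for (src, proto, dpt), n in summarize(source):
        print(f"{n:5d}  {src} -> {proto}/{dpt}")
```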

Block outgoing smtp except to an approved relay in iptables

Just like most sysadmins, I have to deal with developers who want to zip off a quick email after their application finishes processing. Sounds good, right? Yes it is… but the internet is not a happy place and spam is around every corner. To avoid getting tagged as spam, your systems’ email should really be sent via an internal relay. The internal relay should be registered with an MX entry in DNS to get the clear from all spam appliances and filtering. As such I want to use iptables to stop outgoing SMTP requests unless they go to my central relay (123.123.123.123):

-A OUTPUT -p tcp -d 123.123.123.123 --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j DROP

Works great… if you use local mail programs (which deliver to the MTA on localhost), you might want to add this line first:

-A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -m state --state NEW -j ACCEPT

Oracle 11gR2 Rac GNS iptables

Well, here goes another Oracle 11gR2 note for you all out there. Let me just say Oracle’s documentation on this topic either does not exist or is so buried it’s impossible to find for 11gR2.

As always I want to lock down the system as much as possible, which requires iptables. Early in the process I gave up any chance of locking down communication between nodes and interconnects and focused on internal connections. Like always, any client needs to be able to talk to port 1521 TCP, but GNS + 11gR2 adds some new ports:

As you may be aware, GNS provides its own VIP-equipped DNS server for its delegated subdomain. So it’s critical that you open up DNS to your DNS systems, which means opening 53 UDP:

-A INPUT -p udp -m udp --dport 53 -j ACCEPT

You might want to add a source match to lock it down to your DNS systems.

Otherwise it should work (provided you open up iptables between nodes).

Test TCP and UDP connections in Linux for firewalls

I am constantly having to check firewall rules for services I have not yet set up. In this post I will refer to the client (source address) and the server (destination address).

Checking TCP

Server:

Open a TCP port with netcat; for example, to listen on port 80 TCP I would use the following (netcat-traditional on Debian wants nc -l -p 80 instead):

nc -l 80

Client:

Check the TCP port with telnet; to connect to port 80:

telnet destination_ip 80

Checking UDP

To open a UDP listener on port 80 on the destination, use the following command:

nc -lu 80

To connect to the destination’s UDP port 80, use the following command from your source:

nc -zu destination_ip 80

Netcat fun

Netcat (nc) can also be used for a lot of other purposes, including as a very fast basic port scanner:

To scan the range of UDP ports 80-4000:

nc -zu destination_ip 80-4000

To get more information, add -v for verbose output; for even more, add another v:

nc -vvzu destination_ip 80-4000

To scan the range of TCP ports 80-4000:

nc -z destination_ip 80-4000

iptables Block all outgoing traffic

What is the use of blocking outgoing traffic? Imagine you have a web server and you want to allow customers to access it, but you do not want rogue software to send messages from your web server to other people. This rule is for you: only replies on connections that already exist are let out, and every new outbound connection is rejected.

iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -j REJECT

iptables Personal PC Firewalls

The average personal PC needs to be able to reach out to the internet and communicate, but there is no need for people to reach from the internet into your PC. This set of rules takes advantage of the stateful nature of iptables to allow incoming messages only on ESTABLISHED connections (previously set up by OUTPUT).

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT

iptables allow ssh and http

Allow web and SSH connections. SSH and web both require outgoing messages on established TCP connections:

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Then you need to allow incoming connections on ports 80 and 22, and possibly 443:

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 --sport 1024:65535 -m state --state NEW -j ACCEPT