RE: Samba What a struggle

From: Eric Diamond (eric_at_ediamond.net)
Date: 03/04/04

    To: <fedora-list@redhat.com>
    Date: Thu, 4 Mar 2004 13:34:52 -0700
    
    

    > Andrew Robinson wrote:
    >
    > Alexander Dalloz wrote:
    > > Am Mi, den 03.03.2004 schrieb Andrew Robinson um 20:51:
    > >
    > >
    > >># Samba access
    > >>-A RH-Firewall-1-INPUT -m udp -p udp --dport 137:138 -j ACCEPT
    > >>-A RH-Firewall-1-INPUT -m udp -p udp --sport 137:138 -j ACCEPT
    > >>-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
    > >>-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
    > >>-A RH-Firewall-1-INPUT -m udp -p udp --dport 445 -j ACCEPT
    > >>-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 1512 -j ACCEPT
    > >>-A RH-Firewall-1-INPUT -m udp -p udp --dport 1512 -j ACCEPT
    > >>
    > >>I don't think all of these iptables entries are required to get Samba
    > >>to work. However, this works for me.
    > >
    > >
    > > .oO Be aware of what you open up this way! You are at high risk of opening
    > > your samba filesharing to the whole internet. Be sure you only open
    > > those ports on your local net and not on outbound devices.
    > >
    >
    > How would I restrict these entries to my local net? Do I add an "-s
    > 192.168.1/24" to each line?
    >
    > Thanks!
    >
    > Andrew
    >

    That would work, but wouldn't prevent spoofing. If you're running samba on a
    gateway device, then you really don't need the above rules. You should be
    paranoiacally restrictive on your external interface, but unless you've
    already been burned by internal hackers, you can probably trust your
    internal interface.

    redhat-config-securitylevel has checkbox options for trusting all traffic on
    specific interfaces, or if you prefer to edit /etc/sysconfig/iptables
    directly then something like this will do to create a basic black hole on
    eth1 while trusting everything from eth0 and masquerading outbound traffic.

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :no-conns-from-eth1 - [0:0]
    -A INPUT -j no-conns-from-eth1
    -A FORWARD -j no-conns-from-eth1
    -A no-conns-from-eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A no-conns-from-eth1 -i ! eth1 -m state --state NEW -j ACCEPT
    -A no-conns-from-eth1 -i eth1 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth1:"
    -A no-conns-from-eth1 -i ! eth1 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet NOT from eth1:"
    -A no-conns-from-eth1 -j DROP
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT

    Note: This is iptables-save output from a script that was (almost) copied
    wholesale from Rusty's IP Filtering and NAT HOWTOs. It is deliberately very
    basic. Given the realities of being connected to the internet you will
    probably want additional rules. Google 'iptables' for more resources. I
    recommend Rusty's guides highly. After all, he did write the stuff...

    You should then restrict samba to the internal interface with:

    interfaces = eth0
    bind interfaces only = yes

    This also interacts with the hosts allow list so make sure you've included
    all networks/subnets that will be accessing this server in your hosts allow
    statement:

    hosts allow = 192.168.42. 10.42.0. 127.

    Make doubly sure you include the 127. reference or nasty things can happen
    when you implement bind interfaces only. See man smb.conf for details.

    Hope this helps. Have fun!

    Eric Diamond
    eDiamond Networking & Security
    303-246-9555
    eric@ediamond.net
     

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
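    The warning above is that Samba ACCEPT rules with neither an interface (-i) nor a source network (-s) match admit traffic from anywhere. The following is an added example, not code from the thread: a POSIX shell audit that reads an iptables-save dump and reports Samba-port ACCEPT rules lacking either restriction. The Samba port set (137/138 UDP, 139/445 TCP) and the sample rules are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for ACCEPT
# rules on Samba ports that are restricted neither to an interface (-i) nor to
# a source network (-s), i.e. the "open to the whole internet" case above.
# Samba ports assumed: 137/138 UDP (nmbd), 139/445 TCP (smbd).

# Reads rules on stdin, prints each unrestricted Samba ACCEPT rule, and
# returns 1 if at least one was found (0 otherwise). A negated match such
# as "-i ! eth1" still counts as an interface restriction here.
audit_samba_rules() {
    awk '
    # True if port spec p (a port or a "lo:hi" range) overlaps a Samba port.
    function samba_port(p,    n, r, lo, hi) {
        n = split(p, r, ":"); lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
        return (lo <= 138 && hi >= 137) || (lo <= 139 && hi >= 139) || (lo <= 445 && hi >= 445)
    }
    /-j ACCEPT/ {
        port = ""; iface = 0; src = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport" || $i == "--sport") port = $(i + 1)
            if ($i == "-i") iface = 1
            if ($i == "-s") src = 1
        }
        if (port != "" && samba_port(port) && !iface && !src) {
            print "UNRESTRICTED: " $0; bad++
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample: three of the rules posted in the thread, plus two
# restricted variants (interface-bound and source-bound) and one non-Samba port.
SAMPLE_RULES='-A RH-Firewall-1-INPUT -m udp -p udp --dport 137:138 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --sport 137:138 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m udp -p udp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 1512 -j ACCEPT'

# Demo: the first three sample rules are reported; exit status 1 means "review".
printf '%s\n' "$SAMPLE_RULES" | audit_samba_rules \
    || echo "Samba ports are reachable from any interface/source; bind them with -i or -s."
```

    On a live box, feed it `iptables-save | audit_samba_rules` instead of the constructed sample.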
    
