Re: Iptables rule for windows file sharing?
From: Temlakos (temlakos_at_gmail.com)
Date: 01/29/05
- In reply to: cjlesh: "Iptables rule for windows file sharing?"
Date: Sat, 29 Jan 2005 16:45:08 -0500
To: cjlesh@gmail.com, For users of Fedora Core releases <fedora-list@redhat.com>
On Fri, 28 Jan 2005 19:50:02 +0100, cjlesh
<no-reply-gw@fcp.homelinux.org> wrote:
> Hey all:
>
> I have a laptop running Fedora Core 3 and a desktop with Windows XP, both connected via a Linksys router.
>
> I am trying to figure out a way to allow the laptop 'see' the shared directories on the Windows machine. If I disable the Fedora firewall, it works.
>
> I would like to do this without disabling the firewall.
> A Google search turns up the following command:
>
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.1 --destination-port 137:139 -j ACCEPT
>
> however this results in an error.
>
> Any help on a reasonable firewall rule to allow windows share traffic on my local network only?
I finally found the answer, after experimenting with this all day. My
insight comes from running an Ethereal capture of a three-minute
session, during which I browsed a Samba server (actually, two of
them--my own machine and another machine on the network) and printed
to a Samba printer (on the other machine).
In your iptables rule set, make sure you have the following as your last rules:
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 32700:32800 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 32800:32900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Note carefully: insert all rules quoting 192.168.1.0/24 as the source
(-s) directly above the -m state rule accepting ESTABLISHED and
RELATED states.
The above are for a network based on a Linksys router having on it a
Windows machine and/or any UNIX/Linux box running the Samba services.
The rationale is this:
UDP Port 137: NetBIOS name service.
UDP Port range 32700:32800: the upper end of a NetBIOS name service
conversation.
TCP Port 139: NetBIOS-SSN.
TCP Port 445: Microsoft-DS
TCP Port range 32800:32900: the upper end of all SMB TCP conversations.
Open these ports, and their ranges, but /only/ for 192.168.1.0/24 as a
source, and you should have Windows file and print sharing, but will
/not/ have to worry about anyone detecting you on the outside.
If I have time, I might refine this to tighten up the range. But as it
stands now, it works, and it's a lot more narrow than simply opening
my system up to /everything/ having 192.168.1.0/24 as its source.
My next experiment will probably be to restrict everything to
transactions having UDP port 137 or TCP ports 139 and 445 as /either
source or destination port./ Right now, I was concerned strictly with
opening every destination port that might come up. I have something
that works, and is less vulnerable.
Temlakos
-- Temlakos <temlakos@gmail.com> -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
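The following is an added example, not part of the message above or of the fedora-list archive. It parses the iptables-save style lines Temlakos posted and walks a few constructed packets through them in first-match order, so the effect of the -s 192.168.1.0/24 source restriction and of rule ordering can be checked without touching a live firewall. It also includes a small audit helper that flags any port-opening ACCEPT not scoped to a private source network. The evaluator models only the matches the post uses (-p, -s, --dport, -m state); real netfilter semantics are richer, and the Packet class and its conntrack "state" field are simplifications assumed here.

```python
"""First-match evaluator for the SMB/NetBIOS iptables fragment posted above.

Added example, not code from the original message. Only the matches used in
the post are modelled (-p, -s, --dport, -m state); everything else is a
simplification.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# The rule set as posted (RH-Firewall-1-INPUT chain, iptables-save syntax).
RULES = """
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 32700:32800 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 32800:32900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dport: Optional[Tuple[int, int]] = None      # inclusive (low, high) range
    states: Set[str] = field(default_factory=set)


@dataclass
class Packet:
    """Constructed packet; 'state' stands in for the conntrack state."""
    proto: str
    src: str
    dport: int
    state: str = "NEW"


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line into a Rule (supported options only)."""
    toks = shlex.split(line)
    rule = Rule(target="")
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-m", "--reject-with"):
            i += 2                      # chain / match-extension name / reject type: not needed here
        elif t == "-p":
            rule.proto = toks[i + 1].lower(); i += 2
        elif t == "-s":
            rule.src = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t == "--dport":
            lo, _, hi = toks[i + 1].partition(":")
            rule.dport = (int(lo), int(hi or lo)); i += 2
        elif t == "--state":
            rule.states = set(toks[i + 1].split(",")); i += 2
        elif t == "-j":
            rule.target = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("-A")]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """Walk the chain in order; the first matching rule decides."""
    for r in rules:
        if matches(r, pkt):
            return r.target
    return "POLICY"   # fell through to the chain's default policy


def unscoped_accepts(rules: List[Rule]) -> List[Rule]:
    """Audit: ACCEPT rules that open a port without a private-network source."""
    return [r for r in rules
            if r.target == "ACCEPT" and r.dport and (r.src is None or not r.src.is_private)]


if __name__ == "__main__":
    chain = parse_rules(RULES)
    for p in (Packet("udp", "192.168.1.20", 137), Packet("tcp", "192.168.1.20", 445),
              Packet("tcp", "10.0.0.5", 445), Packet("tcp", "192.168.1.20", 80),
              Packet("tcp", "203.0.113.7", 32768, state="ESTABLISHED")):
        print(p, "->", verdict(chain, p))
    print("unscoped port-opening ACCEPTs:", len(unscoped_accepts(chain)))
```

Run it as a script to see each constructed packet's verdict. Because evaluation is first-match, swapping the final REJECT above the LAN rules would turn every SMB packet into a REJECT, which is the ordering point the post makes; the audit helper is the check to run on any edited fragment before loading it.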