Iptables and SAMBA - I'm going MAAAAAAAAAAAAAAAAAADDDDDDD!!!

 
 
Arsenio Lupin
Guest
Posts: n/a

 
      11-13-2003, 06:33 PM
Hi,

I'm trying to set up a firewall with netfilter/iptables, increasing security
compared to the one I actually have, on the Linux box I use to share my ADSL
modem (USB). On this Linux box I have two net cards that go to two clients
(the two subnets: 192.168.0.x/255.255.255.0 and 10.0.0.x/255.255.255.0).

The script works well, but it doesn't work at all with my Samba share.
(Samba works perfectly if I shut down iptables.)

Can someone help me to access Samba?

Thanks!

My firewall script is:

#!/bin/sh
#### DEBUGGING ###
set -x

### FLUSHING CHAIN ### Reset and clear every existing rule
iptables -F
iptables -F -t nat
iptables -X
iptables -Z

### DEFAULT CHAIN ### Set the default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P POSTROUTING DROP

### SETTING IP FORWARDING ### Enable forwarding of non-local packets - ESSENTIAL
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

### DISABLE RESPONSE TO BROADCAST ### Do not answer pings sent to the subnet broadcast address
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### ENABLE BAD ERROR MESSAGE PROTECTION ### Ignore bogus ICMP error messages
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### DISABLE ICMP REDIRECT ACCEPTANCE ### Do not accept ICMP route redirect packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

### SETTING ANTISPOOFING PROTECTION ### Reverse-path filtering
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

### LOG MARTIANS ### Log packets with impossible source addresses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

### The variables used by the rules below are defined here
# - CHANGE THEM TO MATCH YOUR OWN SETUP
# External Public Interface
EXTIF="ppp0"

# Internal Private Interfaces
INTIF_1="eth0"
INTIF_2="eth1"

# Internal LAN IPs
LANIN_1="192.168.0.0/24"
LANIN_2="10.0.0.0/24"

# RFC IPs: address ranges reserved for private or special use
# and not routed on the Internet
LOOPBACK="127.0.0.0/8"

# ANTISPOOF The actual rules start here.
iptables -A INPUT -i $EXTIF -d $LOOPBACK -j DROP

# LOOP RULE Allow loopback traffic
iptables -A INPUT -s $LOOPBACK -j ACCEPT
iptables -A OUTPUT -d $LOOPBACK -j ACCEPT

# LAN IN ACCESS Rules allowing the internal network's IPs to reach the
# Linux firewall
iptables -A INPUT -i $INTIF_1 -s $LANIN_1 -j ACCEPT
iptables -A INPUT -i $INTIF_2 -s $LANIN_2 -j ACCEPT
iptables -A OUTPUT -o $INTIF_1 -d $LANIN_1 -j ACCEPT
iptables -A OUTPUT -o $INTIF_2 -d $LANIN_2 -j ACCEPT

# LAN IN OUT Rules that handle masquerading of the internal network
# Forward all packets from the internal network to any destination
iptables -A FORWARD -s $LANIN_1 -d 0/0 -j ACCEPT
iptables -A FORWARD -s $LANIN_2 -d 0/0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP new packets from the outside that try to reach the internal network
# (TCP with the SYN flag set)
iptables -A FORWARD -s 0/0 -d $LANIN_1 -p tcp --syn -j DROP
iptables -A FORWARD -s 0/0 -d $LANIN_2 -p tcp --syn -j DROP

# Let every other packet through instead
iptables -A FORWARD -s 0/0 -d $LANIN_1 -j ACCEPT
iptables -A FORWARD -s 0/0 -d $LANIN_2 -j ACCEPT

# Masquerade internal source IPs behind the public interface's IP
iptables -t nat -A POSTROUTING -o $EXTIF -s $LANIN_1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXTIF -s $LANIN_2 -j MASQUERADE

# GENERAL General rules letting the local host connect to remote IPs and
# receive the reply packets (Note: these cover activity performed directly
# by the local Linux machine, not by the hosts that use it as a firewall)
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS Rules allowing replies (from the specified DNS servers) to DNS
# queries made by the local machine

iptables -A OUTPUT -p udp -s 0/0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -j ACCEPT

# SAMBA
iptables -A INPUT -p udp -s $LANIN_1 -d $LANIN_1 -m multiport --dports 135,137,138,631 -j ACCEPT
iptables -A INPUT -p tcp -s $LANIN_1 -d $LANIN_1 -m multiport --dports 135,137,138,139,445,631 -j ACCEPT
iptables -A OUTPUT -p udp -s $LANIN_1 -d $LANIN_1 -m multiport --sports 135,137,138,631 -j ACCEPT
iptables -A OUTPUT -p tcp -s $LANIN_1 -d $LANIN_1 -m multiport --sports 135,137,138,139,445,631 -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT




--
Arsenio Lupin

Mark Hackett
Guest
Posts: n/a

 
      11-14-2003, 12:14 AM
nmbd and smbd allow Samba to work. You must allow them access to ports
*within your network only!*

137 is smbd, IIRC, but I cannot recall which other (UDP) port is needed.
Hey, it's late and I've had some beers....

Ta.

joseph philip
Guest
Posts: n/a

 
      11-14-2003, 03:44 AM
On Thu, 13 Nov 2003 18:33:07 +0000, Arsenio Lupin wrote:

> Hi,
>
> I'm trying to set up a firewall with netfilter/iptables, increasing security
> compared to the one I actually have, on the Linux box I use to share my ADSL
> modem (USB). On this Linux box I have two net cards that go to two clients
> (the two subnets: 192.168.0.x/255.255.255.0 and 10.0.0.x/255.255.255.0).
>
> The script works well, but it doesn't work at all with my Samba share.
> (Samba works perfectly if I shut down iptables.)
>
> Can someone help me to access Samba?
>
> Thanks!

Samba uses TCP and UDP ports in the range 137 to 139.

You basically need:

Allow outbound on lan1 from 137-139 tcp
Allow outbound on lan1 from 137-139 udp
Allow inbound on lan1 from 137-139 tcp
Allow inbound on lan1 from 137-139 udp

Allow outbound on lan2 from 137-139 tcp
Allow outbound on lan2 from 137-139 udp
Allow inbound on lan2 from 137-139 tcp
Allow inbound on lan2 from 137-139 udp

Allow forward when source is lan1 and dst is lan2
Allow forward when source is lan2 and dst is lan1
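The "within your network only" restriction Mark Hackett and joseph philip describe, as an added example that is not from the thread or any poster's script: a dry-run script whose names (IPT, samba_base_rules, samba_lan_rules) are mine, emitting rules that admit Samba only on an internal interface from its own subnet and let connection tracking pass the replies instead of per-port --sports OUTPUT rules. It assumes the usual daemon split, nmbd on 137/138 udp and smbd on 139/445 tcp, and the two subnets from the original post.

```shell
#!/bin/sh
# Added example, not the thread's script. Dry run by default: the commands are
# printed, not applied. Run with IPT=iptables (as root) to install them.
IPT=${IPT:-"echo iptables"}

# Rules common to all LANs. The nat table must keep an ACCEPT policy: it only
# sees the first packet of each flow, so a DROP there kills every new
# connection (the thread's actual bug). Reply traffic is passed by conntrack.
samba_base_rules() {
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# samba_lan_rules IFACE CIDR -- admit Samba from one internal LAN only.
# nmbd: 137/udp (NetBIOS names), 138/udp (datagrams)
# smbd: 139/tcp (NetBIOS session), 445/tcp (direct SMB)
# Matching on both -i and -s means a packet carrying a LAN source address but
# arriving on ppp0 still falls through to the INPUT DROP policy.
samba_lan_rules() {
    iface=$1
    lan=$2
    $IPT -A INPUT -i "$iface" -s "$lan" -p udp -m multiport --dports 137,138 -j ACCEPT
    $IPT -A INPUT -i "$iface" -s "$lan" -p tcp -m multiport --dports 139,445 -j ACCEPT
    # nmbd answers name-query broadcasts from its own port 137; without the
    # netbios_ns conntrack helper those replies are not paired with the
    # broadcast, so allow them explicitly, but only towards this LAN.
    $IPT -A OUTPUT -o "$iface" -d "$lan" -p udp -m multiport --sports 137,138 -j ACCEPT
}

# The thread's two subnets, as in the original script.
samba_base_rules
samba_lan_rules eth0 192.168.0.0/24
samba_lan_rules eth1 10.0.0.0/24
```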


 
Arsenio Lupin
Guest
Posts: n/a

 
      11-14-2003, 07:57 AM
Arsenio Lupin in D7Qsb.17102$(E-Mail Removed) with great boldness said:

> The script works well, but it doesn't work at all with my samba share.
> (samba works perfectly if i shut down iptables)


[blablabla]

!!!!! I've found the problem! !!!!

> ### DEFAULT CHAIN ### Set the default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> iptables -t nat -P POSTROUTING DROP

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It is this policy that drops the packets I need.
The clients have full access to the server with the rules that follow, I
think:

[cut]
> # LAN IN ACCESS Rules allowing the internal network's IPs to reach the
> # Linux firewall
> iptables -A INPUT -i $INTIF_1 -s $LANIN_1 -j ACCEPT
> iptables -A INPUT -i $INTIF_2 -s $LANIN_2 -j ACCEPT
> iptables -A OUTPUT -o $INTIF_1 -d $LANIN_1 -j ACCEPT
> iptables -A OUTPUT -o $INTIF_2 -d $LANIN_2 -j ACCEPT

[cut]

Those rules about Samba are probably useless.

> # SAMBA
> iptables -A INPUT -p udp -s $LANIN_1 -d $LANIN_1 -m multiport --dports 135,137,138,631 -j ACCEPT
> iptables -A INPUT -p tcp -s $LANIN_1 -d $LANIN_1 -m multiport --dports 135,137,138,139,445,631 -j ACCEPT
> iptables -A OUTPUT -p udp -s $LANIN_1 -d $LANIN_1 -m multiport --sports 135,137,138,631 -j ACCEPT
> iptables -A OUTPUT -p tcp -s $LANIN_1 -d $LANIN_1 -m multiport --sports 135,137,138,139,445,631 -j ACCEPT
> #iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


--
Arsenio Lupin

Andrew Schulman
Guest
Posts: n/a

 
      11-15-2003, 01:36 AM

>> iptables -t nat -P POSTROUTING DROP

> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> It is this policy that drops the packets I need.


Oh, yes. I've gotten nailed by this before.

When I was building my firewall I got too zealous and set DROP policies in
all of the chains in the mangle and nat tables. My system ground to a
halt, since even loopback traffic was blocked. It took me a week to figure
it out.

--
To reply by email, change "deadspam.com" to "alumni.utexas.net"
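A check for the mistake Arsenio found and Andrew describes, as an added example that is not from the thread: audit_policies and SAMPLE_DUMP are my names, the dump is constructed to reproduce the nat POSTROUTING DROP from the original script, and the function reports any built-in chain outside the filter table whose policy is not ACCEPT.

```shell
#!/bin/sh
# Added example, not from the thread. Packet filtering belongs in the filter
# table only: nat (and mangle) see just the first packet of each connection,
# so a DROP policy there silently kills every new flow, loopback included.

# Constructed iptables-save style dump reproducing the original poster's setup.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT'

# audit_policies: read an iptables-save dump on stdin, print one
# "table chain policy" line per non-ACCEPT built-in policy outside the
# filter table, and exit 1 if anything was printed. User-defined chains
# show a "-" policy in this format and are skipped.
audit_policies() {
    awk '
        /^\*/ { table = substr($1, 2); next }                  # "*nat" -> "nat"
        /^:/ && table != "filter" {                              # ":CHAIN POLICY [pkts:bytes]"
            if ($2 != "ACCEPT" && $2 != "-") { print table, substr($1, 2), $2; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Offline demonstration on the constructed dump. Live use: iptables-save | audit_policies
printf '%s\n' "$SAMPLE_DUMP" | audit_policies || echo "filtering policy found outside the filter table"
```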

 
Arsenio Lupin
Guest
Posts: n/a

 
      11-15-2003, 08:15 AM
Andrew Schulman in bp3vvi$1kmjgg$(E-Mail Removed) with great boldness said:

>>> iptables -t nat -P POSTROUTING DROP

>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> It is this policy that drops the packets I need.

>
> Oh, yes. I've gotten nailed by this before.
>
> When I was building my firewall I got too zealous and set DROP
> policies in all of the chains in the mangle and nat tables. My
> system ground to a halt, since even loopback traffic was blocked. It
> took me a week to figure it out.


I started the same way: DROP, DROP and DROP, even my finger when I try to
power on the PC!
But then I had to review all the policies and now it works.

BTW, I'm happy to know that someone else had a similar problem! I'm not the
only one!


Thanks
Bye!

--
Arsenio Lupin