Talk:Samba

From Christoph's Personal Wiki

NETBIOS/CIFS outgoing client request

Note: The following is just an example of what you could add to your iptables rule set.

iptables -A OUTPUT -p udp -s 202.54.1.13 --sport 137 -d 0/0 --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s 202.54.1.13 --sport 138 -d 0/0 --dport 138 -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.13 \
   --sport 1024:65535 -d 202.54.20.111 --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 202.54.20.111 --sport 137 -d 202.54.1.13 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 202.54.20.111 --sport 138 -d 202.54.1.13 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -s 202.54.20.111 \
   --sport 139 -d 202.54.1.13 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Or,

# NetBIOS/Samba/CIFS (depending on which direction you are going, --sport might be used instead of --dport)
iptables -A FORWARD -p TCP --dport 135:139 -j ACCEPT
iptables -A FORWARD -p UDP --dport 135:139 -j ACCEPT
# SMB/CIFS/NMB
iptables -A FORWARD -p tcp --sport 135:139 -j DROP
iptables -A FORWARD -p udp --sport 135:139 -j DROP
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -j DROP
# and for W2K/XP
iptables -A FORWARD -p tcp --sport 445 -j DROP
iptables -A FORWARD -p udp --sport 445 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP

iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
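The rules above hardcode addresses and mix accept and drop rules for the same ports, which makes them easy to get wrong when copied. As an added example (not from this wiki page), the script below wraps a minimal, reviewable policy for a Samba host in a shell function: replies to established flows are accepted first, SMB/NetBIOS ports are opened only to a trusted client subnet, and everything else aimed at those ports is logged and dropped. The addresses are placeholders (202.54.1.13 is taken from the page; the 202.54.20.0/24 client subnet is constructed), and setting IPT=echo prints the rules instead of applying them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example: generate a small, stateful iptables policy for a Samba/CIFS server.
# SMB_SERVER and SMB_CLIENTS are placeholders; IPT=echo gives a dry run.
SMB_SERVER="${SMB_SERVER:-202.54.1.13}"       # the Samba host (placeholder value from the page)
SMB_CLIENTS="${SMB_CLIENTS:-202.54.20.0/24}"  # constructed: the only subnet allowed to reach SMB
IPT="${IPT:-iptables}"                        # set IPT=echo to print rules instead of applying them

samba_rules() {
    # Accept replies to flows we already track, so the per-port rules below
    # only have to describe the NEW direction (no --sport 1024:65535 guessing).
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound SMB over TCP: 445 (direct-hosted SMB) and 139 (NetBIOS session),
    # only from the trusted client subnet.
    for port in 445 139; do
        $IPT -A INPUT -p tcp -s "$SMB_CLIENTS" -d "$SMB_SERVER" --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # NetBIOS name service (137) and datagram service (138) over UDP, same subnet.
    for port in 137 138; do
        $IPT -A INPUT -p udp -s "$SMB_CLIENTS" -d "$SMB_SERVER" --dport "$port" -j ACCEPT
    done

    # Anything else aimed at SMB/NetBIOS ports is logged (rate-limited so a scan
    # cannot flood the log) and dropped. 135 is included because the page's
    # second rule set blocks it alongside 139.
    $IPT -A INPUT -p tcp -m multiport --dports 135,139,445 -m limit --limit 5/min \
         -j LOG --log-prefix "SMB-DROP: "
    $IPT -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
    $IPT -A INPUT -p udp -m multiport --dports 137,138 -m limit --limit 5/min \
         -j LOG --log-prefix "SMB-DROP: "
    $IPT -A INPUT -p udp -m multiport --dports 137,138 -j DROP
}

# Dry-run helper: count the rules the policy would install without touching the kernel.
# With IPT=echo every emitted line starts with "-A", so that is what we count.
samba_rule_count() {
    ( IPT=echo; samba_rules ) | grep -c -- '^-A '
}

# Dry-run helper: print the policy for review (e.g. before running it as root).
samba_rules_preview() {
    ( IPT=echo; samba_rules )
}
```

Run `samba_rules_preview` first and diff the output against what you expect; only then call `samba_rules` as root. Note that `-m conntrack --ctstate` is the current form of the older `-m state --state` match used on this page; both are accepted by iptables, but conntrack is the one still being maintained.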