Difference between revisions of "Talk:Samba"
(→NETBIOS/CIFS outgoing client request)
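--- a/Talk:Samba
+++ b/Talk:Samba
@@ -9,2 +9,31 @@
 iptables -A INPUT -p tcp -s 202.54.20.111 \
 –sport 139 -d 202.54.1.13 –dport 1024:65535 -m state –state ESTABLISHED -j ACCEPT
+
+Or,
+# NetBIOS/Samba/CIFS (depending on which direction you are going, --sport might be used instead
+iptables -A FORWARD -p TCP --dport 135:139 -j ACCEPT
+iptables -A FORWARD -p UDP --dport 135:139 -j ACCEPT
+<pre>
+# SMB/CIFS/NMB
+iptables -A FORWARD -p tcp --sport 135:139 -j DROP
+iptables -A FORWARD -p udp --sport 135:139 -j DROP
+iptables -A FORWARD -p tcp --dport 135:139 -j DROP
+iptables -A FORWARD -p udp --dport 135:139 -j DROP
+# and for W2K/XP
+iptables -A FORWARD -p tcp --sport 445 -j DROP
+iptables -A FORWARD -p udp --sport 445 -j DROP
+iptables -A FORWARD -p tcp --dport 445 -j DROP
+iptables -A FORWARD -p udp --dport 445 -j DROP
+
+iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
+iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
+iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
+iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
+
+iptables -A OUTPUT -p udp -s 202.54.1.13 –sport 137 -d 0/0 –dport 137 -j ACCEPT
+iptables -A OUTPUT -p udp -s 202.54.1.13 –sport 138 -d 0/0 –dport 138 -j ACCEPT
+iptables -A OUTPUT -p tcp -s 202.54.1.13 –sport 1024:65535 -d 202.54.20.111 –dport 139 -m state –state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p udp -s 202.54.20.111 –sport 137 -d 202.54.1.13 –dport 137 -j ACCEPT
+iptables -A INPUT -p udp -s 202.54.20.111 –sport 138 -d 202.54.1.13 –dport 138 -j ACCEPT
+iptables -A INPUT -p tcp -s 202.54.20.111 –sport 139 -d 202.54.1.13 –dport 1024:65535 -m state –state ESTABLISHED -j ACCEPT
+</pre>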
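Review bot: The two added snippets cannot be applied together as written: if the FORWARD `--dport 135:139` ACCEPT pair (tcp, udp) is appended before the `<pre>` block, iptables stops at the first matching rule, so the later `--dport 135:139` DROP rules never fire; a line such as `# Pick ONE of the following: the ACCEPT pair (allow) or the DROP block (deny) -- iptables uses first-match order` above the ACCEPT rules would make the choice explicit. The nat PREROUTING REDIRECT rules rewrite the destination port (137→1137, 138→1138, 139→1139, 445→1445) before the filter INPUT chain sees the packet, so the `-A INPUT -p udp ... --dport 137` and `--dport 138` ACCEPT rules at the end of the block will not match redirected traffic; the REDIRECT lines probably belong to a different setup than the client rules that follow and should be separated or explained. The last six rules also use a typographic en-dash (`–sport`, `–dport`, `–state`) instead of `--`, which iptables rejects as an unknown argument, so those rules fail to load when copied. The same en-dash appears in the unchanged context lines at the top of the hunk.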
Latest revision as of 20:06, 26 April 2007
NETBIOS/CIFS outgoing client request
Note: The following is just an example of rules you could add to your iptables configuration.
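# Example NetBIOS/CIFS client rules (one command per line; "--" restored where
# the page showed a typographic dash, which iptables rejects).
# client_ip is this host (the SMB client); server_ip is the SMB server reached on tcp/139.
client_ip=202.54.1.13
server_ip=202.54.20.111

# Outbound NetBIOS name/datagram service (udp 137/138) from this host to any host
iptables -A OUTPUT -p udp -s "$client_ip" --sport 137 -d 0/0 --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s "$client_ip" --sport 138 -d 0/0 --dport 138 -j ACCEPT
# Outbound SMB session to the server: new connections and their follow-up packets
iptables -A OUTPUT -p tcp -s "$client_ip" --sport 1024:65535 -d "$server_ip" --dport 139 \
  -m state --state NEW,ESTABLISHED -j ACCEPT

# Inbound from the server: udp 137/138 replies, and tcp/139 traffic only for
# connections this host already opened (ESTABLISHED, never NEW)
iptables -A INPUT -p udp -s "$server_ip" --sport 137 -d "$client_ip" --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s "$server_ip" --sport 138 -d "$client_ip" --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -s "$server_ip" --sport 139 -d "$client_ip" --dport 1024:65535 \
  -m state --state ESTABLISHED -j ACCEPT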
Or,
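# NetBIOS/Samba/CIFS: allow forwarding of tcp/udp 135-139 (depending on which
# direction you are going, --sport might be used instead of --dport).
# Use this ACCEPT pair OR the DROP block that follows, not both: iptables stops
# at the first matching rule, so an ACCEPT appended here makes a later
# --dport 135:139 DROP in the FORWARD chain unreachable.
iptables -A FORWARD -p tcp --dport 135:139 -j ACCEPT
iptables -A FORWARD -p udp --dport 135:139 -j ACCEPT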
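# SMB/CIFS/NMB rules (one command per line; "--" restored where the page showed
# a typographic dash, which iptables rejects as an unknown argument).
# client_ip is this host (the SMB client); server_ip is the SMB server reached on tcp/139.
client_ip=202.54.1.13
server_ip=202.54.20.111

# Block forwarding of NetBIOS (tcp/udp 135-139) in both directions
iptables -A FORWARD -p tcp --sport 135:139 -j DROP
iptables -A FORWARD -p udp --sport 135:139 -j DROP
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -j DROP
# and for W2K/XP (port 445)
iptables -A FORWARD -p tcp --sport 445 -j DROP
iptables -A FORWARD -p udp --sport 445 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP

# Redirect inbound SMB/NetBIOS ports on this host to alternate local ports.
# NOTE(review): nat PREROUTING runs before filter INPUT, so after these rules the
# INPUT chain sees dport 1137/1138/1139/1445 rather than 137/138/139/445 -- the
# udp --dport 137/138 ACCEPT rules further down will not match redirected packets.
# Confirm these REDIRECTs are meant to be combined with the client rules below.
iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138

# Outbound NetBIOS name/datagram service (udp 137/138) from this host to any host
iptables -A OUTPUT -p udp -s "$client_ip" --sport 137 -d 0/0 --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s "$client_ip" --sport 138 -d 0/0 --dport 138 -j ACCEPT
# Outbound SMB session to the server: new connections and their follow-up packets
iptables -A OUTPUT -p tcp -s "$client_ip" --sport 1024:65535 -d "$server_ip" --dport 139 \
  -m state --state NEW,ESTABLISHED -j ACCEPT
# Inbound from the server: udp 137/138 replies, and tcp/139 traffic only for
# connections this host already opened (ESTABLISHED, never NEW)
iptables -A INPUT -p udp -s "$server_ip" --sport 137 -d "$client_ip" --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s "$server_ip" --sport 138 -d "$client_ip" --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -s "$server_ip" --sport 139 -d "$client_ip" --dport 1024:65535 \
  -m state --state ESTABLISHED -j ACCEPT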