Gentoo Forums: Networking & Security
iptables and samba, need some support {solved}
Keiko (Tux's lil' helper; joined 27 Dec 2005; 98 posts)
Posted: Sat Mar 11, 2006 7:57 am    Post subject: iptables and samba, need some support {solved}

Hi,

I've bumped into yet another problem. I've been concentrating on improving my iptables script for the last week, and just went to test how it was looking from another machine, when I realised I couldn't access my Linux machine at all. Its presence is indicated by a workgroup icon in Network Neighbourhood (XP Pro), but upon trying to enter it I get a "network path not found" error. At first I thought I must have overwritten my smb.conf when I did an emerge -uav world last night, so I replaced them with backups of my originals, and it still didn't work.

[edit]

Hi, sorry, I've just cleared my firewall and everything is back up. Strange, as I've tested it and implemented changes gradually; I think I must have done my recent tests on my local machine only, which fogged the picture. I guess now I have to figure out what part of my script is causing the problems. I need Samba and DNS working, but obviously with my firewall too.

I'm feeling kind of down about my system now. It seems as soon as I'm halfway to getting something working, something else breaks, and it's somewhat distressing. I don't suppose someone could help me find what's causing this in my firewall script? I'd feel better if I knew someone else was hunting down the problem too; it might stop me from tearing my hair out...

Thank you, my iptables script is below:

Keiko.
===========================================================================

#!/bin/bash

IPTABLES=/sbin/iptables

# Constant Declarations

InFace1='eth0'
ExIP='10.0.0.8'
ssh='22'

# Kernel Security

# With SYN cookies enabled, the kernel answers a SYN without keeping state for the half-open connection;
# state is only allocated when the final ACK of the 3-way handshake arrives. A SYN flood only ever sends
# the first part of the handshake, so this stops it from exhausting the listen backlog.
# see " https://forums.gentoo.org/viewtopic-t-352610-highlight-tcpsyncookies.html " and " http://cr.yp.to/syncookies.html "

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

echo "Starting firewall ... "

#----------------------------------- This Script -----------------------------------------------------#

#
# This is my iptables firewall script; it contains the rules that configure iptables.
#
# This script was created from a very good guide on " http://www.pettingers.org/code/firewall.html " and with
# support and help from various people within the linux community, Thanks must go to those who helped me a
# great deal on the Gentoo forums," https://forums.gentoo.org/ ".
#
# Originally Created on 06/03/2006 by Keiko. Updated on 10/03/06 by Keiko.
#


#
# If you want this script to automatically set up iptables when you boot your computer (Gentoo), ensure it is
# named firewall, is executable, and is placed in your /etc/init.d/ directory.
# Now, using your preferred editor, open /etc/conf.d/local.start and add the following line (without quotes):
# "/etc/init.d/firewall". These rules will then be passed to iptables upon boot.
# To test that the rules have been loaded correctly, as super user (root) type the following in a
# terminal (without quotes): "iptables -L -n -v". This lists the chains and rules iptables is using, with
# packet counters and without reverse DNS lookups on the addresses.
#

#------------------------------------------------------------------------------------------------------#

# The default policy of the INPUT chain is set to ACCEPT first, so that flushing the rules below cannot lock
# us out of a remote session; it is changed to DROP at the end of the script.

iptables -P INPUT ACCEPT

# We now flush (delete) all rules in the built-in chains of the filter table, which could otherwise interfere with the new rules.

iptables -F

# And delete any existing custom chains.

iptables -X

# We are going to create five custom chains. We will use these as targets for our new rules.

iptables -N SPAM
iptables -N WEB
iptables -N BLACKLIST
iptables -N THRU
iptables -N LOGDROP

#echo " Error Marker-1 = Passed "

#---------------------------------------- The Rules-----------------------------------------------------#

# The first rule below allows packets that belong to a connection we have already accepted (ESTABLISHED). The
# second allows RELATED packets, i.e. new connections that a connection-tracking helper has tied to an existing
# one (for example the FTP helper opening a data connection), but only to unprivileged ports 1025 to 65535.
# Because it is limited to "-p tcp", ICMP errors related to an existing connection are not accepted by it.

iptables -A INPUT -i $InFace1 -m state --state ESTABLISHED -j ACCEPT

iptables -t filter -A INPUT -p tcp --dport 1025:65535 -m state --state RELATED -j ACCEPT

# This rule allows in all packets from the localhost interface.

iptables -A INPUT -i lo -j ACCEPT

# The next rule sends any packets arriving for port 25 (SMTP) to our SPAM custom chain, where the source
# address is checked against the addresses the system knows as spammers'.

iptables -A INPUT -i $InFace1 -p tcp -m tcp --dport 25 -j SPAM

# The following rule does the same thing but checks for web attackers instead of spammers via the WEB custom chain.
# The "--tcp-flags" match is optional; "SYN,RST,ACK SYN" examines those three flags and matches only when SYN
# alone is set, i.e. new connection attempts.

iptables -A INPUT -i $InFace1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j WEB

# The next rule ensures that any packets that have got through the above rules are jumped to our
# "general blacklist", the BLACKLIST custom chain.

iptables -A INPUT -j BLACKLIST

#echo " Error Marker-2 = Passed "

# Some IP addresses that we want to block, due to recent ssh break-in attempts from these addresses.

iptables -A BLACKLIST -s 81.56.126.41 -j LOGDROP
iptables -A BLACKLIST -s 213.145.191.238 -j LOGDROP
iptables -A BLACKLIST -s 69.93.81.10 -j LOGDROP
iptables -A BLACKLIST -s 165.228.11.218 -j LOGDROP
iptables -A BLACKLIST -s 216.118.117.112 -j LOGDROP
iptables -A BLACKLIST -s 210.188.207.233 -j LOGDROP
iptables -A BLACKLIST -s 62.2.130.138 -j LOGDROP

# Similarly, this rule jumps any packets that have got through the BLACKLIST chain to our THRU custom chain.
# The THRU custom chain is used to allow packets in if they are explicitly allowed, such as from trusted hosts.

iptables -A INPUT -j THRU

# Next we create a log entry each time we are about to drop a packet. To reduce the risk of log-flooding
# denial-of-service attacks, logging is rate limited to 30 entries per minute. Log level 7 sets the priority to
# debug, so these entries can be routed to a file with syslog / syslog-ng by matching facility(kern) and
# level(debug). Everything that reaches this rule is dropped further down, so any ACCEPT rules for the INPUT
# chain must be added before it (or to THRU); otherwise the traffic is logged as "drop_packet" and discarded.

iptables -A INPUT -m limit --limit 30/min -j LOG --log-prefix "drop_packet" --log-level 7

#echo " Error Marker-3 = Passed "

# We are now going to set up some rules that explicitly allow packets into particular ports, to ensure
# the services we run (i.e. web server, mail server, ssh server) continue to function.

# - NOTE - By default only port 22 will be open for ssh; other popular service ports are included below for
# completeness and need to be un-commented (remove the preceding #) if you require them open.

# FTP (tcp port 21)
#
# iptables -A THRU -i $InFace1 -p tcp --dport 21 -j ACCEPT

# SSH (tcp port 22)

iptables -A THRU -i $InFace1 -p tcp --dport $ssh -j ACCEPT

# SMTP (tcp port 25)
#
# iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 25 -j ACCEPT

# HTTP (tcp port 80)
#
# iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 80 -j ACCEPT

# POP3 (tcp port 110)
#
# iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 110 -j ACCEPT

# If you need to find out what port number your particular service uses, a complete listing of ports and services
# can be found here: http://www.iana.org/assignments/port-numbers

#echo " Error Marker-4 = Passed "

# We will drop incoming echo-requests (ICMP type 8) and outgoing echo-replies (ICMP type 0), so the host does not answer ping.

iptables -A INPUT -p icmp --icmp-type echo-request -d $ExIP -j DROP

iptables -A OUTPUT -p icmp --icmp-type echo-reply -s $ExIP -j DROP

# We will also drop incoming redirects (ICMP type 5), which could otherwise alter our routing table, and outgoing
# destination-unreachable messages (ICMP type 3). The original intent was protection against denial-of-service
# attacks; in practice the main effect is that closed ports are no longer reported back to the sender.
# - NOTE - Dropping every outgoing type 3 message also silences "fragmentation needed" (type 3, code 4), which
# remote hosts rely on for path MTU discovery, and the ICMP errors generated by the REJECT targets below, since
# those errors pass through the OUTPUT chain as well; the REJECTs then behave like DROP.

iptables -A INPUT -p icmp --icmp-type redirect -d $ExIP -j DROP

iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -s $ExIP -j DROP

# We will now explicitly block outgoing X sessions (displays :0 to :10, TCP and UDP ports 6000 to 6010), to protect
# our machine from the risks of forwarding X11. REJECT is used here so that the connecting user is told straight away
# that this service is not offered, following the advice on Drop vs Reject found here:
# " http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject ".

iptables -A OUTPUT -p tcp -s $ExIP -o $InFace1 --dport 6000:6010 -j REJECT

iptables -A OUTPUT -p udp -s $ExIP -o $InFace1 --dport 6000:6010 -j REJECT

# We will now add our final rule to the INPUT chain, which drops all packets that haven't been accepted
# by any of the previous rules, and also change the default policy for INPUT to DROP.

iptables -A INPUT -j DROP

iptables -P INPUT DROP

# We will also set the default policy for the FORWARD chain to DROP, as it should not be used in this configuration.

iptables -P FORWARD DROP

#echo " Error Marker-5 = Passed "

# The following rules are for our final custom chain LOGDROP. These will place descriptive annotations
# on the log entries, to aid with log analysis later on.

iptables -A LOGDROP -p tcp -m tcp --dport $ssh -m limit --limit 1/sec -j LOG --log-prefix "ssh_blacklist" --log-level 7

iptables -A LOGDROP -p tcp -m tcp --dport 25 -m limit --limit 1/sec -j LOG --log-prefix "spam_blacklist" --log-level 7

iptables -A LOGDROP -p tcp -m tcp --dport 80 -m limit --limit 1/sec -j LOG --log-prefix "web_blacklist" --log-level 7

# The following line specifies how we will respond to packets that have gone through the LOGDROP custom chain.

iptables -A LOGDROP -j REJECT --reject-with icmp-host-prohibited

#
# - NOTE - To make use of our various blacklists, you can manually add rules to the respective chain, such
# as the following examples:
#
# iptables -A BLACKLIST -s 192.168.254.5 -j LOGDROP
# iptables -A BLACKLIST -s 192.168.220.0/24 -p tcp --dport 22 -j LOGDROP
# iptables -A SPAM -s scum.spammers.org -j LOGDROP
# iptables -A WEB -s script.kiddies.com -j LOGDROP
#
# - NOTE - the " -s " flag indicates a source. A hostname given to " -s " is resolved once, when the rule is
# added, so the rule will not follow later DNS changes for that name.
#

#--------------------------------------- End of Configuration----------------------------------------------#

#echo " Error Marker-6 = Passed "

echo "Firewall started and configured"

exit


Last edited by Keiko on Mon Mar 13, 2006 10:40 pm; edited 1 time in total
magic919 (Advocate; joined 17 Jun 2005; 2182 posts; Berkshire, UK)
Posted: Sat Mar 11, 2006 8:15 am

You've got the option of opening up all LAN traffic if you trust it, like you've done with localhost.

Or ports 137-139 plus 445 will do. You don't need TCP and UDP for all of these, though it won't hurt, and a quick web search will show you which ones only need UDP.
Keiko (Tux's lil' helper; joined 27 Dec 2005; 98 posts)
Posted: Sat Mar 11, 2006 8:53 am

Hi,

Your idea made immediate sense, though I found it strange that this would fix it, as those ports have always been open when doing an nmap scan. It may be something to do with those connections being established, and I was trying to create new ones which I didn't explicitly allow...

Anyway, it's working again. I added the following for this; perhaps I can fine-tune it some more, but for now it works okay.

========================================

# NetBIOS name service and datagram service (UDP 137 and 138) from the LAN
iptables -A INPUT -i $InFace1 -s 10.0.0.0/24 -p udp --dport 137:138 -j ACCEPT
# NetBIOS session service (TCP 139) and SMB directly over TCP (445) from the LAN
iptables -A INPUT -i $InFace1 -s 10.0.0.0/24 -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i $InFace1 -s 10.0.0.0/24 -p tcp --dport 445 -j ACCEPT
# These belong in INPUT ahead of the LOG rule and the final "-j DROP", or in the THRU chain.


Thanks for the help, Keiko.
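The two options magic919 describes (trust the whole LAN, or open only the Samba ports with the transport each one uses) and the rules Keiko settled on, written as a small script in the style of the firewall script above. This is an added example, not code from the thread. It assumes the script's InFace1 variable, a LAN of 10.0.0.0/24 (the network the script's 10.0.0.8 host sits on) and the script's THRU chain as the place the rules go; it emits one rule per port rather than the 137:138 range so a single port can be removed on its own.

```shell
#!/bin/bash
# Added example (not from the original thread): the two options magic919 describes,
# as functions in the style of the firewall script above.
# Assumptions: the script's InFace1 variable, a LAN of 10.0.0.0/24 (the network the
# script's 10.0.0.8 host sits on) and the script's THRU chain as the target chain.
# Set IPTABLES=echo to print the rules instead of loading them.
IPTABLES=${IPTABLES:-/sbin/iptables}
InFace1=${InFace1:-eth0}
LAN=${LAN:-10.0.0.0/24}

# Option 1: trust every host on the LAN, the way the script already trusts lo.
lan_rule() {
    local chain=$1
    "$IPTABLES" -A "$chain" -i "$InFace1" -s "$LAN" -j ACCEPT
}

# Option 2: only the Samba/CIFS ports, each with the transport it actually uses:
#   udp/137 NetBIOS name service, udp/138 NetBIOS datagram service (browsing),
#   tcp/139 NetBIOS session service, tcp/445 SMB directly over TCP.
# One rule per (protocol, port) pair, so a single port can be removed on its own.
samba_rules() {
    local chain=$1 spec proto port
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        proto=${spec%%:*}
        port=${spec##*:}
        "$IPTABLES" -A "$chain" -i "$InFace1" -s "$LAN" \
            -p "$proto" --dport "$port" -j ACCEPT
    done
}

# Self-check helper: number of rules a function would add (always previewed, never loaded).
rule_count() {
    local fn=$1 chain=$2
    IPTABLES=echo "$fn" "$chain" | wc -l | tr -d ' '
}

# Usage:  bash samba-rules.sh apply                (load into THRU, run as root)
#         IPTABLES=echo bash samba-rules.sh apply  (preview the rules only)
# Then check the result with:  iptables -L THRU -n -v --line-numbers
if [ "${1:-}" = "apply" ]; then
    samba_rules THRU
fi
```

The rules have to sit where the script still accepts traffic: in THRU, or in INPUT ahead of the LOG rule and the final "-j DROP"; appended after those, the Samba packets are logged as "drop_packet" and discarded, which matches the "network path not found" symptom. The name-service and browse traffic on UDP 137 and 138 is sent to the subnet broadcast address (10.0.0.255 here), so matching on "-s $LAN" still covers it, whereas a "-d $ExIP" restriction would not.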