Networking between Linux & windoze through a Linksys router.

[MEW]

I sniffed samba on my machine, and I see that it also uses port 137/udp ("netbios-ns").

[dalek]

That worked like a charm. For future reference:

[MEW]

1. The idea is that we want to allow incoming traffic to ports 137, 138, 139, and 445 on tcp and udp. To take the first line as an example:
"-I INPUT 2" means to Insert this rule into the INPUT table at position 2 (so it's ahead of the DROP all else rule, which had formerly occupied position 2). "-p udp" means that this rule only applies if the UDP protocol is in use. "--dport 445" means that this rule only applies if the destination port is 445. "--source 192.168.100.0/24" means that the rule only applies to traffic from the network 192.168.100.0/24 (which is any IP address whose first 24 bits match the first 24 of 192.168.100.0; that is, 192.168.100.0 - 192.168.100.255). "-j ACCEPT" means that the rule says that a packet that matches the criteria specified earlier should be ACCEPTed. (iptables rules work like "ACCEPT any packet whose protocol is udp, whose destination port is 445, and whose source matches 192.168.100.0/24", and it follows the first rule that it finds that matches the packet.)

2. It is probably spending most of that time trying to lookup names for various things (networks, ports, etc.). I don't know why it takes that long on your machine, but you can make it faster by running "iptables -L --numeric" or "iptables -Ln" so that it will just display the IP address, network address, or port number.

3. I have no experience with webmin and so can't help you with that.
_________________
Moo.

[dalek]

#1, that I can understand pretty well. If I tell it to put a rule to drop all packets in position number 1 then everything gets dropped and nothing gets through, correct? I understand about ports to just not what they are used for. I thing web browsing uses 80, email 25 and 110. I know those I guess.

#2. I was reading a guide and read about that. It says it actually tries to look up a list of addresses until it gets a time out. CPU and such really has nothing to do with that command.

#3. It does have it and I'm not sure how to use it either. Maybe I can learn something.

I still can't find a really good guide that I can understand though. I get bits and pieces is all. I got more out of your paragraph for #1 than I did out of 11 pages from what I was reading.

Thanks for the help and answering questions. I'm still secure, my Sweetie can back up her windoze box and I am happy.


_________________
My rig: Gigabyte GA-970A-UD3P mobo, AMD FX-8350 Eight-Core CPU, ZALMAN CNPS10X Performa CPU cooler,
G.SKILL 32GB DDR3 PC3 12800 Memory Nvidia GTX-650 video card LG W2253 Monitor
60TBs of hard drive space using LVM
Cooler Master HAF-932 Case

[dalek]

Well, after some reading I have another question. Let's say for example when her win XP machine was trying to access my machine it was "knocking" on a certain port. Is there a log to find out what port it was trying to get into? I use syslog-ng if that matters. I was reading about it in the man page but I was wondering about the unsucessful attempts on blocked ports. That way if I do something new, I can tell something needs a port open.

Thanks again. I'm learning something here.


_________________
My rig: Gigabyte GA-970A-UD3P mobo, AMD FX-8350 Eight-Core CPU, ZALMAN CNPS10X Performa CPU cooler,
G.SKILL 32GB DDR3 PC3 12800 Memory Nvidia GTX-650 video card LG W2253 Monitor
60TBs of hard drive space using LVM
Cooler Master HAF-932 Case

[robdd]

Hi there Dale

One good way of seeing what is going on over the network is to use ethereal, which is gui-based packet monitor. You should be able to 'emerge ethereal', then sit back and wait for a while. Once it's emerge'd OK you have to run it as root under X - just type 'ethereal' and it should start up. Then hit Start to start capturing packets. If you're impatient like me select the option to update the packet display in real time.

To see what is happening with the Windoze box you may have to turn off iptables (I've never used iptables myself). Etheral by default will show all traffic, but you can apply a display filter to just show traffic to and from another IP address. Down the bottom left of the ethereal screen there's a filter box - just type in 'ip.addr == 192.168.1.111' - or whatever the IP of the Windoze box is. Then you can see exactly which ports the Windoze box is addressing. (<rant>In my experience Windoze boxes are unbelievably chatty - they're always broadcasting crap. Which makes me wonder why it takes sooooooooooo long when you try to display Network Neighbourhood stuff on Windoze. Even after all that talking the box *still* has to check the network *again* while you twiddle your thumbs</rant>).

BTW - here's a link to stuff on TCP ports: http://www.webopedia.com/quick_ref/portnumbers.asp It may help when you're trying to figure out what ports the Windoze box is addressing.

Good Luck
_________________
Rob Diamond
Gentoo Hack, hack, hacker
Sydney, Australia

[dalek]

I have ethreal installed. I didn't even think about it though. I was just thinking I could check the log files every once in a while too, just in case. You never know when someone may try to come in.


_________________
My rig: Gigabyte GA-970A-UD3P mobo, AMD FX-8350 Eight-Core CPU, ZALMAN CNPS10X Performa CPU cooler,
G.SKILL 32GB DDR3 PC3 12800 Memory Nvidia GTX-650 video card LG W2253 Monitor
60TBs of hard drive space using LVM
Cooler Master HAF-932 Case

[MEW]

iptables packets are not logged by default, but you can make certain packets be logged. To log a packet, create a rule with the target set to "LOG" ("-j LOG") that matches it. You probably also want to specify some logging options, such as --log-prefix to have a description in the logfile. So, for example, `iptables -I INPUT 10 -m state --state NEW,INVALID -m limit --limit 3/minute -j LOG --log-prefix "Connection attempt stopped: "` adds a rule in position 10 (just before your DROP rule) that logs "-j LOG" any packets that try to create a new connection "--state NEW,INVALID" (you have to load the state module with "-m state" before you can use it). This rule will match a maximum average of 3 times per minute (with bursts up to 5 per minute (default)), so that your logs don't get filled. The log message will be prefixed with "Connection attempt stopped: " so that you can see why the packet is being logged; it will be logged with log level warning (by default).

An example of what a logged packet would look like (from a similar rule on my machine):