
[Samba] help with samba and iptables




Hi community, I have a Samba server that works great, but my friends in IT security said that it is vulnerable without a firewall. I tried to set up an iptables firewall using the official documentation but it is not working (obviously). This is my config:


#!/bin/sh
echo -n "Aplicando Reglas de Firewall..."
## Flush all existing rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
## Default policies: drop inbound, allow outbound and forwarded traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
## Start filtering
# Loopback is allowed (e.g. local connections to mysql)
iptables -A INPUT -i lo -j ACCEPT
# Hosts allowed unrestricted access
iptables -A INPUT -s 192.168.1.5 -j ACCEPT
# Allow the ntp service
iptables -A INPUT -s 192.168.2.3 -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -p udp -m udp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow smb/AD over udp from the dvm LAN (Kerberos 88/464, NetBIOS 137/138, LDAP 389)
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 88 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 138 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 389 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 464 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 32700:32800 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 32700:32800 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow smb/AD over tcp from the dvm LAN
# Note: 445 (SMB), 636 (LDAPS), 3268 (global catalog) and the 49152:65535
# dynamic RPC range are TCP listeners, so they must be -p tcp, not -p udp
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 88 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 88 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 135 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 135 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 139 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 389 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 389 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 445 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 464 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 464 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 636 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 636 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3268 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 3268 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 49152:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow queries to a first DNS server
iptables -A INPUT -s 192.168.2.4 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.5 -p udp -m udp --dport 53 -j ACCEPT
# Save the configuration
/etc/init.d/iptables-persistent save
echo " OK . Verifique que lo que se aplica con: iptables -L -n"
# End of script


My question is simple: what am I doing wrong?

--
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327
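One check a Samba admin can run against the live ruleset, as an added example that is not part of the original post: a POSIX sh audit of an iptables-save dump that flags a Samba port opened on a protocol Samba does not serve it on (for instance 445 opened as UDP, while smbd listens only on TCP) and any Samba port accepted from outside the LAN. It assumes the LAN is 192.168.1.0/24 as in the post; the port table follows Samba's documented listeners, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump and
# report INPUT ACCEPT rules that open a Samba port on the wrong protocol or
# to sources outside the LAN (192.168.1.0/24, as in the post).
LAN="192.168.1.0/24"
# Protocol(s) Samba actually serves each port on: smbd is TCP 445/139, nmbd is
# UDP 137/138; AD DC ports 88/389/464 are both, the remaining AD ports are TCP.
expected_proto() {
  case "$1" in
    135|139|445|636|3268) echo "tcp" ;;
    137|138)              echo "udp" ;;
    88|389|464)           echo "tcp udp" ;;
    *)                    echo "" ;;   # unknown port or a range: not checked
  esac
}
# Read rules on stdin; findings go to stderr, the finding count to stdout.
audit_rules() {
  findings=0
  while read -r line; do
    case "$line" in *"-A INPUT "*"-j ACCEPT"*) ;; *) continue ;; esac
    proto=$(printf '%s\n' "$line" | sed -n 's/.*-p \([a-z]*\).*/\1/p')
    port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9:]*\).*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's|.*-s \([0-9./]*\).*|\1|p')
    want=$(expected_proto "$port")
    [ -n "$want" ] || continue
    case " $want " in *" $proto "*) ;; *)
      echo "WRONG PROTO: port $port opened as $proto, Samba serves it on: $want" >&2
      findings=$((findings + 1)) ;;
    esac
    if [ "$src" != "$LAN" ]; then
      echo "EXPOSED: port $port/$proto accepted from '${src:-anywhere}', not $LAN" >&2
      findings=$((findings + 1))
    fi
  done
  echo "$findings"
}
# Constructed sample dump (not a real capture): 445 opened as udp, and one rule
# with no -s restriction. Against a live box: iptables-save | audit_rules
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT'
demo_audit() { printf '%s\n' "$SAMPLE_RULES" | audit_rules; }
demo_audit
```

The sample yields two findings (445 as UDP, and 445/tcp accepted from anywhere); port ranges such as 49152:65535 are skipped rather than guessed.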




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba