Mike O'Neill <mikeo@redhillstudios.com> wrote:
> Can someone please share their ipchains for samba? Do all the netbios ports
> (135:139) need to be open? Are they all that's needed? -mike
Mike,
You can open up UDP Ports 137 (netbios_ns), 138 (netbios_dg) and TCP 139
(netbios_ss) for Win95/98/NT/ME client SMB access. I'm not sure what
services you are supporting on ports 135-136, so I'll assume it's a
typo. Please note that unlike most services, Netbios_NS communicates FROM port
137 TO port 137. You will need to also allow loopback (-i lo), explicit
REJECT/DENY statements/POLICIES, and MAY (depending on your setup) need your
fake address clients registered with a fake DNS and/or /etc/hosts. Here are
some samples. Qualify all variables with a Netmask (e.g., 10.1.1.1/24). If you
are going to play with any SMB stuff and are still new to what ports do what, it
would probably be a good idea to review
http://serendipity.magnet.ch/hermetic/crypto/cifs.txt (CIFS: Common Insecurities
Fail Scrutiny) backwards & forwards.
# Variables: $trusted = client network, $extip = this host's interface address,
# $broadcast = the subnet broadcast address; all netmask-qualified (e.g. 10.1.1.0/24).
# Netbios_NS (UDP 137): name service talks FROM port 137 TO port 137, so both
# source and destination ports are pinned; unicast from trusted hosts plus broadcast.
/sbin/ipchains -A input -p udp -s $trusted 137 -d $extip 137 -j ACCEPT
/sbin/ipchains -A input -p udp -s $broadcast 137 -d $extip 137 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip 137 -d $broadcast 137 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip 137 -d $trusted 137 -j ACCEPT
# Netbios_DG (UDP 138): datagram service; unprivileged client source ports
# (1024:65535) for unicast, any port for broadcast traffic.
/sbin/ipchains -A input -p udp -s $trusted 1024:65535 -d $extip 138 -j ACCEPT
/sbin/ipchains -A input -p udp -s $broadcast -d $extip 138 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip -d $broadcast 138 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip 138 -d $trusted 1024:65535 -j ACCEPT
# Netbios_SS (TCP 139): session service (the actual SMB file/print traffic);
# only the trusted network gets in, replies go back to unprivileged ports.
/sbin/ipchains -A input -p tcp -s $trusted 1024:65535 -d $extip 139 -j ACCEPT
/sbin/ipchains -A output -p tcp -s $extip 139 -d $trusted 1024:65535 -j ACCEPT
Regards,
David Lechnyr
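A small audit script, added here as an example and not part of David's reply, that parses ipchains `-A input` rules and reports which NetBIOS ports (137/138/139) are reachable from which sources, flagging sources that are not netmask-qualified or are world-open. The ruleset is constructed: the post's variables substituted with sample values (trusted=10.1.1.0/24, extip=192.0.2.10, broadcast=10.1.1.255) plus two deliberately sloppy rules.

```python
"""Audit ipchains input rules for NetBIOS exposure (constructed example)."""
import re

# port -> (protocol, service name), as in the ruleset above
NETBIOS_PORTS = {137: ("udp", "netbios_ns"), 138: ("udp", "netbios_dg"),
                 139: ("tcp", "netbios_ss")}

# Constructed sample: three good rules, one unqualified broadcast source, one world-open rule.
SAMPLE_RULES = """
/sbin/ipchains -A input -p udp -s 10.1.1.0/24 137 -d 192.0.2.10 137 -j ACCEPT
/sbin/ipchains -A input -p udp -s 10.1.1.0/24 1024:65535 -d 192.0.2.10 138 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 10.1.1.0/24 1024:65535 -d 192.0.2.10 139 -j ACCEPT
/sbin/ipchains -A input -p udp -s 10.1.1.255 -d 192.0.2.10 138 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d 192.0.2.10 139 -j ACCEPT
"""

# ipchains syntax: -s ADDR [PORT|LO:HI] -d ADDR [PORT|LO:HI]; the port after an address is optional
RULE_RE = re.compile(
    r"-A\s+(?P<chain>\S+)\s+-p\s+(?P<proto>\S+)\s+-s\s+(?P<src>\S+)(?:\s+(?P<sport>[\d:]+))?"
    r"\s+-d\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d:]+))?\s+-j\s+(?P<target>\S+)"
)

def parse_rules(text):
    """Parse ipchains -A lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (RULE_RE.search(l) for l in text.splitlines()) if m]

def port_matches(spec, port):
    """True if a port spec ('139', '1024:65535', or None meaning any) covers port."""
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def audit_netbios(rules):
    """Return ({port: [accepting sources]}, [findings]) for ACCEPT rules on the input chain."""
    reachable = {p: [] for p in NETBIOS_PORTS}
    findings = []
    for r in rules:
        if r["chain"] != "input" or r["target"] != "ACCEPT":
            continue
        for port, (proto, name) in NETBIOS_PORTS.items():
            if r["proto"] != proto or not port_matches(r["dport"], port):
                continue
            reachable[port].append(r["src"])
            if "/" not in r["src"]:
                findings.append(f"{name}: source {r['src']} has no netmask")
            elif r["src"].endswith("/0"):
                findings.append(f"{name}: source {r['src']} is world-open")
    return reachable, findings

if __name__ == "__main__":
    for line in audit_netbios(parse_rules(SAMPLE_RULES))[1]:
        print(line)
```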