iptables - blocking SMB traffic

David Hartman linux at linux.cz
Tue Sep 20 08:13:34 CEST 2005


Hello,
so I put the rules into FORWARD and left out the interface.

gw ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             212.71.178.152/29
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:1025:65535

Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:microsoft-ds reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:microsoft-ds reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:microsoft-ds reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             212.71.178.152/29
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  gw.hrdejovice.net    anywhere
ACCEPT     all  --  10.10.10.1           anywhere
ACCEPT     all  --  matteo2.cb.gin.cz    anywhere
ACCEPT     all  --  212.71.178.153       anywhere

gw ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  192.168.0.0/24       anywhere            tcp dpt:http redir ports 3128
DNAT       tcp  --  192.168.0.0/24       anywhere            tcp dpt:smtp to:212.71.175.5:25

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  212.71.178.152/29    anywhere
SNAT       all  --  anywhere             anywhere            to:212.71.133.115

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The config file is attached. Please have a look at it, sharing still works...! :o(

Thanks, David



Dalibor Straka wrote:

>On Mon, Sep 19, 2005 at 09:55:06PM +0200, David Hartman wrote:
>
>>Hello,
>>I have a router with an inner network card wlan1 (hostap, acting as an AP) and
>>an outer one wlan0 (Internet connection, NAT). I want to prevent file and
>>printer sharing on the inner network. Samba is not running on the router.
>>
>>I created the following rules:
>>-A INPUT -i wlan1 -p tcp --dport 137:139 -j DROP
>>-A INPUT -i wlan1 -p udp --dport 137:139 -j DROP
>>-A INPUT -i wlan1 -p tcp --dport 445 -j DROP
>>-A INPUT -i wlan1 -p udp --dport 445 -j DROP
>>
>>Unfortunately without any effect - sharing keeps working. These 4 lines are
>>listed as the very first ones. I also tried putting the same rules into the
>>FORWARD chain, but again without success... :o(
>>
>
>The rules you listed definitely belong in FORWARD. Also send us the
>configuration file plus the output of iptables -L and iptables -t nat -L.
>If you don't want to slow down the lives of the users on the network(*),
>use -j REJECT as the target. If you want to keep struggling with it on your
>own for a while, make sure your lines come first by inserting with -I FORWARD.
>
>(*) In Windows the images of the saints are maximised: Saint Jack, who humbly
>waited for Windows to start and died of hunger in the meantime...
>(www.panelnet.cz/linux/Bill_s_vami.txt)
>
------------- next part ---------------
# Generated by iptables-save v1.3.2 on Tue Sep 20 08:12:26 2005
*nat
:PREROUTING ACCEPT [3:783]
:POSTROUTING ACCEPT [1:347]
:OUTPUT ACCEPT [1:80]
-A PREROUTING -s 192.168.0.0/255.255.255.0 -i ! wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 212.71.175.5:25 
-A POSTROUTING -s 212.71.178.152/255.255.255.248 -o wlan0 -j ACCEPT 
-A POSTROUTING -o wlan0 -j SNAT --to-source 212.71.133.115 
COMMIT
# Completed on Tue Sep 20 08:12:26 2005
# Generated by iptables-save v1.3.2 on Tue Sep 20 08:12:26 2005
*mangle
:PREROUTING ACCEPT [182:17489]
:INPUT ACCEPT [179:17062]
:FORWARD ACCEPT [3:427]
:OUTPUT ACCEPT [227:19321]
:POSTROUTING ACCEPT [230:19748]
COMMIT
# Completed on Tue Sep 20 08:12:26 2005
# Generated by iptables-save v1.3.2 on Tue Sep 20 08:12:26 2005
*filter
:INPUT DROP [1:404]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -i wlan1 -j ACCEPT 
-A INPUT -i eth0 -j ACCEPT 
-A INPUT -d 212.71.178.152/255.255.255.248 -i eth0 -j ACCEPT 
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i wlan0 -p udp -m udp --sport 53 -j ACCEPT 
-A INPUT -i wlan0 -p udp -m udp --sport 123 -j ACCEPT 
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -i wlan0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -i wlan0 -p tcp -m tcp --dport 1025:65535 -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p udp -m udp --dport 445 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p tcp -m tcp --sport 137:139 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p udp -m udp --sport 137:139 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p tcp -m tcp --sport 445 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p udp -m udp --sport 445 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -d 212.71.178.152/255.255.255.248 -j ACCEPT 
-A FORWARD -i wlan1 -j ACCEPT 
-A FORWARD -i eth0 -j ACCEPT 
-A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i wlan0 -o wlan1 -m state --state NEW -j ACCEPT 
-A OUTPUT -s 127.0.0.1 -j ACCEPT 
-A OUTPUT -s 192.168.0.1 -j ACCEPT 
-A OUTPUT -s 10.10.10.1 -j ACCEPT 
-A OUTPUT -s 212.71.133.115 -j ACCEPT 
-A OUTPUT -s 212.71.178.153 -j ACCEPT 
COMMIT
# Completed on Tue Sep 20 08:12:26 2005
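
An added example, not from this thread or from either poster: a small Python first-match evaluator for the *filter table of an iptables-save dump, so a ruleset like the attached one can be checked offline against a hypothetical packet before touching the router. It models only the built-in chains and the matches the attached rules use (-i/-o/-p/-s/-d, --sport/--dport with single ports or lo:hi ranges, -m state --state; no "!" negation). The POSTED ruleset is reconstructed from the attached FORWARD chain; APPENDED is a constructed variant with the same eight SMB rules added with -A after the blanket ACCEPTs. The packets, client addresses and the interface/port values used in the checks are constructed for the demonstration.

```python
"""Added example (not from this thread): first-match evaluation of the *filter
table of an iptables-save dump, to see which rule a given packet would hit."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str = ""       # ingress interface; "" for locally generated packets
    out_if: str = ""      # egress interface; "" for locally delivered packets
    proto: str = "tcp"
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"    # conntrack state as seen by -m state


def parse_filter(save_text):
    """Return ({chain: policy}, {chain: [rule tokens]}) for the *filter table."""
    policies, chains, in_filter = {}, {}, False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # table header, e.g. "*filter"
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == ":":                       # ":FORWARD DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        else:
            toks = line.split()
            if toks[0] == "-A":                  # iptables-save emits only -A
                chains.setdefault(toks[1], []).append(toks[2:])
    return policies, chains


def _in_range(spec, port):
    """True if port lies in an iptables port spec such as "445" or "137:139"."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_target(tokens, pkt):
    """Return the rule's -j target if every match fits pkt, otherwise None."""
    target = None
    for opt, arg in zip(tokens[::2], tokens[1::2]):   # every option here takes one argument
        ok = None
        if opt == "-i":
            ok = pkt.in_if == arg
        elif opt == "-o":
            ok = pkt.out_if == arg
        elif opt == "-p":
            ok = pkt.proto == arg
        elif opt in ("-s", "-d"):                     # accepts /29 and /255.255.255.248 alike
            net = ipaddress.ip_network(arg, strict=False)
            ok = ipaddress.ip_address(pkt.src if opt == "-s" else pkt.dst) in net
        elif opt == "--dport":
            ok = _in_range(arg, pkt.dport)
        elif opt == "--sport":
            ok = _in_range(arg, pkt.sport)
        elif opt == "--state":
            ok = pkt.state in arg.split(",")
        elif opt == "-j":
            target = arg
        # -m tcp/udp/state and --reject-with take an argument but add no constraint
        if ok is False:                               # first failed match ends the rule
            return None
    return target


def verdict(chain, pkt, policies, chains):
    """First-match walk of a built-in chain: (target, rule number) or (policy, None)."""
    for n, rule in enumerate(chains.get(chain, []), start=1):
        target = rule_target(rule, pkt)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, n
    return policies.get(chain, "ACCEPT"), None


# Constructed from the FORWARD chain of the attached dump. POSTED keeps the dump's
# order; APPENDED is what -A would have produced had the SMB rules been added last.
HEADER = "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n"
SMB_RULES = "".join(
    f"-A FORWARD -p {proto} -m {proto} --{side} {ports} -j REJECT --reject-with icmp-port-unreachable\n"
    for side in ("dport", "sport") for ports in ("137:139", "445") for proto in ("tcp", "udp")
)
ACCEPT_RULES = """\
-A FORWARD -d 212.71.178.152/255.255.255.248 -j ACCEPT
-A FORWARD -i wlan1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o wlan1 -m state --state NEW -j ACCEPT
"""
POSTED = HEADER + SMB_RULES + ACCEPT_RULES + "COMMIT\n"
APPENDED = HEADER + ACCEPT_RULES + SMB_RULES + "COMMIT\n"


def forward_verdict(ruleset, pkt):
    """Verdict of the FORWARD chain of ruleset for pkt, e.g. ('REJECT', 3)."""
    policies, chains = parse_filter(ruleset)
    return verdict("FORWARD", pkt, policies, chains)
```

With a constructed packet from a wlan1 client to port 445 on a host behind eth0 (`Packet(in_if="wlan1", out_if="eth0", proto="tcp", src="192.168.0.10", dst="10.10.10.20", sport=1025, dport=445)`), `forward_verdict(POSTED, ...)` returns `('REJECT', 3)`, and the --sport rules catch the server's replies the same way, so the posted FORWARD chain does what was asked. `forward_verdict(APPENDED, ...)` returns `('ACCEPT', 2)`: placed after `-A FORWARD -i wlan1 -j ACCEPT` the same rules are shadowed and never reached, which is why the -I FORWARD advice matters. What the evaluator cannot model is traffic that never enters FORWARD at all, and that is the likely reason sharing keeps working here: stations associated to the same hostap AP reach each other through the AP's own frame relay rather than through IP routing (the hostap driver's ap_bridge_packets parameter, set with prism2_param or iwpriv, switches that relay off), and hosts on one wired segment reach each other through the switch without the router. `iptables -L FORWARD -v -n` shows per-rule packet counters; if they stay at zero on the REJECT rules while a client browses shares, netfilter is simply not seeing the traffic.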

