| View previous topic :: View next topic |
| Author |
Message |
ozric
n00b
Joined: 13 Oct 2006
Posts: 38
Location: Örebro, Sweden
|
 Posted: Tue Mar 03, 2015 6:32 am Post subject: Adding samba service to iptables |
 |
|
Hello! I am trying to add samba to my iptables rules. I've done this on earlier installs using the same syntax, but for some reason it doesn't work now.
| Code: | DEVIANT samba # iptables -A INPUT -p tcp --dport samba -j ACCEPT
iptables v1.4.21: invalid port/service `samba' specified
Try `iptables -h' or 'iptables --help' for more information.
|
Samba is installed and added to default runlevel. What am I missing?  Might add that I've successfully added ssh to the chain with the same synax. |
|
| Back to top |
|
 |
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3131
|
| Posted: Tue Mar 03, 2015 6:54 am Post subject: |
|
|
| Quote: | | iptables v1.4.21: invalid port/service `samba' specified |
here it is, iptables does not understand what you want. Why won't you just use a port number? |
|
| Back to top |
|
|
ozric
n00b
Joined: 13 Oct 2006
Posts: 38
Location: Örebro, Sweden
|
| Posted: Tue Mar 03, 2015 10:26 am Post subject: |
|
|
| It is not like I am planning of using a different port than the default for smb, so I guess I could. But in the case of the ssh service - I change the listening port from time to time, and don't have to reconfigure my chain of rules in iptables when I do so. So for the convenience I would rather allow the samba service than a static port, if that makes any sense. |
|
| Back to top |
|
|
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6097
Location: Dallas area
|
| Posted: Tue Mar 03, 2015 10:52 am Post subject: |
|
|
You can't use a "name" it doesn't understand.
All a name is, is a shorthand for a port number.
| Quote: | | I change the listening port from time to time, and don't have to reconfigure my chain of rules in iptables when I do so. |
You don't have to change iptables if it understands the new name, but I doubt very seriously that if you are changing the default port for ssh that iptables understands it, because it doesn't know that you want the ssh port to not refer to "22".
If you do "iptables -L -n" it will show everything it understand numberwise instead of name.
Edit to add:
From /etc/services
| Code: | netbios-ssn 139/tcp # NETBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS |
These are default ports for smb and you may use these names on the left (iptables should understand them)
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
| Back to top |
|
|
ozric
n00b
Joined: 13 Oct 2006
Posts: 38
Location: Örebro, Sweden
|
| Posted: Tue Mar 03, 2015 12:01 pm Post subject: |
|
|
| Ok, I'll add the ports instead. You're probably right Moose. I was under the impression that using the name of the service rather than a static port would somehow automagically use the information of what port to open from /etc/services. I've been away from this too long. But thanks anyway both of you! |
|
| Back to top |
|
|
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA
|
| Posted: Tue Mar 03, 2015 2:48 pm Post subject: |
|
|
I allow only SAMBA and SSH through my firewall. This works well for me. Note that I am on a laptop and have two interfaces, but here is my firewall.
| Code: |
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW -j ACCEPT
|
I also use VPN to connect to various client locations (I am an IT guy) so I added a simple script which runs whenever the VPN comes up which keeps my firewall on my LAN and WLAN, but allows everything on the VPN interface. I added a second script to remove that rule when the VPN disconnects. You can see how simple it is to do this HERE.
_________________
Ever picture systemd as what runs "The Borg"? |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21595
|
| Posted: Wed Mar 04, 2015 12:24 am Post subject: |
|
|
| ozric wrote: | | I was under the impression that using the name of the service rather than a static port would somehow automagically use the information of what port to open from /etc/services. |
It will use /etc/services. Moose's point was that if you change sshd_config to specify Port 522, then /etc/services still says ssh 22, so iptables still works on port 22. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
