ozric n00b
Joined: 13 Oct 2006 Posts: 38 Location: Örebro, Sweden
Posted: Tue Mar 03, 2015 6:32 am Post subject: Adding samba service to iptables
Hello! I am trying to add samba to my iptables rules. I've done this on earlier installs using the same syntax, but for some reason it doesn't work now.
Code:
DEVIANT samba # iptables -A INPUT -p tcp --dport samba -j ACCEPT
iptables v1.4.21: invalid port/service `samba' specified
Try `iptables -h' or 'iptables --help' for more information.

Samba is installed and added to default runlevel. What am I missing? Might add that I've successfully added ssh to the chain with the same syntax.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3131
Posted: Tue Mar 03, 2015 6:54 am Post subject:
Quote: | iptables v1.4.21: invalid port/service `samba' specified |
Here it is: iptables does not understand what you want. Why won't you just use a port number?
ozric n00b
Joined: 13 Oct 2006 Posts: 38 Location: Örebro, Sweden
Posted: Tue Mar 03, 2015 10:26 am Post subject:
It is not like I am planning on using a different port than the default for smb, so I guess I could. But in the case of the ssh service, I change the listening port from time to time, and don't have to reconfigure my chain of rules in iptables when I do so. So for the convenience I would rather allow the samba service than a static port, if that makes any sense.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6097 Location: Dallas area
Posted: Tue Mar 03, 2015 10:52 am Post subject:
You can't use a "name" it doesn't understand.
All a name is, is a shorthand for a port number.
Quote: | I change the listening port from time to time, and don't have to reconfigure my chain of rules in iptables when I do so. |
You don't have to change iptables if it understands the new name, but I doubt very seriously that if you are changing the default port for ssh that iptables understands it, because it doesn't know that you want the ssh port to not refer to "22".
If you do "iptables -L -n" it will show everything it understands by number instead of by name.
Edit to add:
From /etc/services
Code:
netbios-ssn 139/tcp # NETBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS

These are default ports for smb and you may use these names on the left (iptables should understand them).
ozric n00b
Joined: 13 Oct 2006 Posts: 38 Location: Örebro, Sweden
Posted: Tue Mar 03, 2015 12:01 pm Post subject:
Ok, I'll add the ports instead. You're probably right Moose. I was under the impression that using the name of the service rather than a static port would somehow automagically use the information of what port to open from /etc/services. I've been away from this too long. But thanks anyway both of you!
The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1602 Location: Fayetteville, NC, USA
Posted: Tue Mar 03, 2015 2:48 pm Post subject:
I allow only SAMBA and SSH through my firewall. This works well for me. Note that I am on a laptop and have two interfaces, but here is my firewall.
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW -j ACCEPT

I also use VPN to connect to various client locations (I am an IT guy) so I added a simple script which runs whenever the VPN comes up which keeps my firewall on my LAN and WLAN, but allows everything on the VPN interface. I added a second script to remove that rule when the VPN disconnects. You can see how simple it is to do this HERE.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21595
Posted: Wed Mar 04, 2015 12:24 am Post subject:
ozric wrote: | I was under the impression that using the name of the service rather than a static port would somehow automagically use the information of what port to open from /etc/services. |
It will use /etc/services. Moose's point was that if you change sshd_config to specify Port 522, then /etc/services still says ssh 22, so iptables still works on port 22.
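Added example, not code from any post in this thread: a small sh script that resolves a --dport name the way iptables does (a per-protocol lookup in /etc/services, aliases included) against a constructed excerpt of that file, builds the SMB rules from the resolved numbers, and flags an sshd_config Port that no longer matches the ssh entry, which is Hu's point above. The SERVICES_DB excerpt, the function names and the conntrack match are my assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). SERVICES_DB is a constructed excerpt of
# /etc/services so the script runs without reading the real file.
SERVICES_DB='ssh             22/tcp
netbios-ssn     139/tcp   # NETBIOS Session Service
netbios-ssn     139/udp
microsoft-ds    445/tcp   Microsoft-DS
microsoft-ds    445/udp   Microsoft-DS
netbios-ns      137/udp
netbios-dgm     138/udp'

# resolve_port NAME PROTO: print the port number, or nothing if the name is
# not in the database for that protocol. "samba" resolves to nothing, which
# is exactly the "invalid port/service" error in the first post.
resolve_port() {
    printf '%s\n' "$SERVICES_DB" | awk -v n="$1" -v p="$2" '
        /^#/ || NF == 0 { next }
        { split($2, a, "/"); if (a[2] != p) next
          if ($1 == n) { print a[1]; exit }
          for (i = 3; i <= NF && $i !~ /^#/; i++)
              if ($i == n) { print a[1]; exit } }'
}

# rule_for NAME PROTO: print the iptables rule with the name already turned
# into a number, so the rule does not depend on the box's /etc/services.
rule_for() {
    port=$(resolve_port "$1" "$2")
    if [ -z "$port" ]; then
        echo "invalid port/service '$1' specified" >&2
        return 1
    fi
    echo "iptables -A INPUT -p $2 --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# smb_rules: the two SMB names from Anon-E-moose's excerpt plus the NetBIOS
# name/datagram ports (137/udp, 138/udp) that the later ruleset opens.
smb_rules() {
    rule_for netbios-ssn tcp && rule_for microsoft-ds tcp &&
    rule_for netbios-ns udp && rule_for netbios-dgm udp
}

# check_sshd_port SSHD_CONFIG_TEXT: "Port 522" in sshd_config does not change
# /etc/services, so "--dport ssh" still means 22. Returns 1 on a mismatch.
check_sshd_port() {
    configured=$(printf '%s\n' "$1" | awk '$1 == "Port" { print $2; exit }')
    [ "${configured:-22}" = "$(resolve_port ssh tcp)" ]
}
```

Run `smb_rules` to print the four numeric rules, and `check_sshd_port "$(cat /etc/ssh/sshd_config)"` to see whether a name-based ssh rule would still match the daemon's real port.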