I’m trying to set up an iptables config such that outbound connections from my CentOS 6.2 server are allowed ONLY if they are of state ESTABLISHED. Currently, the following setup is working great for sshd, but all the Samba rules get totally ignored for a reason I cannot figure out.
iptables Bash script to set up ALL rules:
    # Remove all existing rules
    iptables -F

    # Set default chain policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Allow incoming SSH
    iptables -A INPUT -i eth0 -p tcp --dport 22222 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22222 -m state --state ESTABLISHED -j ACCEPT

    # Allow incoming Samba
    iptables -A INPUT -i eth0 -s 10.1.1.0/24 -p udp --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -d 10.1.1.0/24 -p udp --sport 137:138 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.1.1.0/24 -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -d 10.1.1.0/24 -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT

    # Enable these rules
    service iptables restart
iptables rule list after running the above script:
    [root@repoman ~]# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22222 state NEW,ESTABLISHED

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:22222 state ESTABLISHED
Ultimately, I’m trying to restrict Samba the same way I have done for sshd. In addition, I’m trying to restrict connections to the following IP address range:
10.1.1.12 – 10.1.1.19
Can you guys offer some pointers or possibly even a full-blown solution? I’ve read man iptables quite extensively, so I’m not sure why the Samba rules are getting thrown out.
Additionally, removing the -s 10.1.1.0/24 flags doesn’t change the fact that the rules get ignored.
The service iptables restart at the end is the problem. When you run the iptables commands, those rules are put into effect immediately. The iptables service you’re restarting there uses a configuration file to load all the firewall rules when the system starts up. When you run it, it replaces all the rules you just made with whatever was in the stored configuration.

According to this, what you’re supposed to do is use the iptables commands to make the firewall work right, then service iptables save to save the firewall configuration for next boot.
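A corrected version of the script, as an added example (not code from the question or the answer): it keeps the asker's rules, restricts Samba to 10.1.1.12-10.1.1.19 with the iprange match instead of -s/-d 10.1.1.0/24, and ends with service iptables save as the answer describes. The names DRY_RUN, run, build_rules and save_rules are chosen here; the interface eth0, the port 22222 and the address range are the question's.

```shell
#!/bin/bash
# Added example (not from the question or answer): the question's rule set,
# rebuilt with the answer's fix. Rules are applied with iptables and then
# persisted with 'service iptables save' rather than 'service iptables restart',
# which would reload the old saved set. DRY_RUN=1 (the default) only prints
# the commands; run as root with DRY_RUN=0 to apply them.
DRY_RUN="${DRY_RUN:-1}"
IFACE="eth0"                       # interface used in the question
SSH_PORT="22222"                   # sshd port used in the question
SMB_RANGE="10.1.1.12-10.1.1.19"    # inclusive range from the question

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Flush, set DROP policies, then allow only the wanted traffic. Inbound
# accepts NEW,ESTABLISHED; outbound accepts ESTABLISHED only, as the asker
# wants. Emits 10 iptables commands.
build_rules() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    # SSH
    run iptables -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A OUTPUT -o "$IFACE" -p tcp --sport "$SSH_PORT" \
        -m state --state ESTABLISHED -j ACCEPT
    # Samba: NetBIOS name/datagram (udp 137-138) and session (tcp 139),
    # only to and from the allowed address range
    run iptables -A INPUT -i "$IFACE" -m iprange --src-range "$SMB_RANGE" \
        -p udp --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A OUTPUT -o "$IFACE" -m iprange --dst-range "$SMB_RANGE" \
        -p udp --sport 137:138 -m state --state ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -m iprange --src-range "$SMB_RANGE" \
        -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A OUTPUT -o "$IFACE" -m iprange --dst-range "$SMB_RANGE" \
        -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT
}

# Write the running rule set to the init script's saved configuration
# (/etc/sysconfig/iptables on CentOS 6) so it survives a reboot or restart.
save_rules() {
    run service iptables save
}

build_rules
save_rules
```

After applying with DRY_RUN=0, iptables -L -n -v should list all ten rules, and /etc/sysconfig/iptables should contain the same rules once saved.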