Configuring iptables

impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Configuring iptables

Post by impulse() »

I've read through a few tutorials and learnt the basics of opening and closing ports, but it's got to the point now where I need to allow certain ports to certain IPs. The tutorials don't seem to cover this, or they do and I don't quite understand where the examples for that are, so I was hoping somebody could show me the line iptables would accept to block all incoming connections to a specified port except from a specified IP.

The problem is that I have Samba running on a server which is a DMZ host and I only want the internal network to be able to access the Samba server. The router's hard to work with and the last time I tried to disable DMZ and port forward the required ports I locked myself out and spent 25 minutes on the phone guiding somebody through enabling DMZ again.

If you can see another way to only allow internal traffic to access Samba it would be good if you showed me; using a firewall seems a dirty way to do the job.
inn3rflow
Forum Newbie
Posts: 2
Joined: Thu Feb 01, 2007 11:45 am

iptables syntax, or samba config file

Post by inn3rflow »

iptables syntax is as follows:

    # replace PORTNUM with the port to block; drops that port from any source (0/0) arriving on eth0
    iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP --dport PORTNUM -j DROP

NOTE: using a firewall will guarantee that no unwanted interactions AT ALL occur w/ samba.

If you are however willing to trust samba's security implementation, you can try to use the hosts allow directive in /etc/samba/smb.conf. To allow all local traffic, specify something like this within the defined share volume:

    [printer]
    hosts allow = 192.168.1.

Two other interesting samba config directives are:

    force user = samba_guest
    create mask = 0755

force user will make sure that any files created by samba users are created using the specified user id, while create mask chmods the files to the specified chmod settings.

HTH
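The original question was how to let only the internal network reach Samba while the host sits in the router's DMZ. The following script is an added example, not code from this thread or from any of the posters, covering both halves of the reply above: the iptables rules that allow the Samba ports from the LAN and drop them from everywhere else, and the matching hosts allow / hosts deny fragment for smb.conf. The LAN prefix 192.168.1.0/24 and the interface name eth0 are assumptions; adjust them to your network. By default the script only prints the iptables commands so they can be reviewed; set APPLY=1 to run them (as root).

```shell
#!/bin/sh
# Added example (not from the thread): restrict Samba to the internal LAN.
# Assumed values: LAN is 192.168.1.0/24, the DMZ host's interface is eth0.
# APPLY=1 runs the iptables commands (needs root); otherwise they are printed.

SAMBA_TCP="139 445"   # NetBIOS session service and SMB over TCP
SAMBA_UDP="137 138"   # NetBIOS name and datagram services

# Print (or, with APPLY=1, execute) one iptables command.
run_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Emit the rule set: ACCEPT from the LAN first, then DROP from anywhere else.
# iptables walks INPUT top to bottom and the first match wins, so the LAN
# ACCEPT rules must come before the catch-all DROP rules for the same ports.
samba_rules() {
    lan="$1"; iface="$2"
    for p in $SAMBA_TCP; do
        run_rule -A INPUT -i "$iface" -p tcp --dport "$p" -s "$lan" -j ACCEPT
    done
    for p in $SAMBA_UDP; do
        run_rule -A INPUT -i "$iface" -p udp --dport "$p" -s "$lan" -j ACCEPT
    done
    for p in $SAMBA_TCP; do
        run_rule -A INPUT -i "$iface" -p tcp --dport "$p" -j DROP
    done
    for p in $SAMBA_UDP; do
        run_rule -A INPUT -i "$iface" -p udp --dport "$p" -j DROP
    done
}

# The same restriction enforced by Samba itself: a [global] fragment for
# smb.conf. "hosts deny = ALL" makes the allow list the only way in, so the
# share still stays private if the firewall rules are ever flushed.
samba_conf_fragment() {
    lan="$1"
    printf '[global]\n'
    printf '    hosts allow = %s 127.\n' "$lan"
    printf '    hosts deny = ALL\n'
}

samba_rules 192.168.1.0/24 eth0
echo
samba_conf_fragment 192.168.1.0/24
```

Because the rules are appended with -A, run them on a freshly flushed INPUT chain or check `iptables -L INPUT -n --line-numbers` afterwards to confirm no earlier rule already accepts those ports. Once the rules behave as expected, persist them with `iptables-save` so they survive a reboot.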
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Post by impulse() »

Thank you for that.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Don't go there. Use firehol if you can, it makes it really easy. I tried iptables, it's too complex to be any good unless you have the time to do detailed testing against your configuration and read a book on tcp/ip. If you are still determined have a look at my recent struggle (note: I say in that thread that firehol wasn't compatible with my kernel. I was wrong. My iptables had in fact completely broken and my host fixed it for me, firehol is basically a layer on top of iptables).