I've read through a few tutorials and learnt the basics of opening and closing ports, but it's got to the point now where I need to allow certain ports to certain IPs. The tutorials don't seem to cover this, or they do and I don't quite understand where the examples are for that, so I was hoping somebody could show me the line iptables would accept to block all incoming connections to a specified port, besides a specified IP.
The problem is that I have Samba running on a server which is a DMZ host and I only want the internal network to be able to access the Samba server. The router's hard to work with and the last time I tried to disable DMZ and port forward the required ports I locked myself out and spent 25 minutes on the phone guiding somebody through enabling DMZ again.
If you can see another way to only allow internal traffic to access Samba it would be good if you showed me; using a firewall seems a dirty way to do the job.
Configuring iptables
iptables syntax, or samba config file
iptables syntax is as follows:
NOTE: using a firewall will guarantee that no unwanted interactions AT ALL occur w/ samba.
Code:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP --dport PORTNUM -j DROP
if you are however willing to trust samba's security implementation, you can try to use the hosts allow directive in /etc/samba/smb.conf
to allow all local traffic, specify something like this within the defined share volume:
[printer]
Code:
hosts allow = 192.168.1.
Two other interesting samba config directives are:
Code:
force user = samba_guest
create mask = 0755
force user will make sure that any files created by samba users are created using the specified user id, while create mask chmods the files to the specified chmod settings.
HTH
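As an added example (not code from the thread or from either poster), here is a POSIX shell script that does what the question asks: it allows the Samba ports only from the internal network and drops them for everyone else. It assumes the internal network is 192.168.1.0/24 and the DMZ host's interface is eth0 (both are assumptions, adjust them); the Samba port numbers (TCP 139/445, UDP 137/138) are the standard ones. Compared with the single DROP line in the reply above, an ACCEPT for the trusted subnet is placed before the DROP for each port, which is what turns "drop the port" into "drop the port except from the internal network". Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict Samba's ports to one internal
# subnet with iptables and drop them for every other source.
# Assumptions (not from the page): internal network 192.168.1.0/24, DMZ host
# listening on eth0. Set IPT=echo to print the commands instead of running them.

IPT="${IPT:-iptables}"

# Samba listens on TCP 139 and 445 (SMB) and UDP 137 and 138 (NetBIOS name/datagram).
SAMBA_TCP="139 445"
SAMBA_UDP="137 138"

# samba_lockdown <iface> <trusted-cidr>
# Uses a dedicated chain (SAMBA) so the rules can be rebuilt without touching
# the rest of INPUT. Rule order matters: ACCEPT the trusted subnet first, then
# DROP everyone else, and only for the Samba ports, so other services are
# unaffected.
samba_lockdown() {
    iface="$1"
    trusted="$2"

    # Fresh chain each run: create it if missing (ignore "already exists"), then empty it.
    "$IPT" -N SAMBA 2>/dev/null || true
    "$IPT" -F SAMBA

    for p in $SAMBA_TCP; do
        "$IPT" -A SAMBA -p tcp --dport "$p" -s "$trusted" -j ACCEPT
        "$IPT" -A SAMBA -p tcp --dport "$p" -j DROP
    done
    for p in $SAMBA_UDP; do
        "$IPT" -A SAMBA -p udp --dport "$p" -s "$trusted" -j ACCEPT
        "$IPT" -A SAMBA -p udp --dport "$p" -j DROP
    done

    # Hook the chain into INPUT for traffic arriving on the DMZ interface.
    # Remove any jump left from a previous run first so it is never duplicated,
    # then insert it at the top so it is evaluated before any catch-all rules.
    "$IPT" -D INPUT -i "$iface" -j SAMBA 2>/dev/null || true
    "$IPT" -I INPUT -i "$iface" -j SAMBA
}

# Usage (as root):  samba_lockdown eth0 192.168.1.0/24
# Dry run:          IPT=echo samba_lockdown eth0 192.168.1.0/24
```

The rules are not persistent across a reboot; save them with the distribution's iptables save/restore mechanism once they behave as expected. Verify with `iptables -L SAMBA -n -v`: the ACCEPT counters should move for a connection from the internal network and the DROP counters for one from outside it.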
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
Don't go there. Use firehol if you can, it makes it really easy. I tried iptables; it's too complex to be any good unless you have the time to do detailed testing against your configuration and read a book on tcp/ip. If you are still determined, have a look at my recent struggle (note: I say in that thread that firehol wasn't compatible with my kernel. I was wrong. My iptables had in fact completely broken and my host fixed it for me; firehol is basically a layer on top of iptables).