[CentOS] Security help desperately needed - more info
Anne Wilson
cannewilson at googlemail.com
Fri Feb 8 10:16:57 UTC 2008
On Thursday 07 February 2008 21:30, mouss wrote:
> do an
> # iptables-save > somefile
>
> edit somefile and put the following 4 lines "somewhere" (before the
> lines that reject everything)
>
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
>
> adjust the IP sources (the -s 192.168.0.0/24) as you need. I am assuming
> that you have a rule like this:
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>
> then
> # iptables-restore < somefile
>
> if you're happy with that, then
> # iptables-save > /etc/sysconfig/iptables
> so that this survives a reboot.
Thanks for the reply, mouss. First, a few questions if you don't mind - it's
important to me to understand what's going on :-)
If I use system-config-securitylevels with samba enabled I get the following
two lines
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
while you advocate
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
Since these two ports are labelled NETBIOS ports, I assume they are the ones
used for samba. Does the system-config-securitylevels setting mean that they
are accepted providing they match the state already defined above? And does
yours tie it down to a more secure version, udp only?
I specifically have opened port 143, as I was unable to read my mail without
it. IIUC your version will tell iptables to accept anything from the LAN.
Is that right? If so, I guess that specific port-opening can be removed.
When I need an IMAP connection from outside the LAN, the router port-forwards
it. Is that then seen as a LAN connection?
Thanks for your patience.
Anne
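The procedure quoted above (iptables-save, insert the four rules "before the lines that reject everything", iptables-restore) as an added example, not code from the thread or from either poster: a Python script that inserts mouss's four rules into an iptables-save dump and then walks the chain with iptables' first-match semantics, so you can see why the position relative to the final REJECT rule matters and what the `-s 192.168.0.0/24` source match does. The chain name and the rule text come from the quoted reply; the sample dump, the packet fields and the tiny matcher are assumptions made for the example (it only understands the options that appear in this dump).

```python
import ipaddress

# Constructed sample iptables-save dump (assumption: a default CentOS
# RH-Firewall-1-INPUT chain with port 143 already opened, as in the thread).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

CHAIN = "RH-Firewall-1-INPUT"


def samba_rules(lan="192.168.0.0/24", chain=CHAIN):
    """The four rules from the quoted reply, parameterised on the LAN prefix."""
    return [
        f"-A {chain} -p udp -m udp -s {lan} --dport 137 -j ACCEPT",
        f"-A {chain} -p udp -m udp -s {lan} --dport 138 -j ACCEPT",
        f"-A {chain} -m state --state NEW -m tcp -p tcp -s {lan} --dport 139 -j ACCEPT",
        f"-A {chain} -m state --state NEW -m tcp -p tcp -s {lan} --dport 445 -j ACCEPT",
    ]


def insert_rules(dump, rules, chain=CHAIN, before_reject=True):
    """Return a new dump with `rules` added to `chain`.

    before_reject=True places them just ahead of the chain's first REJECT
    rule (what the reply asks for). False appends them after the chain's
    last rule, i.e. after the REJECT, which is where they land if you just
    add them at the end; the walk below shows that they then never match.
    """
    lines = dump.splitlines()
    prefix = f"-A {chain} "
    chain_idx = [i for i, line in enumerate(lines) if line.startswith(prefix)]
    if not chain_idx:
        raise ValueError(f"chain {chain} has no rules in this dump")
    if before_reject:
        pos = next(i for i in chain_idx if " -j REJECT" in lines[i])
    else:
        pos = chain_idx[-1] + 1
    return "\n".join(lines[:pos] + rules + lines[pos:]) + "\n"


def _rule_matches(tokens, pkt):
    """Match the options used in this dump; every option here takes one
    argument, so each step consumes two tokens (a simplification)."""
    i = 0
    while i < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt == "-p" and arg != pkt["proto"]:
            return False
        if opt == "-s" and ipaddress.ip_address(pkt["src"]) not in \
                ipaddress.ip_network(arg, strict=False):
            return False
        if opt == "--dport" and int(arg) != pkt["dport"]:
            return False
        if opt == "-i" and arg != pkt["iface"]:
            return False
        if opt == "--state" and pkt["state"] not in arg.split(","):
            return False
        # -m, -j, --icmp-type and --reject-with do not narrow the match.
        i += 2
    return True


def verdict(dump, pkt, chain=CHAIN):
    """First-match walk of `chain`: target of the first matching rule,
    or RETURN if nothing matches (iptables semantics)."""
    prefix = f"-A {chain} "
    for line in dump.splitlines():
        if line.startswith(prefix):
            tokens = line.split()[2:]
            if _rule_matches(tokens, pkt):
                return tokens[tokens.index("-j") + 1]
    return "RETURN"


def packet(proto, dport, src, state="NEW", iface="eth0"):
    return {"proto": proto, "dport": dport, "src": src, "state": state, "iface": iface}


if __name__ == "__main__":
    patched = insert_rules(SAMPLE_DUMP, samba_rules())
    print(patched)
    for p in (packet("udp", 137, "192.168.0.7"),   # LAN host: ACCEPT
              packet("udp", 137, "10.0.0.5"),      # outside -s: REJECT
              packet("tcp", 143, "203.0.113.9")):  # port 143 rule unchanged
        print(p["proto"], p["dport"], p["src"], "->", verdict(patched, p))
```

Run it against a real `iptables-save > somefile` dump by reading the file into `insert_rules` and writing the result back before `iptables-restore`; the walk only exercises the match options present in this sample, so treat it as a sanity check on ordering and source ranges, not as a substitute for testing the live rule set.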