[CentOS] Security help desperately needed - more info

Fri Feb 8 10:16:57 UTC 2008
Anne Wilson <cannewilson at googlemail.com>

On Thursday 07 February 2008 21:30, mouss wrote:
> do an
> # iptables-save > somefile
> edit somefile and put the following 4 lines "somewhere" (before the
> lines that reject everything)
> -A RH-Firewall-1-INPUT -p udp -m udp -s --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -s --dport 138 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s --dport 445 -j ACCEPT
> adjust the IP sources (the -s as you need. I am assuming
> that you have a rule like this:
> -A  RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> then
> # iptables-restore < somefile
> if you're happy with that, then
> # iptables-save > /etc/sysconfig/iptables
> so that this survives a reboot.

Thanks for the reply, mouss.  First, a few questions if you don't mind - it's
important to me to understand what's going on :-)

If I use system-config-securitylevels with samba enabled I get the following 
two lines

-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j 
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j 

while you advocate

> -A RH-Firewall-1-INPUT -p udp -m udp -s --dport 137 -j
> ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp -s --dport 138

Since these two ports are labelled NETBIOS ports, I assume they are the ones 
used for samba.  Does the system-config-securitylevels setting mean that they 
are accepted providing they match the state already defined above?  And does 
yours tie it down to a more secure version, udp only?

I specifically have opened port 143, as I was unable to read my mail without
it.  IIUC your version will tell iptables to accept anything from the LAN.
Is that right?  If so, I guess that specific port-opening can be removed.

When I need an IMAP connection from outside the LAN, the router port-forwards
it.  Is that then seen as a LAN connection?

Thanks for your patience.
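The edit mouss describes (put the four Samba rules into an `iptables-save` dump before the chain's catch-all REJECT, restricted to a LAN source) as an added shell example; it is not code from the thread or from CentOS. The dump and the `192.168.1.0/24` source network are constructed placeholders, since the thread leaves the real address out.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump (not from the original thread).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Emit the four Samba rules limited to one source network ($1, e.g. the
# placeholder 192.168.1.0/24): NetBIOS name/datagram on UDP 137/138, and
# NEW connections only on TCP 139/445.
samba_rules() {
    lan="$1"
    printf '%s\n' \
      "-A RH-Firewall-1-INPUT -s $lan -p udp -m udp --dport 137 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -s $lan -p udp -m udp --dport 138 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT"
}

# Read a dump on stdin and print it with the Samba rules inserted just before
# the first REJECT in RH-Firewall-1-INPUT, so they are evaluated before it.
insert_samba_rules() {
    rules=$(samba_rules "$1")
    awk -v rules="$rules" '
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ && !done { print rules; done=1 }
        { print }'
}

# Sanity check before iptables-restore: how many ACCEPT rules allow
# destination port $2 from source $1 in the dump read on stdin.
count_port_rules() {
    grep -c -- "-s $1 .*--dport $2 -j ACCEPT"
}
```

Run as `iptables-save | insert_samba_rules 192.168.1.0/24 > somefile`, review it, then `iptables-restore < somefile`.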
