Thought I had sent this to the list. Here's my final setup, which works for me. It uses iptables, so not all of it may carry over back to ipchains.


Ok, here's what I have, and it works. I get the impression that the
RELATED,ESTABLISHED stuff doesn't apply to UDP, so I just said to ACCEPT
anything UDP from 137:139 to 1024+ with a source IP on my same subnet.

# SSH from anywhere (new connections only)
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# NetBIOS/SMB over TCP (137-139), LAN only
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 137:139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# DHCP on the LAN
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
# DNS answers from the two resolvers
-A INPUT -s 66.150.129.229 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 24.219.4.35 -p udp -m udp --sport 53 -j ACCEPT
# NetBIOS over UDP from the LAN: queries to 137-139, and replies from 137-139 to any unprivileged port
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport 137:139 --dport 1024:65535 -j ACCEPT
# Loopback, and established/related traffic coming from LAN addresses
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything else gets an explicit reject (new TCP connections and all other UDP)
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable


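As an added example (not the poster's ruleset), the same policy rebuilt as a script that leans on connection tracking: nf_conntrack tracks UDP as well as TCP, so a single RELATED,ESTABLISHED rule admits DNS answers and NetBIOS replies to queries this host sent, and the broad "sport 137:139 to 1024+" and per-resolver rules are not needed. The LAN range and the default policy DROP are assumptions; by default the script only prints the rules, and IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not from the original post. LAN is an assumed placeholder.
# With the default IPT the rules are only printed; run as root with
# IPT=iptables (or IPT=/sbin/iptables) to apply them.
LAN=${LAN:-192.168.1.0/24}
IPT=${IPT:-"echo iptables"}

samba_firewall() {
    $IPT -F INPUT
    # Assumed hardening over the post: drop anything not explicitly listed.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Conntrack tracks UDP flows too, so this one rule covers DNS answers and
    # NetBIOS replies to requests this host sent, from any source.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # SSH from anywhere; --syn is shorthand for --tcp-flags SYN,RST,ACK SYN
    $IPT -A INPUT -p tcp --dport 22 --syn -j ACCEPT
    # NetBIOS name/datagram/session services (137-139), LAN only
    $IPT -A INPUT -s "$LAN" -p tcp --dport 137:139 --syn -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p udp --dport 137:139 -j ACCEPT
    # DHCP uses broadcast, which conntrack does not pair up as a reply,
    # so the explicit rule from the post stays.
    $IPT -A INPUT -s "$LAN" -p udp --sport 67:68 --dport 67:68 -j ACCEPT
    # Explicit rejects so LAN clients fail fast instead of timing out
    $IPT -A INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

samba_firewall
```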