TOPIC: Linux Firewall

Linux Firewall 10 years 11 months ago #12085

gainil (Frequent Member, Posts: 52, Karma: 0)
Hi,

I have a network consisting of Linux (RedHat 8, 9 and Fedora) and Windows (all versions) PCs. I use mount //servername/sharename -o username=username from a Linux PC to access the files shared on a Windows machine. This works when the firewall is fully disabled. I want to know how I can use the Customize firewall option to allow only FTP, Telnet, SAMBA and WWW. Kindly tell me which ports have to be opened if I want to connect to a Windows PC for the above purpose.


To enable/disable/customize the firewall on RedHat Linux 9 I do:
#setup - then go to Firewall - then select the appropriate tab.

Kindly tell me how I can do the same from the command prompt.

Thanks in advance and Merry X'Mas to all !! :)

gainil !!

Re: Linux Firewall 10 years 11 months ago #12097

nske (Expert Member, Posts: 613, Karma: 0)
You can do this by defining a default-deny policy in your ruleset and only passing traffic directed to the (default) ports:
Telnet: 23 TCP
FTP: 21 TCP
SAMBA: 137, 138, 139 & 445 TCP & UDP
HTTP: 80 TCP

Thanks to the stateful inspection feature you should not have any problems even with protocols that require initiating or accepting multiple connections on different ports, like FTP, so you can set a default-deny policy for both incoming & outgoing traffic - correct me if I'm wrong.

You can customize the iptables ruleset more directly by editing the source file that is loaded by the init script (the init script should be located in /etc/init.d/iptables). I think on Fedora/RedHat the default ruleset file lies somewhere in /etc/sysconfig. You can also control the firewall through the init script, i.e. to restart: "/etc/init.d/iptables restart".

If you need a reference for the syntax, there are some great tutorials/howtos at the official site, www.netfilter.org/documentation/index.html .
If there's any problem let us know :)

Merry Christmas!
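The default-deny ruleset the reply above describes, written out as an added example (this is not code from the thread or from the Red Hat setup tools it mentions). It assumes the Linux box is a Samba client on a single LAN, uses an assumed placeholder subnet in LAN_NET, adds port 22 so a remote admin session survives the switch to default deny, and emits the iptables-restore file that /etc/init.d/iptables loads from /etc/sysconfig/iptables:

```shell
#!/bin/sh
# Added example, not code from the thread: build the default-deny ruleset
# described in the reply, in iptables-restore format.
# Assumptions: the host is a Samba client on one LAN; LAN_NET is a
# placeholder subnet; the file lands where /etc/init.d/iptables expects it.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN, change to your subnet

# Print the complete ruleset on stdout.
gen_ruleset() {
cat <<'EOF'
# default deny inbound/forwarded, allow replies to what this host started
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state NEW -j SERVICES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
    # Services from the reply that are TCP only: ftp, telnet, http.
    # Port 22 is an addition (not in the reply) so remote admin is not cut off.
    for port in 21 22 23 80; do
        printf '%s\n' "-A SERVICES -p tcp -m tcp --dport $port -j ACCEPT"
    done
    # Samba/NetBIOS ports, TCP and UDP, restricted to the LAN. UDP 137/138
    # must be open inbound: the reply to a broadcast name query comes from a
    # unicast address and does not match the conntrack entry of the outgoing
    # broadcast, so it arrives as NEW rather than ESTABLISHED.
    for port in 137 138 139 445; do
        printf '%s\n' "-A SERVICES -s $LAN_NET -p tcp -m tcp --dport $port -j ACCEPT"
        printf '%s\n' "-A SERVICES -s $LAN_NET -p udp -m udp --dport $port -j ACCEPT"
    done
    # Explicit fall-through: anything unmatched goes back to the REJECT in INPUT.
    printf '%s\n' "-A SERVICES -j RETURN"
    printf '%s\n' "COMMIT"
}

# Number of ACCEPT rules for PROTO PORT in the generated text (self-check).
count_accept() {   # usage: count_accept udp 137
    gen_ruleset | grep -c -- "-p $1 -m $1 --dport $2 -j ACCEPT" || true
}

# Write the file the init script loads and apply it atomically (run as root):
# iptables-restore applies the whole file or none of it.
install_ruleset() {   # usage: install_ruleset /etc/sysconfig/iptables
    gen_ruleset > "$1" && iptables-restore < "$1"
}

# Stand-alone run: print the ruleset for review.
gen_ruleset
```

Active-mode FTP data connections are only matched as RELATED when the FTP connection-tracking helper is loaded (ip_conntrack_ftp on 2.6-era kernels, nf_conntrack_ftp on current ones), so load it before trusting the stateful rule for FTP. Keep a console session open while testing a default-deny INPUT chain; if the ESTABLISHED rule is wrong, the remote session drops. Telnet and FTP carry credentials in cleartext, so if they are only habit rather than a requirement, SSH and SFTP on port 22 replace both.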

Re: Linux Firewall 10 years 11 months ago #12323

gainil (Frequent Member, Posts: 52, Karma: 0)
Hi NSKE !!

I tried the things recommended by you, but it still gives "smb connect fail" if the firewall is enabled. My /etc/sysconfig/iptables file looks like this; can you please correct it or suggest any mistakes there are in this file?

** the text in bold and underline is what I have put

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# A user chain must be declared before a rule jumps to it; without this
# line iptables-restore rejects the whole file.
:RH-Firewall-1-OUTPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A OUTPUT -j RH-Firewall-1-OUTPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d xxx.xxx.xxx.xxx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

# This chain has no final REJECT, so whatever it does not match returns to
# OUTPUT, whose policy is ACCEPT: these rules do not change what is allowed out.
-A RH-Firewall-1-OUTPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-OUTPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-OUTPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-OUTPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

COMMIT

I am using Fedora Core 3; I manually edited this file and restarted the iptables service.

Thanks in advance

Re: Linux Firewall 10 years 11 months ago #12354

nske (Expert Member, Posts: 613, Karma: 0)
try adding also:
-A RH-Firewall-1-OUTPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-OUTPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-OUTPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
-A RH-Firewall-1-OUTPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
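As an added check, not something posted in the thread, the script below reads an iptables-restore file and reports three kinds of mistake that can be seen in the ruleset posted above: a jump to a user chain that is never declared with a ":NAME - [0:0]" line (iptables-restore refuses the whole file), a user chain whose last rule is conditional so unmatched packets fall back to the calling chain's policy (with OUTPUT at ACCEPT, such OUTPUT rules neither block nor permit anything extra), and NetBIOS ports 137/138 opened for TCP only although name service and datagram service run over UDP. The sample it carries is a constructed, shortened copy of the posted file, with the missing declaration left missing on purpose:

```shell
#!/bin/sh
# Added check, not code from the thread: read an iptables-restore file and
# report mistakes of the kinds visible in the posted ruleset. SAMPLE is a
# constructed, shortened copy of that file (its missing
# :RH-Firewall-1-OUTPUT declaration is left missing on purpose).

SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A OUTPUT -j RH-Firewall-1-OUTPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-OUTPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
COMMIT'

# Read a ruleset on stdin and print one finding per line (none means clean).
check_ruleset() {
  awk '
    # Declarations look like ":NAME POLICY [pkts:bytes]"; user chains use "-".
    /^:/ { ch = substr($1, 2); declared[ch] = 1; policy[ch] = $2; next }
    # Rules look like "-A CHAIN [matches] -j TARGET [target options]".
    /^-A/ {
      ch = $2; seen[ch] = 1
      # The last rule of a chain is unconditional only if -j follows the name.
      terminal[ch] = ($3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
      proto = ""; port = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-j")      caller[$(i+1)] = ch
        if ($i == "-p")      proto = $(i+1)
        if ($i == "--dport") port = $(i+1)
      }
      if (port ~ /^13[78]$/) opened[port "/" proto] = 1
      next
    }
    END {
      for (t in caller)
        if (!(t in declared) && t !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG)$/)
          print "undeclared chain " t ": iptables-restore refuses the whole file"
      for (ch in seen)
        if ((ch in caller) && !terminal[ch])
          print "chain " ch " ends with a conditional rule: unmatched packets fall back to " caller[ch] " policy " policy[caller[ch]]
      for (p = 137; p <= 138; p++) {
        tk = p "/tcp"; uk = p "/udp"
        if ((tk in opened) && !(uk in opened))
          print "port " p " allowed for tcp only: NetBIOS name and datagram service use udp"
      }
    }'
}

# Run the checker over the constructed sample.
sample_findings() { printf '%s\n' "$SAMPLE" | check_ruleset; }

# Stand-alone: check the file given as first argument, else the sample.
if [ -n "$1" ]; then check_ruleset < "$1"; else sample_findings; fi
```

Point it at a real file with check_ruleset < /etc/sysconfig/iptables. It only understands the -A / -j / -p / --dport syntax this file uses; rulesets with -I, negations or multiport need a real parser, and the definitive test remains loading the file with iptables-restore on a test machine.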
