Help with creating SMB connection to a "safe" zone?

Archived from groups: comp.os.linux.security,comp.security.firewalls (More info?)

On my Fedora installation I have a firewall built through the Guarddog
GUI. It has the default zones (Local and Internet). When I enable
SMB on this network things work fine.

Now add a "Local LAN" zone. This zone is for my network 10.1.5.0/24.
The only place I should do SMB with is in this zone. After applying
changes, my firewall looks like this (simplified version):

iptables -N f0to1
(add rules for Internet-bound traffic)

iptables -N f0to2
(no traffic allowed from Internet to "Local LAN")

iptables -N f1to0
(add rules for traffic from Internet)

iptables -N f1to2
(add rules for traffic to "Local LAN", including SMB)

iptables -N f2to0
(no traffic allowed from "Local LAN" to Internet)

iptables -N f2to1
(add rules for traffic from "Local LAN", including SMB)

# Origin == Internet.
# Traffic to my computer == f0to1.
# Other traffic must be to "Local LAN" == f0to2.
iptables -N s0
iptables -A s0 -d 10.1.5.10 -j f0to1
iptables -A s0 -d 10.1.5.0/24 -j f0to2

# Origin == Local.
# Traffic from my computer to "Local LAN" == f1to2.
# Other traffic must be to Internet == f1to0.
iptables -N s1
iptables -A s1 -d 10.1.5.0/24 -j f1to2
iptables -A s1 -j f1to0

# Origin == "Local LAN".
# Traffic to my computer == f2to1.
# Other traffic must be to Internet == f2to0.
iptables -N s2
iptables -A s2 -d 10.1.5.10 -j f2to1
iptables -A s2 -j f2to0

# Origin is either "Local LAN" or the Internet.
iptables -N srcfilt
iptables -A srcfilt -s 10.1.5.0/24 -j s2
iptables -A srcfilt -j s0

# Accept traffic only from eth0.
iptables -N nicfilt
iptables -A nicfilt -i eth0 -j RETURN
iptables -A nicfilt -j DROP

# All output traffic is the s1 chain.
# All input traffic needs to be at eth0 (nicfilt)
# and then find its origin (srcfilt).
iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt
iptables -A OUTPUT -j s1

When I disable SMB from chains f0to1 and f1to0, then enable SMB on
chains f1to2 and f2to1 I don't succeed in accessing the SMB shares on
my network. I even tried enabling them "both ways", (duplicate rules
on the f1to2 and f2to1 chains) and enabling DNS to the "Local LAN"
network. No success.

Where am I going wrong?

Jerome.
1 answer

    javaguy@sbcglobal.net (javaguy_in_wheaton) wrote in message news:<37af5faf.0406101334.28103c8a@posting.google.com>...
    > On my Fedora installation I have a firewall built through the Guarddog
    > GUI. It has the default zones (Local and Internet). When I enable
    > SMB on this network things work fine.
    >
    > Now add a "Local LAN" zone. This zone is for my network 10.1.5.0/24.
    > The only place I should do SMB with is in this zone. After applying
    > changes, my firewall looks like this (simplified version):

    [snip]

    Once again, answering my own posts.

    My network address is 10.1.5.0/24, but my network *controllers* are on
    10.1.4.0/24. Add that to my "Local LAN" zone and things work.

    Such is life...

    Jerome.
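The lesson of the thread is that the "Local LAN" zone has to cover every subnet the SMB peers actually live on, not just the host's own /24. The script below is an added example, not code from either post or from Guarddog: it builds the zone as a list of CIDRs (10.1.5.0/24 plus the 10.1.4.0/24 the controllers sit on), generates an iptables-restore ruleset in which the SMB ports (137/udp, 138/udp, 139/tcp, 445/tcp) are reachable only through the LAN chains, and includes a pure-shell CIDR check so you can ask "which zone would this peer fall into?" before applying anything. It assumes eth0 is the LAN interface, as in the post; everything else is generic.

```shell
#!/bin/sh
# Added example (not from the original thread): host firewall with a
# multi-subnet "Local LAN" zone and SMB confined to that zone.
# Assumptions: eth0 is the LAN interface (from the post); the zone subnets
# are the two mentioned in the thread; SMB ports are the standard ones.

LAN_ZONE="10.1.5.0/24 10.1.4.0/24"   # every subnet allowed to talk SMB with us
LAN_IF="eth0"

# ip2int A.B.C.D -> 32-bit integer (subshell so the IFS change stays local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# zone_of IP -> "lan" if IP is in any LAN_ZONE subnet, else "internet"
zone_of() {
    for cidr in $LAN_ZONE; do
        in_cidr "$1" "$cidr" && { echo lan; return 0; }
    done
    echo internet
}

# smb_allowed_from IP -> exit 0 if the ruleset below would let SMB through
smb_allowed_from() { [ "$(zone_of "$1")" = lan ]; }

# gen_rules -> iptables-restore text for the filter table
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' ':lan-in - [0:0]' ':lan-out - [0:0]'
    # loopback and already-established flows
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # classify by peer subnet: anything in LAN_ZONE goes to the lan chains.
    # No -d filter on INPUT so NetBIOS broadcasts (to x.x.x.255) still match.
    for cidr in $LAN_ZONE; do
        printf '%s\n' "-A INPUT -i $LAN_IF -s $cidr -j lan-in"
        printf '%s\n' "-A OUTPUT -o $LAN_IF -d $cidr -j lan-out"
    done
    # SMB only inside the lan chains: NetBIOS name/datagram service (UDP),
    # NetBIOS session (139/tcp) and direct-hosted CIFS (445/tcp)
    for p in 137 138; do
        printf '%s\n' "-A lan-in -p udp --dport $p -j ACCEPT"
        printf '%s\n' "-A lan-out -p udp --dport $p -j ACCEPT"
    done
    for p in 139 445; do
        printf '%s\n' "-A lan-in -p tcp --dport $p --syn -j ACCEPT"
        printf '%s\n' "-A lan-out -p tcp --dport $p --syn -j ACCEPT"
    done
    # name lookups against the LAN resolver
    printf '%s\n' '-A lan-out -p udp --dport 53 -j ACCEPT'
    # anything unmatched falls through to the chain policy (DROP)
    printf '%s\n' 'COMMIT'
}

# Print the ruleset by default; load it only when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to review the generated rules, and with `--apply` (as root) to load them. To reproduce the original failure, drop 10.1.4.0/24 from LAN_ZONE: `zone_of 10.1.4.1` then answers "internet" and the controllers' SMB traffic never reaches the lan chains.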