Help with creating SMB connection to a "safe" zone?

Anonymous
June 10, 2004 6:34:17 PM

Archived from groups: comp.os.linux.security,comp.security.firewalls

On my Fedora installation I have a firewall built through the Guarddog
GUI. It has the default zones (Local and Internet). When I enable
SMB on this network things work fine.

Now add a "Local LAN" zone. This zone is for my network 10.1.5.0/24.
The only place I should do SMB with is in this zone. After applying
changes, my firewall looks like this (simplified version):

iptables -N f0to1
(add rules for Internet-bound traffic)

iptables -N f0to2
(no traffic allowed from Internet to "Local LAN")

iptables -N f1to0
(add rules for traffic from Internet)

iptables -N f1to2
(add rules for traffic to "Local LAN", including SMB)

iptables -N f2to0
(no traffic allowed from "Local LAN" to Internet)

iptables -N f2to1
(add rules for traffic from "Local LAN", including SMB)

# Origin == Internet.
# Traffic to my computer == f0to1.
# Other traffic must be to "Local LAN" == f0to2.
iptables -N s0
iptables -A s0 -d 10.1.5.10 -j f0to1
iptables -A s0 -d 10.1.5.0/24 -j f0to2

# Origin == Local.
# Traffic from my computer to "Local LAN" == f1to2.
# Other traffic must be to Internet == f1to0.
iptables -N s1
iptables -A s1 -d 10.1.5.0/24 -j f1to2
iptables -A s1 -j f1to0

# Origin == "Local LAN".
# Traffic to my computer == f2to1.
# Other traffic must be to Internet == f2to0.
iptables -N s2
iptables -A s2 -d 10.1.5.10 -j f2to1
iptables -A s2 -j f2to0

# Origin is either "Local LAN" or the Internet.
iptables -N srcfilt
iptables -A srcfilt -s 10.1.5.0/24 -j s2
iptables -A srcfilt -j s0

# Accept traffic only from eth0.
iptables -N nicfilt
iptables -A nicfilt -i eth0 -j RETURN
iptables -A nicfilt -j DROP

# All output traffic is the s1 chain.
# All input traffic needs to be at eth0 (nicfilt)
# and then find its origin (srcfilt).
iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt
iptables -A OUTPUT -j s1

When I disable SMB from chains f0to1 and f1to0, then enable SMB on
chains f1to2 and f2to1 I don't succeed in accessing the SMB shares on
my network. I even tried enabling them "both ways" (duplicate rules
on the f1to2 and f2to1 chains) and enabling DNS to the "Local LAN"
network. No success.

Where am I going wrong?

Jerome.
Anonymous
June 11, 2004 9:37:26 AM

Archived from groups: comp.os.linux.security,comp.security.firewalls

javaguy@sbcglobal.net (javaguy_in_wheaton) wrote in message news:<37af5faf.0406101334.28103c8a@posting.google.com>...
> On my Fedora installation I have a firewall built through the Guarddog
> GUI. It has the default zones (Local and Internet). When I enable
> SMB on this network things work fine.
>
> Now add a "Local LAN" zone. This zone is for my network 10.1.5.0/24.
> The only place I should do SMB with is in this zone. After applying
> changes, my firewall looks like this (simplified version):

[snip]

Once again, answering my own posts.

My network address is 10.1.5.0/24, but my network *controllers* are on
10.1.4.0/24. Add that to my "Local LAN" zone and things work.

Such is life...

Jerome.
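The zone dispatch from the first post, modelled as an added example (not code from the thread or from Guarddog): it reproduces the srcfilt/s0/s2 lookup in Python and shows why a controller on 10.1.4.0/24 landed in the f0to1 ("Internet") chain, where SMB had just been removed, until that subnet was added to the "Local LAN" zone. The controller address 10.1.4.3 and the external address 203.0.113.5 are constructed sample values.

```python
# Added example, not from the original thread: a minimal model of the
# zone-dispatch chains (srcfilt -> s0/s2 -> f<src>to<dst>) in the posted
# Guarddog ruleset. Only the classification is modelled, not the per-chain
# port rules; the zone numbers follow Guarddog's f<a>to<b> naming.
from ipaddress import ip_address, ip_network

MY_HOST = ip_address("10.1.5.10")      # the Fedora box, as in the post
INTERNET, LOCAL, LAN = 0, 1, 2         # zone numbers used in the chain names


def zone_of(addr, lan_subnets):
    """Which zone an address falls in, following the s0/s1/s2/srcfilt rules:
    the host itself is Local, anything in a "Local LAN" subnet is LAN,
    everything else falls through to Internet."""
    a = ip_address(addr)
    if a == MY_HOST:
        return LOCAL
    if any(a in ip_network(net) for net in lan_subnets):
        return LAN
    return INTERNET


def dispatch(src, dst, lan_subnets):
    """Name of the f<src>to<dst> chain the packet would be handed to."""
    return f"f{zone_of(src, lan_subnets)}to{zone_of(dst, lan_subnets)}"


def smb_allowed(src, dst, lan_subnets, smb_chains=("f1to2", "f2to1")):
    """True if the packet reaches a chain where SMB was left enabled.
    The default matches the post: SMB removed from f0to1/f1to0 and
    enabled only on f1to2/f2to1."""
    return dispatch(src, dst, lan_subnets) in smb_chains


if __name__ == "__main__":
    controller = "10.1.4.3"            # constructed: a domain controller
    before = ["10.1.5.0/24"]           # "Local LAN" zone as first configured
    after = ["10.1.5.0/24", "10.1.4.0/24"]  # zone after the self-answer
    for name, lan in (("before", before), ("after", after)):
        chain = dispatch(controller, "10.1.5.10", lan)
        print(f"{name}: controller -> host lands in {chain}, "
              f"SMB {'allowed' if smb_allowed(controller, '10.1.5.10', lan) else 'blocked'}")
```

Running it prints that the controller's reply is classed as f0to1 (blocked) with the original zone and f2to1 (allowed) once 10.1.4.0/24 is part of "Local LAN".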