Gentoo Archives: gentoo-user

From: Daniel Iliev <danny@××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: OT: A netbios-ssn blocking rule?
Date: Wed, 23 Aug 2006 21:36:30
Message-Id: 44ECC994.8020705@ilievnet.com
In Reply to: [gentoo-user] Re: OT: A netbios-ssn blocking rule? by James
James wrote:
>> Daniel Iliev <danny <at> ilievnet.com> writes:
>>
>
> My iptables based firewall seems to be working. However, I keep getting triplets
> of this activity:
>
> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1
> Win=0 Len=0
>
> similar problem (2469 > microsoft-ds)
> Other problems are (info section is only difference) epmap > 3081
>
>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
>> have destination the FW itself)
>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
>> ( < the packets have destination the "target-PC". )
>
> Your advice is working, beautiful
>
> Much Thanks!
>
> James
I'm not sure if I get this message right, but if it is a question how to
deal with packets like these:

>curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1

the answer is: Add the same rules, but replace "microsoft-ds" with
"netbios-ssn" or the corresponding number from /etc/services. Those rules
would look like:
"iptables -A INPUT -p tcp --dport netbios-ssn -j DROP"
it's the same as:
"iptables -A INPUT -p tcp --dport 139 -j DROP"

And if the target is not the FW:
iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP
or
iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP

It seems that you want to stop the MS NetBIOS activity. The ports used
for this service are 137, 138, 139 and 445, so the rule-set could be
something like this:

iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP
iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP

or

iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 137:139 -j DROP

--
Best regards,
Daniel

--
gentoo-user@g.o mailing list
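The rule-set Daniel describes, as an added example that is not part of the original thread: a small POSIX sh helper that emits the DROP rules for the Windows file-sharing ports for either the INPUT chain (packets addressed to the firewall) or the FORWARD chain (packets routed to a LAN host). It goes slightly beyond the message by also covering UDP 137/138 (NetBIOS name and datagram services run over UDP, not TCP); the function and parameter names are assumptions, and 192.0.2.10 in the usage is a constructed placeholder address.

```shell
#!/bin/sh
# Emit iptables DROP rules for the Windows file-sharing ports discussed in
# the thread: 137-139 (NetBIOS) and 445 (microsoft-ds).
# Assumptions: legacy iptables CLI syntax as used on the page. Added here:
# 137/138 are UDP services (netbios-ns, netbios-dgm), so UDP rules are
# generated as well as the TCP ones from the message.
#
# Usage: netbios_block_rules CHAIN [TARGET_IP]
#   CHAIN      INPUT (firewall itself is the destination) or FORWARD (routed)
#   TARGET_IP  only used with FORWARD: the LAN host to protect
# Prints one iptables command per line; pipe the output to sh to apply it.
netbios_block_rules() {
    chain="$1"
    target="$2"
    dst=""
    if [ "$chain" = "FORWARD" ] && [ -n "$target" ]; then
        dst=" -d $target"
    fi
    # TCP 445 (microsoft-ds) and 137:139 (netbios-ssn is 139): SMB/session
    echo "iptables -A $chain$dst -p tcp --dport 445 -j DROP"
    echo "iptables -A $chain$dst -p tcp --dport 137:139 -j DROP"
    # UDP 137 (netbios-ns) and 138 (netbios-dgm): name service and datagrams
    echo "iptables -A $chain$dst -p udp --dport 137:138 -j DROP"
}

# Number of rules a chain receives; a quick sanity check before applying.
netbios_rule_count() {
    netbios_block_rules "$@" | wc -l | tr -d ' '
}

# Constructed usage: review the rules for a routed LAN host, then apply them.
#   netbios_block_rules FORWARD 192.0.2.10
#   netbios_block_rules FORWARD 192.0.2.10 | sh
```

Rules appended with -A only take effect if no earlier rule in the chain already accepts the packet, so check the chain order with "iptables -L FORWARD -n --line-numbers" after applying.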
