From: Daniel Iliev
Date: Thu, 24 Aug 2006 00:33:08 +0300
To: gentoo-user@lists.gentoo.org
Reply-To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: OT: A netbios-ssn blocking rule?
Message-ID: <44ECC994.8020705@ilievnet.com>
User-Agent: Thunderbird 1.5.0.5 (X11/20060802)
List-Id: Gentoo Linux mail
References: <44E63477.3000800@ilievnet.com>
Content-Type: text/plain; charset=us-ascii

James wrote:
>> Daniel Iliev ilievnet.com> writes:
>
> My iptables based firewall seems to be working. However, I keep getting triplets
> of this activity:
>
> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1
> Win=0 Len=0
>
> similar problem (2469 > microsoft-ds)
> Other problems are (info section is only difference) epmap > 3081
>
>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
>> have destination the FW itself)
>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
>> ( < the packets have destination the "target-PC". )
>
> Your advice is working, beautiful
>
> Much Thanks!
>
> James

I'm not sure if I get this message right, but if it is a question of how to
deal with packets like these:

> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1

the answer is: add the same rules, but replace "microsoft-ds" with
"netbios-ssn" or the corresponding number from /etc/services. Those rules
would look like:

"iptables -A INPUT -p tcp --dport netbios-ssn -j DROP"

It's the same as:

"iptables -A INPUT -p tcp --dport 139 -j DROP"

And if the target is not the FW:

iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP

or

iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP

It seems that you want to stop the MS NetBIOS activity.
The ports used for this service are 137, 138, 139 and 445, so the rule-set
could be something like this:

iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP
iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP

or

iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 137:139 -j DROP

--
Best regards,
Daniel

--
gentoo-user@gentoo.org mailing list
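The rule set from the reply above, written out as a small script. This is an added example, not code from the thread or from either poster: it resolves service names to port numbers the way the reply suggests (from /etc/services), emits the INPUT and FORWARD rules for ports 137-139 and 445, and only runs iptables when APPLY=1. TARGET_PC is a constructed placeholder for the *target-PC* host. It goes one step beyond the thread by also emitting UDP rules, because 137 (NetBIOS name service) and 138 (datagram service) are normally carried over UDP, so a TCP-only rule set still lets that traffic through.

```shell
#!/bin/sh
# Added example (not from the thread): build the NetBIOS/SMB blocking rules
# discussed above for both INPUT and FORWARD, and apply them only when
# APPLY=1. TARGET_PC is a constructed placeholder for the LAN host that the
# FORWARD rules protect; replace it with the real address.
TARGET_PC="${TARGET_PC:-192.0.2.10}"

# Resolve a TCP service name to its port number, as the reply does by hand
# with /etc/services ("netbios-ssn 139/tcp"). A built-in table covers the four
# ports in question where /etc/services is missing or incomplete.
svc_port() {
    name="$1"
    port=""
    if [ -r /etc/services ]; then
        port=$(awk -v n="$name" \
            '$1 == n && $2 ~ /\/tcp$/ { split($2, a, "/"); print a[1]; exit }' \
            /etc/services)
    fi
    if [ -z "$port" ]; then
        case "$name" in
            netbios-ns)   port=137 ;;
            netbios-dgm)  port=138 ;;
            netbios-ssn)  port=139 ;;
            microsoft-ds) port=445 ;;
            *)            return 1 ;;
        esac
    fi
    printf '%s\n' "$port"
}

# Print the DROP rules for one chain, one per line.
#   $1 = chain (INPUT for packets addressed to the firewall itself,
#        FORWARD for packets routed through it)
#   $2 = optional destination host, used with FORWARD like *target-PC*
# The thread's rules are TCP-only; UDP is added here because 137 (name
# service) and 138 (datagram service) normally travel over UDP.
smb_block_rules() {
    chain="$1"
    dest="$2"
    dst_opt=""
    if [ -n "$dest" ]; then
        dst_opt="-d $dest "
    fi
    for proto in tcp udp; do
        printf 'iptables -A %s %s-p %s --dport 445 -j DROP\n' "$chain" "$dst_opt" "$proto"
        printf 'iptables -A %s %s-p %s --dport 137:139 -j DROP\n' "$chain" "$dst_opt" "$proto"
    done
}

# Print the full rule set, or run it when APPLY=1 (needs root and iptables).
apply_rules() {
    { smb_block_rules INPUT; smb_block_rules FORWARD "$TARGET_PC"; } |
    while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$rule"   # rule text is generated above, not read from input
        else
            printf '%s\n' "$rule"
        fi
    done
}

apply_rules
```

The rules are appended with -A, exactly as in the thread, so they only take effect if no earlier rule in the chain already accepts the traffic; if a blanket ACCEPT sits above them, insert with -I instead. `iptables -L INPUT -n -v --line-numbers` shows the ordering and the per-rule packet counters, which is the quickest way to confirm that the repeated SYNs are now hitting the DROP rule instead of being answered with RST/ACK.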