From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-user+bounces-49107-garchives=archives.gentoo.org@gentoo.org>)
	id 1GG0e4-0000gR-Ud
	for garchives@archives.gentoo.org; Wed, 23 Aug 2006 21:52:21 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.7/8.13.6) with SMTP id k7NLmgT2031701;
	Wed, 23 Aug 2006 21:48:42 GMT
Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.229])
	by robin.gentoo.org (8.13.7/8.13.6) with ESMTP id k7NLkZLW030558
	for <gentoo-user@lists.gentoo.org>; Wed, 23 Aug 2006 21:46:35 GMT
Received: by wx-out-0506.google.com with SMTP id r21so285596wxc
        for <gentoo-user@lists.gentoo.org>; Wed, 23 Aug 2006 14:46:34 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:disposition-notification-to:date:from:reply-to:user-agent:mime-version:to:subject:references:in-reply-to:x-enigmail-version:content-type:content-transfer-encoding;
        b=FQbcf2fsXdMixK0Z7kQ4dcvxbbVqk5mQgbdhw+QxC3vYheOlBlJ1fRoh+6Y1KrXI1LxnR8iDyeGBkk7xxVFsc8Uzttim+lcIi37wF2+BL/GPp5YxVoQL8ohbeJNLUUN+N81zs2slCKjgT4ItOguRydLDO5sf/WyyXAt0ohDmXm4=
Received: by 10.70.116.1 with SMTP id o1mr1342781wxc;
        Wed, 23 Aug 2006 14:46:33 -0700 (PDT)
Received: from ?192.168.0.102? ( [63.207.177.13])
        by mx.gmail.com with ESMTP id h10sm837049wxd.2006.08.23.14.46.32;
        Wed, 23 Aug 2006 14:46:33 -0700 (PDT)
Message-ID: <44ECCCB1.3000806@gmail.com>
Date: Wed, 23 Aug 2006 14:46:25 -0700
From: gentuxx <gentuxx@gmail.com>
User-Agent: Thunderbird 1.5.0.5 (X11/20060802)
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  Re: OT: A netbios-ssn blocking rule?
References: <loom.20060818T212303-706@post.gmane.org> <44E63477.3000800@ilievnet.com> <loom.20060821T060849-267@post.gmane.org> <44ECC994.8020705@ilievnet.com>
In-Reply-To: <44ECC994.8020705@ilievnet.com>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 6623640a-ac82-4d2d-8774-9161d4b0b572
X-Archives-Hash: 2f9d94cb5fdfdd97e3f1aac2a17b466d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Iliev wrote:
> James wrote:
>>> Daniel Iliev <danny <at> ilievnet.com> writes:
>>>     
>>
>> My iptables-based firewall seems to be working. However, I keep getting triplets
>> of this activity:
>>
>> curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>> www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
>>
>> similar problem (2469 > microsoft-ds)
>>  Other problems are (info section is only difference) epmap > 3081
>>
>>
>>
>>   
>>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
>>> have destination the FW itself)
>>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
>>> ( < the packets have destination the "target-PC". )
>>>     
>>
>> Your advice is working, beautiful
>>
>> Much Thanks!
>>
>>
>> James
>>
>>
>>
>>   
> I'm not sure if I get this message right, but if it is a question how to
> deal with packets like these:
> 
>> curious.ip www.me.com tcp     2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>> www.me.com curious.ip tcp     netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 
> 
> the answer is: Add the same rules, but replace "microsoft-ds" with "netbios-ssn" or the corresponding number from /etc/services. Those rules would look like:
> "iptables -A INPUT -p tcp --dport netbios-ssn -j DROP"
>  it's the same as:
> "iptables -A INPUT -p tcp --dport 139 -j DROP"
> 
> And if the target is not the FW:
> iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP
> or
> iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP
> 
> 
> It seems that you want to stop the ms netbios activity. The ports used
> for this service are 137,138,139 and 445 so the rule-set could be
> something like this:
> 
> iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP
> iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP
> 
> or 
> 
> iptables -A INPUT -p tcp --dport 445 -j DROP
> iptables -A INPUT -p tcp --dport 137:139 -j DROP
> 
> 

Actually, some of those ports are UDP.  /etc/services says the same for
both TCP and UDP.  So if -p is required for --dport, you would have to
add rules for UDP as well.

iptables -A FORWARD -d *target-PC* -p udp --dport 137:139 -j DROP
iptables -A INPUT -p udp --dport 137:139 -j DROP

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2 18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE7MyxTPA54hjTSp4RAhjGAKCUmxCgS62ZjCKhGsUW28M25UfnVgCfeHer
R9eOM9mQA999cNZ43ICRqAQ=
=SX5D
-----END PGP SIGNATURE-----
-- 
gentoo-user@gentoo.org mailing list
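The rule-set discussed in this thread, collected into one script as an added example (it is not code from the thread or from Gentoo). It emits DROP rules for ports 137-139 and 445 over both TCP and UDP, for the INPUT chain (packets addressed to the firewall itself) and the FORWARD chain (packets routed to a LAN host). `--dport` is an option of the `tcp`/`udp` match extensions, so each port range needs a `-p tcp` rule and a `-p udp` rule; a second function shows the equivalent with `-m multiport`, which covers all four ports in one rule per protocol. The host address in `TARGET_PC` and the default of printing the rules rather than applying them are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate the DROP rules discussed above for
# all four NetBIOS/SMB ports, over both TCP and UDP, for the firewall itself (INPUT)
# and for a host behind it (FORWARD). --dport belongs to the tcp/udp match, so each
# port range needs one -p tcp rule and one -p udp rule.
#
# IPTABLES defaults to "echo iptables" so the script only prints the rules for review.
# Run as root with IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
TARGET_PC="${TARGET_PC:-192.168.0.102}"   # assumed LAN host behind the firewall

# smb_drop_rules CHAIN [DEST]
# One rule per (protocol, port range): 137:139 and 445, for tcp and for udp.
smb_drop_rules() {
    chain="$1"
    dest_opt=""
    if [ -n "$2" ]; then
        dest_opt="-d $2"
    fi
    for proto in tcp udp; do
        for ports in 137:139 445; do
            # $dest_opt is deliberately unquoted so an empty value disappears
            $IPTABLES -A "$chain" $dest_opt -p "$proto" --dport "$ports" -j DROP
        done
    done
}

# smb_drop_rules_multiport CHAIN [DEST]
# Same effect with the multiport match: one rule per protocol instead of two.
smb_drop_rules_multiport() {
    chain="$1"
    dest_opt=""
    if [ -n "$2" ]; then
        dest_opt="-d $2"
    fi
    for proto in tcp udp; do
        $IPTABLES -A "$chain" $dest_opt -p "$proto" -m multiport --dports 137,138,139,445 -j DROP
    done
}

# Packets addressed to the firewall itself
smb_drop_rules INPUT
# Packets routed through the firewall to the LAN host
smb_drop_rules FORWARD "$TARGET_PC"
```

Run as root with `IPTABLES=iptables` the same script installs the rules. Because `-A` appends, an earlier ACCEPT rule in the chain would still win; check the order with `iptables -L INPUT -n -v --line-numbers` (or insert with `-I` instead). Once the rules are in place the packet counters on them climb as the probes arrive, and the `[RST, ACK]` replies seen in the captures above stop, since DROP discards the SYN before the TCP stack can answer it.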