[K12OSN] hide network shares
Terrell Prude' Jr.
microman at cmosnetworks.com
Wed Mar 7 23:12:31 UTC 2007
Slight correction: in the fourth paragraph, the first sentence should
read as follows:
"Say you want to *deny* NetBIOS traffic in on eth1, your external
interface."
Oops....
--TP
Terrell Prude' Jr. wrote:
> Actually, you'd use "-p udp" because NetBIOS name lookup is done on
> UDP, not TCP. Also, you want to make sure you're specifying the
> interface. In this specific case, it might not make much effective
> difference, but that's bitten me in the butt before when I haven't
> done so, so I always do it.
>
> There's another important question here: does he want to stop *all*
> NetBIOS traffic to *all* Windows machines everywhere, or does he want
> to permit it to certain servers?
>
> Here are the specific ports that you'd need to deal with. And for
> those who are kinda new to packet filtering, know that *UDP vs. TCP
> MATTERS!!*
>
> UDP 137
> UDP 138
> TCP 139
> TCP 445 (this is the new Craptive Directory NetBIOS introduced with
> Windows 2000)
>
> Say you want to allow NetBIOS traffic in on eth1, your external
> interface. However, you want to allow NetBIOS traffic to a Windows
> server with IP address 10.0.0.10 (say the main school LAN is
> 10.0.0.0/24). Here's the ruleset that I would try adding to the
> beginning of any ruleset that you already have:
>
> # First, allow traffic from the server that we want.
> iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 137 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 138 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 139 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 445 -j ACCEPT
> #
> #Now, block all other NetBIOS traffic
> iptables -A INPUT -i eth1 -p udp --source-port 137 -j DROP
> iptables -A INPUT -i eth1 -p udp --source-port 138 -j DROP
> iptables -A INPUT -i eth1 -p tcp --source-port 139 -j DROP
> iptables -A INPUT -i eth1 -p tcp --source-port 445 -j DROP
>
>
> If you don't have any ruleset, there'll be a default-deny, so you'll
> get to include a "permit whatever else" statement to your liking at
> the end of your ruleset. I might do something like this, for "permit
> everything else in the world":
>
> iptables -A INPUT -i eth1 -p tcp -j ACCEPT
> iptables -A INPUT -i eth1 -p udp -j ACCEPT
> iptables -A INPUT -i eth1 -p icmp -j ACCEPT
>
> Comments?
>
> --TP
>
> Peter Scheie wrote:
>> I haven't done this, but considering Windows shares use ports 137-139,
>> I'm pretty sure you could add a few rules to iptables to block
>> outbound traffic destined for those ports. That way you don't have
>> to mess with the Windows machines. Anyone who's good with iptables
>> wanna take a crack at creating such a blocking rule? I'll make what
>> is probably an incorrect attempt to start the discussion:
>>
>> iptables -A INPUT -p tcp --dport 137 -j DROP
>>
>> Add similar rules for ports 138 & 139 (there's a way to specify a
>> range, but I can't recall the syntax) and your linux box won't be
>> able to 'see' any Windows shares.
>>
>> Petre
>>
>> Ray Garza wrote:
>>> On Wednesday 07 March 2007 12:29, Terrell Prudé Jr. wrote:
>>>> You can use share permissions or NTFS permissions; either will do the
>>>> trick. They'll still be able to see that the shares exist, but they
>>>> won't be able to actually access them. It's much like when you set 700
>>>> permission on the /root directory in GNU/Linux or *BSD. Regular users
>>>> can see that /root exists, but they can't do anything with it.
>>>>
>>> You mean change the Share permissions on each Staff PC? I could do
>>> that but I was hoping to do it at a single point (server) rather
>>> than go around to each Staff PC and make the changes.
>>> I'll give your suggestion more thought.
>>>
>>> Thanks for the input.
>>> Ray
>>>
>>>> --TP
>>>> _______________________________
>>>> Do you GNU!?
>>>> Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
>>>> protection!
>>>>
>>>> Ray Garza wrote:
>>>>> Greetings group,
>>>>>
>>>>> I'm using K12LTSP 6.0 in a mixed environment (Windows, Linux, K12LTSP)
>>>>> and I would like to prevent users on the K12LTSP PCs from seeing the
>>>>> network shares on the staff PCs.
>>>>>
>>>>> I've tried to use Sabayon to delete the Networks submenu item under
>>>>> Places (Gnome) but can't. I cannot even get rid of the Places Menu.
>>>>>
>>>>> Any ideas to restrict access to browsing the network?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ray
>>>>>
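Added here as a check for the UDP-vs-TCP point made above (this is not code from the thread): a small Python audit that reads iptables-save style rules and reports which of the four NetBIOS/SMB port and protocol pairs have no blanket DROP in a chain, and flags rules that name a NetBIOS port number under the wrong protocol. The sample ruleset is constructed, mixing Peter's tcp/137 attempt with part of Terrell's ruleset; the function and constant names are my own.

```python
import shlex
# NetBIOS/SMB port and protocol pairs from the thread: UDP 137/138, TCP 139/445.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
OTHER_PROTO = {"tcp": "udp", "udp": "tcp"}
PORT_OPTS = ("--dport", "--destination-port", "--sport", "--source-port", "--dports", "--sports")
OPT_KEY = {"-A": "chain", "-p": "proto", "--protocol": "proto", "-s": "src", "--source": "src", "-j": "target"}

def expand_ports(spec):
    """Expand '137', a range '137:139' or a multiport list '139,445' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Pull chain, proto, ports, source and target from one iptables-save '-A' line."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "ports": set(), "src": None, "target": None}
    i = 0
    while i < len(toks):
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t in OPT_KEY:
            rule[OPT_KEY[t]] = arg
        elif t in PORT_OPTS:   # --sport and --dport ports are collected alike; direction unchecked
            rule["ports"] |= expand_ports(arg)
        i += 2 if t.startswith("-") else 1   # assumes every option here takes one value
    return rule

def audit_netbios(rules_text, chain="INPUT"):
    """Return (uncovered, wrong_proto): NetBIOS pairs with no blanket DROP/REJECT in `chain`,
    and rules naming a NetBIOS port under the other protocol (the tcp/137 mistake)."""
    dropped, wrong_proto = set(), []
    for line in (ln.strip() for ln in rules_text.splitlines() if ln.strip().startswith("-A")):
        r = parse_rule(line)
        if r["chain"] != chain or r["proto"] not in OTHER_PROTO:
            continue
        for port in r["ports"]:
            if (r["proto"], port) in NETBIOS_PORTS:
                # A DROP scoped to one source host is an exception, not a blanket block.
                if r["target"] in ("DROP", "REJECT") and r["src"] is None:
                    dropped.add((r["proto"], port))
            elif (OTHER_PROTO[r["proto"]], port) in NETBIOS_PORTS:
                wrong_proto.append(line)
    return sorted(NETBIOS_PORTS - dropped), wrong_proto

# Constructed sample: Peter's tcp/137 attempt plus part of Terrell's ruleset, iptables-save style.
SAMPLE_RULES = """\
-A INPUT -i eth1 -p udp -s 10.0.0.10/32 --sport 137 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 137 -j DROP
-A INPUT -i eth1 -p udp --sport 138 -j DROP
-A INPUT -i eth1 -p tcp -m multiport --dports 139,445 -j DROP
"""
```

On the sample, `audit_netbios(SAMPLE_RULES)` reports udp/137 as still unblocked and lists the tcp/137 rule as the wrong-protocol one; run it against the output of `iptables-save` on the real box to check a finished ruleset.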