[K12OSN] hide network shares

Terrell Prude' Jr. microman at cmosnetworks.com
Wed Mar 7 22:53:44 UTC 2007


Actually, you'd use "-p udp" because NetBIOS name lookup is done on UDP, 
not TCP.  Also, you want to make sure you're specifying the interface.  
In this specific case, it might not make much effective difference, but 
that's bitten me in the butt before when I haven't done so, so I always 
do it.

There's another important question here:  does he want to stop *all* 
NetBIOS traffic to *all* Windows machines everywhere, or does he want to 
permit it to certain servers?

Here are the specific ports that you'd need to deal with.  And for those 
who are kinda new to packet filtering, know that *UDP vs. TCP MATTERS!!*

UDP 137
UDP 138
TCP 139
TCP 445 (this is the new Craptive Directory NetBIOS introduced with 
Windows 2000)

Say you want to allow NetBIOS traffic in on eth1, your external 
interface.  However, you want to allow NetBIOS traffic to a Windows 
server with IP address 10.0.0.10 (say the main school LAN is 
10.0.0.0/24).  Here's the ruleset that I would try adding to the 
beginning of any ruleset that you already have:

# First, allow traffic from the server that we want.
iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 137 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 138 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 139 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 445 -j ACCEPT
#
# Now, block all other NetBIOS traffic
iptables -A INPUT -i eth1 -p udp --source-port 137 -j DROP
iptables -A INPUT -i eth1 -p udp --source-port 138 -j DROP
iptables -A INPUT -i eth1 -p tcp --source-port 139 -j DROP
iptables -A INPUT -i eth1 -p tcp --source-port 445 -j DROP


If you don't have any ruleset, there'll be a default-deny, so you'll get 
to include a "permit whatever else" statement to your liking at the end 
of your ruleset.  I might do something like this, for "permit everything 
else in the world":

iptables -A INPUT -i eth1 -p tcp -j ACCEPT
iptables -A INPUT -i eth1 -p udp -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT

Comments?

--TP

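As an added example (not from the original post or from the K12LTSP project), the script below generates an iptables ruleset for the situation the thread describes: LTSP users' desktops run on the K12LTSP server itself, so share browsing leaves through the server's OUTPUT chain (and FORWARD, if the server also routes the client subnet). It matches on destination port with -m multiport, keeps UDP 137/138 and TCP 139/445 separate, puts the ACCEPT for the one permitted file server ahead of the catch-all REJECT (iptables is first-match), and hooks its own chain in at position 1 so it runs before any existing ACCEPT. The server address 10.0.0.10, the interface eth1 and the chain name SMB-FILTER are assumptions for illustration; the generator only prints commands, and apply_smb_rules is the only function that touches the kernel.

```shell
#!/bin/sh
# Added example (not the original poster's rules): generate an iptables
# ruleset that stops NetBIOS/SMB sessions originating on the K12LTSP
# server, except to one permitted file server. Addresses, interface and
# chain name below are assumed for illustration.

# NetBIOS name service (UDP 137), datagram (UDP 138), session (TCP 139),
# SMB hosted directly over TCP (445). UDP and TCP must be matched separately.
SMB_UDP_PORTS="137,138"
SMB_TCP_PORTS="139,445"
CHAIN="SMB-FILTER"

# gen_smb_rules SERVER IFACE
# Prints one iptables command per line, in the order they must be applied.
# REJECT rather than DROP so the file browser fails immediately instead of
# hanging until the SMB timeout; LOG first so blocked attempts reach syslog.
gen_smb_rules() {
    server="$1"
    iface="$2"
    if [ -z "$server" ] || [ -z "$iface" ]; then
        echo "usage: gen_smb_rules SERVER IFACE" >&2
        return 1
    fi
    echo "iptables -N $CHAIN"
    # Permitted file server: ACCEPT is terminating, so nothing below is checked.
    echo "iptables -A $CHAIN -p udp -d $server -m multiport --dports $SMB_UDP_PORTS -j ACCEPT"
    echo "iptables -A $CHAIN -p tcp -d $server -m multiport --dports $SMB_TCP_PORTS -j ACCEPT"
    # Everything else aimed at those ports: log, then reject.
    echo "iptables -A $CHAIN -p udp -m multiport --dports $SMB_UDP_PORTS -j LOG --log-prefix \"SMB-BLOCK: \""
    echo "iptables -A $CHAIN -p tcp -m multiport --dports $SMB_TCP_PORTS -j LOG --log-prefix \"SMB-BLOCK: \""
    echo "iptables -A $CHAIN -p udp -m multiport --dports $SMB_UDP_PORTS -j REJECT"
    echo "iptables -A $CHAIN -p tcp -m multiport --dports $SMB_TCP_PORTS -j REJECT --reject-with tcp-reset"
    # Insert the jump at position 1 so this chain is evaluated before any
    # "permit everything else" rule already present.
    echo "iptables -I OUTPUT 1 -o $iface -j $CHAIN"
    echo "iptables -I FORWARD 1 -o $iface -j $CHAIN"
}

# smb_rule_count SERVER IFACE: number of commands the generator emits.
smb_rule_count() {
    gen_smb_rules "$1" "$2" | wc -l | tr -d ' '
}

# apply_smb_rules SERVER IFACE: run the generated commands (root only).
apply_smb_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_smb_rules: must run as root" >&2
        return 1
    fi
    gen_smb_rules "$1" "$2" | sh -e
}

# Dry run: print what would be applied for file server 10.0.0.10 on eth1.
gen_smb_rules 10.0.0.10 eth1
```

Run the script as-is to review the rules, then `apply_smb_rules 10.0.0.10 eth1` as root to load them. Because it matches on destination port in OUTPUT, it also catches the UDP 137/138 broadcasts to 10.0.0.255 that browse-list discovery relies on, so the Network browser stops listing staff PCs rather than listing them and failing on open. Check the result with `iptables -L SMB-FILTER -n -v` and watch the SMB-BLOCK: prefix in syslog to see which users are still trying.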
Peter Scheie wrote:
> I haven't done this, but considering Windows shares use ports 137-139, 
> I'm pretty sure you could add a few rules to iptables to block 
> outbound traffic destined for those ports.  That way you don't have to 
> mess with the Windows machines.  Anyone who's good with iptables wanna 
> take a crack at creating such a blocking rule?  I'll make what is 
> probably an incorrect attempt to start the discussion:
>
> iptables -A INPUT -p tcp --dport 137 -j DROP
>
> Add similar rules for ports 138 & 139 (there's a way to specify a 
> range, but I can't recall the syntax) and your linux box won't be able 
> to 'see' any Windows shares.
>
> Petre
>
> Ray Garza wrote:
>> On Wednesday 07 March 2007 12:29, Terrell Prudé Jr. wrote:
>>> You can use share permissions or NTFS permissions; either will do the
>>> trick.  They'll still be able to see that the shares exist, but they
>>> won't be able to actually access them.  It's much like when you set 700
>>> permission on the /root directory in GNU/Linux or *BSD.  Regular users
>>> can see that /root exists, but they can't do anything with it.
>>>
>> You mean change the Share permissions on each Staff PC? I could do 
>> that but I was hoping to do it at a single point (server) rather 
>> than go around to each Staff PC and make the changes.
>> I'll give your suggestion more thought.
>>
>> Thanks for the input.
>> Ray
>>
>>> --TP
>>> _______________________________
>>> Do you GNU!?
>>> Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
>>> protection!
>>>
>>> Ray Garza wrote:
>>>> Greetings group,
>>>>
>>>> I'm using K12LTSP 6.0 in a mixed environment (Windows, Linux, K12LTSP)
>>>> and I would like to prevent users on the K12LTSP PC's from seeing the
>>>> network shares on the staff PC's.
>>>>
>>>> I've tried to use Sabayon to delete the Networks submenu item under
>>>> Places (Gnome) but can't. I cannot even get rid of the Places Menu.
>>>>
>>>> Any ideas to restrict access to browsing the network?
>>>>
>>>> Thanks,
>>>>
>>>> Ray
>>>>
>>>> _______________________________________________
>>>> K12OSN mailing list
>>>> K12OSN at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/k12osn
>>>> For more info see <http://www.k12os.org>