[K12OSN] hide network shares

Terrell Prude' Jr. microman at cmosnetworks.com
Wed Mar 7 23:12:31 UTC 2007


Slight correction:  in the fourth paragraph, the first sentence should 
read as follows:

"Say you want to *deny* NetBIOS traffic in on eth1, your external 
interface."

Oops....

--TP

Terrell Prude' Jr. wrote:
> Actually, you'd use "-p udp" because NetBIOS name lookup is done on 
> UDP, not TCP.  Also, you want to make sure you're specifying the 
> interface.  In this specific case, it might not make much effective 
> difference, but that's bitten me in the butt before when I haven't 
> done so, so I always do it.
>
> There's another important question here:  does he want to stop *all* 
> NetBIOS traffic to *all* Windows machines everywhere, or does he want 
> to permit it to certain servers?
>
> Here are the specific ports that you'd need to deal with.  And for 
> those who are kinda new to packet filtering, know that *UDP vs. TCP 
> MATTERS!!*
>
> UDP 137
> UDP 138
> TCP 139
> TCP 445 (this is the new Craptive Directory NetBIOS introduced with 
> Windows 2000)
>
> Say you want to allow NetBIOS traffic in on eth1, your external 
> interface.  However, you want to allow NetBIOS traffic to a Windows 
> server with IP address 10.0.0.10 (say the main school LAN is 
> 10.0.0.0/24).  Here's the ruleset that I would try adding to the 
> beginning of any ruleset that you already have:
>
> # First, allow traffic from the server that we want.
> iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 137 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 138 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 139 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 445 -j ACCEPT
> #
> # Now, block all other NetBIOS traffic
> iptables -A INPUT -i eth1 -p udp --source-port 137 -j DROP
> iptables -A INPUT -i eth1 -p udp --source-port 138 -j DROP
> iptables -A INPUT -i eth1 -p tcp --source-port 139 -j DROP
> iptables -A INPUT -i eth1 -p tcp --source-port 445 -j DROP
>
>
> If you don't have any ruleset, there'll be a default-deny, so you'll 
> get to include a "permit whatever else" statement to your liking at 
> the end of your ruleset.  I might do something like this, for "permit 
> everything else in the world":
>
> iptables -A INPUT -i eth1 -p tcp -j ACCEPT
> iptables -A INPUT -i eth1 -p udp -j ACCEPT
> iptables -A INPUT -i eth1 -p icmp -j ACCEPT
>
> Comments?
>
> --TP
>
> Peter Scheie wrote:
>> I haven't done this, but considering Windows shares use port 137-139, 
>> I'm pretty sure you could add a few rules to iptables to block 
>> outbound traffic destined for those ports.  That way you don't have 
>> to mess with the Windows machines.  Anyone who's good with iptables 
>> wanna take a crack at creating such a blocking rule?  I'll make what 
>> is probably an incorrect attempt to start the discussion:
>>
>> iptables -A INPUT -p tcp --dport 137 -j DROP
>>
>> Add similar rules for ports 138 & 139 (there's a way to specify a 
>> range, but I can't recall the syntax) and your linux box won't be 
>> able to 'see' any Windows shares.
>>
>> Petre
>>
>> Ray Garza wrote:
>>> On Wednesday 07 March 2007 12:29, Terrell Prudé Jr. wrote:
>>>> You can use share permissions or NTFS permissions; either will do the
>>>> trick.  They'll still be able to see that the shares exist, but they
>>>> won't be able to actually access them.  It's much like when you set 700
>>>> permission on the /root directory in GNU/Linux or *BSD.  Regular users
>>>> can see that /root exists, but they can't do anything with it.
>>>>
>>> You mean change the Share permissions on each Staff PC? I could do 
>>> that but I was hoping to do it at a single point (server) rather 
>>> than go around to each Staff PC and make the changes.
>>> I'll give your suggestion more thought.
>>>
>>> Thanks for the input.
>>> Ray
>>>
>>>> --TP
>>>> _______________________________
>>>> Do you GNU!?
>>>> Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
>>>> protection!
>>>>
>>>> Ray Garza wrote:
>>>>> Greetings group,
>>>>>
>>>>> I'm using K12LTSP 6.0 in a mixed environment (Windows, Linux, K12LTSP)
>>>>> and I would like to prevent users on the K12LTSP PC's from seeing the
>>>>> network shares on the staff PC's.
>>>>>
>>>>> I've tried to use Sabayon to delete the Networks submenu item under
>>>>> Places (Gnome) but can't. I cannot even get rid of the Places Menu.
>>>>>
>>>>> Any ideas to restrict access to Browsing the network?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ray
>>>>>
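The allow-then-drop ruleset discussed in the thread, generalized to a list of permitted servers and to both chains (INPUT matched by source port, as in Terrell's rules; OUTPUT matched by destination port, as in Peter's), as an added example that is not code from the thread. It assumes eth1 and 10.0.0.10 as illustrative values, uses the `--sport 137:138` range syntax and the `multiport` match that iptables provides, and prints the rules instead of applying them when IPTABLES=echo is set.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Override IPTABLES=echo to
# dry-run (no root needed); otherwise the real iptables binary is called.
IPTABLES="${IPTABLES:-iptables}"

# netbios_rules IFACE SERVER [SERVER...]
# Permit NetBIOS/SMB (UDP 137-138, TCP 139 and 445) only with the listed
# servers on IFACE, then drop it for everyone else.
netbios_rules() {
    iface="$1"
    shift
    for srv in "$@"; do
        # Replies coming back from an allowed server. 137:138 is the port
        # range syntax; multiport lists the non-contiguous TCP ports.
        $IPTABLES -A INPUT -i "$iface" -s "$srv" -p udp --sport 137:138 -j ACCEPT
        $IPTABLES -A INPUT -i "$iface" -s "$srv" -p tcp -m multiport --sports 139,445 -j ACCEPT
        # Requests this box sends to that server.
        $IPTABLES -A OUTPUT -o "$iface" -d "$srv" -p udp --dport 137:138 -j ACCEPT
        $IPTABLES -A OUTPUT -o "$iface" -d "$srv" -p tcp -m multiport --dports 139,445 -j ACCEPT
    done
    # Order matters: the ACCEPT rules above must precede these catch-all DROPs,
    # because iptables takes the first matching rule in the chain.
    $IPTABLES -A INPUT -i "$iface" -p udp --sport 137:138 -j DROP
    $IPTABLES -A INPUT -i "$iface" -p tcp -m multiport --sports 139,445 -j DROP
    $IPTABLES -A OUTPUT -o "$iface" -p udp --dport 137:138 -j DROP
    $IPTABLES -A OUTPUT -o "$iface" -p tcp -m multiport --dports 139,445 -j DROP
}

# Usage: IPTABLES=echo sh netbios_rules.sh eth1 10.0.0.10
# (interface and server address are assumed values for illustration)
if [ "$#" -ge 2 ]; then
    netbios_rules "$@"
fi
```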