[K12OSN] hide network shares
Terrell Prude' Jr.
microman at cmosnetworks.com
Wed Mar 7 22:53:44 UTC 2007
Actually, you'd use "-p udp" because NetBIOS name lookup is done on UDP,
not TCP. Also, you want to make sure you're specifying the interface.
In this specific case, it might not make much effective difference, but
that's bitten me in the butt before when I haven't done so, so I always
There's another important question here: does he want to stop *all*
NetBIOS traffic to *all* Windows machines everywhere, or does he want to
permit it to certain servers?
Here are the specific ports that you'd need to deal with. And for those
who are kinda new to packet filtering, know that *UDP vs. TCP MATTERS!!*
TCP 445 (this is the new Craptive Directory NetBIOS introduced with
Say you want to allow NetBIOS traffic in on eth1, your external
interface. However, you want to allow NetBIOS traffic to a Windows
server with IP address 10.0.0.10 (say the main school LAN is
10.0.0.0/24). Here's the ruleset that I would try adding to the
beginning of any ruleset that you already have:
# First, allow traffic from the server that we want.
iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 137 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 138 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 139 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 445 -j ACCEPT
# Now, block all other NetBIOS traffic
iptables -A INPUT -i eth1 -p udp --source-port 137 -j DROP
iptables -A INPUT -i eth1 -p udp --source-port 138 -j DROP
iptables -A INPUT -i eth1 -p tcp --source-port 139 -j DROP
iptables -A INPUT -i eth1 -p tcp --source-port 445 -j DROP
If you don't have any ruleset, there'll be a default-deny, so you'll get
to include a "permit whatever else" statement to your liking at the end
of your ruleset. I might do something like this, for "permit everything
else in the world":
iptables -A INPUT -i eth1 -p tcp -j ACCEPT
iptables -A INPUT -i eth1 -p udp -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
Peter Scheie wrote:
> I haven't done this, but considering Windows shares use port 137-139,
> I'm pretty sure you could add a few rules to iptables to block
> outbound traffic destined for those ports. That way you don't have to
> mess with the Windows machines. Anyone who's good with iptables wanna
> take a crack at creating such a blocking rule? I'll make what is
> probably an incorrect attempt to start the discussion:
> iptables -A INPUT -p tcp --dport 137 -j DROP
> Add similar rules for ports 138 & 139 (there's a way to specify a
> range, but I can't recall the syntax) and your linux box won't be able
> to 'see' any Windows shares.
> Ray Garza wrote:
>> On Wednesday 07 March 2007 12:29, Terrell Prudé Jr. wrote:
>>> You can use share permissions or NTFS permissions; either will do the
>>> trick. They'll still be able to see that the shares exist, but they
>>> won't be able to actually access them. It's much like when you set 700
>>> permission on the /root directory in GNU/Linux or *BSD. Regular users
>>> can see that /root exists, but they can't do anything with it.
>> You mean change the Share permissions on each Staff PC? I could do
>> that but I was hoping to to do it at a single point (server) rather
>> than go around to each Staff PC and make the changes.
>> I'll give your suggestion more thought.
>> Thanks for the input.
>>> Do you GNU!?
>>> Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
>>> Ray Garza wrote:
>>>> Greetings group,
>>>> I'm using K12LTSP 6.0 in a mixed environment (Windows, Linux, K12LTSP)
>>>> and I would like to prevent users on the K12LTSP PC's from seeing the
>>>> network shares on the staff PC's.
>>>> I've tried to use Sabayon to delete the Networks submenu item under
>>>> Places (Gnome) but can't. I cannot even get rid of the Places Menu.
>>>> Any idea's to restrict access to Browsing the network?
>>>> K12OSN mailing list
>>>> K12OSN at redhat.com
>>>> For more info see <http://www.k12os.org>
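The thread above discusses two ways of expressing the same policy (Peter's INPUT/--dport rules and Terrell's INPUT/--source-port rules). As an added example, not part of any message in the thread, here is a small POSIX shell script that generates the ruleset from the perspective of the original question: stop this host's own clients from reaching NetBIOS/SMB services on the staff PCs while still allowing them to reach one permitted file server. It filters on the OUTPUT chain by destination port, because the destination port is what identifies the service being contacted, while a client's source port is ephemeral. The interface name eth1, the server address 10.0.0.10 and the IPTABLES variable are assumptions taken from or constructed for the thread; by default the script only prints the commands instead of running them. The decide function replays the same first-match logic for a single packet so the policy can be checked without loading it into the kernel.

```shell
#!/bin/sh
# Added example, not from the K12OSN thread. Generates (and by default only
# prints) an iptables ruleset that blocks outbound NetBIOS/SMB from this host
# except towards one permitted file server.
#
# Assumptions (constructed for the example): external interface eth1 and the
# permitted server 10.0.0.10, as in the thread. IPTABLES defaults to
# "echo iptables" so the rules are printed; set IPTABLES=iptables and run as
# root to apply them for real.

IFACE="${IFACE:-eth1}"
SMB_SERVER="${SMB_SERVER:-10.0.0.10}"
IPTABLES="${IPTABLES:-echo iptables}"

# NetBIOS name service (137) and datagram service (138) are UDP; the session
# service (139) and direct-hosted SMB (445) are TCP. The transport matters:
# a "-p tcp --dport 137" rule never matches a name lookup.
netbios_rules() {
    # iptables evaluates a chain in order: permit the one server first ...
    $IPTABLES -A OUTPUT -o "$IFACE" -p udp -d "$SMB_SERVER" -m multiport --dports 137,138 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp -d "$SMB_SERVER" -m multiport --dports 139,445 -j ACCEPT
    # ... then drop every other attempt to reach those services anywhere.
    $IPTABLES -A OUTPUT -o "$IFACE" -p udp -m multiport --dports 137,138 -j DROP
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp -m multiport --dports 139,445 -j DROP
}

# Replay the first-match decision the four rules above encode for one
# outbound packet. Prints ACCEPT, DROP, or PASS (no NetBIOS/SMB rule matched,
# so whatever follows in the real chain decides).
# usage: decide PROTO DST_IP DPORT
decide() {
    proto=$1; dst=$2; dport=$3
    case "$proto:$dport" in
        udp:137|udp:138|tcp:139|tcp:445) ;;   # a NetBIOS/SMB service port
        *) echo PASS; return ;;
    esac
    if [ "$dst" = "$SMB_SERVER" ]; then
        echo ACCEPT                           # rule 1 or 2 matched
    else
        echo DROP                             # rule 3 or 4 matched
    fi
}

# Print the generated ruleset when run directly.
netbios_rules
```

For the port-range question raised in the thread: iptables accepts `--dport 137:139` for a contiguous range, and `-m multiport --dports 137,138` (as used here) for a list of up to 15 ports; the two forms cannot mix TCP and UDP in one rule, so the UDP and TCP services still need separate rules.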