
Re: [K12OSN] hide network shares



Slight correction: in the fourth paragraph, the first sentence should read as follows:

"Say you want to *deny* NetBIOS traffic in on eth1, your external interface."

Oops....

--TP

Terrell Prude' Jr. wrote:
Actually, you'd use "-p udp" because NetBIOS name lookup is done on UDP, not TCP. Also, you want to make sure you're specifying the interface. In this specific case, it might not make much effective difference, but that's bitten me in the butt before when I haven't done so, so I always do it.

There's another important question here: does he want to stop *all* NetBIOS traffic to *all* Windows machines everywhere, or does he want to permit it to certain servers?

Here are the specific ports that you'd need to deal with. And for those who are kinda new to packet filtering, know that *UDP vs. TCP MATTERS!!*

UDP 137
UDP 138
TCP 139
TCP 445 (this is the new Craptive Directory NetBIOS introduced with Windows 2000)

Say you want to allow NetBIOS traffic in on eth1, your external interface. However, you want to allow NetBIOS traffic to a Windows server with IP address 10.0.0.10 (say the main school LAN is 10.0.0.0/24). Here's the ruleset that I would try adding to the beginning of any ruleset that you already have:

# First, allow traffic from the server that we want.
iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 137 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 138 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 139 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 445 -j ACCEPT
#
#Now, block all other NetBIOS traffic
iptables -A INPUT -i eth1 -p udp --source-port 137 -j DROP
iptables -A INPUT -i eth1 -p udp --source-port 138 -j DROP
iptables -A INPUT -i eth1 -p tcp --source-port 139 -j DROP
iptables -A INPUT -i eth1 -p tcp --source-port 445 -j DROP


If you don't have any ruleset, there'll be a default-deny, so you'll get to include a "permit whatever else" statement to your liking at the end of your ruleset. I might do something like this, for "permit everything else in the world":

iptables -A INPUT -i eth1 -p tcp -j ACCEPT
iptables -A INPUT -i eth1 -p udp -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT

Comments?

--TP
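Added example, not code from the thread: a small POSIX shell script that prints a ruleset for the variant Peter actually asked about (blocking the LTSP box's *outbound* traffic destined for the NetBIOS/SMB ports), so it uses OUTPUT with --dport rather than TP's INPUT/--source-port form, and it shows the port-range (137:138) and multiport syntax Peter could not recall. The interface eth1, the allowed server 10.0.0.10 and the four ports are taken from TP's post; everything else is an assumption, and the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Emit iptables rules that stop this host reaching Windows shares, except on one
# allowed server. Ports: UDP 137/138 (NetBIOS name/datagram), TCP 139 (NetBIOS
# session), TCP 445 (SMB over TCP). UDP vs TCP is matched explicitly on purpose.
# Commands are printed, not executed: review them, then pipe to "sh" as root.

IFACE="${IFACE:-eth1}"                          # outgoing interface (assumed)
ALLOWED_SERVER="${ALLOWED_SERVER:-10.0.0.10}"   # the one server that may be reached

# netbios_rules IFACE SERVER : print the rules; pass "" as SERVER to allow none.
netbios_rules() {
    iface="$1"; server="$2"
    if [ -n "$server" ]; then
        # ACCEPT for the permitted server must come first: iptables walks the
        # chain in order and the first matching rule wins.
        echo "iptables -A OUTPUT -o $iface -p udp -d $server --dport 137:138 -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -p tcp -d $server -m multiport --dports 139,445 -j ACCEPT"
    fi
    # Then drop everything else aimed at the NetBIOS/SMB ports.
    # "137:138" is the port-range syntax; multiport takes a comma-separated list.
    echo "iptables -A OUTPUT -o $iface -p udp --dport 137:138 -j DROP"
    echo "iptables -A OUTPUT -o $iface -p tcp -m multiport --dports 139,445 -j DROP"
}

# rule_count IFACE SERVER : number of rules emitted (4 with a server, 2 without).
rule_count() { netbios_rules "$1" "$2" | wc -l | tr -d ' '; }

netbios_rules "$IFACE" "$ALLOWED_SERVER"
```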

Peter Scheie wrote:
I haven't done this, but considering Windows shares use port 137-139, I'm pretty sure you could add a few rules to iptables to block outbound traffic destined for those ports. That way you don't have to mess with the Windows machines. Anyone who's good with iptables wanna take a crack at creating such a blocking rule? I'll make what is probably an incorrect attempt to start the discussion:

iptables -A INPUT -p tcp --dport 137 -j DROP

Add similar rules for ports 138 & 139 (there's a way to specify a range, but I can't recall the syntax) and your linux box won't be able to 'see' any Windows shares.

Petre

Ray Garza wrote:
On Wednesday 07 March 2007 12:29, Terrell Prudé Jr. wrote:
You can use share permissions or NTFS permissions; either will do the
trick.  They'll still be able to see that the shares exist, but they
won't be able to actually access them. It's much like when you set 700
permission on the /root directory in GNU/Linux or *BSD.  Regular users
can see that /root exists, but they can't do anything with it.

You mean change the Share permissions on each Staff PC? I could do that but I was hoping to do it at a single point (server) rather than go around to each Staff PC and make the changes.
I'll give your suggestion more thought.

Thanks for the input.
Ray

--TP
_______________________________
Do you GNU!?
Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
protection!

Ray Garza wrote:
Greetings group,

I'm using K12LTSP 6.0 in a mixed environment (Windows, Linux, K12LTSP)
and I would like to prevent users on the K12LTSP PC's from seeing the
network shares on the staff PC's.

I've tried to use Sabayon to delete the Networks submenu item under
Places (Gnome) but can't. I cannot even get rid of the Places Menu.

Any ideas to restrict access to browsing the network?

Thanks,

Ray


