stopping netbios domain requests with iptables


Post by Richard Sayd » Tue, 25 Dec 2001 11:51:52



I set up a firewall with iptables and I have tried to block all netbios
ports.
I only want my firewall to dial up when I need access to the internet and
netbios seems to send out messages frequently.

I have blocked ports 137:139 on INPUT, OUTPUT, and FORWARD.
But I keep getting the following ethernet followed by dial up messages
(as seen by tcpdump):

14:24:19.519634 eth0 < rs.netbios-ns > 146.115.8.20.domain: 44+ A? HOME. (34)
14:24:19.519634 ppp0 > 207-172-97-86.s86.apx1.sbo.ma.dialup.rcn.com.netbios-ns > 146.115.8.20.domain: 44+ A? HOME. (34)

If I understand the tcpdump man page well enough the ethernet message is
coming from host rs at port netbios-ns. It is sent to the domain server
with port domain. It is asking for the IP address of my HOME netbios area.
This gets sent on through ppp0 and of course the domain server returns
NXDOMAIN every time.

I do have the following rules:

iptables -A INPUT -i eth0 --protocol udp --source-port 137:139 -j DROP
iptables -A INPUT -i eth0 --protocol tcp --source-port 137:139 -j DROP

I have also tried various other combinations with OUTPUT and FORWARD, always
dropping the 137:139 ports but those packets keep waking up my ppp dialer.
Does anyone know what I am doing wrong?

Thanks!!
Richard

 
 
 


Post by Dean Thompso » Tue, 25 Dec 2001 22:55:20


Hi!,

Quote:
> I set up a firewall with iptables and I have tried to block all netbios
> ports. I only want my firewall to dial up when I need access to the
> internet and netbios seems to send out messages frequently.

> I have blocked ports 137:139 on INPUT, OUTPUT, and FORWARD.
> But I keep getting the following ethernet followed by dial up messages
> (as seen by tcpdump):

> 14:24:19.519634 eth0 < rs.netbios-ns > 146.115.8.20.domain: 44+ A? HOME. (34)
> 14:24:19.519634 ppp0 > 207-172-97-86.s86.apx1.sbo.ma.dialup.rcn.com.netbios-ns > 146.115.8.20.domain: 44+ A? HOME. (34)

> If I understand the tcpdump man page well enough the ethernet message is
> coming from host rs at port netbios-ns. It is sent to the domain server
> with port domain. It is asking for the IP address of my HOME netbios area.
> This gets sent on through ppp0 and of course the domain server returns
> NXDOMAIN every time.

> I do have the following rules:

> iptables -A INPUT -i eth0 --protocol udp --source-port 137:139 -j DROP
> iptables -A INPUT -i eth0 --protocol tcp --source-port 137:139 -j DROP

> I have also tried various other combinations with OUTPUT and FORWARD,
> always dropping the 137:139 ports but those packets keep waking up my ppp
> dialer. Does anyone know what I am doing wrong?

Of course, these rules append to the INPUT chain. Is there a chain entry
which might allow the packets in before these are processed? Try doing the
following:

iptables -I INPUT 1 -i eth0 --protocol udp --source-port 137:139 -j DROP
iptables -I INPUT 1 -i eth0 --protocol tcp --source-port 137:139 -j DROP

Presuming that eth0 is the interface connected to your internal network and
that the requests are not coming from your machine directly.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 


Post by Richard Sayd » Thu, 27 Dec 2001 02:43:25


Thanks! That was not my problem but you made me realize that
the rules are order dependent. In retrospect, I should have known
that!

Anyway, when I reordered my FORWARD rules, I got them to
work correctly!

Thanks again!
Richard


Quote:

> Hi!,

> > I set up a firewall with iptables and I have tried to block all netbios
> > ports. I only want my firewall to dial up when I need access to the
> > internet and netbios seems to send out messages frequently.

> > I have blocked ports 137:139 on INPUT, OUTPUT, and FORWARD.
> > But I keep getting the following ethernet followed by dial up messages
> > (as seen by tcpdump):

> > 14:24:19.519634 eth0 < rs.netbios-ns > 146.115.8.20.domain: 44+ A? HOME. (34)
> > 14:24:19.519634 ppp0 > 207-172-97-86.s86.apx1.sbo.ma.dialup.rcn.com.netbios-ns > 146.115.8.20.domain: 44+ A? HOME. (34)

> > If I understand the tcpdump man page well enough the ethernet message is
> > coming from host rs at port netbios-ns. It is sent to the domain server
> > with port domain. It is asking for the IP address of my HOME netbios area.
> > This gets sent on through ppp0 and of course the domain server returns
> > NXDOMAIN every time.

> > I do have the following rules:

> > iptables -A INPUT -i eth0 --protocol udp --source-port 137:139 -j DROP
> > iptables -A INPUT -i eth0 --protocol tcp --source-port 137:139 -j DROP

> > I have also tried various other combinations with OUTPUT and FORWARD,
> > always dropping the 137:139 ports but those packets keep waking up my
> > ppp dialer. Does anyone know what I am doing wrong?

> Of course, these rules append to the INPUT chain. Is there a chain entry
> which might allow the packets in before these are processed? Try doing the
> following:

> iptables -I INPUT 1 -i eth0 --protocol udp --source-port 137:139 -j DROP
> iptables -I INPUT 1 -i eth0 --protocol tcp --source-port 137:139 -j DROP

> Presuming that eth0 is the interface connected to your internal network
> and that the requests are not coming from your machine directly.

> See ya

> Dean Thompson

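An added example (not code from any poster in this thread): a small Python model of iptables first-match evaluation, applied to the packet in the tcpdump trace above, showing why DROP rules on INPUT never see a routed packet and why rule order in FORWARD decides the outcome. The `allow_lan` ACCEPT rule and both rule orderings are assumptions for illustration; the thread does not show the actual FORWARD rules.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_if: Optional[str]    # None = generated on the firewall itself
    out_if: Optional[str]   # None = addressed to the firewall itself
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    sports: Optional[range] = None   # source-port range, None = any

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.proto is None or self.proto == p.proto)
                and (self.sports is None or p.sport in self.sports))

def chain_for(p: Packet) -> str:
    """Routed packets traverse FORWARD only; INPUT/OUTPUT never see them."""
    if p.in_if is None:
        return "OUTPUT"
    return "FORWARD" if p.out_if else "INPUT"

def verdict(tables, p, policy="ACCEPT"):
    """Return (chain, rule number, target) of the first matching rule."""
    chain = chain_for(p)
    for num, rule in enumerate(tables[chain], 1):
        if rule.matches(p):
            return chain, num, rule.target
    return chain, 0, policy   # rule number 0 = fell through to chain policy

# Packet from the tcpdump trace: LAN host, UDP source port 137, to DNS port 53.
pkt = Packet("eth0", "ppp0", "udp", 137, 53)
drop_nb = Rule("DROP", in_if="eth0", proto="udp", sports=range(137, 140))
allow_lan = Rule("ACCEPT", in_if="eth0", out_if="ppp0")   # assumed rule
appended = {"INPUT": [drop_nb], "FORWARD": [allow_lan, drop_nb], "OUTPUT": []}
reordered = {"INPUT": [drop_nb], "FORWARD": [drop_nb, allow_lan], "OUTPUT": []}

if __name__ == "__main__":
    print(verdict(appended, pkt))    # earlier ACCEPT matches, packet leaves via ppp0
    print(verdict(reordered, pkt))   # DROP is now the first match
```

On a live firewall, `iptables -L FORWARD -n -v --line-numbers` shows the rule order and per-rule packet counters, which reveals which rule is actually matching.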
 
 
 
