User Tools

Site Tools


securiting_samba

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

securiting_samba [2015/06/29 12:10] (current)
Line 1: Line 1:
 +**Securiting Samba**
 +
 +====== Introduction ======
 +
 +Sometimes is important to configure a firewall in the system and define the interface(s) that will listening Samba4.
 +
 +
 +====== Securiting Samba4 AD DC with iptables ======
 +----
 +
 +Before you configure IPTABLES, you moust to know [[samba_ports_usage|Samba4 ports usages]].
 +
 +IPTABLES example using INPUT DROP Policy, and FORWARD and OUTPUT ACCEPT Policy:
 +<​code>​
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 53 -m state --state NEW -j ACCEPT ​   # DNS
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p udp --dport 53 -m state --state NEW -j ACCEPT ​   # DNS (UDP)
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 88 -m state --state NEW -j ACCEPT ​   # Kerberos
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p udp --dport 88 -m state --state NEW -j ACCEPT ​   # Kerberos (UDP)
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 123 -m state --state NEW -j ACCEPT ​  # NTP
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 135 -m state --state NEW -j ACCEPT ​  # RPC
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p udp --dport 137 -m state --state NEW -j ACCEPT ​  # NetBIOS Name Service
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p udp --dport 138 -m state --state NEW -j ACCEPT ​  # NetBIOS Datagram Service
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 139 -m state --state NEW -j ACCEPT ​  # NetBIOS Session Service
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 464 -m state --state NEW -j ACCEPT ​  # Kerberos Password
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p udp --dport 464 -m state --state NEW -j ACCEPT ​  # Kerberos Password (UDP)
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 389 -m state --state NEW -j ACCEPT ​  # LDAP
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p udp --dport 389 -m state --state NEW -j ACCEPT ​  # LDAP (UDP)
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 445 -m state --state NEW -j ACCEPT ​  # MS Directory Service
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 636 -m state --state NEW -j ACCEPT ​  # LDAPS
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 1024:5000 -m state --state NEW -j ACCEPT ​ # DCOM
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 3268 -m state --state NEW -j ACCEPT ​ # MS Global Catalog
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p tcp --dport 3269 -m state --state NEW -j ACCEPT ​ # MS Global Cataloge SSL
 + ​iptables -A INPUT -s 10.12.0.0/​16 -i eth1 -p udp --dport 5353 -m state --state NEW -j ACCEPT ​ # Multicast DNS
 +</​code>​
 +
 +
 +====== Listen interfaces for Samba4 ======
 +----
 +
 +Sometimes you don't want Samba to listen on all interfaces of your host. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside.
 +
 +Add the following to the [global] section of your smb.conf to bind Samba to eth0 and loopback:
 +<​code>​
 + bind interfaces only = yes
 + ​interfaces = lo eth1
 +</​code>​
 +
 +The "​interfaces"​ parameter allows various ways to restrict. See the manpage for more details. After the changes, restart Samba.
  
securiting_samba.txt ยท Last modified: 2015/06/29 12:10 (external edit)