securiting_samba
Differences
This shows you the differences between two versions of the page.
| — |
securiting_samba [2020/04/10 17:38] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | **Securiting Samba** | ||
| + | |||
| + | ====== Introduction ====== | ||
| + | |||
| + | Sometimes is important to configure a firewall in the system and define the interface(s) that will listening Samba4. | ||
| + | |||
| + | |||
| + | ====== Securiting Samba4 AD DC with iptables ====== | ||
| + | ---- | ||
| + | |||
| + | Before you configure IPTABLES, you moust to know [[samba_ports_usage|Samba4 ports usages]]. | ||
| + | |||
| + | IPTABLES example using INPUT DROP Policy, and FORWARD and OUTPUT ACCEPT Policy: | ||
| + | <code> | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 53 -m state --state NEW -j ACCEPT # DNS (UDP) | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 88 -m state --state NEW -j ACCEPT # Kerberos | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 88 -m state --state NEW -j ACCEPT # Kerberos (UDP) | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 123 -m state --state NEW -j ACCEPT # NTP | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 135 -m state --state NEW -j ACCEPT # RPC | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 137 -m state --state NEW -j ACCEPT # NetBIOS Name Service | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 138 -m state --state NEW -j ACCEPT # NetBIOS Datagram Service | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 139 -m state --state NEW -j ACCEPT # NetBIOS Session Service | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 464 -m state --state NEW -j ACCEPT # Kerberos Password | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 464 -m state --state NEW -j ACCEPT # Kerberos Password (UDP) | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 389 -m state --state NEW -j ACCEPT # LDAP | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 389 -m state --state NEW -j ACCEPT # LDAP (UDP) | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 445 -m state --state NEW -j ACCEPT # MS Directory Service | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 636 -m state --state NEW -j ACCEPT # LDAPS | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 1024:5000 -m state --state NEW -j ACCEPT # DCOM | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 3268 -m state --state NEW -j ACCEPT # MS Global Catalog | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 3269 -m state --state NEW -j ACCEPT # MS Global Cataloge SSL | ||
| + | iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 5353 -m state --state NEW -j ACCEPT # Multicast DNS | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ====== Listen interfaces for Samba4 ====== | ||
| + | ---- | ||
| + | |||
| + | Sometimes you don't want Samba to listen on all interfaces of your host. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside. | ||
| + | |||
| + | Add the following to the [global] section of your smb.conf to bind Samba to eth0 and loopback: | ||
| + | <code> | ||
| + | bind interfaces only = yes | ||
| + | interfaces = lo eth1 | ||
| + | </code> | ||
| + | |||
| + | The "interfaces" parameter allows various ways to restrict. See the manpage for more details. After the changes, restart Samba. | ||
securiting_samba.txt ยท Last modified: 2020/04/10 17:38 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
