securiting_samba [2020/04/10 17:38]
**Securing Samba**

====== Introduction ======

Sometimes it is important to configure a firewall on the system and to define the interface(s) on which Samba4 will listen.


====== Securing a Samba4 AD DC with iptables ======
----

Before you configure iptables, you must know which ports Samba4 uses: see [[samba_ports_usage|Samba4 ports usage]].

iptables example using an INPUT DROP policy, with FORWARD and OUTPUT ACCEPT policies. The rules accept new connections only from the 10.12.0.0/16 network arriving on eth1:
<code>
# Default policies: drop unsolicited inbound traffic, allow the rest
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Loopback traffic and replies to connections the DC opens itself must be
# accepted, otherwise the DROP policy breaks local tools and outbound lookups
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 53 -m state --state NEW -j ACCEPT # DNS (UDP)
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 88 -m state --state NEW -j ACCEPT # Kerberos
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 88 -m state --state NEW -j ACCEPT # Kerberos (UDP)
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 123 -m state --state NEW -j ACCEPT # NTP (UDP, not TCP)
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 135 -m state --state NEW -j ACCEPT # RPC endpoint mapper
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 137 -m state --state NEW -j ACCEPT # NetBIOS Name Service
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 138 -m state --state NEW -j ACCEPT # NetBIOS Datagram Service
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 139 -m state --state NEW -j ACCEPT # NetBIOS Session Service
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 464 -m state --state NEW -j ACCEPT # Kerberos password change (kpasswd)
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 464 -m state --state NEW -j ACCEPT # Kerberos password change (UDP)
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 389 -m state --state NEW -j ACCEPT # LDAP
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 389 -m state --state NEW -j ACCEPT # LDAP (UDP, CLDAP)
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 445 -m state --state NEW -j ACCEPT # SMB / MS Directory Service
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 636 -m state --state NEW -j ACCEPT # LDAPS
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 1024:5000 -m state --state NEW -j ACCEPT # DCOM / dynamic RPC range
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 3268 -m state --state NEW -j ACCEPT # MS Global Catalog
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p tcp --dport 3269 -m state --state NEW -j ACCEPT # MS Global Catalog SSL
iptables -A INPUT -s 10.12.0.0/16 -i eth1 -p udp --dport 5353 -m state --state NEW -j ACCEPT # Multicast DNS
</code>
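The rule set above is easy to get wrong when retyped for another site (a missed port, a forgotten loopback or ESTABLISHED rule). The following added example, which is not code from the wiki page, renders the same port list into an iptables-restore file from a small table, so the result can be reviewed before it is loaded. The function names, the constructed labels and the environment variables LAN and IFACE are assumptions (their defaults repeat the page's 10.12.0.0/16 and eth1); it uses the current `-m conntrack --ctstate` match in place of the older `-m state`, and nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example, not code from the wiki page: render an iptables-restore
# ruleset for a Samba4 AD DC from a port table instead of typing nineteen
# iptables commands by hand. Nothing is applied here; an administrator
# reviews the output and loads it with
#   render_ruleset > samba-dc.rules && iptables-restore < samba-dc.rules
# Assumed values (defaults taken from the page's example):
LAN="${LAN:-10.12.0.0/16}"   # internal network allowed to reach the DC
IFACE="${IFACE:-eth1}"       # internal NIC the DC listens on

# Port table: protocol, port (or range), label. Same services as the page;
# NTP is carried over UDP. Labels are constructed and used as rule comments.
samba_dc_ports() {
cat <<'EOF'
tcp 53 DNS
udp 53 DNS
tcp 88 Kerberos
udp 88 Kerberos
udp 123 NTP
tcp 135 RPC-endpoint-mapper
udp 137 NetBIOS-Name
udp 138 NetBIOS-Datagram
tcp 139 NetBIOS-Session
tcp 389 LDAP
udp 389 LDAP
tcp 445 SMB
tcp 464 Kerberos-kpasswd
udp 464 Kerberos-kpasswd
tcp 636 LDAPS
tcp 1024:5000 DCOM
tcp 3268 Global-Catalog
tcp 3269 Global-Catalog-SSL
udp 5353 mDNS
EOF
}

# Print a complete filter table in iptables-restore format.
render_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Without these two rules an INPUT DROP policy silently discards loopback
    # traffic and the replies to connections the DC opens itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    samba_dc_ports | while read -r proto port label; do
        printf '%s\n' "-A INPUT -s $LAN -i $IFACE -p $proto --dport $port -m conntrack --ctstate NEW -m comment --comment $label -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of per-service accept rules, so a reviewer can confirm the rendered
# table matches the port list (19 entries above).
rule_count() {
    render_ruleset | grep -c -- '--dport'
}
```

Keeping the port list in one place and generating the rules from it means a change to the Samba ports page becomes a one-line edit; the loopback and ESTABLISHED,RELATED rules are emitted unconditionally because the DROP policy is only safe with them present.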


====== Listen interfaces for Samba4 ======
----

Sometimes you don't want Samba to listen on all interfaces of your host. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside.

Add the following to the [global] section of your smb.conf to bind Samba to eth1 and loopback:
<code>
bind interfaces only = yes
interfaces = lo eth1
</code>

The "interfaces" parameter allows various ways to restrict which interfaces Samba binds to. See the smb.conf manpage for more details. After the changes, restart Samba.
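Because a single mistyped or missing parameter leaves Samba listening everywhere, it is worth checking the two settings rather than trusting the edit. The following added example, not code from the wiki page, reads the [global] section of an smb.conf and reports whether Samba is bound to loopback plus the permitted internal NIC(s). The function names, the permitted-interface argument and the two sample configurations are assumptions and constructed data; the check compares "interfaces" entries literally against the permitted list, so addresses or netmask forms must be listed in the same spelling.

```shell
#!/bin/sh
# Added example, not code from the wiki page: audit the [global] section of
# an smb.conf for 'bind interfaces only' and 'interfaces'. check_bind_config
# returns 0 when Samba is pinned to loopback plus the permitted internal
# NIC(s) and 1 (printing the reason) otherwise. Assumed: the permitted list is
# argument 2 and must match the 'interfaces' entries literally.

# Print the last value of one [global] parameter. smb.conf keys are case-
# insensitive and ignore embedded whitespace, so both are normalised.
smb_global_value() {
    want=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        $1 ~ /^\[/ { insec = (tolower($1) == "[global]"); next }
        !insec || $1 ~ /^[#;]/ || index($0, "=") == 0 { next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) == want) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v
            }
        }' "$1" | tail -n 1
}

check_bind_config() {
    conf=$1
    allowed=" $2 "
    bind=$(smb_global_value "$conf" "bind interfaces only" | tr 'A-Z' 'a-z')
    case "$bind" in
        yes|true|1) ;;
        *) echo "FAIL: 'bind interfaces only' is '${bind:-unset}'; Samba binds every interface"; return 1 ;;
    esac
    ifaces=$(smb_global_value "$conf" "interfaces")
    if [ -z "$ifaces" ]; then
        echo "FAIL: 'interfaces' is unset, so 'bind interfaces only' has nothing to bind to"; return 1
    fi
    has_lo=0
    for i in $ifaces; do
        if [ "$i" = lo ]; then
            has_lo=1
        else
            case "$allowed" in
                *" $i "*) ;;
                *) echo "FAIL: '$i' is not a permitted internal interface"; return 1 ;;
            esac
        fi
    done
    if [ "$has_lo" -ne 1 ]; then
        echo "FAIL: loopback missing; local Samba tools need lo when binding is restricted"; return 1
    fi
    echo "OK: Samba bound to: $ifaces"
}

# Constructed sample configurations (not real hosts) for trying the check.
sample_conf_ok() {
cat <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    Bind Interfaces Only = yes
    interfaces = lo eth1

[sysvol]
    path = /var/lib/samba/sysvol
EOF
}

sample_conf_bad() {
cat <<'EOF'
[global]
    workgroup = EXAMPLE
    bind interfaces only = yes
    # eth0 faces the outside network
    interfaces = lo eth0 eth1
EOF
}
```

Run it as `check_bind_config /etc/samba/smb.conf "eth1"` after editing the file and before restarting Samba; the loopback check exists because restricting the binding without lo breaks Samba's own local tools, which the page's example avoids by listing lo first.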