
My main goal is to set up iptables that work as a VPN kill switch for my OpenVPN connection. Thanks to a post from forest, this was pretty straightforward: OpenVPN kill switch on Linux. So, everything that is not going to tun1 should be blocked.

Now there is an issue while configuring an exception, as the SMB mount to the local NAS should not be tunneled. I tried to add the different ports as suggested here: https://serverfault.com/questions/346196/tcp-ip-ports-necessary-for-cifs-smb-operation but the mount cannot be executed. Without any iptables rules, the mount works fine.

Here is my set of iptables:

iptables -F
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 9365 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9365 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8080 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j ACCEPT -m owner --gid-owner openvpn
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -o tun1
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
iptables -A OUTPUT -p udp --sport 137 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 138 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 139 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 445 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED
iptables -P OUTPUT DROP
iptables -P INPUT DROP

If I allow access to the complete local network with `iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT`, the mount works fine. But I do not want to allow complete access to the local network on all ports ... and I also want to understand what's missing. I investigated the connection without rules and the mount connects to port 445.

  1. What is missing in the iptables to allow the smb connection?
  2. Will port 445 be sufficient or do I need the other 3 ports as well?

Thanks in advance ;)

Best, René

renpen
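As an added example (not the asker's rule set, and not taken from any answer), here is a trimmed kill-switch script that allows SMB only to a single NAS on TCP 445. The netstat line in the comment (`192.168.1.220:33850 -> 192.168.1.2:445`) shows why the outbound rule has to match on the destination port: the client picks an ephemeral source port, so an OUTPUT rule on `--sport 445` never matches the connection request, and the NAS's replies are covered by a single `ESTABLISHED,RELATED` rule on INPUT rather than per-port rules. A mount that is negotiated directly on 445, as that netstat line shows, does not need the NetBIOS ports 137-139. Assumptions: the NAS address 192.168.1.2 and interface tun1 are taken from the question and comment; the script emits the rules with `echo` by default so it can be reviewed before being applied as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not from the question. Kill-switch rules with one SMB
# exception (TCP 445 to the NAS only). Defaults to printing the rules;
# run as root with IPT=iptables to apply them.

IPT="${IPT:-echo iptables}"

# Emit the rule set. $1 = NAS address, $2 = VPN tunnel interface.
smb_killswitch_rules() {
    nas="$1"
    vpn_if="$2"

    $IPT -F INPUT
    $IPT -F OUTPUT

    # Loopback and the tunnel itself are always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o "$vpn_if" -j ACCEPT

    # The OpenVPN process (group "openvpn", as in the question) may reach
    # the VPN server outside the tunnel.
    $IPT -A OUTPUT -m owner --gid-owner openvpn -j ACCEPT

    # Replies to any connection that was allowed come back on their own;
    # this replaces the per-port --sport rules for 137/138/139/445.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # SMB to the NAS: the client uses an ephemeral source port, so the
    # outbound match is on the DESTINATION port 445 and only this host.
    $IPT -A OUTPUT -d "$nas" -p tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT

    # Everything else is dropped, in both directions.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
}

# Count emitted rules matching a pattern; used to sanity-check the output
# before applying it (e.g. exactly one rule opens 445, none use --sport 445).
count_rules() {
    smb_killswitch_rules "$1" "$2" | grep -c -- "$3" || true
}

# Preview the rule set for the NAS and interface named in the question.
smb_killswitch_rules 192.168.1.2 tun1
```

Running the script unchanged prints the rules; once they look right, `sudo env IPT=iptables sh script.sh` applies them. If the NAS also needs to be reached by name through NetBIOS (ports 137/138), add a matching `-d "$nas" -p udp --dport 137` rule in the same place rather than reopening the whole /24.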
  • I figured the first one out, but I do not understand it. `tcp 0 0 192.168.1.220:33850 192.168.1.2:445 ESTABLISHED - ` Therefore a change from `iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 445 -j ACCEPT` to `iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT` solved the issue. The second question remains ;) Hope you can help me with that. – renpen Apr 04 '20 at 21:47

0 Answers