On Fri, 2002-12-13 at 10:52, Ian C. Blenke wrote:
> iptables -A INPUT -i eth(x) -p tcp -m multiport --dports 135,137:139,445 -j DROP
> iptables -A INPUT -i eth(x) -p udp -m multiport --dports 135,137:139,445 -j DROP
>
> The proto/port combos you *really* need to worry about are:
>
> TCP 135 - Microsoft DCE RPC
> UDP 137 - NetBIOS name lookups
> UDP 138 - NetBIOS datagram (\\MAILSLOT browse, network neighborhood)
> TCP 139 - NetBIOS session (SMB over NetBIOS)
> TCP 445 - SMB native (no NetBIOS)
Very true. That's why by default I assign everything I accept and drop
the rest.
In other words, something like this:
# Accept the following packets
iptables -A INPUT -i eth(x) -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth(x) -p udp --dport 22 -j ACCEPT
iptables -A INPUT -i eth(x) -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth(x) -p udp --dport 25 -j ACCEPT
iptables -A INPUT -i eth(x) -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth(x) -p udp --dport 80 -j ACCEPT
iptables -A INPUT -i eth(x) -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth(x) -p esp -j ACCEPT
# Drop and log the rest
iptables -A INPUT -i eth(x) -j LOG --log-level info \
--log-prefix "ETH(X) INPUT DROP: "
iptables -A INPUT -i eth(x) -j DROP
The logging is optional, but I do it anyways because I'm obviously a
masochist. :-) -- logging all dropped packets can fill up the logs
quickly.
--
Matt Miller
Systems Administrator
MP TotalCare
gpg public key id: 08BC7B06
--
An improperly trained Samurai dies quickly.
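Since the thread's own point is that the LOG rule fills the logs quickly, here is a small added parser (not code from either poster) that reads lines carrying Matt's "ETH(X) INPUT DROP: " prefix in the standard iptables LOG KEY=VALUE format, counts drops per protocol/destination port, and lists the sources that hit the NetBIOS/RPC/SMB ports Ian singled out. The syslog lines and addresses are constructed samples; the prefix and port list come from the messages above.

```python
import re
from collections import Counter

# The proto/port combinations Ian's message singles out.
WINDOWS_PORTS = {("TCP", 135), ("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Constructed sample syslog lines in the standard iptables LOG output format;
# the prefix is the one from Matt's rule, addresses are from documentation ranges.
SAMPLE_LOG = """\
Dec 13 11:02:17 gw kernel: ETH(X) INPUT DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=128 ID=1 DF PROTO=TCP SPT=1034 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 13 11:02:18 gw kernel: ETH(X) INPUT DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=78 TTL=128 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 13 11:02:19 gw kernel: ETH(X) INPUT DROP: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=48 TTL=128 ID=3 DF PROTO=TCP SPT=1035 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 13 11:02:20 gw kernel: ETH(X) INPUT DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TTL=52 ID=4 DF PROTO=TCP SPT=40112 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 13 11:02:21 gw sshd[123]: Accepted publickey for matt from 192.0.2.20
"""

# Matches the KEY=VALUE pairs the LOG target writes; bare flags (DF, SYN) are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_drops(log_text, prefix="ETH(X) INPUT DROP: "):
    """Return one dict of KEY=VALUE fields per line carrying the LOG prefix."""
    records = []
    for line in log_text.splitlines():
        if prefix not in line:
            continue  # not one of our firewall drops (e.g. the sshd line)
        fields = dict(FIELD_RE.findall(line.split(prefix, 1)[1]))
        records.append(fields)
    return records

def drops_by_service(records):
    """Count drops per (PROTO, DPT); ICMP and other protocols carry no DPT."""
    counts = Counter()
    for r in records:
        if "DPT" in r:
            counts[(r["PROTO"], int(r["DPT"]))] += 1
    return counts

def windows_probe_sources(records):
    """Sources that hit the NetBIOS/RPC/SMB ports listed in the thread."""
    return sorted({r["SRC"] for r in records
                   if "DPT" in r and (r["PROTO"], int(r["DPT"])) in WINDOWS_PORTS})

if __name__ == "__main__":
    recs = parse_drops(SAMPLE_LOG)
    for (proto, port), n in drops_by_service(recs).most_common():
        print(f"{proto:4} {port:5d}  {n}")
    print("Windows-port probes from:", windows_probe_sources(recs))
```

Feed it the real kernel log (e.g. via journalctl -k or /var/log/kern.log) to see which ports account for the volume before deciding whether to keep logging everything or rate-limit the LOG rule.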
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:14:14 EDT