[SOLVED] Firewalling Samba for one manually assigned IP

[amplatfus]

Hi all,

I am trying to restrict access to router external USB storage with SAMBA active.
I tried using below rules in firewall, but nothing worked

Could you please provide some things to try?

iptables -A FORWARD -s 172.16.0.242 -d 172.16.0.1 -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -s 172.16.0.242 -d 172.16.0.1 -p udp --sport 137:139 -j DROP
iptables -A FORWARD -s 172.16.0.242 -d 172.16.0.1 -p tcp --sport 445 -j DROP
iptables -A FORWARD -s 172.16.0.242 -d 172.16.0.1 -p udp --sport 445 -j DROP

iptables -A OUTPUT -s 172.16.0.242 -d 172.16.0.1 -p tcp --sport 137:139 -j DROP
iptables -A OUTPUT -s 172.16.0.242 -d 172.16.0.1 -p udp --sport 137:139 -j DROP
iptables -A OUTPUT -s 172.16.0.242 -d 172.16.0.1 -p tcp --sport 445 -j DROP
iptables -A OUTPUT -s 172.16.0.242 -d 172.16.0.1 -p udp --sport 445 -j DROP

iptables -A INPUT -s 172.16.0.242 -d 172.16.0.1 -p tcp --sport 137:139 -j DROP
iptables -A INPUT -s 172.16.0.242 -d 172.16.0.1 -p udp --sport 137:139 -j DROP
iptables -A INPUT -s 172.16.0.242 -d 172.16.0.1 -p tcp --sport 445 -j DROP
iptables -A INPUT -s 172.16.0.242 -d 172.16.0.1 -p udp --sport 445 -j DROP

PS: I mention that I created also a separate VLAN for this IP.

Thank you so much,
amplatfus

 

[ColinTaylor]

It would be better to use the "hosts allow" parameter in smb.conf.

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

 

[amplatfus]

So simple? So fast? It was possible with your fast help. You rock as always! It works!
Time to do some backups

Thank you so much!
amplatfus

 

[amplatfus]

Dear @ColinTaylor

Could you please share what approach to have in order to block access from this IP to any of router clients only for ports used for file sharing: SAMBA, FTP and HTTP/HTTPS/SSH?

Until now I manage to do it for HTTP/HTTPS/SSH for this IP banned.

I have played using separate VLAN: I manage to block access to internal HTTP printer, SSH, HTTPS router administrative page by TCP drop, but dropping UDP ports seems to not blocking the SAMBA.

Using your advice I blocked only the SAMBA located in router, but for instance if a friend is welcomed with his laptop in one of my LAN ports, by wire, I have to secure it and to not allow connections from banned VLAN to his shares, but only by dropping sharing ports, not to separate completly if this is possible.
This banned VLAN10 is a LAN attashed device by wire to the ASUS Merlin Router.

IPADDR=$(nvram get lan_ipaddr)

ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst ${IPADDR} --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst ${IPADDR} --ip-proto udp --ip-destination-port 135:150 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst ${IPADDR} --ip-proto udp --ip-destination-port 200:1800 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst ${IPADDR} --ip-proto udp --ip-destination-port 2000:8000 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst ${IPADDR} --ip-proto udp --ip-destination-port 9000:29000 -j DROP

ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-source 172.16.0.242 --ip-proto udp --ip-source-port 137 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-source 172.16.0.242 --ip-proto udp --ip-source-port 138 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-source 172.16.0.242 --ip-proto tcp --ip-source-port 139 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-source 172.16.0.242 --ip-proto tcp --ip-source-port 445 -j DROP

I appreceiate any help.
Thank you,
amplatfus