On Friday 13 December 2002 10:08, Matt Miller wrote:
> On Fri, 2002-12-13 at 09:05, Todd Robinson wrote:
> > > This would drop most of it:
> > >
> > > iptables -A INPUT -i eth(x) -p tcp --dport 137:139 -j DROP
> >
> > Thanks, need another one for the udp traffic. Also not sure if you need
> > to do another set for source ports. I hadn't thought of consolidating
> > the rules yet, just been adding new ones as I saw them in the logs...
>
> You are absolutely correct. That was a snafu on my part.
> You could use two rules:
> iptables -A INPUT -i eth(x) -p tcp --dport 137:139 -j DROP
> iptables -A INPUT -i eth(x) -p udp --dport 137:139 -j DROP
Or,
iptables -A INPUT -i eth(x) -p tcp -m multiport --dports 135,137:139,445 -j DROP
iptables -A INPUT -i eth(x) -p udp -m multiport --dports 135,137:139,445 -j DROP
The proto/port combos you *really* need to worry about are:
TCP 135 - Microsoft DCE RPC
UDP 137 - NetBIOS name lookups
UDP 138 - NetBIOS datagram (\\MAILSLOT browse, network neighborhood)
TCP 139 - NetBIOS session (SMB over NetBIOS)
TCP 445 - SMB native (no NetBIOS)
Then there are the other ports, like PPTP, NetMeeting (H.323), and other
miscellaneous listeners that make a Microsoft box a true piece of Swiss
cheese.
--
- Ian C. Blenke <icblenke@nks.net>
(This message bound by the following: http://www.nks.net/email_disclaimer.html)
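The consolidated rule set from the thread, written out as a small script (added example, not code from any poster): one multiport DROP rule per protocol covers the whole list, and a rate-limited LOG rule in front of each keeps the hits visible in the logs the original poster was reading. The interface name eth0, the LOG prefix and the 5/min limit are assumptions; is_blocked just models the port spec so you can check which of the five combos listed above a given proto/port falls under.

```shell
#!/bin/sh
# Added example: print (do not run) iptables rules dropping the Windows
# NetBIOS/SMB/RPC ports listed in the thread on one interface.
# Usage: sh winports.sh eth0 | sh      (as root, after reviewing the output)
IFACE="${1:-eth0}"                  # assumed interface name
WIN_PORTS="135,137:139,445"         # multiport spec: TCP 135, 137-139, 445

# Emit a LOG rule (rate-limited so the log does not flood) followed by a
# DROP rule, for both tcp and udp, using -m multiport so one rule per
# protocol covers the whole list (plain --dport takes a single port/range).
build_rules() {
  iface="$1"
  for proto in tcp udp; do
    printf 'iptables -A INPUT -i %s -p %s -m multiport --dports %s -m limit --limit 5/min -j LOG --log-prefix "WINPORTS: "\n' \
      "$iface" "$proto" "$WIN_PORTS"
    printf 'iptables -A INPUT -i %s -p %s -m multiport --dports %s -j DROP\n' \
      "$iface" "$proto" "$WIN_PORTS"
  done
}

# Return 0 if proto/port would be matched by the DROP rules above, 1 if not.
# Each comma-separated item is either a single port or a lo:hi range.
is_blocked() {
  proto="$1"; port="$2"
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  for spec in $(printf '%s' "$WIN_PORTS" | tr ',' ' '); do
    lo="${spec%%:*}"; hi="${spec##*:}"   # single port gives lo == hi
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
  done
  return 1
}

build_rules "$IFACE"
```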
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:13:51 EDT