[K12OSN] hide network shares

Ray Garza rgarza28 at gmail.com
Thu Mar 8 02:20:57 UTC 2007


I like this idea better. We do have a central shared drive (on a linux box) 
that I'm trying to get all of the staff to use. It's an uphill educating 
battle with them. Who knows when someone will just decide to share a 
drive and not tell me. Until then, it would be nice to block access to them 
from the server.

Ray

On Wednesday 07 March 2007 16:53, Terrell Prude' Jr. wrote:
> Actually, you'd use "-p udp" because NetBIOS name lookup is done on UDP,
> not TCP.  Also, you want to make sure you're specifying the interface.
> In this specific case, it might not make much effective difference, but
> that's bitten me in the butt before when I haven't done so, so I always
> do it.
>
> There's another important question here:  does he want to stop *all*
> NetBIOS traffic to *all* Windows machines everywhere, or does he want to
> permit it to certain servers?
>
> Here are the specific ports that you'd need to deal with.  And for those
> who are kinda new to packet filtering, know that *UDP vs. TCP MATTERS!!*
>
> UDP 137
> UDP 138
> TCP 139
> TCP 445 (this is the new Craptive Directory NetBIOS introduced with
> Windows 2000)
>
> Say you want to allow NetBIOS traffic in on eth1, your external
> interface.  However, you want to allow NetBIOS traffic to a Windows
> server with IP address 10.0.0.10 (say the main school LAN is
> 10.0.0.0/24).  Here's the ruleset that I would try adding to the
> beginning of any ruleset that you already have:
>
> # First, allow traffic from the server that we want.
> iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 137 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --source 10.0.0.10/32 --source-port 138 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 139 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --source 10.0.0.10/32 --source-port 445 -j ACCEPT
> #
> #Now, block all other NetBIOS traffic
> iptables -A INPUT -i eth1 -p udp --source-port 137 -j DROP
> iptables -A INPUT -i eth1 -p udp --source-port 138 -j DROP
> iptables -A INPUT -i eth1 -p tcp --source-port 139 -j DROP
> iptables -A INPUT -i eth1 -p tcp --source-port 445 -j DROP
>
>
> If you don't have any ruleset, there'll be a default-deny, so you'll get
> to include a "permit whatever else" statement to your liking at the end
> of your ruleset.  I might do something like this, for "permit everything
> else in the world":
>
> iptables -A INPUT -i eth1 -p tcp -j ACCEPT
> iptables -A INPUT -i eth1 -p udp -j ACCEPT
> iptables -A INPUT -i eth1 -p icmp -j ACCEPT
>
> Comments?
>
> --TP
>
> Peter Scheie wrote:
> > I haven't done this, but considering Windows shares use port 137-139,
> > I'm pretty sure you could add a few rules to iptables to block
> > outbound traffic destined for those ports.  That way you don't have to
> > mess with the Windows machines.  Anyone who's good with iptables wanna
> > take a crack at creating such a blocking rule?  I'll make what is
> > probably an incorrect attempt to start the discussion:
> >
> > iptables -A INPUT -p tcp --dport 137 -j DROP
> >
> > Add similar rules for ports 138 & 139 (there's a way to specify a
> > range, but I can't recall the syntax) and your linux box won't be able
> > to 'see' any Windows shares.
> >
> > Petre
> >
> > Ray Garza wrote:
> >> On Wednesday 07 March 2007 12:29, Terrell Prudé Jr. wrote:
> >>> You can use share permissions or NTFS permissions; either will do the
> >>> trick.  They'll still be able to see that the shares exist, but they
> >>> won't be able to actually access them.  It's much like when you set 700
> >>> permission on the /root directory in GNU/Linux or *BSD.  Regular users
> >>> can see that /root exists, but they can't do anything with it.
> >>
> >> You mean change the Share permissions on each Staff PC? I could do
> >> that but I was hoping to do it at a single point (server) rather
> >> than go around to each Staff PC and make the changes.
> >> I'll give your suggestion more thought.
> >>
> >> Thanks for the input.
> >> Ray
> >>
> >>> --TP
> >>> _______________________________
> >>> Do you GNU!?
> >>> Microsoft Free since 2003 <http://www.gnu.org/>--the ultimate antivirus
> >>> protection!
> >>>
> >>> Ray Garza wrote:
> >>>> Greetings group,
> >>>>
> >>>> I'm using K12LTSP 6.0 in a mixed environment (Windows, Linux, K12LTSP)
> >>>> and I would like to prevent users on the K12LTSP PC's from seeing the
> >>>> network shares on the staff PC's.
> >>>>
> >>>> I've tried to use Sabayon to delete the Networks submenu item under
> >>>> Places (Gnome) but can't. I cannot even get rid of the Places Menu.
> >>>>
> >>>> Any ideas to restrict access to Browsing the network?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Ray
> >>>>
> >>>> _______________________________________________
> >>>> K12OSN mailing list
> >>>> K12OSN at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/k12osn
> >>>> For more info see <http://www.k12os.org>
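Added example, not code from the thread: the same exception-then-block idea as Terrell's ruleset, written for the OUTPUT chain with --dport instead of INPUT with --source-port. Sessions on a K12LTSP server run on the server itself, so filtering what the server sends is the single point Ray asked for, and matching the destination port catches the connection attempt rather than the reply. The interface eth1, the network 10.0.0.0/24 and the server 10.0.0.10 come from the quoted message; the IPTABLES variable, the function name, and any second server address are assumptions for the example. By default the script only echoes the iptables commands so they can be reviewed without root; set IPTABLES=iptables to apply them. The comma lists use the multiport match; the plain range syntax Peter was trying to remember is --dport 137:139.

```shell
#!/bin/sh
# Added example (not from the thread): exception-then-block ruleset for
# SMB/NetBIOS on the OUTPUT chain of a K12LTSP server, so sessions on the
# server cannot reach Windows shares except on the listed servers.
#
# Dry run by default: IPTABLES expands to "echo iptables", so the rules are
# printed for review. Set IPTABLES=iptables and run as root to apply them.
: "${IPTABLES:=echo iptables}"

# NetBIOS name service (137) and datagram service (138) are UDP; NetBIOS
# session service (139) and direct-hosted SMB (445) are TCP. The protocol
# must match or the rule never fires.
SMB_UDP=137,138
SMB_TCP=139,445

# smb_block_rules IFACE ALLOWED_SERVER...
# Appends ACCEPT rules for each allowed server, then REJECT rules for all
# other SMB/NetBIOS traffic leaving IFACE. REJECT rather than DROP so a
# file browser or smbclient fails at once instead of waiting out a timeout.
smb_block_rules() {
    iface=$1
    shift
    for srv in "$@"; do
        $IPTABLES -A OUTPUT -o "$iface" -d "$srv" -p udp -m multiport --dports "$SMB_UDP" -j ACCEPT
        $IPTABLES -A OUTPUT -o "$iface" -d "$srv" -p tcp -m multiport --dports "$SMB_TCP" -j ACCEPT
    done
    $IPTABLES -A OUTPUT -o "$iface" -p udp -m multiport --dports "$SMB_UDP" -j REJECT --reject-with icmp-port-unreachable
    $IPTABLES -A OUTPUT -o "$iface" -p tcp -m multiport --dports "$SMB_TCP" -j REJECT --reject-with tcp-reset
}

# Stand-alone use with the values from the thread (assumed defaults).
# ALLOW is deliberately unquoted so it can hold several space-separated
# servers, e.g. ALLOW="10.0.0.10 10.0.0.11".
smb_block_rules "${IFACE:-eth1}" ${ALLOW:-10.0.0.10}
```

Order matters: the ACCEPT rules for the permitted server have to be appended before the REJECT rules, since iptables takes the first match. To drop the exception entirely and block every share, call the function with only the interface. Broadcast name lookups to 10.0.0.255 do not match the per-server ACCEPT lines, so they fall through to the REJECT rules and network browsing from the server stops.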
