
[SOLVED] B3: How to set a firewall rule for port 445

oliver

[SOLVED] B3: How to set a firewall rule for port 445

Post by oliver »

Hi there,

I want to open in my B3 (directly attached to the internet) port 445 (SMB secure) for an external, official IP address on the internet. It should be possible to connect to a network share from my win 7 client, which is connected behind my B3.

win7 client ---- B3 ---- internet ---- hidrive smb-share

The port should only be open for the IP address of the hidrive smb-share.

any help is highly welcome.

thanks

oliver
Last edited by oliver on 22 Feb 2012, 10:40, edited 1 time in total.
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: B3: How to set a firewall rule for port 445

Post by Gordon »

The B3 allows every address on the LAN to access every address and every port on the internet by replacing the original sender address (which is invalid as far as the internet is concerned) with its own internet address. This includes port 445, and the other side will never see any difference between the B3 and the original Windows machine doing the requests.

Or does the originating port in this scheme also have to be a designated port (445)?
matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Re: B3: How to set a firewall rule for port 445

Post by matthew »

Hi Oliver,

To cut it short, you have to add/insert a rule after ssh login and su, like this:

iptables -A INPUT -p tcp -s [hidrive smb-share-ip-adress] -i eth0 --dport 445 -m state --state NEW -j ACCEPT

This call adds a new rule to your INPUT chain, which accepts TCP packets with flag NEW on port 445 from the source IP address. I think that's all.

Afterwards, you can check your ruleset if everything is fine for example with:

iptables -vnL --line-numbers

That lists the ruleset and you can look for your rule at the end of your INPUT chain.

...make your tests with your external device.

By the way, to delete that rule, you can look at the output of the last command. In the first column there are line numbers for every chain (INPUT, OUTPUT, FORWARD). You can use this number to delete the rule with the following command:

iptables -D INPUT number

I hope this is it.

Sorry for my not very well trained english :)
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: B3: How to set a firewall rule for port 445

Post by Ubi »

Although the above is correct and a proper way to add rules to the firewall, I always like the practical.

To be safe, first install nmap

apt-get install nmap

Your firewall rules are present in "/etc/network/firewall.conf". Let's copy this first:

cp /etc/network/firewall.conf /etc/network/firewall.conf.ori
cp /etc/network/firewall.conf /etc/network/firewall.conf.edit

Then edit the second file (firewall.conf.edit). My example here is from a B3 + wifi. The without-wifi edition is different.

# Generated by iptables-save v1.4.8 on Tue Jan 31 19:59:56 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:52]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT
# Completed on Tue Jan 31 19:59:56 2012
# Generated by iptables-save v1.4.8 on Tue Jan 31 19:59:56 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jan 31 19:59:56 2012

Then add the line you want. The order of lines is important. Here I'll add the line after the last "INPUT ..... ACCEPT":

...
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p tcp -s [hidrive smb-share-ip-adress] -i eth0 --dport 445 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
...

Then load the firewall rules into the system:

iptables-restore -c < /etc/network/firewall.conf.edit

Now we do some tests: first and foremost test if you can log onto the box via a second SSH shell. Attention: do NOT end the shell you were in at the time.
If the SSH works, test the ports:

nmap -p 22,445 ip.of.your.b3

If you are happy with the results, formalize them:

cp /etc/network/firewall.conf.edit /etc/network/firewall.conf

Oh yes, if you accidentally bugger the firewall rules and lock yourself out, DO NOT reboot the machine via the button on the back of the B3. This actually fixes the current (incorrect) rules. Instead, pull the plug and give it a hard down. Then start up again and you are presented with the last ruleset.
matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Re: B3: How to set a firewall rule for port 445

Post by matthew »

Yes, of course this is the right way to check the rules and make them persistent. There is a helper command to be safe when changing the ruleset...

man iptables-apply

If you make your changes for example with a file, iptables "will try to apply a new ruleset" and then "prompt the user whether the changes are okay"... if you can't answer, iptables makes a rollback. So the problem of locking yourself out does not exist. Nice, isn't it?
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: B3: How to set a firewall rule for port 445

Post by Ubi »

Definitely a cool tool. I never heard of it to be honest.
But it is not a prevention of locking yourself out. This is because the firewall generally accepts established traffic, but has rules against new connections. So if you accidentally close port 22 with the new rules, the current session will not be closed, and iptables-apply will flag a success, but you WILL be locked out the next time you try to connect.
If you want to be sure you can still connect via SSH, try to connect via SSH.
matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Re: B3: How to set a firewall rule for port 445

Post by matthew »

I hadn't considered this fact, so I can underline it, too:
If you want to be sure you can still connect via SSH, try to connect via SSH.
thanks, best regards...
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: B3: How to set a firewall rule for port 445

Post by Gordon »

Ubi wrote:...then add the line you want. The order of lines is important. Here I'll add the line after the last "INPUT ..... ACCEPT"

...
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p tcp -s [hidrive smb-share-ip-adress] -i eth0 --dport 445 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
...

I think you're overlooking the fact that no internet-based service can ever (correctly) target a private address - without a NAT rule this bit of code will have no effect at all.
Ubi wrote:Oh yes, if you accidently bugger the firewall rules and lock yourself out, DO NOT reboot the machine via the button on the back of the B3. This actually fixes the current (incorrect) rules. Instead, pull the plug and give it a hard down. Then start up again and you are presented with the last ruleset.
Now that's a tip people can use! Yes, with a normal reboot as initiated by the button on the back, the rules that are current at that time are saved and will be restored on startup. To prevent this saving of the rules you need to do what you should never do - it's also a fabulous method for destroying in-memory viruses that write back their image and startup commands at shutdown.

In any case, either I'm reading this wrong or everyone else is. The object appears to me that a LAN device (a Windows 7 operated machine) should be allowed to access an internet device ('hidrive'). Maybe Oliver can enlighten us on the correct direction of this challenge and the type of problems he's confronted with?
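The two points argued above (Ubi's "order of lines is important" edit plus the "established sessions survive, new ones don't" caveat, and Gordon's point that traffic from the win7 client to hidrive never touches the INPUT chain) can be checked offline with a small rule evaluator. The following is an added example written for this thread, not Excito or B3 code; it models only the filter-table matches that appear in Ubi's ruleset, and the addresses (B3_ADDRESSES, HIDRIVE, WIN7, and the SSH client 203.0.113.99) are constructed placeholders standing in for the real ones.

```python
"""Tiny iptables-save *filter evaluator (added example, not B3 code).

Models the INPUT and FORWARD chains, their policies, and the matches
-i, -o, -p, -s, --dport, --state, --tcp-flags, --icmp-type (with '!').
All addresses are constructed placeholders (RFC 5737 / RFC 1918).
"""
import ipaddress
import shlex

B3_ADDRESSES = {"198.51.100.5", "192.168.10.1"}  # constructed: B3 WAN and LAN side
HIDRIVE = "203.0.113.10"                           # constructed stand-in for the share
WIN7 = "192.168.10.10"                             # constructed LAN client

# Constructed copy of the *filter section posted by Ubi (the *nat section is omitted).
B3_FILTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:52]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT
"""
# The rule suggested in the thread, with the constructed hidrive address filled in.
NEW_RULE = f"-A INPUT -p tcp -s {HIDRIVE} -i eth0 --dport 445 -m state --state NEW -j ACCEPT"


def parse_rule(tokens):
    """Turn one shlex-split '-A CHAIN ...' line into {chain, matches, target}."""
    rule = {"chain": tokens[1], "matches": [], "target": None}
    i, negate = 2, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
        elif tok in ("-m", "--reject-with"):  # module loader / target option: no condition
            i += 2
        elif tok == "-j":
            rule["target"], i = tokens[i + 1], i + 2
        elif tok == "--tcp-flags":            # two arguments: mask and compare set
            rule["matches"].append((tok, negate, (tokens[i + 1], tokens[i + 2])))
            negate, i = False, i + 3
        else:
            rule["matches"].append((tok, negate, tokens[i + 1]))
            negate, i = False, i + 2
    return rule


def parse_rules(text):
    """Return ({chain: policy}, [rules in file order]) from an iptables-save dump."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(shlex.split(line)))
    return policies, rules


def match_one(option, negate, value, pkt):
    """Evaluate one match option against a packet dict, honouring '!'."""
    if option == "-i":
        ok = pkt.get("in") == value
    elif option == "-o":
        ok = pkt.get("out") == value
    elif option == "-p":
        ok = pkt["proto"] == value
    elif option == "-s":
        ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(value, strict=False)
    elif option == "--dport":
        ok = pkt.get("dport") == int(value)
    elif option == "--state":
        ok = pkt["state"] in value.split(",")
    elif option == "--tcp-flags":
        mask, comp = (set(v.split(",")) - {"NONE"} for v in value)
        ok = (pkt.get("flags", set()) & mask) == comp
    elif option == "--icmp-type":
        ok = pkt.get("icmp_type") == value
    else:
        raise ValueError("unsupported match: " + option)
    return ok != negate


def verdict(policies, rules, pkt):
    """Target of the first matching rule in the chain the packet traverses, else the policy.
    Packets addressed to the B3 itself go through INPUT; packets passing through it, FORWARD."""
    chain = "INPUT" if pkt["dst"] in B3_ADDRESSES else "FORWARD"
    for rule in rules:
        if rule["chain"] == chain and all(match_one(o, n, v, pkt) for o, n, v in rule["matches"]):
            return rule["target"]
    return policies[chain]


def tcp(src, dst, dport, iface, state="NEW"):
    """TCP packet dict: a NEW connection is a bare SYN, later packets carry ACK."""
    return {"in": iface, "src": src, "dst": dst, "proto": "tcp", "dport": dport,
            "state": state, "flags": {"SYN"} if state == "NEW" else {"ACK"}}


def add_after_last_input_accept(text, rule_line):
    """Ubi's edit: insert the new line right after the last '-A INPUT ... -j ACCEPT'."""
    lines = text.splitlines()
    last = max(i for i, l in enumerate(lines) if l.startswith("-A INPUT") and l.endswith("-j ACCEPT"))
    return "\n".join(lines[:last + 1] + [rule_line] + lines[last + 1:]) + "\n"


def thread_scenarios(ruleset):
    """Verdicts for the four cases the thread argues about."""
    policies, rules = parse_rules(ruleset)
    b3_wan = "198.51.100.5"
    return {
        # win7 behind the B3 opening SMB to hidrive: passes through, so FORWARD decides
        "lan_to_hidrive_445": verdict(policies, rules, tcp(WIN7, HIDRIVE, 445, "br0")),
        # hidrive opening a connection *to* the B3: the only case the INPUT rule governs
        "hidrive_to_b3_445": verdict(policies, rules, tcp(HIDRIVE, b3_wan, 445, "eth0")),
        # an SSH session that was established before a rule change keeps flowing...
        "ssh_established_eth0": verdict(policies, rules, tcp("203.0.113.99", b3_wan, 22, "eth0", "ESTABLISHED")),
        # ...while a fresh SSH connection is judged by the NEW-connection rules alone
        "ssh_new_eth0": verdict(policies, rules, tcp("203.0.113.99", b3_wan, 22, "eth0")),
    }


if __name__ == "__main__":
    edited = add_after_last_input_accept(B3_FILTER, NEW_RULE)
    for name, before in thread_scenarios(B3_FILTER).items():
        print(f"{name:22s} before: {before:7s} after: {thread_scenarios(edited)[name]}")
```

Running it shows the LAN-to-hidrive session accepted by `-A FORWARD -i br0 -j ACCEPT` both before and after the edit, so the INPUT rule changes nothing for the original goal; the only verdict it flips is an inbound connection from the share's address to the B3. The last two cases are Ubi's caveat in miniature: the ESTABLISHED session is accepted by the RELATED,ESTABLISHED rule while a NEW connection on eth0 falls through to the DROP policy, which is exactly why a still-open SSH session tells you nothing about whether the next login will succeed.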
oliver

Re: B3: How to set a firewall rule for port 445

Post by oliver »

Gordon wrote: In any case, either I'm reading this wrong or everyone else is. The object appears to me that a LAN device (a Windows 7 operated machine) should be allowed to access an internet device ('hidrive'). Maybe Oliver can enlighten us on the correct direction of this challenge and the type of problems he's confronted with?
@all: thanks all for your postings and help. Very nice !
@Gordon: my challenge is:
- I want to connect from my win7 notebook to my external SMB-share at strato.hidrive.com
- the connection shall be done with SMB as "windows network fileshare" so that I can use this share as normal drive within my windows explorer

In the FAQ of Strato they are telling that I need to open port 445 in my firewall, otherwise it won't work. And it's true: win7 can't see the share :(

I am now looking for a way to get this working with my win7 notebook, B3 and hidrive :shock:

Can anybody advise me of a smart way? :lol:

Thanks

Oliver

btw: @gordon: enough information ?
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: B3: How to set a firewall rule for port 445

Post by Gordon »

oliver wrote:btw: @gordon: enough information ?
Yes,
I may have actually been taken a bit off-guard by the "SMB secure" statement, but more on this later.

First: the B3 is good the way it is. There's nothing you need or even can change to make this work.

On to port 445: this is in fact NetBIOS over TCP/IP, a.k.a. CIFS. It is *not* secure and is generally regarded as dangerous by many ISPs. The heart of the matter is that with many of them people would plug their Windows machine into the modem they provided and would receive a public IP straight on their computer, exposing their unshielded Windows to every hacker around. A lot has changed since then, and in almost every home you'll now see a modem that hands out private IPs, but the way ISPs look at us has not changed. They still feel like they need to protect us even though the new router-modems make the old exploits impossible. They will block access to several ports, including 25, 137-139 and 445, and they will do it in their servers and in the modems they provide you.

If you ask me it's kind of stupid of Strato not to offer a bypass on this service. All they need is a secondary port that you can redirect to and that won't be blocked by people trying to be smarter than their customers.
ryz
Posts: 183
Joined: 12 Feb 2009, 06:03

Re: B3: How to set a firewall rule for port 445

Post by ryz »

Just a dumb question: why do you not use the web admin interface to add a port forward rule for port 445 in the firewall?

This is taken from the B3 documentation:
The Port forward tells your router in B3 which computer on the LAN to send the data to. When you have set up the port forwarding rules, your router takes the data from the external IP-address:port number (for example 93.122.158.30:551, where 93.122.158.30 is the IP address and 551 is the port number) and sends that data to an internal IP-address:port number (for example 192.168.10.10:551
oliver

Re: B3: How to set a firewall rule for port 445

Post by oliver »

ryz wrote: Just a dumb question: why do you not use the web admin interface to add a port forward rule for port 445 in the firewall?
Thanks for your question. I have tried that before and it seems not to work at all :(
Gordon
Posts: 1470
Joined: 10 Aug 2011, 03:18

Re: B3: How to set a firewall rule for port 445

Post by Gordon »

oliver wrote:
ryz wrote: Just a dumb question: why do you not use the web admin interface to add a port forward rule for port 445 in the firewall?
Thanks for your question. I have tried that before and it seems not to work at all :(
Please note that if you add a port forward rule for port 445 in the B3 firewall, this is to give someone on the internet access to *your* shares. This is clearly not what is intended here, because the object is to be able to access a share that is hosted by another party (Strato).
oliver

Re: B3: How to set a firewall rule for port 445

Post by oliver »

@all: thanks so much for your very helpful comments. Will get it running and let you know the results :mrgreen:. Thanks for your continuing support.

Oliver
oliver

Re: B3: How to set a firewall rule for port 445

Post by oliver »

Gordon wrote: Please note that if you add a port forward rule for port 445 in the B3 firewall, this is to give someone on the internet access to *your* shares. This is clearly not what is intended here, because the object is to be able to access a share that is hosted by another party (Strato).
Gordon, you are right with your impression. Thanks !

Best regards

Oliver