Tuesday, May 23, 2006

Streamlining Iptables for FTP and SMB/CIFS Traffic

There is an article at nixCraft on Connecting a Linux or UNIX system to Network attached storage device. The article itself is a good one, except for the part about iptables firewall rules to permit FTP and SMB/CIFS traffic between the Linux client and NAS. The errors are common misconceptions, so I thought I'd mention them, and show the standard iptables usage.

First, iptables, along with all modern firewalling systems, is a stateful firewall. That means it will record the "state" of new network connections, and allow future packets that are related to or part of an established connection to traverse the firewall rules. While iptables can be used as a simple packet filter, it is usually not, since using it in this way results in more complex, less secure firewall rulesets. See the resources at the end of the post for more details.

Anyway, the article in question says this:

Please note that when configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and therefore should be permitted through the firewall. It is prudent to block incoming packets on the high order ports except for established connections.

This is actually information from the Securing Samba Howto. It is misleading, in that if you are using a stateful firewall, you don't need to allow return traffic on high ports. It will be allowed by a properly configured stateful ruleset.

Next, the list of ports the authors recommend opening is too broad. For FTP and Samba/CIFS, the following ports are used:

TCP 21 - FTP control
TCP 20 - FTP data
TCP 135, 139, 445 - smbd
UDP 137, 138 - nmbd

We don't care about the FTP data connection (TCP 20), since it will be handled by iptables' FTP connection helper. The UDP ports 137 and 138 are used for domain browsing, and are not needed for mounting remote SMB shares. Of the three TCP ports, 445 is used by the smbmount(8) command, with a fallback to port 139 if 445 is not available.

In the network diagram given in the article, there is a Linux client with a (presumably) host-based firewall, directly connected to a NAS box. The iptables rules given for FTP and SMB/CIFS communication between the two boxes have a lot of unnecessary cruft in them, including the TCP high ports. Most host-based firewalls allow all outbound traffic, so you can simply do this:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT

This will allow all outbound traffic from the Linux host itself, and statefully allow other outbound traffic as needed. The use of an unqualified state "NEW" here allows all but invalid packets. In fact, the INPUT chain, which is hit by packets coming into the Linux host directly (including replies to our outbound traffic), can be safely closed off to all but established or related packets in this instance:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

Just remember that you have blocked all (state NEW) inbound traffic here, so don't do this remotely!

If you want to filter outbound traffic explicitly by port, the following OUTPUT chain rules will allow FTP and SMB/CIFS mounts from the Linux host to the NAS box (I assume you have the IP address of the NAS box in the shell variable $NAS). It doesn't make sense to specify a source address here, since the OUTPUT chain is only hit by packets leaving the local host:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d $NAS --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $NAS -m multiport --destination-port 139,445 -m state --state NEW -j ACCEPT

One note: don't forget to set the default chain policies to "DROP" anytime you use iptables:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Finally, if you have a modular kernel (as in any Debian-based installation), you will have to load the FTP connection helper somewhere near the top of your firewall script:

/sbin/modprobe ip_conntrack_ftp
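Putting the pieces above together as one host-firewall script (an added example, not code from this post or the nixCraft article): it assumes the NAS address is in $NAS, that it runs as root on a modular kernel, and it adds a loopback accept that the post does not discuss. Setting IPT="echo iptables" prints the rules instead of loading them, which is handy for checking a ruleset before locking yourself out.

```shell
#!/bin/sh
# Host firewall for a Linux client that mounts FTP and SMB/CIFS shares from a NAS.
# Added example, not code from the original post or the nixCraft article.
# Assumes: the NAS address is in $NAS, the script runs as root, and a modular
# kernel. Set IPT="echo iptables" to print the rules instead of loading them.

IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
NAS=${NAS:-192.0.2.10}   # constructed placeholder address; replace with the real NAS

load_helpers() {
    # The FTP helper marks data connections as RELATED to the control channel,
    # so TCP 20 (and passive-mode high ports) never need their own rules.
    "$MODPROBE" ip_conntrack_ftp
}

apply_rules() {
    # Default-deny on every chain before anything else is loaded.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F

    # Loopback accept (assumption: not discussed in the post, but local
    # services break without it under a DROP policy).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to our own connections, plus anything a conntrack helper flags
    # as RELATED. No comma-space here: "ESTABLISHED, RELATED" would be split
    # into two separate arguments by the shell.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the NEW outbound connections a NAS mount actually needs.
    $IPT -A OUTPUT -p tcp -d "$NAS" --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$NAS" -m multiport --destination-port 139,445 \
        -m state --state NEW -j ACCEPT

    # Explicit final drop so rejected inbound packets show up in this rule's counters.
    $IPT -A INPUT -j DROP
}

# Only touch the live firewall when invoked as: ./nas-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    load_helpers
    apply_rules
fi
```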
Related links:

Linux Iptables Firewall Scripts, TCP/IP and Linux Network Security with Iptables, Using Samba as a File Server, PDC or Domain Client, Accessing Windows Shares From a GNU/Linux Desktop, Iptables tutorial
