[TriLUG] Setup suggestions requested

Corey Mutter mutterc at nc.rr.com
Sat Jun 28 22:49:22 EDT 2003


If you use the "interfaces" line, don't forget to also have "lo" in that
line so Samba listens on the loopback - Samba uses the loopback to also
communicate with itself.

If you want the Samba to only be accessible to the internal network, and
you want the Web server to be accessible to the Outside, and the Web service
is the only service that needs to be accessible from the Outside, then set
iptables to block new connections from the Outside, to every port except
80 (and 443 if you are using SSL). 

Supposing your internal network was 192.168.1.0/24, this could be done
with:

# Allow Web from anywhere
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# Allow replies to our previously-sent packets, from anywhere
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow anything else from the internal network (you may want to change this!)
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# It was from outside and unauthorized, drop and log
iptables -A INPUT -i eth0 -j LOG --log-level info --log-prefix "Dropped outside pkt:"
iptables -A INPUT -i eth0 -j REJECT

with various embellishments possible...

Corey

On Fri, Jun 27, 2003 at 11:12:38AM -0400, Andrew Perrin wrote:
> Samba has an interface = line; you can use it to specify what interfaces
> you'll allow. If you'll have only one NIC (why, by the way?), presumably
> you'll be giving it two aliases? (e.g., eth0:0 and eth0:1)? If so, just
> do:
> 
> interfaces = eth0:0
> 
> if that's the one on your internal network.
> 
> Best,
> A
> 
> ----------------------------------------------------------------------
> Andrew J Perrin - http://www.unc.edu/~aperrin
> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
> 
> 
> On Fri, 27 Jun 2003, Roy Vestal wrote:
> 
> > I'm getting ready to set up a server at home. I want to share, via SAMBA,
> > a couple of drives, and at the same time use it as a webserver. I know
> > that this isn't the most ideal thing, but I only have room for one
> > server.
> >
> > My Question: How do I lock it down so that only my internal network can
> > see the SAMBA shares? I will only have one NIC. I'll be using IPTABLES
> > as well. I want to be able to ssh in from the outside as well.
> >
> > Any suggestions?
> >
> > _______________________________________________
> > TriLUG mailing list
> >     http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ:
> >     http://www.trilug.org/faq/TriLUG-faq.html
> >
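
An added example, not part of the original message: a first-match walk in Python over the INPUT rules from the reply above, to check which new connections they accept on eth0. The outside address 203.0.113.7, the default ACCEPT chain policy and the helper names are assumptions, and only the match options used in these rules are modelled.

```python
import ipaddress
import shlex

# INPUT rules from the message above, written in iptables-save style.
RULES = """\
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -j LOG --log-level info --log-prefix "Dropped outside pkt:"
-A INPUT -i eth0 -j REJECT
"""

def parse(line):
    """Map each option to its value; every option in these rules takes one value."""
    tok = shlex.split(line)
    return {tok[i].lstrip("-"): tok[i + 1] for i in range(0, len(tok) - 1, 2)}

def matches(rule, pkt):
    """True when every match option present in the rule agrees with the packet."""
    if rule.get("i", pkt["iface"]) != pkt["iface"]:
        return False
    if "p" in rule and rule["p"] != pkt["proto"]:
        return False
    if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"].split(","):
        return False
    if "s" in rule:
        net = ipaddress.ip_network(rule["s"])
        return ipaddress.ip_address(pkt["src"]) in net
    return True

def verdict(pkt, rules=RULES, policy="ACCEPT"):
    """Return (target, logged). LOG is non-terminating, so the walk continues."""
    logged = False
    for rule in map(parse, rules.strip().splitlines()):
        if not matches(rule, pkt):
            continue
        if rule["j"] == "LOG":
            logged = True
            continue
        return rule["j"], logged
    return policy, logged  # no rule matched (e.g. traffic on lo): chain policy

def pkt(src, dport, state="NEW", proto="tcp", iface="eth0"):
    """Build a constructed sample packet for the walk."""
    return {"src": src, "dport": dport, "state": state, "proto": proto, "iface": iface}
```

With these rules a new connection from outside to port 445 or port 22 ends at REJECT after being logged, while the same ports from 192.168.1.0/24 are accepted; traffic on lo matches no rule and falls through to the chain policy.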
