
Iptables for blocking cifs through vpn

Discussion in 'Tomato Firmware' started by Gromit, Apr 11, 2012.

  1. Gromit

    Gromit Networkin' Nut Member

    Hello,

    I'm just discovering Tomato ... which seems to be great!
    I'm running a vpn client fine and I tried the cifs features. But, although samba binds br0, i.e. the local interface, I'd like to be sure that any samba traffic goes through the vpn connection.

    Could iptables rules like these ensure that for me?

    iptables -I FORWARD -o tun0 -p tcp -m multiport --ports 135,137,138,139,445 -j DROP
    iptables -I FORWARD -o tun0 -p udp -m multiport --ports 135,137,138,139,445 -j DROP

    and perhaps the same thing with:
    iptables -I OUTPUT -o vlan2

    as vlan2 seems to be the output interface.

    Thanks a lot for your ideas or advice!
    Best regards
     
  2. rs232

    rs232 Network Guru Member

    How about using hosts allow / hosts deny in the samba configuration?
     
  3. Gromit

    Gromit Networkin' Nut Member

    Hi rs232,

    Yes, I put in smb.conf:
    interfaces = br0 172.16.1.1
    # (172.16.1.1 = ip of the lan interface of the router)
    bind interfaces only = true
    hosts allow = 127.0.0.1 192.168.1.100
    # (the local interface is connected to the wan interface of a gateway/proxy, 192.168.1.100)
    hosts deny = ALL

    But I fear the possibility of ip spoofing... and there is no possibility to use layer 2 mac addresses with samba!

    Indeed, my vpn provider told me to use these iptables rules:

    iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
    iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
    iptables -I INPUT -i tap0 -j REJECT
    iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

    And the first one worries me, as all traffic coming in on br0 is forwarded to "exit" via tap0.
    That's why I was looking for a way to restrict the forwarded traffic which gets out via tun0 (the rules I wrote in my 1st post).

    But perhaps another way is dropping incoming traffic on vlan2 for these ports, like this?
    iptables -I INPUT -i vlan2 -p tcp -m multiport --dports 135,137,138,139,445 -j DROP

    I'm quite confused; the only thing I know is that I don't want to send cifs shares to my vpn provider...

    Thanks.
     
  4. Gromit

    Gromit Networkin' Nut Member

    I'm really stupid ...
    Working on vlan2 is stupid .... It's inside the vpn that I want to drop packets!
     
  5. Gromit

    Gromit Networkin' Nut Member

    Hi,

    Ok, I understood the "good" iptables rule.
    Thanks.
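The thread settles on dropping the CIFS/NetBIOS ports on the tunnel interface itself. The script below is an added example, not code from the thread, from Tomato or from the VPN provider. It generates the four DROP rules (FORWARD for LAN clients, OUTPUT for the router's own samba daemon, tcp and udp) for a tunnel interface passed as an argument, since the thread uses both tun0 and tap0, and it goes a step beyond the posts: it audits `iptables -S` output to report which of the four rules are missing and to confirm that the DROP rule sits above the provider's broad `-i br0 -o <tun> -j ACCEPT` rule, because a DROP inserted below that ACCEPT is never reached. The LAN bridge br0 and the port list are taken from the thread; the sample ruleset is constructed for the offline check.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato/the VPN provider.
# Assumptions: the tunnel interface name is given as an argument (the thread
# uses both tun0 and tap0), the LAN bridge is br0, and the port list is the
# one quoted in the thread. Needs only sh, grep and awk.

CIFS_PORTS="135,137,138,139,445"

# Print the iptables commands that keep SMB/CIFS and NetBIOS traffic out of
# the tunnel, one per line. FORWARD covers LAN clients the router would route
# into the tunnel; OUTPUT covers the router's own samba daemon. Inserting at
# position 1 keeps the DROP rules above a broad
# "-A FORWARD -i br0 -o <tun> -j ACCEPT" rule, whichever was added first.
cifs_block_rules() {
    tun="$1"
    for proto in tcp udp; do
        echo "iptables -I FORWARD 1 -o $tun -p $proto -m multiport --dports $CIFS_PORTS -j DROP"
        echo "iptables -I OUTPUT 1 -o $tun -p $proto -m multiport --dports $CIFS_PORTS -j DROP"
    done
}

# Read "iptables -S" output on stdin and succeed if the DROP rule for the
# given chain/tunnel/protocol is present.
has_cifs_drop() {
    chain="$1"; tun="$2"; proto="$3"
    grep -q -- "^-A $chain -o $tun -p $proto -m multiport --dports $CIFS_PORTS -j DROP"
}

# Read "iptables -S" output on stdin and print every chain/protocol pair that
# still lacks its DROP rule (prints nothing when the set is complete).
missing_cifs_rules() {
    tun="$1"; ruleset="$(cat)"
    for chain in FORWARD OUTPUT; do
        for proto in tcp udp; do
            printf '%s\n' "$ruleset" | has_cifs_drop "$chain" "$tun" "$proto" \
                || echo "$chain/$proto"
        done
    done
}

# Read "iptables -S" output on stdin and succeed only if, within the chain,
# the first CIFS DROP rule comes before the first "-i br0 -o <tun> -j ACCEPT"
# rule (or no such ACCEPT exists). A DROP placed below that ACCEPT is dead.
drop_precedes_accept() {
    chain="$1"; tun="$2"
    awk -v c="$chain" -v t="$tun" -v p="$CIFS_PORTS" '
        $1 == "-A" && $2 == c {
            n++
            if (!d && index($0, "-o " t " ") && index($0, "--dports " p) && index($0, "-j DROP")) d = n
            if (!a && index($0, "-i br0 -o " t " -j ACCEPT")) a = n
        }
        END { exit !(d && (!a || d < a)) }'
}

# Constructed sample of "iptables -S" output for the offline check: only the
# FORWARD/tcp DROP rule is in place, but it is correctly above the ACCEPT.
SAMPLE_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o tun0 -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o br0 -j ACCEPT'

# Usage: ./cifs_block.sh show [tun0]   -> print the rules
#        ./cifs_block.sh apply [tun0]  -> run them (needs root on the router)
#        ./cifs_block.sh check [tun0]  -> list missing rules in the live ruleset
case "${1:-show}" in
    show)  cifs_block_rules "${2:-tun0}" ;;
    apply) cifs_block_rules "${2:-tun0}" | sh ;;
    check) iptables -S | missing_cifs_rules "${2:-tun0}" ;;
esac
```

Note that multiport's destination option is `--dports` (or `--destination-ports`); `--dport` with a comma-separated list is taken by the tcp match and rejected as an invalid port. On Tomato, put the `apply` commands in the firewall script so they are re-added whenever the firewall is rebuilt, and run `check` afterwards to confirm nothing else inserted itself above them.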
     
