[Firehol-support] Prevent routing of Microsoft Networking

Daniel L. Miller dmiller at amfes.com
Tue Nov 15 17:45:50 GMT 2005 

Redeeman wrote:

>are you sure you have the needed iptables support in your kernel?
>  
>
Output of lsmod | grep 'ip'
ipv6                  266400  8
ip_nat_ftp              3232  0
ip_conntrack_ftp        8016  1 ip_nat_ftp
ip_nat_irc              2464  0
ip_conntrack_irc        6576  1 ip_nat_irc
ipt_REJECT              5696  12
ipt_limit               2176  34
ipt_state               1696  249
ipt_ULOG                8036  141
iptable_nat             7812  1
ip_nat                 19316  3 ip_nat_ftp,ip_nat_irc,iptable_nat
iptable_filter          2784  1
ip_tables              20096  6 
ipt_REJECT,ipt_limit,ipt_state,ipt_ULOG,iptable_nat,iptable_filter
ip_conntrack           54640  7 
ip_nat_ftp,ip_conntrack_ftp,ip_nat_irc,ip_conntrack_irc,ipt_state,iptable_nat,ip_nat
nfnetlink               6392  2 ip_nat,ip_conntrack

>On Mon, 2005-11-14 at 18:29 -0800, Daniel L. Miller wrote:
>  
>
>>I'm trying to prevent my Samba servers and Windoze clients from 
>>advertising on the Internet.  Some of the netbios services are being 
>>processed fine, others are giving me errors during firehol compilation.  
>>At the moment, I get the following:
>>
>>foxy:/var/log/ulog# firehol try
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 1.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A in_lan2x_netbios_ns_s4 -p udp 
>>--sport 1024:65535 --dport 137 -m state --state NEW\,ESTABLISHED -j 
>>REJECT --reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 2.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A out_lan2x_netbios_ns_s4 -p udp 
>>--sport 137 --dport 1024:65535 -m state --state ESTABLISHED -j REJECT 
>>--reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 3.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A in_lan2x_netbios_ns_s4 -p udp 
>>--sport 137 --dport 137 -m state --state NEW\,ESTABLISHED -j REJECT 
>>--reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 4.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A out_lan2x_netbios_ns_s4 -p udp 
>>--sport 137 --dport 137 -m state --state ESTABLISHED -j REJECT 
>>--reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 5.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A in_lan2x_netbios_dgm_s5 -p udp 
>>--sport 1024:65535 --dport 138 -m state --state NEW\,ESTABLISHED -j 
>>REJECT --reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 6.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A out_lan2x_netbios_dgm_s5 -p udp 
>>--sport 138 --dport 1024:65535 -m state --state ESTABLISHED -j REJECT 
>>--reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 7.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A in_lan2x_netbios_dgm_s5 -p udp 
>>--sport 138 --dport 138 -m state --state NEW\,ESTABLISHED -j REJECT 
>>--reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>
>>
>>--------------------------------------------------------------------------------
>>ERROR   : # 8.
>>WHAT    : A runtime command failed to execute (returned error 1).
>>SOURCE  : line 85 of /etc/firehol/firehol.conf
>>COMMAND : /sbin/iptables -t filter -A out_lan2x_netbios_dgm_s5 -p udp 
>>--sport 138 --dport 138 -m state --state ESTABLISHED -j REJECT 
>>--reject-with tcp-reset
>>OUTPUT  :
>>
>>iptables: Invalid argument
>>
>>Stopped: Couldn't activate new firewall.
>>
>>FireHOL: Restoring old firewall: OK
>>
>>
>>The area generating this is:
>>router lan2x inface "${LAN_IF}" outface "${EXT_X_IF}" src "${LAN_LAN}" 
>>dst not "${UNROUTABLE_IPS}"
>>        route "microsoft_ds netbios_ssn rdp" reject with tcp-reset
>>        route "netbios_ns netbios_dgm" reject with tcp-reset
>>        route all accept log "lan2x"
>>
>>-- 
>>Daniel
>>    
>>
-- 

Daniel

More information about the Firehol-support mailing list