Stephen Satchell | 1 May 2003 09:10

Re: Re: blocking netbios traffic using iptables

At 04:37 AM 5/1/03 +0000, atul garg wrote:
>I have tried blocking 137:139 tcp/udp ports.
>but it doesn't seem to work..
>
>im trying the rules
>
>iptables -A OUTPUT -o eth0 -p tcp --dport 137:139 -j DROP
>iptables -A OUTPUT -o eth0 -p udp --dport 137:139 -j DROP
>
>actually I am running a win2k virtual machine inside a linux box..
>and all i want is that vm shouldn't be able to locate other windows
>machines on the network by their name.

Consider adding these rules:

iptables -A INPUT -i eth0 -p tcp --dport 137:139 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 137:139 -j DROP

Also, does the virtual machine use its own network access?  Then you could 
be looking at a forwarding situation, where the W2K emulator talks through 
its own set of ports, so from the viewpoint of IPTABLES you have an 
"outside" system forwarding through the box.  If so, add these rules:

iptables -A FORWARD -i eth0 -p tcp --dport 137:139 -j DROP
iptables -A FORWARD -i eth0 -p udp --dport 137:139 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 137:139 -j DROP
iptables -A FORWARD -o eth0 -p udp --dport 137:139 -j DROP

Alternatively, see what network ports are active in your box 
(/sbin/ifconfig) and add rules as appropriate.

--
X -> unknown; Spurt -> drip of water under pressure
Expert -> X-Spurt -> Unknown drip under pressure.

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
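Added example, not part of the original thread: a small POSIX shell script that generates the INPUT, OUTPUT and FORWARD rules discussed above for a given interface, lints each rule before running it, and supports a dry run. The function names, the DRY_RUN variable and the use of eth0 are assumptions made here. The tcp/udp match takes a port range as `--dport LOW:HIGH`; the plural `--dports` is an option of `-m multiport` and is rejected by iptables as an unknown option when that match is not loaded, which is the mistake the lint catches.

```shell
#!/bin/sh
# Added example (not from the thread): build the NetBIOS block rules as
# functions so they can be inspected before touching the firewall.
# Assumes a Linux host with iptables; with DRY_RUN=1 nothing is executed.

# netbios_rules IFACE
# Prints one iptables command per line for tcp and udp on ports 137-139,
# covering the host's own traffic (INPUT/OUTPUT) and a bridged VM that
# talks through the host (FORWARD in both directions).
netbios_rules() {
    iface="$1"
    for proto in tcp udp; do
        echo "iptables -A INPUT -i $iface -p $proto --dport 137:139 -j DROP"
        echo "iptables -A OUTPUT -o $iface -p $proto --dport 137:139 -j DROP"
        echo "iptables -A FORWARD -i $iface -p $proto --dport 137:139 -j DROP"
        echo "iptables -A FORWARD -o $iface -p $proto --dport 137:139 -j DROP"
    done
}

# lint_rule RULE
# Returns 0 when the port option matches the loaded match module, and 1
# when --dports/--sports appear without "-m multiport" (iptables would
# reject that with "unknown option").
lint_rule() {
    case "$1" in
        *"-m multiport"*) return 0 ;;
        *--dports*|*--sports*) return 1 ;;
        *) return 0 ;;
    esac
}

# apply_rules IFACE
# Lints every generated rule, then runs it, or only prints it when
# DRY_RUN=1. Stops at the first rule that fails the lint.
apply_rules() {
    rules=$(netbios_rules "$1")
    while IFS= read -r rule; do
        if ! lint_rule "$rule"; then
            echo "bad rule: $rule" >&2
            return 1
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$rule"
        else
            $rule
        fi
    done <<EOF
$rules
EOF
}

# Demo: show what would be installed for eth0 without changing anything.
DRY_RUN=1 apply_rules eth0
```

Run it as root without DRY_RUN to install the rules, then check the packet counters with `iptables -L -v -n` to confirm the rules are actually being hit. Note that these rules cover only the port range from the thread; Windows 2000 can also reach file shares directly over TCP port 445 and resolve names through DNS, so blocking 137-139 alone stops NetBIOS name lookups but not every path to other Windows machines.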
