filtering SMB ?
Jeff Waller
jeffw@141monkeys.org
Fri, 12 Oct 2001 18:32:09 -0400 (EDT)
>
> I have a case where two networks wish to allow SMB file
> sharing in just one direction. The textbook example is:
>
> [ Accounting ] ---->|---- [ Engineering ]
> 192.168.100.x 192.168.200.x
>
> 1) If the firewall is a 2.4.12 Linux machine running netfilter, what
> rules are required to permit this access?
>
> 2) If "Accounting" is using NAT when they pass through the firewall,
We have a similar situation (2 private networks). Though under our
setup, information is free to pass both ways and hence your situation is
likely to complicate matters beyond what I have experience with, one
thing I'd like to mention is that a sure way to cause problems with
Windows name resolution/sharing is to use NAT. Like us, I don't see any
reason for you to have NAT in place between the 2 networks other than
easing routing issues.
As a starting point, you might try something like
iptables -A FORWARD --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
assuming eth0 corresponds to the accounting net and eth1 is the Engineering
net.
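The three rules above forward every protocol from Accounting to Engineering, not just SMB. The following script is an added example, not part of Jeff's reply: it generates a FORWARD ruleset narrowed to the SMB/NetBIOS ports (UDP 137/138, TCP 139/445) so only Accounting can open sessions and Engineering's replies return through conntrack. Interface names eth0/eth1 follow the thread and are assumptions; the script only prints the commands so they can be reviewed before being piped to sh on the firewall.

```shell
#!/bin/sh
# Emit iptables FORWARD rules for one-way SMB file sharing.
# $1 = interface of the network allowed to initiate (Accounting, eth0)
# $2 = interface of the network that may only answer (Engineering, eth1)
# Nothing is applied here; review the output, then: smb_oneway_rules eth0 eth1 | sh
smb_oneway_rules() {
    src_if=$1
    dst_if=$2

    # Packets belonging to a connection conntrack already knows about pass in
    # either direction. This must be the first rule, or Engineering's replies
    # would hit the REJECT below.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # New SMB traffic, Accounting -> Engineering only:
    # UDP 137 (NetBIOS name service) and 138 (NetBIOS datagram service)
    for p in 137 138; do
        echo "iptables -A FORWARD -i $src_if -o $dst_if -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    # TCP 139 (NetBIOS session) and 445 (direct-hosted SMB, Windows 2000 and later)
    for p in 139 445; do
        echo "iptables -A FORWARD -i $src_if -o $dst_if -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Anything else between the two networks is refused, in both directions,
    # so Engineering can never open a session toward Accounting.
    echo "iptables -A FORWARD -i $src_if -o $dst_if -j REJECT"
    echo "iptables -A FORWARD -i $dst_if -o $src_if -j REJECT"
}

# Sanity check: number of generated rules that would let $2 initiate anything
# toward $1. For a correct one-way ruleset this is 0.
reverse_accept_count() {
    smb_oneway_rules "$1" "$2" | grep -c -- "-i $2 -o $1 .*-j ACCEPT" || true
}
```

NetBIOS browse-list broadcasts do not cross a router regardless of these rules, so Engineering shares must be reachable by name through WINS or lmhosts entries rather than by browsing.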