Block samba for client using iptables?


enrysan0

Occasional Visitor
I just want to block access to the samba service on the router for a client with a given IP address.
I tried this, but it's not working:

Code:
iptables -I INPUT -s ipaddress -p udp --dport 445 -j DROP
iptables -I INPUT -s ipaddress -p udp --dport 137 -j DROP
iptables -I INPUT -s ipaddress -p udp --dport 138 -j DROP
iptables -I INPUT -s ipaddress -p udp --dport 139 -j DROP
iptables -I INPUT -s ipaddress -p tcp --dport 445 -j DROP
iptables -I INPUT -s ipaddress -p tcp --dport 137 -j DROP
iptables -I INPUT -s ipaddress -p tcp --dport 138 -j DROP
iptables -I INPUT -s ipaddress -p tcp --dport 139 -j DROP
iptables -I OUTPUT -d ipaddress -p udp --dport 445 -j DROP
iptables -I OUTPUT -d ipaddress -p udp --dport 137 -j DROP
iptables -I OUTPUT -d ipaddress -p udp --dport 138 -j DROP
iptables -I OUTPUT -d ipaddress -p udp --dport 139 -j DROP
iptables -I OUTPUT -d ipaddress -p tcp --dport 445 -j DROP
iptables -I OUTPUT -d ipaddress -p tcp --dport 137 -j DROP
iptables -I OUTPUT -d ipaddress -p tcp --dport 138 -j DROP
iptables -I OUTPUT -d ipaddress -p tcp --dport 139 -j DROP

any suggestions? thanks
 
Thanks

I followed your suggestion and put this line in /jffs/configs/smb.conf.add

Code:
hosts deny = ipaddress

where ipaddress is the IP to block, in the form xxx.xxx.xxx.xxx

Restarted the samba service.
(Do you know how to restart smb from the command line over SSH?)

The line is correctly appended to the auto-generated smb.conf file,

but the same as with the iptables commands, the client can connect/browse/open files in the samba shares.

The only thing both the iptables commands and the modded smb.conf achieve is to make the samba share non-discoverable on scan. But if the client was already configured to access samba, it can still connect, however.

I don't know what is wrong.

Here are my iptables rules:
Code:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N PControls
-N dropkids
-N logaccept
-N logdrop
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m set --match-set BlockedCountries src -j DROP
-A INPUT -m set --match-set TorNodes src -j DROP
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i tun11 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 192.168.150.102/32 -i br0 -o eth0 -j DROP
-A FORWARD -s 192.168.150.135/32 -i br0 -o eth0 -j DROP
-A FORWARD -s 192.168.150.115/32 -i br0 -o eth0 -j DROP
-A FORWARD -m time --timestart 00:00:00 --timestop 05:00:00 --weekdays Sun -j dropkids
-A FORWARD -m time --timestart 23:00:00 --timestop 23:59:59 --weekdays Sun -j dropkids
-A FORWARD -m time --timestart 00:00:00 --timestop 05:00:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j dropkids
-A FORWARD -m time --timestart 23:30:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j dropkids
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -i tun11 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -p icmp -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d 192.168.150.135/32 -p udp -m udp --dport 51547 -j ACCEPT
-A PControls -j ACCEPT
-A dropkids -d 192.168.1.108/32 -j DROP
-A dropkids -s 192.168.1.108/32 -j DROP
-A dropkids -d 192.168.1.104/32 -j DROP
-A dropkids -s 192.168.1.104/32 -j DROP
-A dropkids -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP
-A dropkids -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP

NAT:
Code:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DNSFILTER
-N LOCALSRV
-N VSERVER
-N VUPNP
-A PREROUTING -p tcp -m tcp --dport 1194 -j ACCEPT
-A PREROUTING -d 192.168.1.64/32 -j VSERVER
-A PREROUTING -s 192.168.150.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.150.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A POSTROUTING -s 192.168.150.0/24 -o tun11 -j MASQUERADE
-A POSTROUTING ! -s 192.168.1.64/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.150.0/24 -d 192.168.150.0/24 -o br0 -j MASQUERADE
-A DNSFILTER -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to-destination xxx.xxx.xxx.xxx
-A DNSFILTER -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to-destination xxx.xxx.xxx.xxx
-A DNSFILTER -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to-destination xxx.xxx.xxx.xxx
-A DNSFILTER -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to-destination 192.168.150.1
-A DNSFILTER -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to-destination 208.67.222.222
-A DNSFILTER -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to-destination 208.67.222.222
-A DNSFILTER -j DNAT --to-destination 192.168.150.1
-A VSERVER -j VUPNP

Mangle (used for selecting routing to the VPN):
Code:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i br0 -m iprange --src-range 192.168.150.102-192.168.150.102 -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.150.135-192.168.150.135 -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.150.115-192.168.150.115 -j MARK --set-xmark 0xa/0xffffffff
-A FORWARD -s 192.168.150.0/24 -d 192.168.150.0/24 -o br0 -m state --state NEW -j MARK --set-xmark 0x1/0x7
-A FORWARD -p udp -m state --state NEW -j MARK --set-xmark 0x1/0x7

Thanks and Merry Christmas!
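As an added example (not code from this thread or from the router firmware), here is a POSIX sh snippet that generates, applies and verifies a per-client SMB block with multiport rules, inserted with -I so it lands ahead of the "RELATED,ESTABLISHED" and "-i br0 --state NEW" ACCEPT rules visible in the INPUT dump above. It assumes br0 is the LAN bridge, root, a constructed sample address 192.168.150.50, and that on Asuswrt-Merlin it would be called from /jffs/scripts/firewall-start so the rules survive a firewall restart.

```shell
#!/bin/sh
# Added example, not code from the thread or the router firmware.
# Blocks one LAN client from the router's own Samba service:
#   TCP 139 (NetBIOS session), TCP 445 (SMB), UDP 137/138 (NetBIOS name/datagram).
# Assumptions: LAN bridge is br0, runs as root, and on Asuswrt-Merlin it is
# called from /jffs/scripts/firewall-start, because rules typed at the shell
# are gone after the next firewall restart.

LAN_IF="br0"

# Print one rule spec per line. Kept separate from applying them so the rules
# can be reviewed (or tested) without touching the live firewall.
smb_block_specs() {
    client="$1"
    echo "-i $LAN_IF -s $client -p tcp -m multiport --dports 139,445 -j DROP"
    echo "-i $LAN_IF -s $client -p udp -m multiport --dports 137,138 -j DROP"
    # No OUTPUT rules: once the request is dropped the router never replies.
    # (An OUTPUT rule with --dport 445 could never match anyway; replies carry
    # the client's ephemeral port as destination.)
}

# Install the rules with -I so they sit at the top of INPUT, ahead of the
# "RELATED,ESTABLISHED" and "-i br0 --state NEW" ACCEPT rules; -A would land
# after those and never match. Being first also cuts already-open sessions.
# iptables -C returns 0 when an identical rule exists, so re-runs add nothing.
smb_block_apply() {
    smb_block_specs "$1" | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting $spec is intended
        iptables -C INPUT $spec 2>/dev/null || iptables -I INPUT $spec
    done
    smb_block_active "$1"
}

# Return 0 only if every rule for the client is present in INPUT.
smb_block_active() {
    smb_block_specs "$1" | while read -r spec; do
        iptables -C INPUT $spec 2>/dev/null || exit 1
    done
}

# Number of rule specs generated for a client (sanity check).
smb_block_rule_count() {
    smb_block_specs "$1" | wc -l | tr -d ' '
}

# If the client has no DHCP reservation, match -m mac --mac-source instead of
# -s, as the dropkids chain in the dump does.
# Usage (constructed sample address): smb_block_apply 192.168.150.50
```

Run smb_block_active with the client address after a firewall restart to confirm the rules came back; a non-zero exit means they were lost.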