
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-04-20  Dougal Holmes <dholmes@bigpond.net.au>
#             Corrected chains for broadcast packets
# 2001-04-19  Dougal Holmes <dholmes@bigpond.net.au>
#             Modified to work with clusters
#             Changed DENY rules to use $IPADDR and not $ANY so as to
#             allow later cluster rules to work with interface denied
#             Added broadcast rules to the DENY rules
# 2001-02-04  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Added entry for inbound TCP from netbios-ssn to unprivport.
# 2000-11-15  Edwin ten Brink <edwin@privateer.student.utwente.nl>
#             Added broadcast accept again, it mysteriously vanished
#             since the first release
# 2000-11-13  Edwin ten Brink <edwin@privateer.student.utwente.nl>
#             Fixed port 139 ignore rule (udp -> tcp)
#             Added port 445 (microsoft-ds), currently unsupported by
#             Samba.
# 2000-11-05  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Added port 139 to ignore rule.
# 2000-10-27  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Removed OUTCHAINs from IGNORE/DENY block -- we only have
#             to deny incoming packets. Also changed incoming dest-
#             ination to ANY instead of IPADDR.
# 2000-10-14  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#             These SMB rules were written by Edwin ten Brink
#             <edwin@privateer.student.utwente.nl>
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept ignore deny
#i# cluster
#n# smb
#t# hosts
#
#   |--------------------------------------------------------------------|
#d# The SMB, Netbios, and Lanman protocols are used for file sharing under
#d# MS-Windows, OS/2 and UNIX Samba servers.
#d#
#d# The accept option lets these hosts use shares, printers, etc. on your
#d# Samba server, and vice versa. USE WITH CAUTION! SMB (like NFS) is
#d# NOT a secure service! Only give SMB access to trusted hosts which you
#d# know are secure (firewalled).
#d#
#d# The ignore and deny options allow you to exclude hosts from this
#d# service. Perhaps you'd like anyone in your subnet (for example) to 
#d# have access to your SMB shares, but you'd like to exclude a few 
#d# specific hosts. They could have tried to attack this service, 
#d# shouldn't know about it, etc. Note: The deny option logs every failed
#d# packet, whereas the ignore option doesn't.
#d#
#d# Examples:
#d#   accept-eth1-smb-hosts = 206.167.0.0/16
#d#     deny-eth1-smb-hosts = 206.167.10.123 206.167.21.0/24
#d#
#d# This lets anyone in the 206.167.0.0 network connect to your SMB 
#d# service, except 206.167.10.123 and hosts in the 206.167.21.0 subnet.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Pick which chain is "in" and which is "out" for this module.  When the main
# script runs this module for a cluster member (CLUSTER_NAME non-empty) the two
# roles are swapped; presumably the cluster rules see traffic from the other
# side -- see the 2001-04-19 change note.
case "$CLUSTER_NAME" in
	'')	inchain="$INCHAIN";  outchain="$OUTCHAIN" ;;
	*)	inchain="$OUTCHAIN"; outchain="$INCHAIN"  ;;
esac

# Per-host exclusions.  Hosts listed under "ignore" or "deny" get DENY rules
# for every SMB port.  They are appended (ipchains -A) before the per-host
# ACCEPT rules further down, so an excluded host that sits inside an accepted
# subnet is still blocked.
for action in ignore deny
do
	# ignore: log only if $LOG asks for it; deny: always log (-l).
	case $action in
		ignore)	action_log_msg="$LOG_MSG"; action_log="$LOG";;
		deny)	action_log_msg="(logged)"; action_log="-l"  ;;
	esac
	# Option_Value is not defined in this module; it prints the host list
	# configured for "<action>-<interface>-smb-hosts" (see the examples in the
	# header).  Word-splitting of its output into $host is intended.
	for host in `Option_Value $action $INTOPT smb hosts`
	do
		echo "Reject/Deny $INTOPT $IPADDR SMB <- $host $action_log_msg"

		# Inbound chain only (the outbound rules were removed, see the
		# 2000-10-27 change note).  Destination is this interface's address
		# and, for the UDP name/datagram services and the TCP session service,
		# its broadcast address as well.  $action_log is deliberately left
		# unquoted: it may expand to nothing.
		ipchains -A $inchain -j DENY -p udp -s $host -d $IPADDR 137:138 $action_log	# netbios-ns, netbios-dgm
		ipchains -A $inchain -j DENY -p tcp -s $host -d $IPADDR 139     $action_log	# netbios-ssn
		ipchains -A $inchain -j DENY -p tcp -s $host -d $IPADDR 445     $action_log	# microsoft-ds
		ipchains -A $inchain -j DENY -p udp -s $host -d $BROADCAST 137:138 $action_log
		ipchains -A $inchain -j DENY -p tcp -s $host -d $BROADCAST 139     $action_log
	done
done
unset action action_log_msg action_log

# Broadcast name-service (netbios-ns) and datagram (netbios-dgm) rules.
# Emitted only when at least one accept host is configured, and never for a
# cluster member (CLUSTER_NAME set).
if [ "`Option_Value accept $INTOPT smb hosts`" ]
then
	if [ ! "$CLUSTER_NAME" ]
	then
		echo "Accept $INTOPT $IPADDR SMB <-> $BROADCAST SMB $LOG_MSG"

		# NOTE(review): the $inchain rules below match on -s $IPADDR (our own
		# address as the source) rather than -s $BROADCAST; the 2001-04-20
		# change note says this "corrected chains for broadcast packets" --
		# confirm against how the main script binds $INCHAIN/$OUTCHAIN to
		# interfaces before touching them.  $LOG is left unquoted on purpose
		# (presumably "-l" or empty).

		# Added by Jean-Sebastien Morisset <jsmoriss@mvlan.net> on January 14th, 2001
		ipchains -A $inchain  -j ACCEPT -p udp -s $IPADDR    netbios-ns   -d $BROADCAST netbios-ns $LOG
		
		# Commented by Dougal Holmes <dholmes@bigpond.net.au> 2001-04-20
		####ipchains -A $inchain  -j ACCEPT -p udp -s $BROADCAST netbios-ns -d $IPADDR  netbios-ns $LOG

		# Name-service queries we send to the broadcast address, from the
		# well-known port and from unprivileged ports.
		ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR    netbios-ns   -d $BROADCAST netbios-ns $LOG
		ipchains -A $inchain  -j ACCEPT -p udp -s $IPADDR    $UNPRIVPORTS -d $BROADCAST netbios-ns $LOG
		ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR    $UNPRIVPORTS -d $BROADCAST netbios-ns $LOG

		# Added by Jean-Sebastien Morisset <jsmoriss@mvlan.net> on January 14th, 2001
		ipchains -A $inchain  -j ACCEPT -p udp -s $IPADDR    netbios-dgm  -d $BROADCAST netbios-dgm $LOG
	
		# Commented by Dougal Holmes <dholmes@bigpond.net.au> 2001-04-20
		####ipchains -A $inchain  -j ACCEPT -p udp -s $BROADCAST netbios-dgm -d $IPADDR netbios-dgm $LOG

		# Datagram (browse) announcements we send to the broadcast address.
		ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR    netbios-dgm -d $BROADCAST netbios-dgm $LOG

		# TCP session traffic involving the broadcast address is not expected:
		# inbound is DENYed (dropped silently, apart from $LOG), outbound is
		# REJECTed so the local sender gets an error instead of a timeout.
		ipchains -A $inchain  -j DENY   -p tcp -s $BROADCAST netbios-ssn -d $IPADDR    netbios-ssn $LOG
		ipchains -A $outchain -j REJECT -p tcp -s $IPADDR    netbios-ssn -d $BROADCAST netbios-ssn $LOG
	fi
fi

# Per-host ACCEPT rules for every host listed under "accept-<interface>-smb-
# hosts".  These come after the ignore/deny rules above, so an explicit
# exclusion always wins.  $LOG, $SYNOPT and $UNPRIVPORTS are left unquoted on
# purpose: each may expand to nothing or to several words.
for host in `Option_Value accept $INTOPT smb hosts`
do
	echo "Accept $INTOPT $IPADDR SMB <-> $host SMB $LOG_MSG"

	#
	# netbios-ns
	#
	# Name-service queries from $host to our broadcast address, from the
	# well-known port and from unprivileged ports.
	ipchains -A $inchain  -j ACCEPT -p udp -s $host     netbios-ns -d $BROADCAST netbios-ns $LOG
	ipchains -A $inchain  -j ACCEPT -p udp -s $host   $UNPRIVPORTS -d $BROADCAST netbios-ns $LOG

	# $host (unprivileged port) -> our name service, and our reply.
	ipchains -A $inchain  -j ACCEPT -p udp -s $host   $UNPRIVPORTS -d $IPADDR    netbios-ns $LOG
	ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR   netbios-ns -d $host    $UNPRIVPORTS $LOG

	# Name service to name service, both directions.
	ipchains -A $inchain  -j ACCEPT -p udp -s $host     netbios-ns -d $IPADDR    netbios-ns $LOG
	ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR   netbios-ns -d $host      netbios-ns $LOG

	# Our unprivileged port -> $host's name service, and its reply.
	ipchains -A $inchain  -j ACCEPT -p udp -s $host     netbios-ns -d $IPADDR  $UNPRIVPORTS $LOG
	ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR $UNPRIVPORTS -d $host      netbios-ns $LOG

	#
	# netbios-dgm
	#
	# Datagram (browse) traffic from $host to our broadcast address.
	ipchains -A $inchain  -j ACCEPT -p udp -s $host    netbios-dgm -d $BROADCAST netbios-dgm $LOG
	ipchains -A $inchain  -j ACCEPT -p udp -s $host   $UNPRIVPORTS -d $BROADCAST netbios-dgm $LOG

	# Datagram service to datagram service, both directions.
	ipchains -A $inchain  -j ACCEPT -p udp -s $host    netbios-dgm -d $IPADDR    netbios-dgm $LOG
	ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR  netbios-dgm -d $host      netbios-dgm $LOG

	# Commented by Dougal Holmes <dholmes@bigpond.net.au> 2001-04-20
	####ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR $UNPRIVPORTS -d $host  netbios-dgm $LOG

	#
	# netbios-ssn
	#
	# Session service to session service, both directions.
	ipchains -A $inchain  -j ACCEPT -p tcp -s $host    netbios-ssn -d $IPADDR  netbios-ssn $LOG
	ipchains -A $outchain -j ACCEPT -p tcp -s $IPADDR  netbios-ssn -d $host    netbios-ssn $LOG

	# $host connects to our session service; $SYNOPT (presumably the
	# "no SYN" option) is applied to our replies only, so this pair cannot be
	# used to open a connection in the reverse direction.
	ipchains -A $inchain  -j ACCEPT -p tcp         -s $host   $UNPRIVPORTS -d $IPADDR netbios-ssn  $LOG
	ipchains -A $outchain -j ACCEPT -p tcp $SYNOPT -s $IPADDR  netbios-ssn  -d $host   $UNPRIVPORTS $LOG

	# We connect to $host's session service; same pattern, mirrored.
	ipchains -A $outchain -j ACCEPT -p tcp         -s $IPADDR $UNPRIVPORTS -d $host   netbios-ssn  $LOG
	ipchains -A $inchain  -j ACCEPT -p tcp $SYNOPT -s $host    netbios-ssn -d $IPADDR $UNPRIVPORTS $LOG

	#
	# microsoft-ds
	#
	# This new part of the protocol is not supported by Samba, so we can
	# ignore the traffic for now. This may change in the future, however.
	#
	# NOTE(review): this rule only matches a source port in $UNPRIVPORTS;
	# port 445 traffic from $host with another source port is not matched
	# here and falls through to whatever follows in $inchain -- confirm the
	# chain's default policy denies it.
	ipchains -A $inchain -j DENY -p tcp -s $host $UNPRIVPORTS -d $IPADDR 445 $LOG

done
unset host

