Why can I access files with Samba from my Windows after making iptables ALL DROP

I set up iptables following the instructions here. I thought I wouldn't be able to connect from Windows to the shared directory in Garuda Linux with Samba, which was already installed in Garuda, because I hadn't added any rules to iptables allowing Samba to work. But I could.

It confused me. So I decided to test whether iptables works. I changed all policies to DROP.

$ sudo iptables --flush
$ sudo iptables -P INPUT DROP
$ sudo iptables -P OUTPUT DROP
$ sudo iptables -P FORWARD DROP

$ sudo iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 14 packets, 1114 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain TCP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain UDP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

But I can still access the files in the shared directory from Windows. I can even create new files, edit, save and delete them.

What happened? Is there any bypass?

1 Like

Sorry SGS for stealing your line :grinning:
Read the Garuda Linux wiki pages "Reporting bugs" (how and where to report bugs) and "How to search for solutions the right way" (find out what steps to take in order to find a solution to a problem), please, and post

inxi -Fxxxza

as text!

Even if you personally think it is unnecessary.

1 Like

Is this a bug?

System:    Kernel: 5.11.16-zen1-1-zen x86_64 bits: 64 compiler: gcc v: 10.2.0 
parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen root=UUID=2f0e4133-dd23-4545-92f0-082ddf7a35b3 rw 
rootflags=subvol=@ quiet splash rd.udev.log_priority=3 vt.global_cursor_default=0 
systemd.unified_cgroup_hierarchy=1 loglevel=3 
Desktop: KDE Plasma 5.21.4 tk: Qt 5.15.2 info: latte-dock wm: kwin_x11 vt: 2 dm: SDDM Distro: Garuda Linux 
base: Arch Linux 
Machine:   Type: Laptop System: Dell product: Inspiron 15-3567 v: N/A serial: <filter> Chassis: type: 9 serial: <filter> 
Mobo: Dell model: 033HWX v: A00 serial: <filter> UEFI: Dell v: 2.9.0 date: 01/17/2019 
Battery:   ID-1: BAT0 charge: 39.4 Wh (100.0%) condition: 39.4/41.4 Wh (95.0%) volts: 16.7 min: 14.8 model: SMP DELL GR43778 
type: Li-ion serial: <filter> status: Full 
CPU:       Info: Dual Core model: Intel Core i3-7020U bits: 64 type: MT MCP arch: Amber/Kaby Lake note: check family: 6 
model-id: 8E (142) stepping: 9 microcode: DE cache: L2: 3 MiB 
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx bogomips: 18399 
Speed: 2300 MHz min/max: 400/2300 MHz Core speeds (MHz): 1: 2300 2: 2300 3: 2300 4: 2300 
Vulnerabilities: Type: itlb_multihit status: KVM: VMX disabled 
Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable 
Type: mds mitigation: Clear CPU buffers; SMT vulnerable 
Type: meltdown mitigation: PTI 
Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl and seccomp 
Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization 
Type: spectre_v2 mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling 
Type: srbds mitigation: Microcode 
Type: tsx_async_abort status: Not affected 
Graphics:  Device-1: Intel vendor: Dell driver: i915 v: kernel bus-ID: 00:02.0 chip-ID: 8086:5921 class-ID: 0300 
Device-2: Realtek Integrated_Webcam_HD type: USB driver: uvcvideo bus-ID: 1-5:2 chip-ID: 0bda:5769 class-ID: 0e02 
serial: <filter> 
Display: x11 server: X.Org 1.20.11 compositor: kwin_x11 driver: loaded: intel unloaded: modesetting 
alternate: fbdev,vesa display-ID: :0 screens: 1 
Screen-1: 0 s-res: 3286x1080 s-dpi: 96 s-size: 868x285mm (34.2x11.2") s-diag: 914mm (36") 
Monitor-1: eDP1 res: 1366x768 hz: 60 dpi: 102 size: 340x190mm (13.4x7.5") diag: 389mm (15.3") 
Monitor-2: HDMI1 res: 1920x1080 hz: 60 dpi: 92 size: 530x300mm (20.9x11.8") diag: 609mm (24") 
OpenGL: renderer: Mesa Intel HD Graphics 620 (KBL GT2F) v: 4.6 Mesa 21.0.3 direct render: Yes
Audio:     Device-1: Intel Sunrise Point-LP HD Audio vendor: Dell driver: snd_hda_intel v: kernel alternate: snd_soc_skl
bus-ID: 00:1f.3 chip-ID: 8086:9d71 class-ID: 0403
Sound Server-1: ALSA v: k5.11.16-zen1-1-zen running: yes
Sound Server-2: JACK v: 0.125.0 running: no
Sound Server-3: PulseAudio v: 14.2 running: yes
Sound Server-4: PipeWire v: 0.3.26 running: no
Network:   Device-1: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter vendor: Dell driver: ath10k_pci v: kernel
port: f040 bus-ID: 01:00.0 chip-ID: 168c:0042 class-ID: 0280
IF: wlp1s0 state: down mac: <filter>
Device-2: Realtek RTL810xE PCI Express Fast Ethernet vendor: Dell driver: r8169 v: kernel port: e000
bus-ID: 02:00.0 chip-ID: 10ec:8136 class-ID: 0200
IF: enp2s0 state: up speed: 100 Mbps duplex: full mac: <filter>
Bluetooth: Device-1: Qualcomm Atheros type: USB driver: btusb v: 0.8 bus-ID: 1-8:4 chip-ID: 0cf3:e009 class-ID: e001
Report: bt-adapter ID: hci0 rfk-id: 0 state: up address: <filter>
Drives:    Local Storage: total: 119.24 GiB used: 17.89 GiB (15.0%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/sda maj-min: 8:0 vendor: SK Hynix model: SC311 SATA 128GB size: 119.24 GiB block-size: physical: 4096 B
logical: 512 B speed: 6.0 Gb/s rotation: SSD serial: <filter> rev: 0P10 scheme: GPT
Partition: ID-1: / raw-size: 118.99 GiB size: 118.99 GiB (100.00%) used: 17.89 GiB (15.0%) fs: btrfs dev: /dev/sda2
maj-min: 8:2
ID-2: /boot/efi raw-size: 256 MiB size: 252 MiB (98.46%) used: 546 KiB (0.2%) fs: vfat dev: /dev/sda1 maj-min: 8:1
ID-3: /home raw-size: 118.99 GiB size: 118.99 GiB (100.00%) used: 17.89 GiB (15.0%) fs: btrfs dev: /dev/sda2
maj-min: 8:2
ID-4: /var/log raw-size: 118.99 GiB size: 118.99 GiB (100.00%) used: 17.89 GiB (15.0%) fs: btrfs dev: /dev/sda2
maj-min: 8:2
ID-5: /var/tmp raw-size: 118.99 GiB size: 118.99 GiB (100.00%) used: 17.89 GiB (15.0%) fs: btrfs dev: /dev/sda2
maj-min: 8:2
Swap:      Kernel: swappiness: 10 (default 60) cache-pressure: 75 (default 100)
ID-1: swap-1 type: zram size: 948.3 MiB used: 0 KiB (0.0%) priority: 32767 dev: /dev/zram0
ID-2: swap-2 type: zram size: 948.3 MiB used: 0 KiB (0.0%) priority: 32767 dev: /dev/zram1
ID-3: swap-3 type: zram size: 948.3 MiB used: 0 KiB (0.0%) priority: 32767 dev: /dev/zram2
ID-4: swap-4 type: zram size: 948.3 MiB used: 0 KiB (0.0%) priority: 32767 dev: /dev/zram3
Sensors:   System Temperatures: cpu: 41.0 C mobo: 41.0 C
Fan Speeds (RPM): cpu: 0
Info:      Processes: 216 Uptime: 1h 38m wakeups: 29 Memory: 3.7 GiB used: 2.09 GiB (56.5%) Init: systemd v: 248
tool: systemctl Compilers: gcc: 10.2.0 clang: 11.1.0 Packages: pacman: 1598 lib: 463 Shell: fish v: 3.2.1
running-in: konsole inxi: 3.3.04

It might be

2 Likes

All DROP iptables blocks ping from Windows. So I can't understand why samba can still communicate with win. I'm not sure whose bug this is, garuda's or samba's.

I think you may have some leftover user chain, try as root or sudo:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -X

If you will not use smb/nmb you can disable it instead. As you may already know, if it is just a case of blocking incoming smb requests, you may find ufw easier to understand than iptables.

2 Likes

Also, iptables only operates on IPv4 chains; ip6tables is for IPv6.

Other than ufw, firewalld also works well (and abstracts away IPv4 vs IPv6 differences).

3 Likes
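Both suggestions above (leftover user chains, and iptables covering only IPv4) can be checked in one pass. This is an added example, not code from the thread: it parses listings in the format printed by `iptables -S` and `ip6tables -S`. The sample listings are constructed, and the IPv6 one is an assumed untouched table, since the thread shows no ip6tables output.

```shell
#!/usr/bin/env bash
# Added example: audit default policies for IPv4 and IPv6 from `-S` listings.

# Print the default policy of chain $1 from a `-S` listing on stdin.
chain_policy() {
    awk -v c="$1" '
        $1 == "-P" && $2 == c { print $3; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# Print the user-defined chains (-N lines) from a `-S` listing on stdin.
user_chains() {
    awk '$1 == "-N" { s = s (s ? " " : "") $2 } END { print s }'
}

# Print the address families whose INPUT policy is not DROP, or "none".
# $1 = IPv4 listing, $2 = IPv6 listing
open_families() {
    local out=""
    [ "$(printf '%s\n' "$1" | chain_policy INPUT)" = "DROP" ] || out="ipv4"
    [ "$(printf '%s\n' "$2" | chain_policy INPUT)" = "DROP" ] || out="${out:+$out }ipv6"
    printf '%s\n' "${out:-none}"
}

# Constructed sample: IPv4 state as shown in the question (all DROP, TCP/UDP chains left).
SAMPLE_V4='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N TCP
-N UDP'

# Constructed sample (assumption): an IPv6 table nobody has touched.
SAMPLE_V6='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

echo "families with INPUT not DROP: $(open_families "$SAMPLE_V4" "$SAMPLE_V6")"
echo "leftover IPv4 user chains:    $(printf '%s\n' "$SAMPLE_V4" | user_chains)"

# On a live system, as root, feed the real listings instead of the samples:
#   open_families "$(iptables -S)" "$(ip6tables -S)"
```
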

Thanks for the advice, guys. I succeeded in controlling the Samba connection using ufw. Here are the steps I tried.

(root or sudo)
ufw enable
ufw default DENY       # samba is disconnected here
ufw allow 137:138/udp
ufw allow 139,445/tcp  # samba reconnects here

I ran iptables -nL after this and it shows a lot of lines. iptables is more complicated than I had expected. Maybe the settings I made were not enough.

My first purpose was to make my Garuda more secure. So I started to set up iptables following the Arch wiki, and I wanted to check if my settings worked. Samba was the only software that accepted connections from outside Garuda at the time. That's why I used it.

I don't wanna block samba, but just wanna test iptables to ensure my garuda gets secure. I'm gonna use ufw to set up security settings.

Anyway, thanks guys!

@perewa I tried that but the connection was still maintained. I understood samba uses a secret way to connect with windows like avoiding iptables policy lol. (I know ufw just wraps iptables' commands. But this issue goes beyond my understanding!)
