[TUTORIAL] Firewall rules for a Samba AD DC

ph0x

Jul 5, 2020
I finally managed to fully enable the firewall (Input+Output DROP) on all of my VMs, including a Samba AD DC and a Samba File Server.
Since the firewall macro "SMB" is not sufficient in this case, and because I didn't find an answer in the forums, here are the necessary directives:

Samba AD DC
Code:
OUT NTP(ACCEPT) -log nolog # External NTP sync
OUT ACCEPT -dest +domain_members -p udp -sport 137:138 -log nolog # NetBIOS Broadcast
OUT ACCEPT -dest +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Answer
GROUP dns_apt_ssh_ntp # My standard VM firewall group: DNS out, Web (Apt-Mirror) out, NTP out, SSH in
IN ACCEPT -source +user_networks -p udp -dport 53 -log nolog # DNS
IN ACCEPT -source +user_networks -p tcp -dport 53 -log nolog # DNS
IN ACCEPT -source +domain_members -p udp -dport 88 -log nolog # Kerberos
IN ACCEPT -source +domain_members -p tcp -dport 88 -log nolog # Kerberos
IN ACCEPT -source +user_networks -p udp -dport 123 -log nolog # NTP
IN ACCEPT -source +domain_members -p tcp -dport 135 -log nolog # RPC Locator
IN ACCEPT -source +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Request
IN ACCEPT -source +domain_members -p tcp -dport 139 -log nolog # NetBIOS Session
IN ACCEPT -source +user_networks -p udp -dport 389 -log nolog # LDAP
IN ACCEPT -source +user_networks -p tcp -dport 389 -log nolog # LDAP
IN ACCEPT -source +domain_members -p tcp -dport 445 -log nolog # SMB over TCP
IN ACCEPT -source +domain_members -p udp -dport 464 -log nolog # Kerberos password
IN ACCEPT -source +domain_members -p tcp -dport 464 -log nolog # Kerberos password
IN ACCEPT -source +user_networks -p tcp -dport 636 -log nolog # LDAPS
IN ACCEPT -source +domain_members -p tcp -dport 3268 -log nolog # Global Catalog
IN ACCEPT -source +domain_members -p tcp -dport 3269 -log nolog # Global Catalog SSL
IN ACCEPT -source +domain_members -p udp -dport 49152:65535 -sport 137 -log nolog # Dynamic RPC

Samba Fileserver
Code:
GROUP dns_apt_ssh_ntp -i net0 # My standard VM firewall group: DNS out, Web (Apt-Mirror) out, NTP out, SSH in
GROUP domain_members -i net0 # Necessary rules for all domain members, plus the following:
IN ACCEPT -i net0 -source +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Request
IN ACCEPT -i net0 -source +domain_members -p tcp -dport 139 -log nolog # NetBIOS Session
IN ACCEPT -i net0 -source +domain_members -p tcp -dport 445 -log nolog # SMB over TCP
IN ACCEPT -i net0 -source +domain_members -p tcp -dport 49152:65535 -sport 137 -log nolog # Dynamic RPC
IN Ceph(ACCEPT) -i net1 -source +vlan_ceph_p -log nolog # Samba shares are hosted on CephFS, therefore these last two rules
OUT Ceph(ACCEPT) -i net1 -dest +vlan_ceph_p -log nolog

Used groups
Code:
[group domain_members] # Traffic for Samba Domain Members

IN ACCEPT -source +domain_members -p udp -sport 137:138 -log nolog # NetBIOS Request
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 53 -log nolog # DNS
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 53 -log nolog # DNS
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 88 -log nolog # Kerberos
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 88 -log nolog # Kerberos
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 123 -log nolog # NTP
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 135 -log nolog # RPC Locator
OUT ACCEPT -dest +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Answer
OUT ACCEPT -dest +domain_members -p udp -sport 137:138 -log nolog # NetBIOS Broadcast
OUT ACCEPT -dest +domain_members -p tcp -dport 139 -log nolog # NetBIOS Session
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 389 -log nolog # LDAP
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 389 -log nolog # LDAP
OUT ACCEPT -dest +domain_members -p tcp -dport 445 -log nolog # SMB over TCP
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 464 -log nolog # Kerberos password
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 464 -log nolog # Kerberos password
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 636 -log nolog # LDAPS
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 3268 -log nolog # Global Catalog
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 3269 -log nolog # Global Catalog SSL
OUT ACCEPT -dest +domain_members -p tcp -dport 49152:65535 -sport 137 -log nolog # Dynamic RPC


[group dns_apt_ssh_ntp] # Standard management tasks

OUT NTP(ACCEPT) -dest +ntp_servers -log nolog
OUT DNS(ACCEPT) -dest +dns_servers -log nolog
OUT Web(ACCEPT) -dest +apt_mirror -log nolog
IN SSH(ACCEPT) -source +admin_devices -log nolog

Used IP-Sets
Code:
[IPSET domain_members] # Members of the Samba Windows domain

172.16.10.xx # Machine 1
172.16.10.xy # Machine 2
172.16.10.yz # Host 3
172.16.10.255 # Broadcast VLAN 10, this is relevant for NetBIOS lookups
172.16.20.xx # Host 4
172.16.20.xy # Host 5
172.16.20.xz # Machine 6
172.16.20.255 # Broadcast VLAN 20, see above
172.16.20.yy # DC1
172.16.20.yz # Samba-Server


[IPSET user_networks] # VLANs with potential subscribers (LDAP, LDAPS, NTP, DNS)

172.16.10.0/24 # VLAN 10
172.16.20.0/24 # VLAN 20


[IPSET samba_ad_dc] # Domain Controller

172.16.20.yy # DC1


[IPSET dns_servers] # DNS servers

172.16.10.1 # Router
172.16.20.1 # Router
172.16.20.yy # DC1


[IPSET apt_mirror] # APT-Mirror

172.16.20.ab


[IPSET admin_devices] # Hosts with administrative tasks

172.16.10.abc # Desktop
172.16.10.def # Laptop
172.16.10.ghi # Ansible-VM

Hopefully someone can profit from the work!


Best regards
Marco
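A rule set like the one above is normally audited by eye. The following Python script is an added example, not code from the original post or from Proxmox or Samba: it parses Proxmox VE firewall rule lines (the `IN|OUT ACTION -option value` syntax used above) and compares the DC's `IN ACCEPT` rules against the ports the Samba wiki lists for an AD DC. The sample input is the DC section from the post, copied in verbatim; the required-port table is Samba's documented list, with the TCP 49152-65535 entry being Samba's default `rpc server dynamic port range`. Macro rules such as `NTP(ACCEPT)` are recognised by name but not expanded, and `GROUP` references are skipped, so only the raw rules of the VM itself are checked; both are deliberate limitations of this example.

```python
"""Check a Proxmox VE firewall rule set for a Samba AD DC against the ports Samba
documents for a DC. Added example; not code from the original forum post."""
import re

# Ports a Samba AD DC must accept, per the Samba wiki "Samba AD DC Port Usage".
# TCP 49152-65535 is Samba's default 'rpc server dynamic port range'.
SAMBA_DC_PORTS = [
    ("udp", 53, 53, "DNS"), ("tcp", 53, 53, "DNS"),
    ("udp", 88, 88, "Kerberos"), ("tcp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "NTP"), ("tcp", 135, 135, "End Point Mapper"),
    ("udp", 137, 137, "NetBIOS Name Service"), ("udp", 138, 138, "NetBIOS Datagram"),
    ("tcp", 139, 139, "NetBIOS Session"),
    ("udp", 389, 389, "LDAP / CLDAP"), ("tcp", 389, 389, "LDAP"),
    ("tcp", 445, 445, "SMB over TCP"),
    ("udp", 464, 464, "Kerberos kpasswd"), ("tcp", 464, 464, "Kerberos kpasswd"),
    ("tcp", 636, 636, "LDAPS"),
    ("tcp", 3268, 3268, "Global Catalog"), ("tcp", 3269, 3269, "Global Catalog SSL"),
    ("tcp", 49152, 65535, "Dynamic RPC"),
]

# Sample input: the Samba AD DC rule set from the post, copied verbatim.
DC_RULES = """\
OUT NTP(ACCEPT) -log nolog # External NTP sync
OUT ACCEPT -dest +domain_members -p udp -sport 137:138 -log nolog # NetBIOS Broadcast
OUT ACCEPT -dest +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Answer
GROUP dns_apt_ssh_ntp # My standard VM firewall group
IN ACCEPT -source +user_networks -p udp -dport 53 -log nolog # DNS
IN ACCEPT -source +user_networks -p tcp -dport 53 -log nolog # DNS
IN ACCEPT -source +domain_members -p udp -dport 88 -log nolog # Kerberos
IN ACCEPT -source +domain_members -p tcp -dport 88 -log nolog # Kerberos
IN ACCEPT -source +user_networks -p udp -dport 123 -log nolog # NTP
IN ACCEPT -source +domain_members -p tcp -dport 135 -log nolog # RPC Locator
IN ACCEPT -source +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Request
IN ACCEPT -source +domain_members -p tcp -dport 139 -log nolog # NetBIOS Session
IN ACCEPT -source +user_networks -p udp -dport 389 -log nolog # LDAP
IN ACCEPT -source +user_networks -p tcp -dport 389 -log nolog # LDAP
IN ACCEPT -source +domain_members -p tcp -dport 445 -log nolog # SMB over TCP
IN ACCEPT -source +domain_members -p udp -dport 464 -log nolog # Kerberos password
IN ACCEPT -source +domain_members -p tcp -dport 464 -log nolog # Kerberos password
IN ACCEPT -source +user_networks -p tcp -dport 636 -log nolog # LDAPS
IN ACCEPT -source +domain_members -p tcp -dport 3268 -log nolog # Global Catalog
IN ACCEPT -source +domain_members -p tcp -dport 3269 -log nolog # Global Catalog SSL
IN ACCEPT -source +domain_members -p udp -dport 49152:65535 -sport 137 -log nolog # Dynamic RPC
"""

OPT_RE = re.compile(r"-([\w-]+)\s+(\S+)")      # "-dport 137:138" -> ("dport", "137:138")
MACRO_RE = re.compile(r"^(\w+)\((\w+)\)$")      # "NTP(ACCEPT)"    -> ("NTP", "ACCEPT")


def parse_ports(spec):
    """Expand Proxmox port syntax: '137:138,445' -> [(137, 138), (445, 445)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rules(text):
    """Yield (direction, action, macro, options) per enabled rule line. GROUP references
    and rules disabled with a leading '|' are skipped; macros are named, not expanded."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("|") or line.startswith("GROUP"):
            continue
        direction, action, rest = (line.split(None, 2) + ["", ""])[:3]
        m = MACRO_RE.match(action)
        macro, action = (m.group(1), m.group(2)) if m else (None, action)
        yield direction, action, macro, dict(OPT_RE.findall(rest))


def check_dc_rules(text):
    """Return (missing, restricted): SAMBA_DC_PORTS entries that no IN ACCEPT rule admits,
    and IN ACCEPT rules carrying a -sport constraint. The latter are not counted as
    coverage: a DCE/RPC client referred by the endpoint mapper reaches the dynamic
    range from an ephemeral source port, so a rule pinned to -sport 137 never matches it."""
    admitted = {"tcp": set(), "udp": set()}
    restricted = []
    for direction, action, macro, opts in parse_rules(text):
        if direction != "IN" or action != "ACCEPT" or macro:
            continue
        if "sport" in opts:
            restricted.append((opts.get("p", "any"), opts.get("dport", "any"), opts["sport"]))
            continue
        for proto in ([opts["p"]] if "p" in opts else list(admitted)):
            if proto not in admitted:            # e.g. icmp: irrelevant here
                continue
            if "dport" not in opts:              # no -dport: the whole protocol is open
                admitted[proto].update(range(1, 65536))
            else:
                for lo, hi in parse_ports(opts["dport"]):
                    admitted[proto].update(range(lo, hi + 1))
    missing = [e for e in SAMBA_DC_PORTS
               if not all(p in admitted[e[0]] for p in range(e[1], e[2] + 1))]
    return missing, restricted


if __name__ == "__main__":
    missing, restricted = check_dc_rules(DC_RULES)
    for proto, lo, hi, name in missing:
        print(f"no IN ACCEPT rule admits {proto} {lo}:{hi} ({name})")
    for proto, dport, sport in restricted:
        print(f"IN {proto} dport {dport} only matches source port {sport}")
```

Run on the posted DC rules, the check reports one gap: TCP 49152:65535. The rule labelled "Dynamic RPC" matches UDP with source port 137, i.e. NetBIOS name-service replies, which the Proxmox firewall already admits as part of an established flow through its conntrack rules; the same `-sport 137` constraint sits on the TCP variant in the file-server and group sections. A DCE/RPC client that asks the endpoint mapper on TCP 135 for a service then connects to the dynamic range from an ephemeral source port, so neither form of the rule admits that connection. Whether the gap matters depends on the deployment: much client traffic (NETLOGON, SAMR, LSARPC) runs over named pipes on 445, while DC-to-DC replication and some RSAT/MMC tooling use the dynamic range. A rule of the form `IN ACCEPT -source +domain_members -p tcp -dport 49152:65535` closes it; if you narrow `rpc server dynamic port range` in smb.conf, narrow the rule to match.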