[Samba] opening ip chains for samba

Rodger Haynes rodger at thompsonprint.com
Fri Nov 1 14:04:01 GMT 2002


This was sent to me some time back. It should help you.
Thanks to James Hubbard.

Since you've probably enabled the firewall settings when you installed
RedHat, you're probably going to need to modify the
/etc/sysconfig/ipchains file.

This line here is probably causing you the most problems.
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT

In order to allow smb packets to be accepted you're going to need to
open up the ports.  The easiest way to do this (I believe) is to insert
these 2 lines above the line listed above.
-A input -p tcp -s 0/0 -d 0/0 137:139 -y -j ACCEPT
-A input -p udp -s 0/0 -d 0/0 137:139 -j ACCEPT
(Restart ipchains:  /etc/rc.d/init.d/ipchains restart)

I can't remember if you need the udp or not.

This also opens you up to anybody.  You'll probably want to insert
the actual ip addresses of your two other machines in there.  This could
be a problem though.
-A input -p tcp -s obi-wan-ip -d luke-ip 137:139 -y -j ACCEPT
-A input -p udp -s obi-wan-ip -d luke-ip 137:139 -j ACCEPT
...

One way to tell if you've got the smb ports locked down is to go to
http://www.grc.com from your Linux machine.
Click Shields Up.  It should tell you whether or not it can see your
windows share. After you add the lines to open up the ports, go back to
the site and try again.  It should tell you the basic stuff like
workgroup name.

You really should invest in some type of firewalling hardware/software,
preferably something that filters packets before they get to your machines.

James Hubbard



DJ Busch wrote:
  > After receiving no response to yesterday's message, I tried some more web
  > scouring and more tinkering and dinking around with Samba...and I discovered
  > what may be a major key to my problem...
  >
  > I have 3 PC's...2 are Windoze and 1 is Linux.  Windoze machines are likely to
  > understand how to share files across subnets using the same workgroup
  > name...but is Samba as adept?  I have a feeling that is at the heart of my
  > problem.
  >
  > I enabled wins support in my smb.conf and assigned the Samba box's IP address
  > as the primary wins server on the WFW box. I also set Samba to be the domain
  > master browser according to the instructions in BROWSING.txt.  All of this,
  > alas, was useless as I still couldn't browse the Win-duhs shares from Linux
  > or the Linux shares from Winduhs.  I feel that I'm getting much closer to my
  > goal (file sharing without using Windows) and would really appreciate any
  > help any of you can offer.
  >
  > Thanks in advance for any help you can provide.
  >
  > DJ Busch
  >
  > Here is my latest attempt at smb.conf:
  >
  > [global]
  > 	workgroup = LEGEND
  > 	netbios name = LUKE
  > 	server string = Dave's Linux Experiment Gone Wrong
  > 	interfaces = eth0
  > 	bind interfaces only = Yes
  > 	security = SHARE
  > 	encrypt passwords = Yes
  > 	null passwords = Yes
  > 	log file = /var/log/samba/log.%m
  > 	debug level = 5
  > 	max log size = 50
  > ;	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  > 	os level = 2
  > 	lm announce = yes
  > 	preferred master = yes
  > 	domain master = yes
  > 	dns proxy = No
  > 	wins support = yes
  > 	guest account = doodles
  > 	hosts allow = ALL
  > 	hosts deny =
  >
  > [homes]
  > 	comment = Home Directories
  > 	path = /home
  > 	read only = No
  > 	guest ok = Yes
  >
  > [printers]
  > 	comment = All Printers
  > 	path = /var/spool/samba
  > 	printable = Yes
  > 	browseable = No
  >
  > [hp]
  > 	path = /var/spool/samba
  > 	read only = No
  > 	guest ok = Yes
  > 	printable = Yes
  > 	printer name = hp
  >
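
Added example (not part of the original message, and not Samba or ipchains code): a small Python model of first-match evaluation for the rule subset quoted above, showing why the ACCEPT lines have to sit above the REJECT line and what a 0/0 source exposes compared with a host-scoped rule. The addresses, the ACCEPT default policy and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addresses: LUKE is the Samba box, OBI_WAN a LAN client, OUTSIDE a stranger.
LUKE, OBI_WAN, OUTSIDE = "192.168.1.10", "192.168.1.20", "203.0.113.7"

REJECT = "-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT"   # from the message
OPEN = "-A input -p tcp -s 0/0 -d 0/0 137:139 -y -j ACCEPT"    # from the message
SCOPED = f"-A input -p tcp -s {OBI_WAN} -d {LUKE} 137:139 -y -j ACCEPT"  # placeholders filled in

def _net(spec):
    # ipchains accepts "0/0" as shorthand for "any address"
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def parse_rule(line):
    """Parse '-A input -p P -s SRC -d DST [PORTS] [-y] -j TARGET' (this subset only)."""
    tok = line.split()
    d = tok.index("-d")
    rule = {
        "proto": tok[tok.index("-p") + 1],
        "src": _net(tok[tok.index("-s") + 1]),
        "dst": _net(tok[d + 1]),
        "ports": (0, 65535),
        "syn": "-y" in tok,                      # -y: match only TCP connection attempts
        "target": tok[tok.index("-j") + 1],
    }
    if not tok[d + 2].startswith("-"):           # optional destination port or range
        lo, _, hi = tok[d + 2].partition(":")
        rule["ports"] = (int(lo), int(hi or lo))
    return rule

def verdict(rules, proto, src, dst, dport, syn=False, policy="ACCEPT"):
    """The first matching rule decides; 'policy' (assumed ACCEPT) applies if none match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] == proto and src in r["src"] and dst in r["dst"]
                and r["ports"][0] <= dport <= r["ports"][1]
                and (not r["syn"] or syn)):
            return r["target"]
    return policy

def smb_exposure(lines):
    """Who may open a TCP connection to port 139 on LUKE under this ordered rule list?"""
    rules = [parse_rule(l) for l in lines]
    return {who: verdict(rules, "tcp", ip, LUKE, 139, syn=True)
            for who, ip in (("lan", OBI_WAN), ("outside", OUTSIDE))}

if __name__ == "__main__":
    for name, chain in (("reject only", [REJECT]), ("0/0 accept first", [OPEN, REJECT]),
                        ("accept after reject", [REJECT, OPEN]), ("scoped accept", [SCOPED, REJECT])):
        print(f"{name:20} {smb_exposure(chain)}")
```
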
