[Samba] firewall

Justin Georgeson jgeorgeson at unboundtech.com
Sun Nov 3 06:07:01 GMT 2002


No change, interestingly enough, iptables says --cport is unknown 
without -m, and I don't see mention of what -m does in the man page. I 
have version 1.2.6a-2 of iptables, packaged by RedHat. Looking at 
tcpdump, the netbios-ns reply packets from the server are being dropped 
by my firewall. Having discovered that, I've found that I can mount a 
file share by IP with my current rules. I just can't do netbios-ns or 
netbios-dgm. Here are the full results of iptables-save:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
-A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
COMMIT

How can I allow the reply packets, since they're addressed to a randomly 
selected port?

James Hubbard wrote:

> This depends on how restrictive your firewall rules are but why don't
> you just use this:
>
> -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
> -A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
>
> I'm not sure what the -m stands for.  You'll need to change eth0 to
> match your internal ethernet card.  Make sure you insert this before the
> reject rules.
>
> James Hubbard
>
> Justin Georgeson wrote:
>
> > Ok, so I know from `netstat --ip -lnp` that the only ports smbd and nmbd
> > are using are TCP 139, and UDP 137 and 138. I find it a little odd
> > though that nmbd is bound to both 0.0.0.0 AND my primary interface. My
> > problem is that I can't access shares on a windows machine unless I turn
> > off my firewall. I'm using RH 8 and the 2.2.6-2 RPMs from the web page
> > (working fine so far, barring this firewall thing). I have these rules
> > added in iptables
> >
> > -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
> > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
> >
> > tcpdump shows ports TCP 139 and UDP 137 being accessed when I run
> > findsmb. But nothing is listed when I do. If I turn off my firewall, the
> > other machine on the LAN, my windows box, is listed. What am I missing?
> >
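The reply problem in the post above is a stateless-filter problem: `findsmb`/`nmblookup` sends its name query from an ephemeral UDP port (unless run with `-r`, which binds port 137), so the reply from the Windows box arrives with source port 137 and a random destination port, matches none of the `--dport 137:139` rules, and falls through to `-p udp -j REJECT`. The iptables 1.2.x answer is the connection-tracking state match, `-m state --state ESTABLISHED,RELATED -j ACCEPT`, inserted ahead of the REJECT rules (needs the ip_conntrack module; newer iptables spells it `-m conntrack --ctstate`). The `-m` flag itself loads a match extension, which is why `--dport` is only available once the tcp/udp match is loaded (iptables does that implicitly for `-p tcp`/`-p udp`). The following script is an added example, not code from the thread: it parses the posted INPUT chain as an iptables-save fragment and walks constructed packets through it to show the rejection and the fix. The addresses 192.168.1.10/192.168.1.20, the ephemeral port 32769, the interface name eth0 and the conntrack states attached to each sample packet are assumptions.

```python
"""Toy evaluator for the INPUT chain from the post (added example)."""
import ipaddress
import shlex

# The poster's INPUT chain, -A lines only, as printed by iptables-save.
ORIGINAL_RULES = """
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
-A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
"""

# Same chain with one stateful rule inserted before the REJECTs: accept any
# packet that connection tracking ties to a flow this host already started.
FIXED_RULES = ORIGINAL_RULES.replace(
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT\n"
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
)


def _net(spec):
    """Parse an -s/-d argument; iptables-save prints 'any' as 0/0."""
    if spec in ("0/0", "0.0.0.0/0"):
        return None
    return ipaddress.ip_network(spec, strict=False)


def _port_range(spec):
    """'137' -> (137, 137); '137:139' -> (137, 139)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rules(text):
    """Parse the subset of iptables-save syntax used in the chain above."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        rule = {"syn": False}
        i = 0
        while i < len(argv):
            opt = argv[i]
            arg = argv[i + 1] if i + 1 < len(argv) else None
            if opt == "--syn":            # flag, takes no argument
                rule["syn"] = True
                i += 1
                continue
            if opt == "-A": rule["chain"] = arg
            elif opt == "-p": rule["proto"] = arg
            elif opt == "-m": pass         # match extension name; its options follow
            elif opt == "-s": rule["src"] = _net(arg)
            elif opt == "-d": rule["dst"] = _net(arg)
            elif opt == "-i": rule["iface"] = arg
            elif opt == "--sport": rule["sport"] = _port_range(arg)
            elif opt == "--dport": rule["dport"] = _port_range(arg)
            elif opt == "--state": rule["state"] = set(arg.split(","))
            elif opt == "-j": rule["target"] = arg
            else: raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True when every clause of the rule matches the packet (a dict)."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    for key in ("src", "dst"):
        net = rule.get(key)
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    if "iface" in rule and pkt["iface"] != rule["iface"]:
        return False
    for key in ("sport", "dport"):
        if key in rule and not (rule[key][0] <= pkt[key] <= rule[key][1]):
            return False
    if rule["syn"] and not pkt.get("syn", False):
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule decides; the chain policy applies if none does."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def evaluate(ruleset_text, pkt):
    return verdict(parse_rules(ruleset_text), pkt)


# Constructed packets.  nmblookup on this host (192.168.1.10) queried the
# Windows box from ephemeral port 32769; conntrack marks the reply ESTABLISHED.
NBNS_REPLY = dict(proto="udp", src="192.168.1.20", dst="192.168.1.10",
                  sport=137, dport=32769, iface="eth0", state="ESTABLISHED")
# Unsolicited UDP from the LAN to the same random port: conntrack says NEW.
STRAY_UDP = dict(NBNS_REPLY, sport=4444, state="NEW")
# A normal SMB connection attempt from the LAN, covered by the existing rules.
SMB_SYN = dict(proto="tcp", src="192.168.1.20", dst="192.168.1.10", sport=1025,
               dport=139, iface="eth0", syn=True, state="NEW")

if __name__ == "__main__":
    for name, pkt in (("netbios-ns reply", NBNS_REPLY), ("stray udp", STRAY_UDP),
                      ("smb syn", SMB_SYN)):
        print(f"{name:17} original={evaluate(ORIGINAL_RULES, pkt):7} "
              f"fixed={evaluate(FIXED_RULES, pkt)}")
```

The walk shows the reply hitting the final `-p udp -j REJECT` under the original chain and the inserted state rule under the fixed one, while a NEW packet to the same random port is still rejected, which is the property a stateful rule buys over opening a port range. Note that broadcast name queries on the LAN go from port 137 to port 137 and were already covered by the `--dport 137:139` rule; only the unicast lookups from an ephemeral port were failing.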