[Samba] firewall

Hesham S. Ahmed zlinux2002 at yahoo.com
Sun Nov 3 08:26:01 GMT 2002


Try adding the following rule before deny:

/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Replace eth0 with your interface. This would let your firewall accept any pre-established connections, required for most cases where replies are sent to random ports.

--- Justin Georgeson <jgeorgeson at unboundtech.com>
wrote:
> No change, interestingly enough, iptables says --cport is unknown without -m, and I don't see mention of what -m does in the man page. I have version 1.2.6a-2 of iptables, packaged by RedHat. Looking at tcpdump, the netbios-ns reply packets from the server are being dropped by my firewall. Having discovered that, I've found that I can mount a file share by IP with my current rules. I just can't do netbios-ns or netbios-dgm. Here are the full results of iptables-save:
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
> -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
> -A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --syn -j REJECT
> -A INPUT -p udp -m udp -j REJECT
> COMMIT
> 
> How can I allow the reply packets, since they're addressed to a randomly selected port?
> 
> James Hubbard wrote:
> 
> > This depends on how restrictive your firewall rules are but why don't you just use this:
> >
> > -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
> > -A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
> >
> > I'm not sure what the -m stands for.  You'll need to change eth0 to match your internal ethernet card.  Make sure you insert this before the reject rules.
> >
> > James Hubbard
> >
> > Justin Georgeson wrote:
> >
> > > Ok, so I know from `netstat --ip -lnp` that the only ports smbd and nmbd are using are TCP 139, and UDP 137 and 138. I find it a little odd though that nmbd is bound to both 0.0.0.0 AND my primary interface. My problem is that I can't access shares on a windows machine unless I turn off my firewall. I'm using RH 8 and the 2.2.6-2 RPMs from the web page (working fine so far, barring this firewall thing). I have these rules added in iptables:
> > >
> > > -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
> > > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> > > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
> > >
> > > tcpdump shows ports TCP 139 and UDP 137 being accessed when I run findsmb. But nothing is listed when I do. If I turn off my firewall, the other machine on the LAN, my windows box, is listed. What am I missing?
> > >
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the instructions:
> http://lists.samba.org/mailman/listinfo/samba


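Worked example added here, not part of the thread: the ruleset Justin posted, the same ruleset with the stateful ACCEPT that Hesham suggests placed at the top of INPUT, and a check that the stateful rule actually precedes the first REJECT. The point the thread turns on is ordering. `-A` appends, so a stateful rule added after `-A INPUT -p udp -m udp -j REJECT` is never reached, and the netbios-ns reply (server port 137 to the client's ephemeral port) keeps dying at the REJECT. The interface name eth0 and the LAN 192.168.1.0/24 are taken from the thread; the function names are this example's own. The script only generates and inspects iptables-restore text, so it runs without root and without touching the live firewall.

```shell
#!/bin/sh
# Added example (not code from the thread): show the posted ruleset, the
# corrected one, and check the ordering of the stateful ACCEPT rule.
# Assumes eth0 is the LAN-facing interface, as in the thread.

# The ruleset quoted in the thread, exactly as iptables-save printed it.
original_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
-A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# Same rules with the stateful ACCEPT as the first INPUT rule.  A UDP name
# query leaving the box creates a conntrack entry (client:ephemeral ->
# server:137); the reply (server:137 -> client:ephemeral) matches that entry
# and is ESTABLISHED, so it is accepted before the catch-all REJECT sees it.
# On a live box the equivalent is: iptables -I INPUT 1 -i eth0 -m state ...
fixed_ruleset() {
    original_ruleset | awk '
        /^:OUTPUT/ {
            print
            print "-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
            next
        }
        { print }'
}

# check_order RULESET_TEXT
# Exit 0 if the first INPUT rule matching ESTABLISHED,RELATED comes before
# the first INPUT REJECT/DROP rule, exit 1 if it is missing or comes later.
check_order() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /--state ESTABLISHED,RELATED/ && !state { state = NR }
        /^-A INPUT / && /-j (REJECT|DROP)/ && !deny { deny = NR }
        END { exit !(state && (!deny || state < deny)) }'
}

# Usage: report both rulesets.
for name in original fixed; do
    if check_order "$("${name}_ruleset")"; then
        echo "$name: stateful ACCEPT precedes the REJECT rules"
    else
        echo "$name: stateful ACCEPT missing or placed after a REJECT"
    fi
done
```

Two caveats for anyone reusing this. First, `-m state --state` is the spelling of the day; current iptables prefers `-m conntrack --ctstate ESTABLISHED,RELATED`, which behaves the same here. Second, ESTABLISHED only covers replies whose source matches the query's destination. A name query sent to the subnet broadcast (what findsmb does) gets its reply from a unicast server address, which does not match the conntrack entry and so is neither ESTABLISHED nor RELATED; later kernels address that with the nf_conntrack_netbios_ns helper, which marks such replies RELATED. The stateful rule opens no listening ports: it only admits packets belonging to flows conntrack already saw leave the host.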


