[Samba] firewall

Justin Georgeson jgeorgeson at unboundtech.com
Sun Nov 3 09:05:01 GMT 2002


Hrm, no change. :( Would that need the ip_conntrack module loaded? It 
didn't have any change whether the module was loaded or not. Ultimately 
this isn't too big a deal, I'll never be doing SMB over the internet, 
and I don't have any multiple-subnet LANs anywhere, so I can just 
disable the firewall when I need SMB.

Hesham S. Ahmed wrote:

> Try adding the following rule before deny
>
> /sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> replace eth0 with your interface. This would let your
> firewall accept any pre-established connections,
> required for most cases where replies are sent to
> random ports.
>
> --- Justin Georgeson wrote:
>
> >No change, interestingly enough, iptables says --cport is unknown
> >without -m, and I don't see mention of what -m does in the man page. I
> >have version 1.2.6a-2 of iptables, packaged by RedHat. Looking at
> >tcpdump, the netbios-ns reply packets from the server are being dropped
> >by my firewall. Having discovered that, I've found that I can mount a
> >file share by IP with my current rules. I just can't do netbios-ns or
> >netbios-dgm. Here are the full results of iptables-save
> >
> >*filter
> >:INPUT ACCEPT [0:0]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> >-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
> >-A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
> >-A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
> >-A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
> >-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
> >-A INPUT -i lo -j ACCEPT
> >-A INPUT -p tcp -m tcp --syn -j REJECT
> >-A INPUT -p udp -m udp -j REJECT
> >COMMIT
> >
> >How can I allow the reply packets, since they're addressed to a randomly
> >selected port?
> >
> >James Hubbard wrote:
> >
> >>This depends on how restrictive your firewall rules are but why don't
> >>you just use this:
> >>
> >>-A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
> >>-A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
> >>
> >>I'm not sure what the -m stands for.  You'll need to change eth0 to
> >>match your internal ethernet card.  Make sure you insert this before the
> >>reject rules.
> >>
> >>James Hubbard
> >>
> >>Justin Georgeson wrote:
> >>
> >>>Ok, so I know from `netstat --ip -lnp` that the only ports smbd and nmbd
> >>>are using are TCP 139, and UDP 137 and 138. I find it a little odd
> >>>though that nmbd is bound to both 0.0.0.0 AND my primary interface. My
> >>>problem is that I can't access shares on a windows machine unless I turn
> >>>off my firewall. I'm using RH 8 and the 2.2.6-2 RPMs from the web page
> >>>(working fine so far, barring this firewall thing). I have these rules
> >>>added in iptables
> >>>
> >>>-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
> >>>-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> >>>-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
> >>>
> >>>tcpdump shows ports TCP 139 and UDP 137 being accessed when I run
> >>>findsmb. But nothing is listed when I do. If I turn off my firewall, the
> >>>other machine on the LAN, my windows box, is listed. What am I missing?
> >


-- 
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main   713.329.9330
Fax    713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)
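The reply packets asked about in the thread come back to an ephemeral port, so nothing in the quoted ruleset matches them before `-A INPUT -p udp -m udp -j REJECT`. The following is an added example, not code from the thread: a small Python model of iptables first-match evaluation over the quoted INPUT chain. It also shows that, because `-A` appends, the suggested state rule only helps if it lands ahead of the REJECT rules (for instance with `iptables -I`). The reply packet, its ephemeral port and its conntrack state are constructed.

```python
import ipaddress

# Constructed model of the INPUT chain from the iptables-save output quoted in the thread.
# A chain is evaluated top to bottom; the first matching rule decides, else the policy applies.
BASE_RULES = [
    {"proto": "tcp", "dport": (22, 22), "syn": True, "target": "ACCEPT"},
    {"proto": "tcp", "src": "192.168.1.0/24", "dport": (137, 139), "syn": True, "target": "ACCEPT"},
    {"proto": "udp", "sport": (67, 68), "dport": (67, 68), "target": "ACCEPT"},
    {"proto": "udp", "src": "66.150.129.229", "sport": (53, 53), "target": "ACCEPT"},
    {"proto": "udp", "src": "24.219.4.35", "sport": (53, 53), "target": "ACCEPT"},
    {"proto": "udp", "src": "192.168.1.0/24", "dport": (137, 139), "target": "ACCEPT"},
    {"iface": "lo", "target": "ACCEPT"},
    {"proto": "tcp", "syn": True, "target": "REJECT"},
    {"proto": "udp", "target": "REJECT"},
]
# The suggested rule: -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
STATE_RULE = {"iface": "eth0", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}

def matches(rule, pkt):
    """True if every match present in `rule` holds for the packet dict `pkt`."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    for key in ("sport", "dport"):  # port ranges are inclusive, as in --dport 137:139
        if key in rule and not rule[key][0] <= pkt.get(key, -1) <= rule[key][1]:
            return False
    if rule.get("syn") and not pkt.get("syn", False):  # --syn: SYN set, ACK/RST/FIN clear
        return False
    if "state" in rule and pkt.get("state") not in rule["state"]:  # -m state, via conntrack
        return False
    return True

def verdict(rules, pkt, policy="ACCEPT"):
    """First-match evaluation of a chain, falling through to the chain policy."""
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

# Constructed netbios-ns reply: a LAN host answers our name query from UDP 137 back to the
# ephemeral port we sent from; conntrack saw the outgoing query, so the reply is ESTABLISHED.
NBNS_REPLY = {"proto": "udp", "iface": "eth0", "src": "192.168.1.20",
              "sport": 137, "dport": 32768, "state": "ESTABLISHED"}

def evaluate_placements(pkt=NBNS_REPLY):
    """Verdicts for the original chain, the state rule appended (-A), and inserted before REJECT."""
    appended = BASE_RULES + [STATE_RULE]  # what `iptables -A INPUT ...` actually produces
    first_reject = next(i for i, r in enumerate(BASE_RULES) if r["target"] == "REJECT")
    inserted = BASE_RULES[:first_reject] + [STATE_RULE] + BASE_RULES[first_reject:]
    return {"original": verdict(BASE_RULES, pkt), "appended": verdict(appended, pkt),
            "inserted": verdict(inserted, pkt)}
```

The state match only works when conntrack (the ip_conntrack module on that kernel) has seen the outgoing query; a reply to a broadcast query comes from a different address than the query was sent to, so conntrack does not classify it as ESTABLISHED and the state rule alone does not pass it.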
