[Samba] please help me.

Radio Gong 2000 GmbH & Co. KG [Technik] sascha.bieler at radiogong.de
Mon May 31 22:23:42 GMT 2004


But port 80 has nothing to do with samba and, as u say, it works fine when u 
turn it off!

I made a script for u; maybe u try it, otherwise I have no more ideas. 

I added all rfc nets, because I don't know ur ip-range...
Maybe u have to change the path for iptables and so on....

Regards and good luck


#!/bin/sh 
#
#  This is an automatically generated file. 
#  Firewall Builder  fwb_ipt v1.1.2-1 
# Tue Jun  1 00:18:52 2004 CEST 
#
#
#  
#
#
#

# Best-effort syslog message through $LOGGER (priority "info").
# Arguments: $1 - message text
# Returns:   $LOGGER's status; 1 when $LOGGER is not an executable path
#            (the message is then silently skipped).
log() {
  if test -x "$LOGGER"; then
    $LOGGER -p info "$1"
  else
    return 1
  fi
}

va_num=1
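#######################################
# Make sure address $1 is configured on interface $3; when the interface
# exists and the address is not yet present, add it as a labelled alias
# ($3:FWBn, n taken from the global counter va_num).
# Globals:   IP (read), va_num (read/written)
# Arguments: $1 - IPv4 address, $2 - prefix length, $3 - interface name
# Returns:   status of the last command run
#######################################
add_addr() {
  addr=$1
  nm=$2
  dev=$3

  type=""
  aadd=""

  # "N: eth0: <BROADCAST,MULTICAST,UP> mtu ..." -> with IFS=" /:,<" the
  # 4th field is the first link flag (BROADCAST / POINTOPOINT / LOOPBACK).
  L=$($IP -4 link ls "$dev" | grep "$dev:")
  if test -n "$L"; then
    OIFS=$IFS
    IFS=" /:,<"
    set -- $L
    type=$4
    IFS=$OIFS

    # "    inet A.B.C.D/NN ..." -> 2nd field is the address already present.
    L=$($IP -4 addr ls "$dev" to "$addr" | grep " inet ")
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set -- $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  if test -z "$aadd"; then
    if test "$type" = "POINTOPOINT"; then
      $IP -4 addr add "$addr" dev "$dev" scope global label "$dev:FWB${va_num}"
      va_num=$((va_num + 1))
    fi
    if test "$type" = "BROADCAST"; then
      # One command: the mail-wrapped copy had the label argument on its
      # own line, which ran "$dev:FWBn" as a separate command.
      $IP -4 addr add "$addr/$nm" dev "$dev" brd + scope global label "$dev:FWB${va_num}"
      va_num=$((va_num + 1))
    fi
  fi
}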
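#######################################
# Store the first IPv4 address configured on interface $1 in the shell
# variable named $2 (the empty string when no address is configured).
# Globals:   IP (read); the variable named by $2 (written)
# Arguments: $1 - interface name, $2 - name of the variable to set
# Returns:   1 when $2 is not a plain identifier, else 0
#######################################
getaddr() {
  dev=$1
  name=$2
  # $name is spliced into an eval'd assignment: accept identifiers only.
  case $name in
    ""|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  L=$($IP -4 addr show dev "$dev" | grep inet)
  test -z "$L" && {
    eval "$name=''"
    return
  }
  OIFS=$IFS
  IFS=" /"
  set -- $L
  IFS=$OIFS
  # "\$2" is expanded by eval as a parameter, so the address text read
  # from `ip` is assigned verbatim and never parsed as shell code.
  eval "$name=\$2"
}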


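#######################################
# Print, one per line, the names of all interfaces whose name starts with
# $1 (e.g. "eth" -> eth0, eth1 ...), parsed from `$IP link show`.
# Globals:   IP (read), NAME (written)
# Arguments: $1 - interface-name prefix; it is used as an extended regex,
#            so pass a plain prefix, never untrusted text
# Outputs:   interface names on stdout
#######################################
getinterfaces() {
  NAME=$1
  $IP link show | grep -E "$NAME[^ ]*: " | while read -r L; do
    # "2: eth0: <BROADCAST,...> mtu 1500" -> with IFS=" :" the 2nd field
    # is the interface name.
    OIFS=$IFS
    IFS=" :"
    set -- $L
    IFS=$OIFS
    printf '%s\n' "$2"
  done
}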


# Absolute paths of the tools this script drives; adjust them to the
# target distribution if they live elsewhere.
LSMOD=/sbin/lsmod            # list loaded kernel modules
MODPROBE=/sbin/modprobe      # load the conntrack/NAT helper modules
IPTABLES=/usr/sbin/iptables  # rule manipulation
IP=/sbin/ip                  # interface and address queries
LOGGER=/bin/logger           # syslog writer used by log()



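INTERFACES="eth0 ppp0 lo "
# Abort before touching any rule if an interface the rules refer to is
# missing; the diagnostic goes to stderr so it is not mistaken for output.
for i in $INTERFACES ; do
  $IP link show "$i" > /dev/null 2>&1 || {
    printf 'Interface %s does not exist\n' "$i" >&2
    exit 1
  }
done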




# Loopback must carry 127.0.0.1 and be up for the lo rules below.
add_addr 127.0.0.1 8 lo
$IP link set lo up

# interface_eth0 / interface_ppp0 hold each interface's first IPv4 address
# (empty if none); the rules use them as "this host" matches.
for ifc in eth0 ppp0; do
  getaddr "$ifc" "interface_$ifc"
done


# Default-deny on all built-in filter chains; done before the flush below
# so nothing is admitted while the rule set is rebuilt.
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -P "$chain" DROP
done



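# Flush every chain and delete every user chain in each loaded table so
# the rules below start from a clean slate. With the policies already
# DROP, existing connections are blocked until the state rule is re-added.
while read -r table; do
  $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t "$table" -F "$chain"
      fi
  done
  $IPTABLES -t "$table" -X
done < /proc/net/ip_tables_names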



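MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
# Names (suffix stripped) of every conntrack/NAT helper module shipped for
# the running kernel. The cd is guarded: if the directory is missing the
# original listed the current directory instead and tried to modprobe
# whatever matched there.
MODULES=$(cd "$MODULE_DIR" && ls *_conntrack_* *_nat_* | sed 's/\.o.*$//; s/\.ko$//')
for module in $MODULES; do
  # Match the module-name column only, so e.g. "ip_nat" is not taken as
  # loaded just because "ip_nat_ftp" appears somewhere in the lsmod output.
  if $LSMOD | grep "^${module}[[:space:]]" >/dev/null; then continue; fi
  $MODPROBE "${module}" || exit 1
done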



log "Activating firewall for samba-server"

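#
#  Rule 0(NAT)
# 
# redirect to proxy
#
# Transparent proxy: NEW TCP/80 from the private ranges is diverted to a
# local listener on port 8080. If nothing listens on 8080, web access from
# the LAN through this box fails while SMB traffic is untouched -- this is
# the rule to disable when testing "port 80" problems, not Samba.
$IPTABLES -t nat -A PREROUTING -p tcp -s 10.0.0.0/8 --destination-port 80 -j REDIRECT --to-ports 8080
$IPTABLES -t nat -A PREROUTING -p tcp -s 192.168.0.0/16 --destination-port 80 -j REDIRECT --to-ports 8080
$IPTABLES -t nat -A PREROUTING -p tcp -s 172.16.0.0/12 --destination-port 80 -j REDIRECT --to-ports 8080
#
#  Rule 1(NAT)
# 
# Source NAT for the private ranges leaving through ppp0.
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 10.0.0.0/8 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 172.16.0.0/12 -j MASQUERADE
#
#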


# Stateful shortcut: replies and related traffic of already accepted
# connections pass on every chain without re-evaluating the rules below.
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

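# 
# Rule 0(ppp0)
# 
# anti-spoofing Regel (anti-spoofing rule)
# 
# Inbound on ppp0: a packet claiming one of this host's own addresses or a
# private (RFC 1918) source is spoofed -- log and drop it on INPUT and
# FORWARD. Rule 6(global) below accepts NEW traffic from the private ranges
# on any interface, so it depends on this chain being evaluated first.
# NOTE: $interface_ppp0 is empty when ppp0 has no address at script time;
# the own-address check for ppp0 is then not installed until a re-run.
$IPTABLES -N ppp0_In_RULE_0
for chain in INPUT FORWARD; do
  test -n "$interface_eth0" && $IPTABLES -A "$chain" -i ppp0 -s "$interface_eth0" -j ppp0_In_RULE_0
  test -n "$interface_ppp0" && $IPTABLES -A "$chain" -i ppp0 -s "$interface_ppp0" -j ppp0_In_RULE_0
  for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
    $IPTABLES -A "$chain" -i ppp0 -s "$net" -j ppp0_In_RULE_0
  done
done
$IPTABLES -A ppp0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A ppp0_In_RULE_0 -j DROP
# 
# Rule 1(ppp0)
# 
# anti-spoofing Regel (anti-spoofing rule)
# 
# Outbound on ppp0: only this host's own addresses and the private ranges
# (masqueraded afterwards by Rule 1(NAT)) may appear as source; anything
# else leaving via ppp0 is logged and dropped.
$IPTABLES -N Cid40BBAA6A.0
$IPTABLES -A OUTPUT -o ppp0 -j Cid40BBAA6A.0
$IPTABLES -A FORWARD -o ppp0 -j Cid40BBAA6A.0
test -n "$interface_eth0" && $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s "$interface_eth0" -j RETURN
test -n "$interface_ppp0" && $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s "$interface_ppp0" -j RETURN
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s "$net" -j RETURN
done
$IPTABLES -N ppp0_Out_RULE_1_3
$IPTABLES -A Cid40BBAA6A.0 -o ppp0 -j ppp0_Out_RULE_1_3
$IPTABLES -A ppp0_Out_RULE_1_3 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A ppp0_Out_RULE_1_3 -j DROP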
# 
# Rule 0(lo)
# 
# Erlaube alle Verbindungen zur 'loopback'-Schnittstelle
# (allow every connection on the loopback interface)
# 
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
# 
# Rule 0(global)
# 
# block fragments
# 
# Non-first IP fragments (-f) on every chain are logged and dropped, so the
# state and port matches below only ever see whole headers.
$IPTABLES -N RULE_0
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -A "$chain" -p all -f -j RULE_0
done
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A RULE_0 -j DROP
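# 
# Rule 1(global)
# 
# allow ssh
# 
# NEW TCP/22 to any of this host's addresses is accepted with no -s or -i
# match, i.e. SSH is reachable over ppp0 as well as from the LAN. Add
# -s <LAN range> (or -i eth0) if remote administration over ppp0 is not
# required.
test -n "$interface_eth0" && $IPTABLES -A OUTPUT -p tcp -d "$interface_eth0" --destination-port 22 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -p tcp -d "$interface_ppp0" --destination-port 22 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A INPUT -p tcp -d "$interface_eth0" --destination-port 22 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p tcp -d "$interface_ppp0" --destination-port 22 -m state --state NEW -j ACCEPT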
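# 
# Rule 2(global)
# 
# allow windows services
# 
# NEW connections to the Windows file/directory-service ports on this
# host's addresses, from the private ranges only. Note that Rule 6(global)
# below already accepts all NEW traffic from the same ranges, so this rule
# only becomes the effective policy if Rule 6 is removed or narrowed.
# All entries are ACCEPTs in the same chain, so their relative order does
# not matter; the mail-wrapped original had each rule split over 3 lines.
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  for fwaddr in "$interface_eth0" "$interface_ppp0"; do
    test -n "$fwaddr" && $IPTABLES -A INPUT -p tcp -m multiport -s "$net" -d "$fwaddr" --destination-port 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
  done
done
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  for fwaddr in "$interface_eth0" "$interface_ppp0"; do
    test -n "$fwaddr" && $IPTABLES -A INPUT -p udp -m multiport -s "$net" -d "$fwaddr" --destination-port 138,137,53,88 -m state --state NEW -j ACCEPT
  done
done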
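# 
# Rule 3(global)
# 
# allow dns service
# 
# Outbound DNS (TCP and UDP 53) from this host's own addresses to any
# resolver. Inbound DNS from the LAN is covered by Rule 2 / Rule 6.
test -n "$interface_eth0" && $IPTABLES -A OUTPUT -p tcp -s "$interface_eth0" --destination-port 53 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -p tcp -s "$interface_ppp0" --destination-port 53 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A OUTPUT -p udp -s "$interface_eth0" --destination-port 53 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -p udp -s "$interface_ppp0" --destination-port 53 -m state --state NEW -j ACCEPT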
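# 
# Rule 4(global)
# 
# DHCP server for the LAN?
# 
# Inbound DHCP (UDP 67/68) from the private ranges, either to this host's
# own addresses or to the limited broadcast 255.255.255.255.
# NOTE(review): a client that has no lease yet normally sends from source
# 0.0.0.0, which none of the -s matches here cover -- confirm against a
# real lease exchange if this box is the DHCP server.
$IPTABLES -N Cid40BBAAC8.0
test -n "$interface_eth0" && $IPTABLES -A INPUT -d "$interface_eth0" -m state --state NEW -j Cid40BBAAC8.0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -d "$interface_ppp0" -m state --state NEW -j Cid40BBAAC8.0
$IPTABLES -N Cid40BBAAC8.1
$IPTABLES -A Cid40BBAAC8.0 -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAAC8.1
$IPTABLES -A Cid40BBAAC8.1 -s 10.0.0.0/8 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.1 -s 192.168.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.1 -s 172.16.0.0/12 -m state --state NEW -j ACCEPT
$IPTABLES -N Cid40BBAAC8.2
$IPTABLES -A INPUT -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAAC8.2
$IPTABLES -A Cid40BBAAC8.2 -s 10.0.0.0/8 -d 255.255.255.255 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.2 -s 192.168.0.0/16 -d 255.255.255.255 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.2 -s 172.16.0.0/12 -d 255.255.255.255 -m state --state NEW -j ACCEPT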
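# 
# Rule 5(global)
# 
# again DHCP
# 
# Outbound DHCP (UDP 67/68) from this host's own addresses to the private
# ranges -- the reply direction of Rule 4 / a DHCP client on this box.
$IPTABLES -N Cid40BBAADA.0
$IPTABLES -A OUTPUT -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAADA.0
$IPTABLES -N Cid40BBAADA.1
test -n "$interface_eth0" && $IPTABLES -A Cid40BBAADA.0 -s "$interface_eth0" -m state --state NEW -j Cid40BBAADA.1
test -n "$interface_ppp0" && $IPTABLES -A Cid40BBAADA.0 -s "$interface_ppp0" -m state --state NEW -j Cid40BBAADA.1
$IPTABLES -A Cid40BBAADA.1 -d 10.0.0.0/8 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAADA.1 -d 192.168.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAADA.1 -d 172.16.0.0/12 -m state --state NEW -j ACCEPT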
# 
# Rule 6(global)
# 
# 'masquerading' rfc-nets
# 
# Any NEW connection from a private source is accepted on INPUT (to this
# host, all ports) and on FORWARD (through it, to anywhere), on every
# interface. What keeps this safe on the uplink is Rule 0(ppp0) above,
# which drops private sources arriving on ppp0 before this rule is reached
# -- keep that ordering when editing.
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -A INPUT -s "$net" -m state --state NEW -j ACCEPT
done
for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
  $IPTABLES -A FORWARD -s "$net" -m state --state NEW -j ACCEPT
done
# 
# Rule 7(global)
# 
# 'catch all' 
# 
# Everything not accepted above is logged and dropped. The LOG has no
# -m limit, so a scan or flood produces one syslog line per packet.
$IPTABLES -N RULE_7
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -A "$chain" -j RULE_7
done
$IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
$IPTABLES -A RULE_7 -j DROP
#
#
# Enable routing between interfaces only now that the DROP policy, the
# anti-spoofing chains and the masquerading rules are all in place.
printf '1\n' > /proc/sys/net/ipv4/ip_forward


