[Samba] iptables on samba in AD native

John Stile john at stilen.com
Sun Nov 14 21:03:26 GMT 2004

Hello Samba group,
  I have setup iptables on a Samba-3.0.8 member server (with one IP) in
a native mode Active Directory domain.

  Searching Samba list archives directs me to read
http;//www.netfilter.org documentation and doesn't attempt to describe
ports needed for samba to function as a member server in native AD.

  I would appreciate any constructive feedback regarding whether these
iptables rules look correct, or grant too much or too little?  They do
work, and they express my understanding of samba server network

 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 # RPC mapper
 iptables -A INPUT -s $ANY -p udp --dport 135 -j ACCEPT
 # NetBIOS Name Service (nbname)/Datagram Service (nbdatagram)
 iptables -A INPUT -s $ANY -p udp --dport 137:138 -j ACCEPT
 # NetBIOS Session Service (nbsession)
 iptables -A INPUT -s $ANY -p tcp --dport 139 -j ACCEPT
 # TCP Connection - establish 3-way handshake
 iptables -A INPUT -s $ANY -p tcp --dport 445 -j ACCEPT
 # Kerberos V5 communication <2K Packets
 iptables -A INPUT -p udp -m udp --dport 88 -j ACCEPT
 # Kerberos V5 communication >2K Packets 
 iptables -A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
 # NTP communication, for Kerberose V5 tickets?
 iptables -A INPUT -s $ANY -p udp --dport 123 -j ACCEPT

Note: Limiting the OUTPUT rules kills communications to KDC, so I left
it open.
|   \0/    John Stile |
| UniX Administration |
|   / \  510-305-3800 |     
|     john at stilen.com |

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20041114/1daef63d/attachment.bin

More information about the samba mailing list