[Samba] Comprehensive list of ports used by samba when being used with active directory

Andrew Sherlock-CF andrew.sherlock at bbc.co.uk
Fri Oct 12 09:01:50 GMT 2007 

Hi all,

I was wondering if anybody had a comprehensive list of default ports
that should be open when using samba with active directory.

Right now I get some slightly odd performance issues when running
iptables with samba-3.0.10-1.4E.9.x86_64 - but with iptables off, all
runs smoothly. I've also noticed that net ads join and kerberos
operations can be flaky with the below iptables config. Sometimes they
work, sometimes not. Again - with iptables disabled all is fine.

Are there any additional ports I should have open that anybody can spot?
Is there some other problem with the below config?

Many thanks for any help!

# IPtables config
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [26:8868]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT 
-A INPUT -p udp -m udp --dport 88 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT 
-A INPUT -p udp -m multiport --dports 139,445 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 137,138 -j ACCEPT 
-A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT 
-A INPUT -p udp -m udp --dport 135 -j ACCEPT 
-A INPUT -p tcp -s 10.80.19.217 -m tcp --dport 22 -m state --state NEW
-m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 1984 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP

-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 88 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 135 -j ACCEPT 
-A OUTPUT -p tcp -m multiport --dports 139,445 -j ACCEPT 
-A OUTPUT -p udp -m multiport --dports 137,138 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 389 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 1984 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3268 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 3269 -j ACCEPT 
COMMIT

http://www.bbc.co.uk/
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

More information about the samba mailing list