[Samba] samba with iptables

Seo, Jong Hwa cheeky at realtime.ssu.ac.kr
Sat Sep 29 22:45:34 GMT 2007 

Hi,

system info:
ubuntu 7.04 (Host OS)
samba 3.0.24 (installed with apt-get)
vmware-server 6.0.1
windows XP (Guest OS)

I was using the iptables script provided by iptablesrocks.org. It's been
quite useful, but I ran into a problem when I tried to connect samba.

Without any iptables rules, I have no problem when connecting host
os(ubuntu samba server) from guest os Windows XP.

I referenced this article, http://troy.jdmz.net/samba/fw/, so I put the
following sources in the middle of the source.

-A INPUT -p udp -m udp --dport 137 -j ACCEPT 
-A INPUT -p udp -m udp --dport 138 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT 


Finally, it doesn't work. I feel now very frustrated... I tried with a
lot of combinations, but all failed due to errors as shown below:



# smbclient -U cheeky -L 172.16.6.1
timeout connecting to 172.16.6.1:445
timeout connecting to 172.16.6.1:139
Error connecting to 172.16.6.1 (Operation already in progress)
Connection to 172.16.6.1 failed


I'd like to share some files between ubuntu host os and windows vmware
guest os. I don't think samba is wrong because everything's okay without
iptables.



the full iptables script shows as follows:

# import this saved configuration into your iptables configuration with
the following command:
# iptables-restore < web_server.config

*nat 
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633] 
COMMIT

*mangle 
:PREROUTING ACCEPT [444:43563] 
:INPUT ACCEPT [444:43563] :FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [402:144198] 
:POSTROUTING ACCEPT [402:144198] 
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP 
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j
DROP 
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
COMMIT

*filter 
:INPUT DROP [1:242]
:FORWARD DROP [0:0] 
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT 
#-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT 
-A INPUT -p udp -m udp --dport 138 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT 
-A INPUT -s 127.0.0.1 -j ACCEPT 
-A INPUT -p icmp -j icmp_packets 
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7 


-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT 
#-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT 
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT 
#-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT 
#-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
#-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT 
#-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT 
#-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT 
-A OUTPUT -d 127.0.0.1 -j ACCEPT 
-A OUTPUT -p icmp -j icmp_packets 
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level
7 


-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP 
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT 
COMMIT

More information about the samba mailing list