[Samba] samba with iptables

mups.cp mups.cp at gmail.com
Sat Sep 29 23:35:49 GMT 2007


Firstly, this is an iptables issue and not Samba.
Your default OUTPUT policy was set to DROP, so you also need to specify
rules to catch the ports that Samba uses and allow them.
Review your iptables rules accordingly.

On 9/29/07, Seo, Jong Hwa <cheeky at realtime.ssu.ac.kr> wrote:
> Hi,
>
> system info:
> ubuntu 7.04 (Host OS)
> samba 3.0.24 (installed with apt-get)
> vmware-server 6.0.1
> windows XP (Guest OS)
>
> I was using the iptables script provided by iptablesrocks.org. It's been
> quite useful, but I ran into a problem when I tried to connect samba.
>
> Without any iptables rules, I have no problem connecting to the host
> OS (Ubuntu Samba server) from the guest OS, Windows XP.
>
> I referenced this article, http://troy.jdmz.net/samba/fw/, so I put the
> following sources in the middle of the source.
>
> -A INPUT -p udp -m udp --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp --dport 138 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
>
>
> Finally, it doesn't work. I now feel very frustrated... I tried with a
> lot of combinations, but all failed due to errors as shown below:
>
>
>
> # smbclient -U cheeky -L 172.16.6.1
> timeout connecting to 172.16.6.1:445
> timeout connecting to 172.16.6.1:139
> Error connecting to 172.16.6.1 (Operation already in progress)
> Connection to 172.16.6.1 failed
>
>
> I'd like to share some files between ubuntu host os and windows vmware
> guest os. I don't think samba is wrong because everything's okay without
> iptables.
>
>
>
> The full iptables script is as follows:
>
> # import this saved configuration into your iptables configuration with
> the following command:
> # iptables-restore < web_server.config
>
> *nat
> :PREROUTING ACCEPT [127173:7033011]
> :POSTROUTING ACCEPT [31583:2332178]
> :OUTPUT ACCEPT [32021:2375633]
> COMMIT
>
> *mangle
> :PREROUTING ACCEPT [444:43563]
> :INPUT ACCEPT [444:43563]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [402:144198]
> :POSTROUTING ACCEPT [402:144198]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
>
> *filter
> :INPUT DROP [1:242]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :icmp_packets - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
> #-A INPUT -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -p udp -m udp --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp --dport 138 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
> -A INPUT -s 127.0.0.1 -j ACCEPT
> -A INPUT -p icmp -j icmp_packets
> -A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
>
>
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT
> -A OUTPUT -d 127.0.0.1 -j ACCEPT
> -A OUTPUT -p icmp -j icmp_packets
> -A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7
>
>
> -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
> -A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
> -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
> COMMIT
>
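The reply's point can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, from Samba or from the iptables project: it parses an iptables-save style dump, and for every chain whose policy is DROP reports which of Samba's four ports (137/udp, 138/udp, 139/tcp, 445/tcp) have no explicit ACCEPT rule, then renders the missing lines in iptables-restore syntax. The embedded ruleset is a constructed, abbreviated version of the one quoted above, reproducing the mismatch: INPUT accepts the Samba ports, OUTPUT does not. The check goes slightly beyond the thread in that it inspects INPUT and OUTPUT alike, so it also catches the mirror-image mistake.

```python
import re

# Constructed sample in iptables-save format, modelled on the ruleset quoted
# in the thread (abbreviated). INPUT accepts the Samba ports; OUTPUT does not,
# yet its default policy is DROP, which is the situation the reply describes.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
COMMIT
"""

# The ports Samba uses, as (protocol, port): NetBIOS name service, NetBIOS
# datagram service, NetBIOS session service and CIFS/SMB over TCP. These are
# the same four ports the thread lists.
SAMBA_PORTS = (("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445))

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
DPORT_RE = re.compile(r"-p\s+(tcp|udp)\b.*--dport\s+(\d+)")


def parse_filter_table(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies maps chain -> policy string; rules maps chain -> list of rule
    arguments in file order. Other tables (*nat, *mangle) are skipped.
    """
    policies, rules, in_filter = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            rules.setdefault(m.group(1), [])
            continue
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return policies, rules


def accepted_dports(rule_args):
    """Set of (proto, port) pairs a chain explicitly accepts by destination port."""
    accepted = set()
    for args in rule_args:
        if not re.search(r"-j\s+ACCEPT\b", args):
            continue
        m = DPORT_RE.search(args)
        if m:
            accepted.add((m.group(1), int(m.group(2))))
    return accepted


def missing_samba_rules(text, chains=("INPUT", "OUTPUT")):
    """For every chain whose policy is DROP, list the Samba ports it never accepts.

    Returns {chain: [(proto, port), ...]} and omits chains with nothing missing.
    A chain with policy ACCEPT needs no per-port rules, so it is skipped.
    """
    policies, rules = parse_filter_table(text)
    missing = {}
    for chain in chains:
        if policies.get(chain) != "DROP":
            continue
        have = accepted_dports(rules.get(chain, []))
        gaps = [pp for pp in SAMBA_PORTS if pp not in have]
        if gaps:
            missing[chain] = gaps
    return missing


def suggested_rules(missing):
    """Render the missing ports as iptables-restore lines. They must be placed
    above the chain's LOG / default-drop rule, since rules match in order."""
    lines = []
    for chain, gaps in missing.items():
        for proto, port in gaps:
            lines.append(f"-A {chain} -p {proto} -m {proto} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    gaps = missing_samba_rules(SAMPLE_RULESET)
    for chain, ports in gaps.items():
        print(f"{chain}: policy DROP, no ACCEPT for "
              + ", ".join(f"{n}/{p}" for p, n in ports))
    print("\n".join(suggested_rules(gaps)))
```

Run against the sample, the script reports that OUTPUT drops all four Samba ports and prints the four `-A OUTPUT ... -j ACCEPT` lines to add. Those OUTPUT rules matter for traffic the host itself originates: the `smbclient` run in the thread connects from the host to 172.16.6.1, which is not 127.0.0.1 and so is not covered by the `-d 127.0.0.1` rule, and nmbd's outbound NetBIOS datagrams fall in the same category. Replies to connections that a guest opens towards the host are already accepted by the `RELATED,ESTABLISHED` rule, so the missing rules explain exactly the connections the poster saw time out. Paste the generated lines into the OUTPUT section above the `-A OUTPUT -j LOG` rule; anything placed after it is never reached.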
