[Samba] Cross-subnet authentication & firewall

Misty Stanley-Jones misty at borkholder.com
Tue Jul 1 00:01:42 GMT 2008

I've got two subnets joined by an OpenVPN bridge.  I used to have my PDC on
the router, and the DMS happily authenticated to

Now, for security and other reasons I have put my PDC behind a firewall.
The PDC now lives at, and my router is still on and

In the router's iptables rules, I have added the following:
iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to
iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to

iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to
iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to

(tap0 is the interface)

In the DMS's smb.conf, I have the following:

    workgroup = CORP
    netbios name = FURNSRV
    server string = Furniture File Server
    security = domain
    password server =
    wins server =
    wins support = no
    wins proxy = no
    name resolve order = wins
    dns proxy = no
    local master = yes
    domain master = no
    preferred master = yes
    os level = 65
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_BROADCAST
    printing = cups
    printcap = cups
    remote browse sync =

When I start Samba on the DMB, I can do 'net join' just fine.  I can ping
the PDC.  I can list shares on the PDC.  I can't list shares on the client!

root@honk:/etc/samba# smbclient -L localhost
session setup failed: NT_STATUS_NO_LOGON_SERVERS

I'm a little befuddled here.  Is there something I've forgotten in iptables?
Is something else missing?  I'm not sure exactly what to debug.  I have done
tcpdump on the PDC and I can see requests and responses, but I'm not 100%
clear what to look for.

I appreciate any help at all!
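The rules quoted in the post only add DNAT entries in the nat PREROUTING chain; when the router's FORWARD policy is DROP, the redirected packets also need matching ACCEPT rules in the filter FORWARD chain, which is the first thing worth checking. The script below is an added example, not from the post or the Samba project: it audits an iptables-save dump for both halves of that pair on the SMB/NetBIOS ports the post lists. The dump is constructed, and the PDC address 10.0.0.5 and interface tap0 are placeholders for the values elided from the post.

```shell
#!/bin/sh
# Constructed iptables-save excerpt: all four DNAT rules from the post are present,
# but only one FORWARD accept rule exists while the FORWARD policy is DROP.
# 10.0.0.5 is a placeholder PDC address; tap0 is the bridge interface from the post.
SAMPLE_RULES='*nat
-A PREROUTING -i tap0 -p tcp -m tcp --dport 137:139 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -i tap0 -p tcp -m tcp --dport 445 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -i tap0 -p udp -m udp --dport 137:139 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -i tap0 -p udp -m udp --dport 445 -j DNAT --to-destination 10.0.0.5
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tap0 -d 10.0.0.5 -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT'

# has_rule DUMP CHAIN PROTO DPORT
# Succeeds when DUMP holds a rule in CHAIN for PROTO with that --dport value.
has_rule() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*-p $3 .*--dport $4 "
}

# audit_smb_rules DUMP
# Prints one line per missing rule; the return value is the number of gaps
# (0 means every DNAT rule has a FORWARD accept rule beside it).
audit_smb_rules() {
    dump=$1
    gaps=0
    for proto in tcp udp; do
        for port in 137:139 445; do
            if ! has_rule "$dump" PREROUTING "$proto" "$port"; then
                echo "missing DNAT in PREROUTING: $proto $port"
                gaps=$((gaps + 1))
            fi
            if ! has_rule "$dump" FORWARD "$proto" "$port"; then
                echo "missing ACCEPT in FORWARD: $proto $port"
                gaps=$((gaps + 1))
            fi
        done
    done
    return $gaps
}

# Run against the constructed dump; on a live router feed it `iptables-save` output instead.
audit_smb_rules "$SAMPLE_RULES" || echo "$? gap(s) found"
```

On a real router, replace SAMPLE_RULES with the output of iptables-save so the audit reflects the loaded ruleset rather than the rules you remember adding.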
