[Samba] Samba4 and iptables
tms3 at tms3.com
tms3 at tms3.com
Thu Feb 10 07:53:39 MST 2011
>
> Hello everybody,
>
> I have a running an installation of Samba4 as AD. All is working fine,
> but when I start the firewall, the clients have problems to login.
>
> By my firewall-rules from the past, I had opened the ports 137:139 and
> 445 for samba and new for bind the port 53.
Kerberos is on port 88
LDAP is on 339 636
Here is a list of AD port requirements and their uses.
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
>
>
>
> The clients (WinXP) seems to have problems to read and write from/to
> the
> home directories. Maybe samba4 need additional or other ports to
> working
> fine?
>
> Here my current iptables-rules:
>
> IPTABLES=/sbin/iptables
>
> #Bind
> $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED
> -j
> ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j
> ACCEPT;
>
> $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED
> -j
> ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j
> ACCEPT;
>
> #Samba
> $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state
> ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state
> ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p udp --dport 445 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state
> ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p tcp --dport 445 -m state --state
> ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state
> ESTABLISHED,RELATED -j ACCEPT;
>
>
> iptables --list
>
> ACCEPT tcp -- anywhere anywhere tcp
> spt:domain state ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp
> spt:domain state ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp
> spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp
> spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp
> spt:microsoft-ds state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp
> spt:microsoft-ds state RELATED,ESTABLISHED
>
>
> Note! I have the profiles configured with server-copies from the
> home-directorys! That's the reason for the necessary
> read-/write-possibility. When I login with a client, so the client
> look
> for the server-home-directory. When a client logout, the client
> synchronizes the local-home-directory to the ad-server. Without the
> running firewall on the AD it's work perfect. With the runnig firewall
> I
> get the message on login, that the client can't read the
> home-directory
> and when I logout, that the client can't synchronize the
> home-directory.
> The domain-login is always successful.
>
> Thanks in advance!
>
> Bert
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list