[Samba] Samba4 and iptables

tms3 at tms3.com tms3 at tms3.com
Thu Feb 10 07:53:39 MST 2011
>
> Hello everybody,
>
> I have a running installation of Samba4 as AD. All is working fine,
> but when I start the firewall, the clients have problems logging in.
>
> In my firewall rules from the past, I had opened the ports 137:139 and
> 445 for samba and, new for bind, port 53.

Kerberos is on port 88

LDAP is on 339 636

Here is a list of AD port requirements and their uses.

http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx


>
>
>
> The clients (WinXP) seem to have problems reading and writing from/to
> the home directories. Maybe samba4 needs additional or other ports to
> work fine?
>
> Here my current iptables-rules:
>
> IPTABLES=/sbin/iptables
>
> #Bind
> $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>
> $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>
> #Samba
> $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
>
> iptables --list
>
> ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain state ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            udp spt:domain state ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            udp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            tcp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            udp spt:microsoft-ds state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            tcp spt:microsoft-ds state RELATED,ESTABLISHED
>
>
> Note! I have the profiles configured with server copies of the
> home directories! That's the reason for the necessary
> read/write possibility. When I log in with a client, the client
> looks for the server home directory. When a client logs out, the client
> synchronizes the local home directory to the AD server. Without the
> running firewall on the AD it works perfectly. With the running firewall
> I get the message on login that the client can't read the
> home directory, and when I log out, that the client can't synchronize the
> home directory.
> The domain login is always successful.
>
> Thanks in advance!
>
> Bert
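Added example, not from the thread, from Samba or from Microsoft: a POSIX sh script that generates a complete inbound rule set for a Samba 4 AD DC. It covers the ports named in the reply (88, 636, plus 389 for LDAP) together with the others on the linked Microsoft port list (135, 464, 3268/3269, the dynamic RPC range, and 123/udp for time sync). Two design points worth noting against the rules quoted above: a single ESTABLISHED,RELATED rule at the top of INPUT handles all reply traffic, so per-port OUTPUT rules are unnecessary; and every listener port gets an explicit NEW rule, whereas the quoted tcp/445 INPUT rule only matches ESTABLISHED,RELATED, so a client's first SYN to the SMB port never matches it. The LAN subnet, the iptables path and the RPC range are assumptions (check the smb.conf parameter "rpc server dynamic port range" for the value your Samba uses). By default the script prints the rules; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example: emit an iptables INPUT rule set for a Samba 4 AD DC.
# Prints the commands by default; set APPLY=1 to execute them as root.
LAN="${LAN:-192.168.1.0/24}"            # constructed sample subnet; restrict to your clients
RPC_RANGE="${RPC_RANGE:-49152:65535}"   # assumed dynamic RPC range; verify against smb.conf
IPT="${IPT:-/sbin/iptables}"            # assumed path to the iptables binary

# Run or print one iptables command, depending on APPLY.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# Emit the rule set. Reply traffic is accepted once at the top; after that
# only NEW connections to the DC's listener ports, and only from the LAN,
# are accepted.
ad_dc_rules() {
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # TCP listeners: DNS, Kerberos, RPC endpoint mapper, NetBIOS session,
    # LDAP, SMB, kpasswd, LDAPS, Global Catalog (plain and TLS).
    for p in 53 88 135 139 389 445 464 636 3268 3269; do
        rule -A INPUT -p tcp -s "$LAN" --dport "$p" -m state --state NEW -j ACCEPT
    done
    # UDP listeners: DNS, Kerberos, NTP, NetBIOS name/datagram, CLDAP, kpasswd.
    for p in 53 88 123 137 138 389 464; do
        rule -A INPUT -p udp -s "$LAN" --dport "$p" -j ACCEPT
    done
    # Dynamic RPC ports used after the endpoint mapper hands out a port.
    rule -A INPUT -p tcp -s "$LAN" --dport "$RPC_RANGE" -m state --state NEW -j ACCEPT
}

# Check helper: succeeds if the generated set accepts NEW tcp connections
# to port $1. Useful as a self-test before applying the rules.
opens_tcp_new() {
    ad_dc_rules | grep -- "-p tcp .*--dport $1 .*--state NEW" >/dev/null
}

ad_dc_rules
```

Run it once without APPLY to review the generated commands, then with APPLY=1 on the DC. Append a final DROP (or set the INPUT policy to DROP) after these rules; the script deliberately leaves that decision to the administrator so it can be reviewed alongside any existing SSH or management rules.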