[Samba] Samba4 and iptables

nc-codewete at netcologne.de nc-codewete at netcologne.de
Mon Feb 14 14:30:33 MST 2011


... I found a very interesting thread -> 
<http://art.ubuntuforums.org/showthread.php?p=9599313>

Regards

Bert


On 14.02.2011 22:05, tms3 at tms3.com wrote:
>
>
>
>> Hello tms3 and list-members,
>>
>> many thanks for your help. I spent a lot of time configuring my 
>> firewall.
>>
>> I opened all the ports listed here 
>> <http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx>, 
>> but at first without success. I don't know why, but port 1024
> That's a DCOM port. I wouldn't have thought that one was necessary. 
> Maybe a question as to why on technical is in order.
>> seems to be very important. I found this port step by step by narrowing 
>> the port ranges.
>>
>> After I had opened this port I was able to log on to the domain.
>>
>> netstat gives me the following result:
>>
>> ...
>> tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      1361/samba
>> ...
>> tcp        0      0 192.168.0.1:53          0.0.0.0:*               LISTEN      1183/named
>> ...
>> tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1361/samba
>> ...
>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1183/named
>> tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1356/samba
>> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1343/samba
>> ...
>> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1346/samba
>> tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      1356/samba
>> tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1356/samba
>> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      1346/samba
>> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1343/samba
>>
>> I tested this with one WinXP client and tomorrow I will start a test 
>> with more clients.
>>
>>
>> I hope this will help somebody make the server a little bit more 
>> secure.
>>
>>
>> Regards
>>
>> Bert
>>
>>
>>
>>
>> On 10.02.2011 15:53, tms3 at tms3.com wrote:
>>
>>
>>
>>
>>         Hello everybody,
>>
>>         I have a running installation of Samba4 as AD. All is
>>         working fine,
>>         but when I start the firewall, the clients have problems
>>         logging in.
>>
>>         In my firewall rules from the past, I had opened the ports
>>         137:139 and
>>         445 for Samba and, newly, port 53 for BIND.
>>
>>     Kerberos is on port 88
>>
>>     LDAP is on 339 636
>>
>>     Here is a list of AD port requirements and their uses.
>>
>>     http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
>>
>>
>>
>>
>>         The clients (WinXP) seem to have problems reading and writing
>>         from/to the
>>         home directories. Maybe Samba4 needs additional or other ports
>>         to work
>>         fine?
>>
>>         Here are my current iptables rules:
>>
>>         IPTABLES=/sbin/iptables
>>
>>         #Bind
>>         $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>>         $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>>
>>         $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>>         $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>>
>>         #Samba
>>         $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>         $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>         $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>         $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>         $IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>         $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>         $IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>         $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>>         iptables --list
>>
>>         ACCEPT tcp -- anywhere anywhere tcp
>>         spt:domain state ESTABLISHED
>>         ACCEPT udp -- anywhere anywhere udp
>>         spt:domain state ESTABLISHED
>>         ACCEPT udp -- anywhere anywhere udp
>>         spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
>>         ACCEPT tcp -- anywhere anywhere tcp
>>         spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
>>         ACCEPT udp -- anywhere anywhere udp
>>         spt:microsoft-ds state RELATED,ESTABLISHED
>>         ACCEPT tcp -- anywhere anywhere tcp
>>         spt:microsoft-ds state RELATED,ESTABLISHED
>>
>>
>>         Note! I have the profiles configured with server copies of the
>>         home directories! That's the reason the
>>         read/write access is necessary. When I log in with a client, the
>>         client looks
>>         for the server home directory. When a client logs out, the client
>>         synchronizes the local home directory to the AD server.
>>         Without the
>>         running firewall on the AD it works perfectly. With the running
>>         firewall I
>>         get the message on login that the client can't read the
>>         home directory,
>>         and when I log out, that the client can't synchronize the
>>         home directory.
>>         The domain login is always successful.
>>
>>         Thanks in advance!
>>
>>         Bert
>>
>>
>>
>>
>>
>
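
As an added defender's check (not code from the thread), the script below parses a netstat listing modelled on the one quoted above, lists the ports Samba and named actually expose on non-loopback addresses, reports which of them the original rule set never allowed, and generates a least-privilege INPUT rule set that only admits new connections from the LAN. The LAN prefix 192.168.0.0/24 is an assumption taken from the server address 192.168.0.1 in the listing; the sample listing is constructed.

```python
import re

# Constructed sample modelled on the netstat output quoted in the thread.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      1361/samba
tcp        0      0 192.168.0.1:53          0.0.0.0:*               LISTEN      1183/named
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1361/samba
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1183/named
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1356/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1343/samba
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1346/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      1356/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1356/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      1346/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1343/samba
"""

# What the iptables rules posted in the thread allow (53, 137-139, 445 on tcp and udp).
# Note the posted tcp/445 INPUT rule only matches ESTABLISHED,RELATED, so in practice
# it would not admit new SMB connections either; it is counted as intended here.
ORIGINAL_ALLOWED = {("tcp", 53), ("udp", 53), ("tcp", 445), ("udp", 445)} | {
    (p, n) for p in ("tcp", "udp") for n in (137, 138, 139)}

LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)")

def listening_ports(netstat_text):
    """Return {(proto, port): program} for sockets bound to non-loopback addresses."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _pid, prog = m.groups()
        if addr.startswith("127."):   # loopback only (e.g. rndc on 953): not LAN-reachable
            continue
        found[(proto, int(port))] = prog
    return found

def uncovered(listening, allowed):
    """Listening (proto, port) pairs that the given rule set does not allow."""
    return sorted(k for k in listening if k not in allowed)

def iptables_rules(ports, lan="192.168.0.0/24"):
    """Stateful INPUT rules: default DROP, keep established flows, and accept NEW
    connections only from the LAN prefix (assumed) to the listening ports."""
    rules = ["iptables -P INPUT DROP",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port in sorted(ports):
        rules.append(f"iptables -A INPUT -s {lan} -p {proto} --dport {port} "
                     f"-m state --state NEW -j ACCEPT")
    return rules
```

Running `uncovered(listening_ports(NETSTAT_SAMPLE), ORIGINAL_ALLOWED)` reproduces the thread's finding: Kerberos (88), RPC endpoint mapper (135), LDAP (389/636/3268), kpasswd (464) and the RPC port 1024 were all listening but never opened.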


