[Samba] Samba4 and iptables

nc-codewete at netcologne.de nc-codewete at netcologne.de
Wed Feb 16 08:54:07 MST 2011


Hello List-Members,

I am still working on a perfect firewall configuration for a Samba4 AD, but 
it seems to be tricky work. Maybe somebody has an idea about my mistake.

When I reset the firewall rules, everything works perfectly. The 
network devices get connected and I can work with dsa.msc. But it 
fails with the following rules:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  192.168.0.0/24       192.168.0.2        icmp type 8 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:53 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:88 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:88 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:123 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:135 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:137 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:138 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:139 state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:389 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:389 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:445 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:445 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:464 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpt:464 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpt:636 state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.2        tcp dpts:1024:65535 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24       192.168.0.2        udp dpts:1024:65535 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:53 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:53 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:88 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:88 state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:123 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:135 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:137 state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:138 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:139 state ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:389 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:389 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:445 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:445 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:464 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spt:464 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spt:636 state ESTABLISHED
ACCEPT     tcp  --  192.168.0.2         192.168.0.0/24      tcp spts:1024:65535 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2         192.168.0.0/24      udp spts:1024:65535 state RELATED,ESTABLISHED

I think I have noted all the important ports from the documentation. You 
will see that I have opened the ports 1024:65535 for the local network, 
so I guess that I have to open an additional port between 1 and 1023!? 
Maybe I have a mistake in the state rules?? If I don't set --sport and 
--dport for the clients, I believe the clients can use the 
ports 1:65535??

Best regards

Bert



On 14.02.2011 22:30, nc-codewete at netcologne.de wrote:
> ... I found a very interesting thread -> 
> <http://art.ubuntuforums.org/showthread.php?p=9599313>
>
> Regards
>
> Bert
>
>
> On 14.02.2011 22:05, tms3 at tms3.com wrote:
>>
>>
>>
>>> Hello tms3 and list-members,
>>>
>>> Many thanks for your help. I spent a lot of time configuring my 
>>> firewall.
>>>
>>> I opened all the ports listed here 
>>> <http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx>, 
>>> but at first without success. I don't know why, but 
>>> the port 1024
>> That's a DCOM port. I wouldn't have thought that one was necessary. 
>> Maybe a question as to why on technical is in order.
>>> seems to be very important. I found this port step by step with smaller 
>>> and smaller port ranges.
>>>
>>> After I had opened this port I was able to log on to the domain.
>>>
>>> netstat gives me the following result:
>>>
>>> ...
>>> tcp        0      0 0.0.0.0:464             0.0.0.0:*               
>>> LISTEN      1361/samba
>>> ...
>>> tcp        0      0 192.168.0.1:53         0.0.0.0:*               
>>> LISTEN      1183/named
>>> ...
>>> tcp        0      0 0.0.0.0:88              0.0.0.0:*               
>>> LISTEN      1361/samba
>>> ...
>>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               
>>> LISTEN      1183/named
>>> tcp        0      0 0.0.0.0:636             0.0.0.0:*               
>>> LISTEN      1356/samba
>>> tcp        0      0 0.0.0.0:445             0.0.0.0:*               
>>> LISTEN      1343/samba
>>> ...
>>> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               
>>> LISTEN      1346/samba
>>> tcp        0      0 0.0.0.0:3268            0.0.0.0:*               
>>> LISTEN      1356/samba
>>> tcp        0      0 0.0.0.0:389             0.0.0.0:*               
>>> LISTEN      1356/samba
>>> tcp        0      0 0.0.0.0:135             0.0.0.0:*               
>>> LISTEN      1346/samba
>>> tcp        0      0 0.0.0.0:139             0.0.0.0:*               
>>> LISTEN      1343/samba
>>>
>>> I tested this with one WinXP client and tomorrow I will start a test 
>>> with more clients.
>>>
>>>
>>> I hope this will help somebody to make the server a little bit more 
>>> secure.
>>>
>>>
>>> Regards
>>>
>>> Bert
>>>
>>>
>>>
>>>
>>> On 10.02.2011 15:53, tms3 at tms3.com wrote:
>>>
>>>
>>>
>>>
>>>         Hello everybody,
>>>
>>>         I have a running installation of Samba4 as AD. All is
>>>         working fine,
>>>         but when I start the firewall, the clients have problems
>>>         logging in.
>>>
>>>         In my firewall rules from the past, I had opened the ports
>>>         137:139 and
>>>         445 for samba and, newly for bind, the port 53.
>>>
>>>     Kerberos is on port 88
>>>
>>>     LDAP is on 339 636
>>>
>>>     Here is a list of AD port requirements and their uses.
>>>
>>>     http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
>>>
>>>
>>>
>>>
>>>         The clients (WinXP) seem to have problems reading from and
>>>         writing to the
>>>         home directories. Maybe samba4 needs additional or other ports
>>>         to work
>>>         fine?
>>>
>>>         Here are my current iptables rules:
>>>
>>>         IPTABLES=/sbin/iptables
>>>
>>>         #Bind
>>>         $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
>>>         $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>>>
>>>         $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
>>>         $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>>>
>>>         #Samba
>>>         $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
>>>         $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>>         $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
>>>         $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>>         $IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
>>>         $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>>         $IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>         $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>>
>>>         iptables --list
>>>
>>>         ACCEPT tcp -- anywhere anywhere tcp spt:domain state ESTABLISHED
>>>         ACCEPT udp -- anywhere anywhere udp spt:domain state ESTABLISHED
>>>         ACCEPT udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
>>>         ACCEPT tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
>>>         ACCEPT udp -- anywhere anywhere udp spt:microsoft-ds state RELATED,ESTABLISHED
>>>         ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds state RELATED,ESTABLISHED
>>>
>>>
>>>         Note! I have the profiles configured with server copies of 
>>> the
>>>         home directories! That's the reason for the necessary
>>>         read/write possibility. When I log in with a client, the
>>>         client looks
>>>         for the server home directory. When a client logs out, the client
>>>         synchronizes the local home directory to the AD server.
>>>         Without the
>>>         running firewall on the AD it works perfectly. With the running
>>>         firewall I
>>>         get the message on login that the client can't read the
>>>         home directory
>>>         and when I log out, that the client can't synchronize the
>>>         home directory.
>>>         The domain login is always successful.
>>>
>>>         Thanks in advance!
>>>
>>>         Bert
>>>
>>>
>>>
>>>
>>>
>>>         --         To unsubscribe from this list go to the following 
>>> URL and
>>>         read the
>>>         instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>
>
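The rulesets in this thread list every service port twice, once in INPUT with NEW and once in OUTPUT with ESTABLISHED, and they find the "one more port" by bisecting port ranges. The script below is an added example, not code from the thread or from the Samba project: it builds a LAN-only iptables ruleset for a Samba4 AD DC in which a single conntrack rule per direction replaces all the per-port OUTPUT rules, and it checks the DC's own listener table (a constructed netstat excerpt in the shape the thread shows, with a made-up rpcbind line on 111) for listening ports no INPUT rule admits. The LAN and DC addresses, the 1024:65535 dynamic RPC range, the global catalog ports 3268/3269 and the "echo iptables" dry-run default are assumptions; run with IPTABLES=/sbin/iptables as root to apply it.

```shell
#!/bin/sh
# Added example, not code from the thread: build a LAN-only iptables ruleset
# for a Samba4 AD DC and check it against the DC's own listener table.
# The addresses, the RPC range and the sample netstat lines are assumptions.
# Default is a dry run (rules are printed); IPTABLES=/sbin/iptables applies them.
IPTABLES="${IPTABLES:-echo iptables}"
RPC_RANGE="${RPC_RANGE:-1024:65535}"   # dynamic DCE/RPC ports handed out via 135

# AD DC service ports a domain member needs (3268/3269 are the global catalog).
AD_TCP="53 88 135 139 389 445 464 636 3268 3269"
AD_UDP="53 88 123 137 138 389 464"

samba_ad_rules() {
    lan="$1"; dc="$2"   # e.g. 192.168.0.0/24 and 192.168.0.2
    $IPTABLES -P INPUT DROP; $IPTABLES -P FORWARD DROP; $IPTABLES -P OUTPUT DROP
    $IPTABLES -F INPUT; $IPTABLES -F OUTPUT
    # samba, named and the local resolver talk over loopback; keep it open.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # One conntrack rule per direction accepts every reply packet, so the
    # per-port "--sport N --state ESTABLISHED" rules in OUTPUT are unnecessary.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -s "$lan" -d "$dc" -j ACCEPT
    # Only NEW has to be listed per service port, and only from the LAN.
    for p in $AD_TCP; do
        $IPTABLES -A INPUT -p tcp -s "$lan" -d "$dc" --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $AD_UDP; do
        $IPTABLES -A INPUT -p udp -s "$lan" -d "$dc" --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -p tcp -s "$lan" -d "$dc" --dport "$RPC_RANGE" -m state --state NEW -j ACCEPT
    # The DC opens connections too: DNS forwarding, NTP, and other DCs on the LAN.
    for p in 53 123; do
        $IPTABLES -A OUTPUT -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -d "$lan" -m state --state NEW -j ACCEPT
    # Log what is still dropped: the next missing port shows up in the kernel
    # log instead of having to be found by bisecting port ranges.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ad-dc drop: "
}

# Constructed "netstat -tlnp" excerpt in the shape the thread shows; the
# rpcbind line is made up to give the check something to find.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      1361/samba
tcp        0      0 192.168.0.1:53         0.0.0.0:*               LISTEN      1183/named
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1361/samba
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1183/named
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1346/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      1356/samba
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      700/rpcbind'

# Print each non-loopback TCP listening port from netstat-style input on stdin.
listening_tcp_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" && $4 !~ /^127\./ { sub(/.*:/, "", $4); print $4 }'
}

# Print listening TCP ports that no INPUT rule (service list or RPC range)
# admits; these are the candidates for the "one more port" in the thread.
uncovered_tcp_ports() {
    lo="${RPC_RANGE%:*}"; hi="${RPC_RANGE#*:}"
    listening_tcp_ports | while read -r port; do
        covered=0
        case " $AD_TCP " in *" $port "*) covered=1 ;; esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then covered=1; fi
        if [ "$covered" -eq 0 ]; then echo "$port"; fi
    done
}

samba_ad_rules "${LAN:-192.168.0.0/24}" "${DC_IP:-192.168.0.2}"
echo "listening tcp ports not covered by the ruleset:"
printf '%s\n' "$SAMPLE_NETSTAT" | uncovered_tcp_ports
```

Two checks worth running on the real box after applying such a ruleset: `iptables -L -v -n` shows the interface column that plain `iptables -L` hides, so an `ACCEPT all 0.0.0.0/0 0.0.0.0/0` line can be confirmed to be the loopback rule rather than an open door; and `netstat -tlnp` (or `ss -tlnp`) piped into `uncovered_tcp_ports` after narrowing RPC_RANGE shows which listeners, like the samba process on 1024 in the thread, fall outside the range you chose.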


