[Samba] Samba4 and iptables
nc-codewete at netcologne.de
Wed Feb 16 08:54:07 MST 2011
Hello list members,
I am still working on a perfect firewall configuration for a Samba4 AD, but
it seems to be tricky work. Maybe somebody has an idea about my mistake.
When I reset the firewall rules, everything works perfectly. The
network devices get connected and I can work with dsa.msc. But it
fails with the following rules:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.0.0/24 192.168.0.2 icmp type 8 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:53 state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:88 state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:88 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:123 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:135 state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:137 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:138 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:139 state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:389 state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:389 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:445 state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:445 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:464 state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:464 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:636 state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:1024:65535 state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpts:1024:65535 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:53 state ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:53 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:88 state ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:88 state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:123 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:135 state ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:137 state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:138 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:139 state ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:389 state ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:389 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:445 state ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:445 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:464 state ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:464 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:636 state ESTABLISHED
ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spts:1024:65535 state ESTABLISHED
ACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spts:1024:65535 state RELATED,ESTABLISHED
I think I have noted all important ports from the documentation. You
will see that I have opened the ports 1024:65535 for the local network,
so I guess that I have to open an additional port between 1 and 1023!?
Maybe I have a mistake in the state rules?? If I do not set --sport and
--dport for the clients, I believe that the clients can use the
ports 1:65535??
Best regards
Bert
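A check that the rule dumps in this thread invite, added here as example code (it is not from the list post or from Samba): it parses `iptables -L -n` output, compares the INPUT chain against the AD DC ports the thread lists, and flags ports whose rules accept only RELATED,ESTABLISHED, because a client's first packet (the TCP SYN) is NEW and would fall through to the DROP policy. The sample listing is constructed from the rules in the oldest quoted message; `REQUIRED_PORTS`, `parse_input_chain` and `audit` are my own names.

```python
import re
# Ports a Samba 4 AD DC serves to domain members, as assembled in this thread
# (plus the global catalog 3268/3269, which dsa.msc also queries).
REQUIRED_PORTS = {("tcp", p) for p in (53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269)} \
    | {("udp", p) for p in (53, 88, 123, 137, 138, 389, 464)}
_CHAIN = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
_PORT = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")
_STATE = re.compile(r"\b(?:ct)?state (\S+)")


def parse_input_chain(listing):
    """INPUT chain of `iptables -L -n` text as (policy, [(proto, target, lo, hi, states)]).
    'all' rules are skipped: -L without -v hides the interface, so an '-i lo' catch-all would look like coverage."""
    policy, rules, in_input = "ACCEPT", [], False
    for line in listing.splitlines():
        m = _CHAIN.match(line)
        if m:
            in_input = m.group(1) == "INPUT"
            policy = m.group(2) if in_input else policy
            continue
        f = line.split()
        if not in_input or len(f) < 5 or f[0] == "target" or f[1] not in ("tcp", "udp"):
            continue
        pm, sm = _PORT.search(line), _STATE.search(line)
        lo, hi = (int(pm.group(1)), int(pm.group(2) or pm.group(1))) if pm else (0, 65535)
        # No state match at all means the rule matches every packet, NEW included.
        states = set(sm.group(1).split(",")) if sm else {"NEW", "ESTABLISHED"}
        rules.append((f[1], f[0], lo, hi, states))
    return policy, rules


def audit(listing):
    """missing: required ports without an ACCEPT rule while the policy is not ACCEPT;
    no_new: ports whose ACCEPT rules all lack NEW, so a client's first packet (TCP SYN) hits the policy."""
    policy, rules = parse_input_chain(listing)
    missing, no_new = [], []
    for proto, port in sorted(REQUIRED_PORTS):
        hits = [r for r in rules
                if r[1] == "ACCEPT" and r[0] == proto and r[2] <= port <= r[3]]
        if not hits and policy != "ACCEPT":
            missing.append((proto, port))
        elif hits and not any("NEW" in r[4] for r in hits):
            no_new.append((proto, port))
    return missing, no_new


# Constructed `iptables -L -n` rendering of the INPUT rules in the oldest message of this thread.
SAMPLE = """Chain INPUT (policy DROP)
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:53 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpts:137:139 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:445 state RELATED,ESTABLISHED
"""
```

Run it against `iptables -L -n` from the DC; a port reported in `no_new` explains a service that works with the firewall off and silently fails with it on.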
On 14.02.2011 22:30, nc-codewete at netcologne.de wrote:
> ... I found a very interesting thread ->
> <http://art.ubuntuforums.org/showthread.php?p=9599313>
>
> Regards
>
> Bert
>
>
> On 14.02.2011 22:05, tms3 at tms3.com wrote:
>>
>>> Hello tms3 and list members,
>>>
>>> many thanks for your help. I spent a lot of time configuring my
>>> firewall.
>>>
>>> I opened all ports listed here
>>> <http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx>,
>>> but at first without success. I don't know why, but
>>> port 1024
>> That's a DCOM port. I wouldn't have thought that one was necessary.
>> Maybe a question as to why on technical is in order.
>>> seems to be very important. I found this port step by step with smaller
>>> and smaller port ranges.
>>>
>>> After I had opened this port I was able to logon the domain.
>>>
>>> netstat gives me the following result:
>>>
>>> ...
>>> tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 1361/samba
>>> ...
>>> tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 1183/named
>>> ...
>>> tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 1361/samba
>>> ...
>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1183/named
>>> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1356/samba
>>> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1343/samba
>>> ...
>>> tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1346/samba
>>> tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 1356/samba
>>> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1356/samba
>>> tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 1346/samba
>>> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1343/samba
>>>
>>> I tested this with one WinXP client and tomorrow I will start a test
>>> with more clients.
>>>
>>>
>>> I hope this will help somebody to make the server a little bit more
>>> secure.
>>>
>>>
>>> Regards
>>>
>>> Bert
>>>
>>>
>>>
>>>
>>> On 10.02.2011 15:53, tms3 at tms3.com wrote:
>>>
>>> Hello everybody,
>>>
>>> I have a running installation of Samba4 as AD. All is
>>> working fine,
>>> but when I start the firewall, the clients have problems
>>> logging in.
>>>
>>> In my firewall rules from the past, I had opened the ports
>>> 137:139 and
>>> 445 for Samba and, new for bind, port 53.
>>>
>>> Kerberos is on port 88
>>>
>>> LDAP is on 339 636
>>>
>>> Here is a list of AD port requirements and their uses.
>>>
>>> http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
>>>
>>> The clients (WinXP) seem to have problems reading and writing
>>> from/to the
>>> home directories. Maybe Samba4 needs additional or other ports
>>> to work
>>> fine?
>>>
>>> Here are my current iptables rules:
>>>
>>> IPTABLES=/sbin/iptables
>>>
>>> #Bind
>>> $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
>>> $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>>>
>>> $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
>>> $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>>>
>>> #Samba
>>> $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
>>> $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>> $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
>>> $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>> $IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
>>> $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>> $IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>> $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>>>
>>>
>>> iptables --list
>>>
>>> ACCEPT tcp -- anywhere anywhere tcp spt:domain state ESTABLISHED
>>> ACCEPT udp -- anywhere anywhere udp spt:domain state ESTABLISHED
>>> ACCEPT udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
>>> ACCEPT tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
>>> ACCEPT udp -- anywhere anywhere udp spt:microsoft-ds state RELATED,ESTABLISHED
>>> ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds state RELATED,ESTABLISHED
>>>
>>>
>>> Note! I have the profiles configured with server copies of
>>> the
>>> home directories! That's the reason for the necessary
>>> read/write possibility. When I log in with a client, the
>>> client looks
>>> for the server home directory. When a client logs out, the client
>>> synchronizes the local home directory to the AD server.
>>> Without the
>>> running firewall on the AD it works perfectly. With the running
>>> firewall I
>>> get the message on login that the client can't read the
>>> home directory,
>>> and when I log out, that the client can't synchronize the
>>> home directory.
>>> The domain login is always successful.
>>>
>>> Thanks in advance!
>>>
>>> Bert