[Samba] Samba4 on CentOS 6.3 - IPTABLES how-to???

Stephen Jones lloydsystems at fastmail.com.au
Mon Nov 26 10:46:09 MST 2012


Hi,

Here is an extract from my post on installing Samba4 on CentOS6.  I have
iptables working - I used netstat and Wireshark to monitor the packets.
-----
The ports needed are:
53, TCP & UDP (DNS)
88, TCP & UDP (Kerberos authentication)
135, TCP (MS RPC)
137, UDP (NetBIOS name service)
138, UDP (NetBIOS datagram service)
139, TCP (NetBIOS session service)
389, TCP & UDP (LDAP)
445, TCP (MS-DS AD)
464, TCP & UDP (Kerberos change/set password)
1024, TCP (this is a strange one but AD is using it)

Add these to iptables:
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -p tcp --dport 135 -j ACCEPT
# iptables -A INPUT -p tcp --dport 88 -j ACCEPT
# iptables -A INPUT -p udp --dport 88 -j ACCEPT
# iptables -A INPUT -p tcp --dport 464 -j ACCEPT
# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p udp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
-----
Looking at your rules, they are close to this.  I believe it's the
missing RPC (135) that's blocking RSAT.

Cheers,

Stephen Jones
Lloyd Systems Engineering
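The port list above turned into a LAN-restricted, default-deny rule set, as an added example that is not part of the original post: it assumes the LAN is 192.168.1.0/24 (change LAN_NET), keeps the `-m state --state NEW` form from Andreas's rules, and only prints the rules unless asked to apply them.

```shell
#!/bin/sh
# Added example: build iptables rules for a Samba4 AD DC from the port list in the post.
# Assumption (not in the post): the DC serves clients on 192.168.1.0/24.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Port list from the post as "port/proto"; "both" means TCP and UDP.
# 1024/tcp is kept exactly as the post lists it.
SAMBA_AD_PORTS="53/both 88/both 135/tcp 137/udp 138/udp 139/tcp 389/both 445/tcp 464/both 1024/tcp"

# Emit one -A INPUT rule per port/protocol, accepting NEW connections only from LAN_NET.
samba_ad_rules() {
    spec=""; port=""; proto=""; protos=""; p=""
    for spec in $SAMBA_AD_PORTS; do
        port=${spec%/*}
        proto=${spec#*/}
        if [ "$proto" = both ]; then protos="tcp udp"; else protos=$proto; fi
        for p in $protos; do
            printf -- '-A INPUT -s %s -p %s -m %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$LAN_NET" "$p" "$p" "$port"
        done
    done
}

# Complete iptables-restore fragment: INPUT defaults to DROP, loopback and
# established traffic are allowed first, then the Samba/AD ports from above.
samba_ad_ruleset() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    samba_ad_rules
    printf 'COMMIT\n'
}

# Usage: ./samba-ad-fw.sh --print   (review)   or   ./samba-ad-fw.sh --apply   (as root)
case "${1:-}" in
    --print) samba_ad_ruleset ;;
    --apply) samba_ad_ruleset | iptables-restore ;;
esac
```

Run it with --print first and compare against the output of `iptables -S INPUT` on the DC; every port in the list should appear exactly once per protocol.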



On Tue, Nov 27, 2012, at 12:39 AM, Andreas Krupp wrote:
> Hello,
> 
> I do apologize if this is something that was already discussed somewhere
> else... but for now I was not able to find the appropriate How-To.
> Would anybody know what the IPTABLES entries are to have working Samba4
> Domain Controller?
> I tried the following:
> 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m
> state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state
> --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -p udp -m udp --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp --dport 138 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
> 
> With the above I was not able to connect via remote Administration tools
> to the Active Directory Service.
> Does anybody have a comprehensive list of ports/protocols one has to
> "open" in IPTABLES to get DNS, Samba, Fileshares, Active Directory, etc.
> working?
> 
> Cheers & thank you very much for your help!
> Best,
> Andreas
> 
