[Samba] Samba4 and iptables

Thomas Harold thomas-lists at nybeta.com
Thu Aug 15 10:31:54 MDT 2013


On 8/15/2013 10:36 AM, Kevin Field wrote:
> Hi everyone,
>
> I had posted recently about getting Samba4 to work on CentOS 6.4 but
> having changes only replicating in one direction, from the Win2k3 AD but
> not back to it.  I solved the problem, this time, by disabling iptables.
>   I find it a bit hard to understand.  These are the rules I have set up:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [52:5888]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
> -A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
> -A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
> -A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
> -A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>

https://wiki.samba.org/index.php/Configure_your_firewall

Are you missing UDP port 137-138 (and possibly a few others) in your 
IPTables?

Also, try looking at the output of the following to check for ports in use:

# netstat -taunp | egrep "tcp.*LISTEN|udp" | egrep "samba|smbd"

One of our internal Samba servers has the following in 
/etc/sysconfig/iptables.  You won't need the NFSCHECK chains unless you 
are also using NFS.

# Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6932]
:NFSCHECK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j NFSCHECK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -j RETURN
COMMIT
# Completed on Fri May 24 21:51:36 2013
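Added example (not from either poster): a small script that parses an iptables-save ruleset and reports which of the ports the working ruleset above opens for Samba are still closed in the original poster's ruleset. The "required" set is lifted from the reply's ruleset (minus SSH, CUPS and NFS), not from Samba's documentation, and the embedded sample is the first message's INPUT chain with the line wrapping undone.

```python
import shlex
# Constructed sample: INPUT rules from the first message above, unwrapped.
ORIGINAL_RULES = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Ports the working ruleset in the reply opens for Samba (SSH, CUPS and NFS
# left out); taken from that ruleset, not from Samba's documentation.
SAMBA_DC_PORTS = {
    ("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135),
    ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 389), ("udp", 389),
    ("tcp", 445), ("tcp", 464), ("udp", 464), ("tcp", 636), ("tcp", 1024),
    ("tcp", 3268), ("tcp", 3269), ("tcp", 5353), ("udp", 5353),
}

def _ports(spec):
    """Expand a --dport/--dports value such as '53', '137:138' or '2049,111'."""
    return [p for part in spec.split(",") for lo, _, hi in [part.partition(":")]
            for p in range(int(lo), int(hi or lo) + 1)]

def accepted_ports(ruleset, chain="INPUT"):
    """Return the (proto, port) pairs that ACCEPT rules in `chain` open."""
    opened = set()
    for line in ruleset.splitlines():
        argv = shlex.split(line)  # keeps a quoted --comment as one token
        target = argv[argv.index("-j") + 1] if "-j" in argv else None
        if argv[:2] != ["-A", chain] or target != "ACCEPT":
            continue
        proto, ports = None, []
        for i, tok in enumerate(argv):
            if tok == "-p":
                proto = argv[i + 1]
            elif tok in ("--dport", "--dports"):
                ports += _ports(argv[i + 1])
        if proto in ("tcp", "udp"):
            opened.update((proto, p) for p in ports)
    return opened

def missing_ports(ruleset):
    return sorted(SAMBA_DC_PORTS - accepted_ports(ruleset))
```

Running `missing_ports(ORIGINAL_RULES)` lists udp/137 and udp/138 along with tcp/135 (the original ruleset only opens 135 on UDP), which is the kind of gap the reply points at.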
