[Samba] Samba4 and iptables
Kevin Field
kev at brantaero.com
Thu Aug 15 15:15:20 MDT 2013
Thanks for your help, Thomas.
I think it was the missing "state" part of some of the lines. When I
use your example, it replicates, even in both directions this time!
Which is quite odd, since without iptables running, I still had problems
getting my Samba test user to replicate over to the Windows DC.
Also, in case it helps anyone else who is not using NetBIOS: even if I
cut the NetBIOS ports, it still works fine. Same with the SSL ports. So
now I have, for the main part of it:
-A INPUT -m comment --comment "DNS" -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "DNS" -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "End Point Mapper (DCE/RPC Locator Service)" -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "SMB" -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "RPC" -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -m comment --comment "Global Catalog" -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
Just tested adding a second user and it replicated immediately.
Yay!
Thanks again,
Kev
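The rules above only ACCEPT packets in state NEW, so they work only if the chain also accepts ESTABLISHED,RELATED traffic somewhere; that is the piece a copy-and-paste of the list alone leaves out. The script below is an added example (not Kevin's ruleset and not anything shipped by the Samba project) that generates a complete iptables-restore ruleset for a Samba AD DC from a port table, including that stateful scaffolding, an optional source-network restriction, and a check function for verifying that a required port list is covered before loading it. The port table, the `RPC_DYN_RANGE` default, the `LAN_SRC` variable and the file name `samba-dc-fw.sh` are assumptions for a hypothetical DC, not values from the post.

```shell
#!/bin/sh
# Added example, not Kevin's ruleset: build an iptables-restore(8) ruleset for a
# Samba AD DC from a port table, including the stateful scaffolding that the
# per-port "NEW" rules silently depend on. Port table and RPC range are
# assumptions for a hypothetical DC; edit them for your site.

# "proto port comment" per line (constructed list; no NetBIOS 137-139, like the post).
SAMBA_DC_PORTS='
tcp 53 DNS
udp 53 DNS
tcp 88 Kerberos
udp 88 Kerberos
tcp 135 End Point Mapper (DCE/RPC Locator Service)
tcp 389 LDAP
udp 389 LDAP (CLDAP)
tcp 445 SMB
tcp 464 Kerberos kpasswd
udp 464 Kerberos kpasswd
tcp 636 LDAPS
tcp 3268 Global Catalog
tcp 3269 Global Catalog SSL
'

# Dynamic DCE/RPC endpoints (replication, LSA/SAMR) land on a whole port range,
# not on a single port. The default below is a placeholder assumption; match it
# to what your Samba actually uses ("rpc server dynamic port range" in newer releases).
RPC_DYN_RANGE="${RPC_DYN_RANGE:-1024:1300}"

# Optional source restriction, e.g. LAN_SRC=10.0.0.0/24: AD ports should not be
# reachable from arbitrary networks.
LAN_SRC="${LAN_SRC:-}"

gen_dc_rules() {
  # Emit a complete *filter table on stdout, suitable for iptables-restore.
  src=""
  if [ -n "$LAN_SRC" ]; then src="-s $LAN_SRC "; fi
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # The per-port rules match only NEW connections, so without this rule no reply
  # packet ever gets back in; this is the "state" part the post found missing.
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'
  printf '%s\n' "$SAMBA_DC_PORTS" | while read -r proto port comment; do
    [ -z "$proto" ] && continue
    printf '%s\n' "-A INPUT ${src}-m comment --comment \"$comment\" -p $proto -m conntrack --ctstate NEW -m $proto --dport $port -j ACCEPT"
  done
  printf '%s\n' "-A INPUT ${src}-m comment --comment \"DCE/RPC dynamic\" -p tcp -m conntrack --ctstate NEW -m tcp --dport $RPC_DYN_RANGE -j ACCEPT"
  printf '%s\n' 'COMMIT'
}

# Return 0 if the generated ruleset accepts NEW connections to proto/port.
rule_accepts() {
  gen_dc_rules | grep -q -- "-p $1 -m conntrack --ctstate NEW -m $1 --dport $2 -j ACCEPT"
}

# Print the entries of a "proto port" list that the ruleset does NOT accept,
# so a required-port list can be checked before the rules are loaded.
missing_rules() {
  printf '%s\n' "$1" | while read -r proto port; do
    [ -z "$proto" ] && continue
    rule_accepts "$proto" "$port" || printf '%s %s\n' "$proto" "$port"
  done
}

case "${1:-}" in
  print) gen_dc_rules ;;            # sh samba-dc-fw.sh print | iptables-restore
  check) missing_rules "$(cat)" ;;  # printf 'tcp 88\nudp 137\n' | sh samba-dc-fw.sh check
esac
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the post; both exist and behave the same for NEW and ESTABLISHED,RELATED. The ruleset covers only traffic arriving at the Samba DC; OUTPUT is left at ACCEPT so the DC's own outbound replication to the Windows DC is unaffected, and whatever the Windows side accepts inbound is a separate matter for its firewall.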