[Samba] Samba 4 DC Firewall settings

Thomas Simmons twsnnva at gmail.com
Sun Mar 24 08:17:58 MDT 2013


>
>
> On Mar 24, 2013 7:04 AM, "steve" <steve at steve-ss.com> wrote:
>
> > Samba 4.0.4 on openSUSE 12.3
> > Hi everyone.
> >
> > Does anyone have a list of ports which have to be open to allow full DC
> > operation?
> >
> > I'm no expert in firewalls and only have Yast at my disposal to configure
> > it. I've tried opening samba server and DNS server ports via Yast but I
> > must be missing something because I have to turn off the firewall to e.g.
> > join a Windows client to the domain. Maybe Yast isn't the right tool?
> >
> > Cheers,
> > Steve
>
>
Hello Steve,

I have the following exceptions. Most of this came from netstat and
monitoring traffic. A few were picked up in Microsoft documentation, though
I've not seen my DC actually use them. Take special note of the last entry.
It is my understanding that Samba4 uses 1024 by default; however, if that
port is not available it will use 1025, 1026, etc. until it finds an open
port.

iptables -A INPUT -p tcp --dport 389 -j ACCEPT # LDAP
iptables -A INPUT -p udp --dport 389 -j ACCEPT # LDAP (UDP)
iptables -A INPUT -p tcp --dport 636 -j ACCEPT # LDAPS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS (TCP)
iptables -A INPUT -p udp --dport 53 -j ACCEPT # DNS (UDP)
iptables -A INPUT -p tcp --dport 88 -j ACCEPT # Kerberos (TCP)
iptables -A INPUT -p udp --dport 88 -j ACCEPT # Kerberos (UDP)
iptables -A INPUT -p tcp --dport 464 -j ACCEPT # Kerberos Password (TCP)
iptables -A INPUT -p udp --dport 464 -j ACCEPT # Kerberos Password (UDP)
iptables -A INPUT -p tcp --dport 135 -j ACCEPT # RPC
iptables -A INPUT -p udp --dport 137 -j ACCEPT # NetBIOS Name Service
iptables -A INPUT -p udp --dport 138 -j ACCEPT # NetBIOS Datagram Service
iptables -A INPUT -p tcp --dport 139 -j ACCEPT # NetBIOS Session Service
iptables -A INPUT -p tcp --dport 445 -j ACCEPT # MS Directory Service
iptables -A INPUT -p tcp --dport 3268 -j ACCEPT # MS Global Catalog
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # DCOM *note this port is not static*
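The rule list above opens each port to the whole world and hard-codes a single RPC port. The script below is an added example, not part of the original post or of Samba itself: it generates the same ruleset restricted to one LAN prefix, covers the dynamic RPC port range as a range instead of one port, adds TCP 3269 (Global Catalog over SSL) to the list, and includes a check that reads the DC's listening sockets and reports any that the ruleset would not accept. The LAN prefix (192.168.1.0/24), the RPC range default (1024:1300, which should be replaced by whatever `rpc server dynamic port range` is set to on Samba 4.7 and later) and the listener sample are assumptions/constructed data.

```shell
#!/bin/sh
# Added example (not from the original post): build a source-restricted
# iptables ruleset for a Samba 4 AD DC and check a listener list against it.

DC_TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269"
DC_UDP_PORTS="53 88 137 138 389 464"
# Assumed dynamic RPC range; set to the value of `rpc server dynamic port range`
# on Samba >= 4.7 (default there is 49152:65535) or 1024:1300 on older builds.
RPC_RANGE="${RPC_RANGE:-1024:1300}"
# Assumed LAN; clients outside this prefix are not allowed to reach the DC.
LAN="${LAN:-192.168.1.0/24}"

# Print one ACCEPT rule per port, restricted to $LAN. Prints instead of
# executing so the rules can be reviewed first; pipe to sh to apply them.
gen_rules() {
  for p in $DC_TCP_PORTS; do
    echo "iptables -A INPUT -s $LAN -p tcp --dport $p -j ACCEPT"
  done
  for p in $DC_UDP_PORTS; do
    echo "iptables -A INPUT -s $LAN -p udp --dport $p -j ACCEPT"
  done
  # Dynamic RPC endpoints: allow the whole configured range, not a single port.
  echo "iptables -A INPUT -s $LAN -p tcp --dport $RPC_RANGE -j ACCEPT"
}

# is_allowed PROTO PORT -> exit 0 if the generated ruleset would accept it.
is_allowed() {
  proto=$1; port=$2
  case $proto in
    tcp) list=$DC_TCP_PORTS ;;
    udp) list=$DC_UDP_PORTS ;;
    *) return 1 ;;
  esac
  for p in $list; do
    [ "$p" = "$port" ] && return 0
  done
  if [ "$proto" = tcp ]; then
    lo=${RPC_RANGE%:*}; hi=${RPC_RANGE#*:}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
  fi
  return 1
}

# Read "proto port" pairs on stdin and print the ones the ruleset would drop.
# On the DC, produce the pairs from the live socket table with:
#   ss -lntu | awk 'NR>1 {n=split($5,a,":"); print $1, a[n]}'
uncovered() {
  while read -r proto port; do
    [ -z "$proto" ] && continue
    is_allowed "$proto" "$port" || echo "$proto $port"
  done
}

# Constructed sample of what the awk pipeline above might print; not real
# output from any DC. Includes one RPC port outside the assumed range and ssh.
sample_listeners() {
  cat <<'EOF'
udp 53
tcp 53
tcp 88
udp 88
tcp 135
tcp 389
tcp 445
tcp 636
tcp 3268
tcp 3269
tcp 1024
tcp 49152
tcp 22
EOF
}

# Usage:  sh dc-fw.sh gen | sh
#         ss -lntu | awk 'NR>1 {n=split($5,a,":"); print $1, a[n]}' | sh dc-fw.sh check
case "${1:-}" in
  gen)   gen_rules ;;
  check) uncovered ;;
esac
```

Running the check against the constructed sample reports `tcp 49152` and `tcp 22`: the first means the assumed RPC range does not match what the DC actually allocates and must be corrected before the firewall is enabled, the second is simply a listener (ssh) that this ruleset deliberately does not cover and needs its own rule if remote administration is wanted.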

