[Samba] Samba 4 DC Firewall settings

steve steve at steve-ss.com
Mon Mar 25 22:22:48 MDT 2013

On 24/03/13 15:17, Thomas Simmons wrote:
>> On Mar 24, 2013 7:04 AM, "steve" <steve at steve-ss.com> wrote:
>>> Samba 4.0.4 on openSUSE 12.3
>>> Hi everyone.
>>> Does anyone have a list of ports which have to be open to allow full DC
>>> operation?
>>> I'm no expert in firewalls and only have Yast at my disposal to configure
>>> it. I've tried opening samba server and DNS server ports via Yast but I
>>> must be missing something because I have to turn off the firewall to e.g.
>>> join a Windows client to the domain. Maybe Yast isn't the right tool?
>>> Cheers,
>>> Steve
> Hello Steve,
> I have the following exceptions. Most of this came from netstat and
> monitoring traffic. A few were picked up in Microsoft documentation, though
> I've not seen my DC actually use them. Take special note of the last entry.
> It is my understanding that Samba4 uses 1024 by default, however if that
> port is not available it will use 1025, 1026, etc until it finds an open
> port.
> iptables -A INPUT -p tcp --dport 389 -j ACCEPT # LDAP
> iptables -A INPUT -p udp --dport 389 -j ACCEPT # LDAP (UDP)
> iptables -A INPUT -p tcp --dport 636 -j ACCEPT # LDAPS
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS (TCP)
> iptables -A INPUT -p udp --dport 53 -j ACCEPT # DNS (UDP)
> iptables -A INPUT -p tcp --dport 88 -j ACCEPT # Kerberos (TCP)
> iptables -A INPUT -p udp --dport 88 -j ACCEPT # Kerberos (UDP)
> iptables -A INPUT -p tcp --dport 464 -j ACCEPT # Kerberos Password (TCP)
> iptables -A INPUT -p udp --dport 464 -j ACCEPT # Kerberos Password (UDP)
> iptables -A INPUT -p tcp --dport 135 -j ACCEPT # RPC
> iptables -A INPUT -p udp --dport 137 -j ACCEPT # NetBIOS Name Service
> iptables -A INPUT -p udp --dport 138 -j ACCEPT # NetBIOS Datagram Service
> iptables -A INPUT -p tcp --dport 139 -j ACCEPT # NetBIOS Session Service
> iptables -A INPUT -p tcp --dport 445 -j ACCEPT # MS Directory Service
> iptables -A INPUT -p tcp --dport 3268 -j ACCEPT # MS Global Catalog
> iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # DCOM *note this port is not static*
Hi Thomas
Thanks. I've now got traffic through to the DC with the firewall 
activated. The only thing I'm not sure of is the 1024. I have it set but 
in (a few brief) tests, I've not seen wireshark mention it.
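The following is an added example, not code from the thread's posters or from the Samba project. It takes the fixed ports from the ruleset quoted above and does two things a DC admin would want: emit an iptables INPUT policy that accepts those ports only from one trusted subnet (the quoted rules accept from any source), with a separate rule for the non-static RPC range the thread warns about, and compare the allow-list against an `ss -lntu` listing so rules that open ports nothing listens on can be spotted. `LAN_NET`, the dynamic range `49152 65535` and the socket listing are assumptions constructed for the example, not values from the original post.

```shell
#!/bin/sh
# Added example: subnet-scoped firewall rules for a Samba 4 DC and a check
# for allow-list entries nobody is listening on. Not Samba project code.

# proto/port pairs taken from the ruleset quoted in the thread
DC_PORTS='tcp 53
udp 53
tcp 88
udp 88
tcp 135
udp 137
udp 138
tcp 139
tcp 389
udp 389
tcp 445
tcp 464
udp 464
tcp 636
tcp 3268'

# gen_rules LAN_NET DYN_LOW DYN_HIGH
# Print iptables commands: default-drop INPUT, allow loopback and replies,
# allow each fixed DC port only from LAN_NET, then allow the dynamic RPC
# range (the "1024 is not static" caveat) only from LAN_NET.
gen_rules() {
    lan="$1"; low="$2"; high="$3"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$DC_PORTS" | while read -r proto port; do
        echo "iptables -A INPUT -s $lan -p $proto --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -s $lan -p tcp --dport $low:$high -j ACCEPT"
}

# unused_rules  (reads "ss -lntu" output on stdin)
# Print allow-list entries (proto port) with no listening socket: each one
# is an open door in the firewall that the DC is not using.
unused_rules() {
    # column 1 is the protocol, column 5 is addr:port; keep the last ':' field
    listening=$(awk 'NR>1 { n = split($5, a, ":"); print $1, a[n] }')
    echo "$DC_PORTS" | while read -r proto port; do
        echo "$listening" | grep -qx "$proto $port" || echo "$proto $port"
    done
}

# Constructed sample listing (not captured from a real DC): LDAP, Kerberos,
# SMB and DNS are listening; NetBIOS, kpasswd, LDAPS and GC ports are not.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      10     0.0.0.0:389       0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:88        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:88        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*'

# Assumed subnet and dynamic range; confirm the range your DC actually uses.
gen_rules 192.168.1.0/24 49152 65535
echo "--- allow-list entries with no listener (sample data) ---"
echo "$SAMPLE_SS" | unused_rules
```

Run on a real DC, replace the sample with `ss -lntu | unused_rules`; an entry that shows up there is a rule you can drop, and a port that is listening but absent from `DC_PORTS` (the reverse check) is what you would capture with wireshark, as done in the thread, before deciding whether to add it.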
