[Samba] samba4 AD - strange slowness after enable iptables based firewall

Adam Sienkiewicz adamsienkiewicz78 at gmail.com
Tue May 21 05:36:29 MDT 2013


Hi; I successfully ran AD on Samba4 software. All functions required by me
work properly, but when I turn on the firewall my environment gets
very slow - the logon process is 3 times longer than on a system
with the firewall service disabled. Below I pasted my firewall
configuration - I based it on the Samba tutorial and examples and the official
Microsoft web page with the needed ports:

Have you had similar problems after firewall implementations?

# flush all rules and delete user-defined chains
iptables -F
iptables -X

# default policy: drop anything not explicitly accepted
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# kernel hardening sysctls (note: icmp_echo_ignore_all=1 makes the kernel
# drop every echo request before the echo-request ACCEPT rule below is reached)
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# loopback and ping; the state rule accepts NEW as well as reply traffic,
# so it matches every inbound packet before the per-port rules below
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# SSH, DNS, mDNS, Kerberos, RPC endpoint mapper, NetBIOS, LDAP/LDAPS, SMB,
# kpasswd, DFSR, NTP, global catalog, dynamic RPC ranges, AD web services
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p udp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p udp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p udp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
iptables -A INPUT -p tcp --dport 5722 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p tcp --dport 3268:3269 -j ACCEPT
iptables -A INPUT -p tcp --dport 1025:5000 -j ACCEPT
iptables -A INPUT -p udp --dport 1025:5000 -j ACCEPT
iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 9389 -j ACCEPT

# explicit final drop (same effect as the INPUT policy)
iptables -A INPUT -j DROP

# OUTPUT: allow everything except INVALID packets, log and drop the rest
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
iptables -A OUTPUT -j LOG --log-level debug --log-prefix "IPT OUTPUT: "
iptables -A OUTPUT -j DROP
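Added example, not code from the post: a POSIX shell checker (assumed helper names `catch_all_new_pos`, `dead_port_rules`, `icmp_sysctl_conflict`, `hardened_input_rules`) that reads a script like the one above as text and reports the two ordering problems a reviewer would look at first, then prints the rule order that actually enforces the port list.

```shell
#!/bin/sh
# Added checker with assumed function names; not from the original post.
# Flags an INPUT rule that accepts --state NEW with no protocol/port match
# placed ahead of the per-port rules (those rules then never see a NEW
# packet), and icmp_echo_ignore_all=1 overriding the echo-request ACCEPT.
# Constructed excerpt with the same structure as the posted script.
SAMPLE='/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -j DROP'

# Ordinal of the first INPUT ACCEPT that matches state NEW without any
# -p / --dport / --icmp-type restriction; 0 when there is none.
catch_all_new_pos() {
  printf '%s\n' "$1" | awk '
    /^iptables -A INPUT/ { n++ }
    /^iptables -A INPUT/ && /--state [A-Z,]*NEW/ && /-j ACCEPT/ && !/-p / && !/--dport/ && !/--icmp-type/ { print n; found = 1; exit }
    END { if (!found) print 0 }'
}

# Number of --dport ACCEPT rules in INPUT placed after that catch-all.
dead_port_rules() {
  pos=$(catch_all_new_pos "$1")
  printf '%s\n' "$1" | awk -v pos="$pos" '
    /^iptables -A INPUT/ { n++ }
    pos > 0 && /^iptables -A INPUT/ && n > pos && /--dport/ && /-j ACCEPT/ { d++ }
    END { print d + 0 }'
}

# True when the kernel is told to ignore every echo request while a rule
# still accepts them: ping stays dead whatever the chain says.
icmp_sysctl_conflict() {
  printf '%s\n' "$1" | grep -q 'echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all' &&
    printf '%s\n' "$1" | grep -q -- '--icmp-type echo-request -j ACCEPT'
}

# Ordering that enforces the port list: replies first, then NEW connections
# only to the given "proto:port" (or "proto:first:last") specs.
hardened_input_rules() {
  echo 'iptables -A INPUT -i lo -j ACCEPT'
  echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for spec in "$@"; do
    echo "iptables -A INPUT -p ${spec%%:*} --dport ${spec#*:} -m state --state NEW -j ACCEPT"
  done
  echo 'iptables -A INPUT -j DROP'
}
```

Run the checker against the full posted script by passing its contents as `$1`; the hardened output is meant to be reviewed, then applied in place of the per-port block.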

