[Samba] Firewall trouble?

Ryan Ashley ryana at reachtechfp.com
Mon Dec 28 15:33:53 UTC 2015


I recently tried adding a firewall to my Samba 4 server using the port
information I found on the wiki. Below is a dump of the resulting rules.

root at dc01:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT

As you can see, I try to prevent brute-force attacks on SSH, but
accept data, both TCP and UDP, on the ports specified by the wiki
article. However, when this firewall is on my AD DC server, logins
take eons, everything is SLOW on workstations, and sometimes
authentications just plain fail. Why?
-- 
Lead IT/IS Specialist
Reach Technology FP, Inc
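A check worth running on a dump like the one above before guessing at the cause, added here as an example and not part of the thread: parse the `iptables -S` output and list which destination ports an ACCEPT rule actually admits for new connections, per protocol, then compare against a list of ports you expect. The list passed in below is made only of port numbers that already appear in the dump (not a claimed complete AD DC port list); note that 389 appears only in the udp rule.

```python
import re
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]
# Constructed sample: the iptables -S dump from the post, with the PGP
# dash-escapes removed and wrapped rule lines rejoined (port-less rules
# such as gre/esp/ah and icmp are trimmed; the check ignores them anyway).
RULES_DUMP = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT
"""

def _parse_ports(spec: str) -> List[PortRange]:
    """'22,1024:5000' -> [(22, 22), (1024, 5000)]"""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def accepted_new_ports(dump: str, chain: str = "INPUT") -> Dict[str, List[PortRange]]:
    """Destination ports that an ACCEPT rule in `chain` admits, per protocol.
    Only rules carrying --dport/--dports count; DROP/REJECT rules and
    port-less rules (conntrack, loopback, gre/esp/ah) are ignored."""
    accepted: Dict[str, List[PortRange]] = {}
    for line in dump.splitlines():
        if not line.startswith(f"-A {chain} ") or not line.rstrip().endswith("-j ACCEPT"):
            continue
        proto = re.search(r"-p (\w+)", line)
        ports = re.search(r"--dports? (\S+)", line)
        if proto and ports:
            accepted.setdefault(proto.group(1), []).extend(_parse_ports(ports.group(1)))
    return accepted

def is_accepted(dump: str, proto: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in accepted_new_ports(dump).get(proto, []))

def missing(dump: str, required: Dict[str, List[int]]) -> List[str]:
    """'proto/port' entries of `required` that no ACCEPT rule in the dump covers."""
    return [f"{p}/{n}" for p, nums in required.items() for n in nums if not is_accepted(dump, p, n)]

if __name__ == "__main__":
    print(missing(RULES_DUMP, {"tcp": [389, 636, 3268], "udp": [88, 389]}))  # ['tcp/389']
```

The same function works on a live `iptables -S` capture, as long as any PGP dash-escapes and mail-client line wrapping are undone first, as in the sample.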