[Samba] Firewall trouble?

L.P.H. van Belle belle at bazuin.nl
Tue Dec 29 08:58:47 UTC 2015


Hi,

I'm missing a few things.

And maybe the time server port to open? Are your DCs time servers also?
These are the ports I've set.

TCP, what I'm having:
22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535

What you did:
22,53,88,135,139,445,464,636,1024:5000,3268,3269
You're missing 42, 389 and the range 49612:65535.


UDP, what I'm having:
53,67,68,88,123,137,138,389,464

What you did:
53,67,88,123,137,138,389,464
You're missing 68 (but I don't know if you need it).

If you're not familiar with iptables,
I advise you to install ufw, for example.
I have a nice "base" set of rules, if you need some examples.
ufw isn't that hard and is easy to extend.
And a handy thing: integrating iptables + GeoIP is really easy,
and handy for SSH access/blocks.
I only allow SSH access on my server from the Netherlands with a rule like:

-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP

If you want some extra info on that, just mail me, no problem. 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
> Sent: Monday 28 December 2015 17:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Firewall trouble?
> 
> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > I recently tried adding a firewall to my Samba 4 server using the port
> > information I found on the wiki. Below is a dump of the resulting rules.
> >
> > root@dc01:~# iptables -S
> > -P INPUT DROP
> > -P FORWARD DROP
> > -P OUTPUT ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
> > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
> > -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> > -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> > -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
> > -A INPUT -p gre -j ACCEPT
> > -A INPUT -p esp -j ACCEPT
> > -A INPUT -p ah -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> > -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> >
> > As you can see, I try to prevent brute-force attacks on SSH, but
> > accept data, both TCP and UDP, on the ports specified by the wiki
> > article. However, when this firewall is on my AD DC server, logins
> > take eons, everything is SLOW on workstations, and sometimes
> > authentications just plain fail. Why?
> > - --
> > Lead IT/IS Specialist
> > Reach Technology FP, Inc
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2
> >
> > iQEcBAEBCAAGBQJWgVZhAAoJEBJm6+aLKsMNWR8H+wY51lD4DauyhTJBA9fULYbG
> > JRMDTfR5C90wwnfZlQI/vS+iA/TUG29MC09rMe6FFk4LS31xRTWtxmXk3r7BUph5
> > jHWvAohlOxhx1hEnvDgqmK2nULZQ6sWXK9ikZpky7/Z2LFOM3ABt3EUq7i8/MPNd
> > 40TycXR8N13uMBrehs3UOXK3gj8+9KFpkfyeTOr+u/+j5yNOCAS/Uu+tx8ZCMY8H
> > EKW/1G615SxFzd8VJ0HREMWoeKOia+xqCo71zq38SJ6t2N6f+/IFpDxfXthdJSU4
> > FfbACHeyvVLc17IiTDlLNawZ+X/Cpnj2AsJXKKEuU3SY1K/hISCz18RKnov7QNE=
> > =iO++
> > -----END PGP SIGNATURE-----
> >
> I assume this is for a DC. If so, are you using functional level 2008?
> You need to open ports 49152 through 65535 if you are. Level 2003 used
> 1025 through 5000.
> 
> --
> -James
> 
> 
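As an added example, not code from the thread or from the Samba project, the POSIX shell script below checks an iptables `-m multiport --dports` list against the ports a Samba AD DC must accept and prints a minimal stateful ruleset. The required lists follow the port numbers given in the thread (Louis's TCP/UDP lists and James's 49152:65535 dynamic RPC range for functional level 2008); the variable and function names, the decision to omit 22 (SSH), 42 (WINS) and 67/68 (DHCP) as host-dependent, and the use of Ryan's posted lists as sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: compare an iptables multiport list against
# the ports a Samba AD DC needs, then emit a minimal ruleset that covers them.
# Port numbers follow the thread (Louis's lists, James's 49152:65535 RPC range for
# functional level 2008). 22 (SSH), 42 (WINS) and 67/68 (DHCP) are left out here
# as they depend on what else the host runs (assumption of this example).

SAMBA_TCP_REQUIRED="53 88 135 139 389 445 464 636 3268 3269 49152:65535"
SAMBA_UDP_REQUIRED="53 88 123 137 138 389 464"

# range_covered LO HI LIST: succeed if one comma-separated entry of LIST
# (a single port or a lo:hi range) contains the whole span LO..HI.
range_covered() {
    _rlo=$1; _rhi=$2; _list=$3
    _old_ifs=$IFS; IFS=','
    for _e in $_list; do
        case $_e in
            *:*) _lo=${_e%%:*}; _hi=${_e##*:} ;;
            *)   _lo=$_e; _hi=$_e ;;
        esac
        if [ "$_lo" -le "$_rlo" ] && [ "$_hi" -ge "$_rhi" ]; then
            IFS=$_old_ifs
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# missing_ports REQUIRED ALLOWED: print the space-separated REQUIRED entries
# (ports or ranges) that the comma-separated ALLOWED list does not fully cover.
# Prints an empty line when nothing is missing.
missing_ports() {
    _req=$1; _allowed=$2; _out=""
    for _r in $_req; do
        case $_r in
            *:*) _mlo=${_r%%:*}; _mhi=${_r##*:} ;;
            *)   _mlo=$_r; _mhi=$_r ;;
        esac
        range_covered "$_mlo" "$_mhi" "$_allowed" || _out="$_out $_r"
    done
    printf '%s\n' "${_out# }"
}

# samba_dc_rules: print iptables commands accepting the required ports.
# Loopback is accepted first so local tools never hit later rate-limit rules;
# RELATED,ESTABLISHED keeps replies flowing once a connection is accepted.
samba_dc_rules() {
    _tcp=$(printf '%s' "$SAMBA_TCP_REQUIRED" | tr ' ' ',')
    _udp=$(printf '%s' "$SAMBA_UDP_REQUIRED" | tr ' ' ',')
    printf '%s\n' \
        'iptables -P INPUT DROP' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports $_tcp -j ACCEPT" \
        "iptables -A INPUT -p udp -m conntrack --ctstate NEW -m multiport --dports $_udp -j ACCEPT"
}

# Sample input: the multiport lists from Ryan's posted rules (copied from the thread).
RYAN_TCP="22,53,88,135,139,445,464,636,1024:5000,3268,3269"
RYAN_UDP="53,67,88,123,137,138,389,464"

# Running the script reports what those lists lack, then prints a corrected ruleset.
printf 'TCP missing: %s\n' "$(missing_ports "$SAMBA_TCP_REQUIRED" "$RYAN_TCP")"
printf 'UDP missing: %s\n' "$(missing_ports "$SAMBA_UDP_REQUIRED" "$RYAN_UDP")"
samba_dc_rules
```

Against Ryan's TCP list the check reports `389 49152:65535`: LDAP on 389/tcp is absent, and the 1024:5000 range does not contain the 2008-level dynamic range. That second gap matters because a client first asks the endpoint mapper on 135 which dynamic port a service listens on and then opens a separate, new connection to that port; with the range closed that connection is dropped and the client waits for a timeout, which is the kind of slow or failing logon described above. Two caveats: `-m multiport` accepts at most 15 ports per rule and a `lo:hi` range counts as two, so a long list like Louis's has to be split over two rules; and the ruleset printed here assumes nothing else (SSH, DHCP, WINS, NTP clients) needs to reach the host.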
