[Samba] Firewall trouble?

James lingpanda101 at gmail.com
Tue Dec 29 17:06:41 UTC 2015


On 12/29/2015 12:00 PM, Ryan Ashley wrote:
> I just looked up 42 and 68. I do not use WINS or BOOTP. I am removing
> range 1024-5000 and replacing it with 49612-65535 now. I already allowed
> 389 TCP.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
>> Hai,
>>
>> I'm missing a few things.
>>
>> And maybe the time server port to open? Are your DCs time servers also?
>> These are the ports I've set.
>>
>> TCP, what I'm having:
>> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>>
>> How you did it:
>> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
>> You're missing 42, 389 and the range 49612:65535
>>
>>
>> UDP, what I'm having:
>> 53,67,68,88,123,137,138,389,464
>>
>> How you did it:
>> 53,67,88,123,137,138,389,464
>> You're missing 68 (but I don't know if you need it)
>>
>> If you're not familiar with iptables,
>> I advise you to install ufw, for example.
>> I have a nice "base" set of rules, if you need some examples.
>> Ufw isn't that hard and is easy to extend.
>> And a handy thing: integrating iptables + GeoIP is really easy.
>> And handy for SSH access/blocks.
>> I only allow SSH access on my server from the Netherlands with a rule like:
>>
>> -A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP
>>
>> If you want some extra info on that, just mail me, no problem.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
>>> Sent: Monday 28 December 2015 17:27
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Firewall trouble?
>>>
>>> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
>>>> I recently tried adding a firewall to my Samba 4 server using the port
>>>> information I found on the wiki. Below is a dump of the resulting rules.
>>>>
>>>> root at dc01:~# iptables -S
>>>> -P INPUT DROP
>>>> -P FORWARD DROP
>>>> -P OUTPUT ACCEPT
>>>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
>>>> --name BLOCKED --rsource
>>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent
>>>> --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
>>>> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>>>> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>>>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>>>> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j
>>>> REJECT --reject-with tcp-reset
>>>> -A INPUT -p gre -j ACCEPT
>>>> -A INPUT -p esp -j ACCEPT
>>>> -A INPUT -p ah -j ACCEPT
>>>> -A INPUT -p tcp -m state --state NEW -m multiport --dports
>>>> 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
>>>> -A INPUT -p udp -m state --state NEW -m multiport --dports
>>>> 53,67,88,123,137,138,389,464 -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>>
>>>> As you can see, I try to prevent brute-force attacks on SSH, but
>>>> accept data, both TCP and UDP, on the ports specified by the wiki
>>>> article. However, when this firewall is on my AD DC server, logins
>>>> take eons, everything is SLOW on workstations, and sometimes
>>>> authentications just plain fail. Why?
>>> I assume this is for a DC. If so, are you using functional level 2008?
>>> You need to open ports 49152 through 65535 if you are. Level 2003 used
>>> 1025 through 5000.
>>>
>>> --
>>> -James
>>>
>>
>>
Ryan, check out this link. It may prove helpful in additional
troubleshooting if need be.

https://support.microsoft.com/en-us/kb/179442

-- 
-James
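The thread compares Ryan's multiport rules against the port list an AD DC needs by hand. The following script, an added example that is not from the list or the Samba project, does that comparison automatically: it parses `iptables -S` output (a constructed sample built from Ryan's rules) and reports which required TCP/UDP ports are still unaccepted. The required set is taken from the ports named in this thread, with TCP 49152-65535 as the dynamic RPC range James gives for functional level 2008.

```python
import re

# Ports an AD DC must accept on INPUT, taken from the port lists in this thread.
# The TCP range 49152:65535 is the 2008 functional level RPC range James names.
REQUIRED = {
    "tcp": {22, 42, 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269}
           | set(range(49152, 65536)),
    "udp": {53, 88, 123, 137, 138, 389, 464},
}

# Constructed sample: Ryan's dump reduced to the rules that matter for port checks.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT
"""

def parse_ports(spec):
    """Expand an iptables port list such as '22,53,1024:5000' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports

def accepted_ports(rules):
    """Collect per-protocol destination ports that INPUT rules ACCEPT for new flows."""
    accepted = {"tcp": set(), "udp": set()}
    for line in rules.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        proto = re.search(r"-p (tcp|udp)\b", line)
        ports = re.search(r"--dports? (\S+)", line)  # matches --dport and --dports
        if proto and ports:
            accepted[proto.group(1)] |= parse_ports(ports.group(1))
    return accepted

def missing_ports(rules, required=REQUIRED):
    """Return, per protocol, the required ports the rule set does not accept."""
    accepted = accepted_ports(rules)
    return {proto: required[proto] - accepted[proto] for proto in required}

if __name__ == "__main__":
    for proto, gap in missing_ports(SAMPLE_RULES).items():
        print(f"{proto}: {len(gap)} required port(s) not accepted, e.g. {sorted(gap)[:4]}")
```

Run against the real box with `iptables -S | python3 check.py`-style piping by replacing `SAMPLE_RULES` with `sys.stdin.read()`; the sample reports TCP 42, 389 and the whole 49152:65535 range missing, and nothing missing for UDP, which matches what Louis and James found by eye.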