[Samba] Firewall trouble?

Ryan Ashley ryana at reachtechfp.com
Mon Jan 11 13:04:21 UTC 2016


I just wanted to reply to let anybody else with the issue know that
closing off the old ports (2003 and prior) and opening the ones
specified in the KB article solved our problems. We now have a
functioning firewall and working AD with Samba 4. Thanks for the help!

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/29/2015 12:13 PM, Ryan Ashley wrote:
> Alright, I have setup the new rules and am waiting to see if I have any
> issues. If I do, I will keep working on it. I also read the article
> below, which mentions exactly what I was told about 2008 and newer
> using different ports.
> 
> https://support.microsoft.com/en-us/kb/929851
> 
> Here is the new configuration:
> 
> root at dc01:~# iptables -S
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
> --name BLOCKED --rsource
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent
> --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j
> REJECT --reject-with tcp-reset
> -A INPUT -s 10.0.0.0/22 -p tcp -m state --state NEW -m multiport
> --dports 22,53,88,135,139,389,445,464,636,3268,3269,49152:65535 -j ACCEPT
> -A INPUT -s 10.0.0.0/22 -p udp -m state --state NEW -m multiport
> --dports 53,67,88,123,137,138,389,464 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> 
> As you can see, I only allow access from my LAN now, thus further
> securing the server. VPN users get a LAN address so they will work with
> this setup also.
> 
> Lead IT/IS Specialist
> Reach Technology FP, Inc
> 
> On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
>> Hi,
>>
>> I'm missing a few things.
>>
>> And maybe the time server port to open? Are your DCs time servers also?
>> These are the ports I've set.
>>
>> TCP, what I'm having:
>> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>>
>> How you did: 
>> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
>> You're missing 42, 389 and the range 49612:65535
>>
>>
>> UDP, what I'm having:
>> 53,67,68,88,123,137,138,389,464
>>
>> How you did: 
>> 53,67,88,123,137,138,389,464
>> You're missing 68 (but I don't know if you need it)
>>
>> If you're not familiar with iptables,
>> I advise you to install ufw, for example.
>> I have a nice "base" set of rules, if you need some examples.
>> Ufw isn't that hard and is easy to extend.
>> And a handy thing, integrating iptables + GeoIP is really easy.
>> And handy for ssh access/blocks.
>> I only allow ssh access on my server from the Netherlands with a rule like:
>>
>> -A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP
>>
>> If you want some extra info on that, just mail me, no problem. 
>>
>>
>> Greetz, 
>>
>> Louis
>>
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
>>> Sent: Monday 28 December 2015 17:27
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Firewall trouble?
>>>
>>> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
>>>> I recently tried adding a firewall to my Samba 4 server using the port
>>>> information I found on the wiki. Below is a dump of the resulting rules.
>>>>
>>>> root at dc01:~# iptables -S
>>>> -P INPUT DROP
>>>> -P FORWARD DROP
>>>> -P OUTPUT ACCEPT
>>>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
>>>> --name BLOCKED --rsource
>>>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent
>>>> --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
>>>> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>>>> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>>>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>>>> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j
>>>> REJECT --reject-with tcp-reset
>>>> -A INPUT -p gre -j ACCEPT
>>>> -A INPUT -p esp -j ACCEPT
>>>> -A INPUT -p ah -j ACCEPT
>>>> -A INPUT -p tcp -m state --state NEW -m multiport --dports
>>>> 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
>>>> -A INPUT -p udp -m state --state NEW -m multiport --dports
>>>> 53,67,88,123,137,138,389,464 -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>>
>>>> As you can see, I try to prevent brute-force attacks on SSH, but
>>>> accept data, both TCP and UDP on the ports specified by the wiki
>>>> article. However, when this firewall is on my AD DC server, logins
>>>> take eons, everything is SLOW on workstations, and sometimes
>>>> authentications just plain fail. Why?
>>>>
>>> I assume this is for a DC. If so are you using functional level 2008?
>>> You need to open ports 49152 through 65535 if you are. Level 2003 used
>>> 1025 through 5000.
>>>
>>> --
>>> -James
>>>
>>>
>>
>>
>>
> 
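The port audit Louis did by hand above, as an added Python example that is not from the thread: it takes an `iptables -S` dump as quoted in the mail, re-joins rules that the mail client wrapped, and reports which of the DC service ports and the 2008+ dynamic RPC range have no ACCEPT rule. The required port list is taken from the thread's final rule set; the function names and the embedded sample are my own.

```python
import re
# Listeners the thread settles on for a Samba 4 AD DC: the TCP/UDP service
# ports plus the 2008+ functional-level dynamic RPC range (2003 used 1025-5000).
REQUIRED = {
    "tcp": [(p, p) for p in (53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269)]
           + [(49152, 65535)],
    "udp": [(p, p) for p in (53, 88, 123, 137, 138, 389, 464)],
}

def join_wrapped(text):
    """Strip '> ' mail quoting and re-join rules that were wrapped across lines."""
    rules, cur = [], ""
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if line.startswith(("-A ", "-P ")):
            if cur:
                rules.append(cur)
            cur = line
        elif line and cur:  # continuation of the previous rule
            cur += " " + line
    return rules + [cur] if cur else rules

def port_ranges(spec):  # '22,53,1024:5000' -> [(22, 22), (53, 53), (1024, 5000)]
    return [(int(lo), int(hi or lo))
            for lo, _, hi in (s.partition(":") for s in spec.split(","))]

def accepted(text):
    """proto -> destination port ranges that INPUT rules ACCEPT for new flows."""
    acc = {"tcp": [], "udp": []}
    for rule in join_wrapped(text):
        proto = re.search(r"-p (tcp|udp)\b", rule)
        ports = re.search(r"--dports? (\S+)", rule)
        if rule.startswith("-A INPUT") and rule.endswith("-j ACCEPT") and proto and ports:
            acc[proto.group(1)] += port_ranges(ports.group(1))
    return acc

def missing(text):
    """Required ranges not contained in any single accepted range, per proto."""
    acc = accepted(text)
    return {p: [r for r in need if not any(a[0] <= r[0] and r[1] <= a[1] for a in acc[p])]
            for p, need in REQUIRED.items()}

# Constructed sample: the thread's first rule set, as it appeared quoted in the mail.
ORIGINAL = """\
> -A INPUT -p tcp -m state --state NEW -m multiport --dports
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m multiport --dports
> 53,67,88,123,137,138,389,464 -j ACCEPT
"""
```

Running `missing(ORIGINAL)` reproduces the diagnosis from the thread: TCP 389 and the 49152:65535 range are not accepted, while the UDP set is complete.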