Samba and iptables - woes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hi folk,
I am trying to get iptables working on a samba server but find it is blocking something that prevents the windoze clients from being able to access the share.
here are the bits from iptables:
# nmb provided netbios-ns
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
# nmb provided netbios-dgm
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
# smb provided netbios-ssn
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
# smb provided microsoft-ds
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
so as far as I can tell this should provide access to the required services.
BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and connects to the router with internet/NAT firewall; 1Gb is eth1 at 192.168.230.232 and this connects to a G ethernet switch that has the windoze clients.
The smb.conf is as follows:
[global]
       workgroup = NDG
       netbios name = SAMBA
       netbios aliases = Samba
       server string = Samba Server Version %v
       interfaces = lo, eth1, 192.168.230.232
       bind interfaces only = Yes
       security = DOMAIN
       obey pam restrictions = Yes
       passdb backend = tdbsam
       pam password change = Yes
       log file = /var/log/samba/%m.log
       max log size = 50
       load printers = No
       add user script = /usr/sbin/useradd "%u" -n -g users
       delete user script = /usr/sbin/userdel "%u"
       add group script = /usr/sbin/groupadd "%g"
       delete group script = /usr/sbin/groupdel "%g"
       delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
       logon path =
       domain logons = Yes
       os level = 32
       preferred master = Yes
       domain master = Yes
       dns proxy = No
       wins support = Yes
       ldap ssl = no
       create mask = 0664
       directory mask = 0775
       hosts allow = 127., 192.168.230., 192.168.231.
       case sensitive = Yes
       browseable = No
       available = No
       wide links = No
       dont descend = /

[homes]
       comment = Home Directories
       valid users = %S
       read only = No
       browseable = Yes
       available = Yes

[NDG]
       comment = NDG files
       path = /NDG
       write list = @NDGstaff, @birdseye
       read only = No
       browseable = Yes
       available = Yes

I found that making the rule for port 139 ignore the eth port (i.e. remove the -i eth1) allowed things to work better, but do not want this to be the case as I do not want the eth0 interface to be used for this traffic. looking at netstat -l -n shows only lo and eth1 listening on port 139, so how is this failing to work??
Any ideas?
Thanks
Rob
begin:vcard
fn:Rob Kampen
n:Kampen;Rob
email;internet:rkampen@xxxxxxxxxxxxxxxxx
tel;work:407-896-9556 x6344
tel;fax:407-896-7607
tel;home:407-876-4854
tel;cell:407-341-3815
version:2.1
end:vcard

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux