What is the subnet mask of the outside interface? What is the subnet mask of the inside interface?

I'm not really good with iptables, but you might need to check your source address. Ex. 192.168.230.100/24. /24 is a full class C.

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Rob Kampen
Sent: Monday, March 30, 2009 9:19 PM
To: CentOS mailing list
Subject: Samba and iptables - woes

Hi folk,

I am trying to get iptables working on a samba server but find it is blocking something that prevents the windoze clients from being able to access the share.

Here are the bits from iptables:

> # nmb provided netbios-ns
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
> # nmb provided netbios-dgm
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
> # Samba
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
> # smb provided netbios-ssn
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
> # smb provided microsoft-ds
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT

So as far as I can tell this should provide access to the required services.

BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and connects to the router with internet/NAT firewall; 1Gb is eth1 at 192.168.230.232 and this connects to a G ethernet switch that has the windoze clients.

The smb.conf is as follows:

[global]
        workgroup = NDG
        netbios name = SAMBA
        netbios aliases = Samba
        server string = Samba Server Version %v
        interfaces = lo, eth1, 192.168.230.232
        bind interfaces only = Yes
        security = DOMAIN
        obey pam restrictions = Yes
        passdb backend = tdbsam
        pam password change = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        load printers = No
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon path =
        domain logons = Yes
        os level = 32
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap ssl = no
        create mask = 0664
        directory mask = 0775
        hosts allow = 127., 192.168.230., 192.168.231.
        case sensitive = Yes
        browseable = No
        available = No
        wide links = No
        dont descend = /

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = Yes
        available = Yes

[NDG]
        comment = NDG files
        path = /NDG
        write list = @NDGstaff, @birdseye
        read only = No
        browseable = Yes
        available = Yes

I found that making the rule for port 139 ignore the eth port (i.e. remove the -i eth1) allowed things to work better, but I do not want this to be the case as I do not want the eth0 interface to be used for this traffic.

Looking at netstat -l -n shows only lo and eth1 listening on port 139, so how is this failing to work?

Any ideas?

Thanks
Rob

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
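As an added example (not code from either poster), the five ACCEPT rules quoted in Rob's message transcribed into a small Python evaluator, so the subnet-mask question in the reply can be checked concretely: iptables applies the mask to -s, so 192.168.230.100/24 matches all of 192.168.230.0/24; a client in that range whose packets arrive on eth0 is matched by none of the five rules; and the two NIC addresses given (192.168.230.230 and 192.168.230.232) fall in the same network if both carry a /24 mask. The sample packet values are constructed; rules of the chain not shown in the post are ignored.

```python
# Added example, not from the thread: evaluate the five quoted ACCEPT rules
# against sample packets. Chain defaults and rules not shown in the post are
# ignored, so "not accepted" only means none of these five rules fires.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: str            # -p
    src: str              # -s, exactly as written (host bits allowed)
    iface: Optional[str]  # -i, None when the rule has no interface match
    dport: int            # --dport
    new_only: bool        # True when the rule carries --state NEW

# Transcribed from the post: -s 192.168.230.100/24 -i eth1 on every rule.
RULES = [
    Rule("udp", "192.168.230.100/24", "eth1", 137, False),
    Rule("udp", "192.168.230.100/24", "eth1", 138, False),
    Rule("tcp", "192.168.230.100/24", "eth1", 135, True),
    Rule("tcp", "192.168.230.100/24", "eth1", 139, True),
    Rule("tcp", "192.168.230.100/24", "eth1", 445, True),
]

def rule_network(cidr: str) -> ipaddress.IPv4Network:
    """iptables masks -s, so 192.168.230.100/24 means 192.168.230.0/24."""
    return ipaddress.ip_network(cidr, strict=False)

def matches(r: Rule, proto: str, src: str, iface: str, dport: int, state: str) -> bool:
    return (r.proto == proto
            and ipaddress.ip_address(src) in rule_network(r.src)
            and (r.iface is None or r.iface == iface)
            and r.dport == dport
            and (not r.new_only or state == "NEW"))

def accepted(proto: str, src: str, iface: str, dport: int, state: str = "NEW") -> bool:
    """True when any of the five quoted rules accepts the packet."""
    return any(matches(r, proto, src, iface, dport, state) for r in RULES)

def same_subnet(a: str, b: str) -> bool:
    """Do two interface addresses (with prefix length) share one network?"""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network

if __name__ == "__main__":
    print(rule_network("192.168.230.100/24"))                        # 192.168.230.0/24
    print(accepted("tcp", "192.168.230.50", "eth1", 139))            # True
    print(accepted("tcp", "192.168.230.50", "eth0", 139))            # False: arrived on eth0
    print(same_subnet("192.168.230.230/24", "192.168.230.232/24"))   # True
```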