Craig White wrote:
On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:
Hi folk,
I am trying to get iptables working on a samba server but find it is
blocking something that prevents the windoze clients from being able to
access the share.
here are the bits from iptables:
# nmb provided netbios-ns
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1
--dport 137 -j ACCEPT
# nmb provided netbios-dgm
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1
--dport 138 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
eth1 --dport 135 --state NEW -j ACCEPT
# smb provided netbios-ssn
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
eth1 --dport 139 --state NEW -j ACCEPT
# smb provided microsoft-ds
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
eth1 --dport 445 --state NEW -j ACCEPT
so as far as I can tell this should provide access to the required services.
BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and
connects to the router with internet/NAT firewall; 1Gb is eth1 at
192.168.230.232 and this connects to a G ethernet switch that has the
windoze clients.
The smb.conf is as follows:
[global]
workgroup = NDG
netbios name = SAMBA
netbios aliases = Samba
server string = Samba Server Version %v
interfaces = lo, eth1, 192.168.230.232
bind interfaces only = Yes
security = DOMAIN
obey pam restrictions = Yes
passdb backend = tdbsam
pam password change = Yes
log file = /var/log/samba/%m.log
max log size = 50
load printers = No
add user script = /usr/sbin/useradd "%u" -n -g users
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)"
-M -d /nohome -s /bin/false "%u"
logon path =
domain logons = Yes
os level = 32
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
create mask = 0664
directory mask = 0775
hosts allow = 127., 192.168.230., 192.168.231.
case sensitive = Yes
browseable = No
available = No
wide links = No
dont descend = /
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = Yes
available = Yes
[NDG]
comment = NDG files
path = /NDG
write list = @NDGstaff, @birdseye
read only = No
browseable = Yes
available = Yes
I found that making the rule for port 139 ignore the eth port (i.e.
remove the -i eth1) allowed things to work better, but do not want this
to be the case as I do not want the eth0 interface to be used for this
traffic.
looking at netstat -l -n shows only lo and eth1 listening on port 139,
so how is this failing to work??
Any ideas?
Thanks
----
I don't believe that you want to use comma separators in things like
'bind interfaces' or 'interfaces' - it doesn't seem that samba is
consistent here.
removed
I have never used two separate hardware network interfaces on the same
subnet and suspect that it may actually be trying to communicate back
from the wrong one which is confusing things. Also, it doesn't make
sense to list both eth1 and the actual ip address in bind interfaces but
I would tend to doubt that would be a problem.
Try taking eth0 down (as root - ifdown eth0) and see if that fixes the
problem.
tried this and things appear to work okay, so I guess I need to split my
subnet into two......
Some further thinking required here. I have an almost identical set up
in my home and actually tried all this there first, as I do not want my
business impacted. So it appears to work fine at home but not at the
office, some more testing required. I have only two windoze machines at
home and neither access the server, so I'll have to contrive a setup
that tries this out properly. Will keep you posted.....
Also, I'm not sure why some of the firewall rules include --state NEW
and some of the don't - that doesn't fully make sense to me.
state NEW is irrelevant for udp as it is a single direction with no
handshaking such as tcp has - i.e. connectionless?
Craig
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
begin:vcard
fn:Rob Kampen
n:Kampen;Rob
email;internet:rob@xxxxxxxxxxxxxxxxx
tel;cell:407-341-3815
version:2.1
end:vcard
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
