Re: Samba and iptables - woes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]





Craig White wrote:
On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:
Hi folk,
I am trying to get iptables working on a samba server but find it is blocking something that prevents the windoze clients from being able to access the share.
here are the bits from iptables:
# nmb provided netbios-ns
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
# nmb provided netbios-dgm
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
# smb provided netbios-ssn
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
# smb provided microsoft-ds
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
so as far as I can tell this should provide access to the required services.
BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and connects to the router with internet/NAT firewall; 1Gb is eth1 at 192.168.230.232 and this connects to a G ethernet switch that has the windoze clients.
The smb.conf is as follows:
 [global]
        workgroup = NDG
        netbios name = SAMBA
        netbios aliases = Samba
        server string = Samba Server Version %v
        interfaces = lo, eth1, 192.168.230.232
        bind interfaces only = Yes
        security = DOMAIN
        obey pam restrictions = Yes
        passdb backend = tdbsam
        pam password change = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        load printers = No
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon path =
        domain logons = Yes
        os level = 32
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap ssl = no
        create mask = 0664
        directory mask = 0775
        hosts allow = 127., 192.168.230., 192.168.231.
        case sensitive = Yes
        browseable = No
        available = No
        wide links = No
        dont descend = /

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = Yes
        available = Yes

[NDG]
        comment = NDG files
        path = /NDG
        write list = @NDGstaff, @birdseye
        read only = No
        browseable = Yes
        available = Yes

I found that making the rule for port 139 ignore the eth port (i.e. remove the -i eth1) allowed things to work better, but do not want this to be the case as I do not want the eth0 interface to be used for this traffic. looking at netstat -l -n shows only lo and eth1 listening on port 139, so how is this failing to work??
Any ideas?
Thanks
----
I don't believe that you want to use comma separators in things like
'bind interfaces' or 'interfaces' - it doesn't seem that samba is
consistent here.

removed
I have never used two separate hardware network interfaces on the same
subnet and suspect that it may actually be trying to communicate back
from the wrong one which is confusing things. Also, it doesn't make
sense to list both eth1 and the actual ip address in bind interfaces but
I would tend to doubt that would be a problem.

Try taking eth0 down (as root - ifdown eth0) and see if that fixes the
problem.
tried this and things appear to work okay, so I guess I need to split my subnet into two...... Some further thinking required here. I have an almost identical set up in my home and actually tried all this there first, as I do not want my business impacted. So it appears to work fine at home but not at the office, some more testing required. I have only two windoze machines at home and neither access the server, so I'll have to contrive a setup that tries this out properly. Will keep you posted.....
Also, I'm not sure why some of the firewall rules include --state NEW
and some of the don't - that doesn't fully make sense to me.
state NEW is irrelevant for udp as it is a single direction with no handshaking such as tcp has - i.e. connectionless?
Craig

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
begin:vcard
fn:Rob Kampen
n:Kampen;Rob
email;internet:rob@xxxxxxxxxxxxxxxxx
tel;cell:407-341-3815
version:2.1
end:vcard

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux