Re: Samba and iptables - woes




Scott Silva wrote:
on 3-30-2009 9:19 PM Rob Kampen spake the following:
Hi folk,
I am trying to get iptables working on a samba server but find it is
blocking something that prevents the windoze clients from being able to
access the share.
here are the bits from iptables:
# nmb provided netbios-ns
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
# nmb provided netbios-dgm
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
# smb provided netbios-ssn
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
# smb provided microsoft-ds
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
so as far as I can tell this should provide access to the required
services.
BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and
connects to the router with internet/NAT firewall; 1Gb is eth1 at
192.168.230.232 and this connects to a G ethernet switch that has the
windoze clients.
The smb.conf is as follows:
[global]
       workgroup = NDG
       netbios name = SAMBA
       netbios aliases = Samba
       server string = Samba Server Version %v
       interfaces = lo, eth1, 192.168.230.232
       bind interfaces only = Yes
       security = DOMAIN
       obey pam restrictions = Yes
       passdb backend = tdbsam
       pam password change = Yes
       log file = /var/log/samba/%m.log
       max log size = 50
       load printers = No
       add user script = /usr/sbin/useradd "%u" -n -g users
       delete user script = /usr/sbin/userdel "%u"
       add group script = /usr/sbin/groupadd "%g"
       delete group script = /usr/sbin/groupdel "%g"
       delete user from group script = /usr/sbin/userdel "%u" "%g"
       add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
       logon path =
       domain logons = Yes
       os level = 32
       preferred master = Yes
       domain master = Yes
       dns proxy = No
       wins support = Yes
       ldap ssl = no
       create mask = 0664
       directory mask = 0775
       hosts allow = 127., 192.168.230., 192.168.231.
       case sensitive = Yes
       browseable = No
       available = No
       wide links = No
       dont descend = /

[homes]
       comment = Home Directories
       valid users = %S
       read only = No
       browseable = Yes
       available = Yes

[NDG]
       comment = NDG files
       path = /NDG
       write list = @NDGstaff, @birdseye
       read only = No
       browseable = Yes
       available = Yes

I found that making the rule for port 139 ignore the eth port (i.e.
remove the -i eth1) allowed things to work better, but do not want this
to be the case as I do not want the eth0 interface to be used for this
traffic.
Looking at netstat -l -n shows only lo and eth1 listening on port 139,
so how is this failing to work??
Any ideas?
Thanks
Rob

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
What are you attempting to achieve? Having both nics on the same subnet
doesn't make a lot of sense to me.
Scott
Good point, I guess I'm suffering from incremental additions over the last 4 years and no real look at the overall architecture. I'm not sure what would work best. I have a T1 to the big bad internet world via a Linksys RV016 router and this used to deal with everything. The main server provides DNS, apache, ssh, smtp, pop and imap - all needing internet accessibility and then samba for file server that is only required locally. Then along came asterisk server and a Netgear PoE vlan switch to run the snom VoIP / SIP phones, with the * needing internet access but only one NIC. Then along came a 1G ethernet switch to improve access speeds to samba, hence the two NICs on the same subnet - the 100Mb for the internet facing services (although all these services also need to be accessed locally) and the 1Gb NIC for file serving to the five windoze clients. Then I wanted to add firewall to the server to deal with things like tripping up the port 22 script kiddies and then tripped up on the samba...... Confused yet? I guess some careful thought needed to design this appropriately. I was considering having the server do IP forwarding, but this may not be smart as it already does too much. Thanks for the questions - helps me focus on the real issues.
Rob - p.s. suggestions welcome
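As an added example (not code from the thread or from any of its posters), the script below audits a rule list in the iptables-save syntax quoted above. It normalises each -s network the way iptables itself does, masking off host bits so that 192.168.230.100/24 is really 192.168.230.0/24, and then checks that every port Samba listens on is accepted only on the LAN-facing interface and only from a restricted source. The rule text, the interface name eth1 and the expected Samba port set (udp 137/138, tcp 139/445) are assumptions taken from the post; the script has no access to the poster's machine.

```python
"""Audit iptables-save style INPUT rules for Samba exposure.

Added example, not from the mailing-list thread. All sample data below is
constructed from the rules quoted in the post.
"""
import ipaddress
import shlex

# Constructed sample: the five rules from the post, one per line.
RULES = """
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
"""

# Assumption: the ports nmbd/smbd listen on for classic file serving.
SAMBA_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
LAN_IFACE = "eth1"  # assumption: the interface Samba is bound to, per the post


def parse_rule(line):
    """Reduce one -A rule to the options that matter for the audit."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": None, "iface": None,
            "dport": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t == "-s":
            # strict=False mirrors iptables: host bits are masked off silently
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t == "-i":
            rule["iface"] = toks[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1]); i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t in ("-m", "--state"):
            i += 2  # match extensions and state lists carry no audit information
        else:
            i += 1
    return rule


def parse_rules(text):
    """Parse every non-empty line of an iptables-save fragment."""
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def audit(rules, lan_iface=LAN_IFACE, expected=SAMBA_PORTS):
    """Return findings as strings; an empty list means the rules match expectations."""
    findings = []
    accepted = set()
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        key = (r["proto"], r["dport"])
        if r["iface"] != lan_iface:
            findings.append(f"{key}: accepted on {r['iface'] or 'any interface'}")
        if key not in expected:
            findings.append(f"{key}: not in the expected Samba port set")
        if r["src"] is None or r["src"].prefixlen == 0:
            findings.append(f"{key}: no source restriction")
        accepted.add(key)
    for key in sorted(expected - accepted):
        findings.append(f"{key}: no ACCEPT rule, clients cannot reach it")
    return findings


if __name__ == "__main__":
    for rule in parse_rules(RULES):
        print(rule["proto"], rule["dport"], rule["iface"], rule["src"])
    for finding in audit(parse_rules(RULES)):
        print("finding:", finding)
```

Run against the posted rules, the audit's only finding is tcp 135, which is outside the assumed Samba port set; dropping the -i eth1 from the port 139 rule, as the post describes, produces an "accepted on any interface" finding instead. One caveat the audit cannot see: with two NICs on the same subnet, the Linux kernel by default answers ARP for any of its local addresses on whichever interface the request arrives, so a client's frames for 192.168.230.232 can legitimately arrive on eth0 and be dropped by a rule that matches -i eth1, which is consistent with netstat showing the socket bound to eth1 only. The arp_ignore and arp_filter sysctls (net.ipv4.conf.*) exist to change that behaviour.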


