On 28/07/05, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:
> Will McDonald wrote:
> > On 28/07/05, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:
> >
> >>They are applied on the samba server. I can get to the samba server from
> >>a Windoze box. That was never a problem. What IS a problem is getting to
> >>the Windoze box from the samba box. That's what I am trying to get help
> >>with.
> >
> > Ah, sorry, should've paid a little more attention. :)
> >
> > As we found, we needed the following incoming ports.
> >
> > 137/udp
> > 138/udp
> > 139/tcp
> > 445/tcp
> >
> > I assume you'd need to allow traffic out from the SMB server to these
> > destination ports on the windows box. How restrictive are you being on
> > outbound traffic from the host? What do your OUTPUT or
> > tcp_outbound/udp_outbound chains look like?
> >
> > Assuming you're not (statefully) allowing anything and everything out
> > from the Samba server by default (a reasonable assumption given it
> > works without the firewall in place and doesn't when it is) I imagine
> > you'd want to see something like...
> >
> > Chain OUTPUT (policy DROP)
> > ACCEPT udp -- anywhere $windowsbox udp dpt:137 state NEW
> > ACCEPT udp -- anywhere $windowsbox udp dpt:138 state NEW
> > ACCEPT tcp -- anywhere $windowsbox tcp dpt:139 state NEW
> > ACCEPT tcp -- anywhere $windowsbox tcp dpt:445 state NEW
> >
> > Depending on exactly how you generate your rules something like...
> >
> > $IPTABLES -A OUTPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
> >
> > ... might do it for you.
> >
> > Will.
>
> I'm not stopping anything outbound. I'm the only one with an account on
> this box:
>
> Chain up_outbound (0 references)
> target prot opt source destination
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
>
> Chain tcp_outbound (0 references)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
>
> My original post indicated that nautilus was using high level ports
> (>32800) to talk to the Windows boxes. I think the problem is there, but
> I don't know how to get it to specify a specific range or to not use
> those ranges at all.

Hmm, OK then, does this inward bound source port approach help...

https://lists.netfilter.org/pipermail/netfilter/2002-March/032383.html

Will.

(Or anything else enlightening from searches like...
http://www.google.co.uk/search?hl=en&safe=off&q=iptables+samba+high+ports&meta= )

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
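An added example, not from the thread or either poster: a small Python audit of an `iptables -L -n` listing that checks for the four stateful SMB allows Will listed and flags the pitfall behind the high-port question, INPUT rules that open the ephemeral range outright instead of accepting replies through connection state. The listing and the 192.0.2.10 address are constructed.

```python
import re

# The four destination ports the thread identifies for SMB/NetBIOS.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample listing (not from the thread): OUTPUT opens the four SMB
# ports statefully, but INPUT opens the whole ephemeral range instead of
# relying on connection tracking for the replies.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:32768:61000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:32768:61000

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            192.0.2.10           udp dpt:137 state NEW
ACCEPT     udp  --  0.0.0.0/0            192.0.2.10           udp dpt:138 state NEW
ACCEPT     tcp  --  0.0.0.0/0            192.0.2.10           tcp dpt:139 state NEW
ACCEPT     tcp  --  0.0.0.0/0            192.0.2.10           tcp dpt:445 state NEW
"""

def parse_listing(text):
    """Yield (chain, target, proto, extra) for each rule line of `iptables -L -n`."""
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif line and chain and not line.startswith("target"):
            fields = line.split(None, 5)        # match columns after destination
            extra = fields[5] if len(fields) > 5 else ""
            yield chain, fields[0], fields[1], extra

def audit(text):
    """Report missing SMB allows, stateless wide INPUT ranges, and reply handling."""
    allowed, wide_ranges, stateful_reply = set(), [], False
    for chain, target, proto, extra in parse_listing(text):
        if target != "ACCEPT":
            continue
        m = re.search(r"dpt:(\d+)", extra)
        if chain == "OUTPUT" and m:
            allowed.add((proto, int(m.group(1))))
        if chain == "INPUT" and "ESTABLISHED" in extra:
            stateful_reply = True              # replies to our connections accepted by state
        r = re.search(r"dpts:(\d+):(\d+)", extra)
        if chain == "INPUT" and r and "state" not in extra:
            wide_ranges.append((proto, int(r.group(1)), int(r.group(2))))
    return {"missing_smb": sorted(SMB_PORTS - allowed),
            "open_ranges_without_state": wide_ranges,
            "has_stateful_reply_rule": stateful_reply}

if __name__ == "__main__":
    print(audit(SAMPLE_LISTING))
```

A listing that carries `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED` on INPUT needs no open ephemeral range at all, which is the usual answer to traffic landing on ports above 32768.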