Re: iptables rules to allow nautilus samba access [SOLVED]

Will McDonald wrote:
On 28/07/05, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:

Will McDonald wrote:

On 28/07/05, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:

They are applied on the samba server. I can get to the samba server from
a Windoze box. That was never a problem. What IS a problem is getting to
the Windoze box from the samba box. That's what I am trying to get help
with.

Ah, sorry, should've paid a little more attention. :)

As we found, we needed the following incoming ports.

137/udp
138/udp
139/tcp
445/tcp

I assume you'd need to allow traffic out from the SMB server to these
destination ports on the windows box. How restrictive are you being on
outbound traffic from the host? What do your OUTPUT or
tcp_outbound/udp_outbound chains look like?

Assuming you're not (statefully) allowing anything and everything out
from the Samba server by default (a reasonable assumption given it
works without the firewall in place and doesn't when it is) I imagine
you'd want to see something like...

Chain OUTPUT (policy DROP)
ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:137 state NEW
ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:138 state NEW
ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:139 state NEW
ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:445 state NEW

Depending on exactly how you generate your rules something like...

$IPTABLES -A OUTPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT

... might do it for you.

Will.

I'm not stopping anything outbound. I'm the only one with an account on
this box:

Chain up_outbound (0 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0

Chain tcp_outbound (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0

My original post indicated that nautilus was using high level ports
(>32800) to talk to the Windows boxes. I think the problem is there, but
I don't know how to get it to specify a specific range or to not use
those ranges at all.

Hmm, OK then, does this inward bound source port approach help...

https://lists.netfilter.org/pipermail/netfilter/2002-March/032383.html

Will.

(Or anything else enlightening from searches like...

http://www.google.co.uk/search?hl=en&safe=off&q=iptables+samba+high+ports&meta=
)

None of these links helped. The problem I was having is that findsmb uses ports 32820+ and 38960+. [findsmb is what nautilus uses to get a list of network neighborhood boxes on the LAN.] The only way around this that I could find is to open these port ranges in the firewall, but restrict them to local (LAN) boxes. This solved my problem, but I was hoping to find a way to get findsmb to not use high ports.

Oh well...

Thanks for the help.

Bill
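
The LAN-restricted high-port rules Bill describes, written out as an added example (not code from the thread): a small generator that prints the INPUT rules for review instead of applying them. Assumptions: the LAN is 192.168.1.0/24 (constructed), the "32820+" and "38960+" ranges are given a width of 80 ports because the thread states no upper bound, and NetBIOS name-service replies arrive from source port 137, which allows narrowing the rule by source port as well as by source network.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) INPUT rules that
# let findsmb/nmblookup traffic reach the Samba host only from LAN boxes.
IPTABLES=${IPTABLES:-/sbin/iptables}

# smb_lan_rules LAN_CIDR [HIGH_RANGE1] [HIGH_RANGE2]
smb_lan_rules() {
    lan=$1
    r1=${2:-32820:32900}   # assumed width for the "32820+" range
    r2=${3:-38960:39040}   # assumed width for the "38960+" range

    # Standard SMB service ports (Will's list), LAN sources only.
    echo "$IPTABLES -A INPUT -s $lan -p udp --dport 137 -j ACCEPT"
    echo "$IPTABLES -A INPUT -s $lan -p udp --dport 138 -j ACCEPT"
    echo "$IPTABLES -A INPUT -s $lan -p tcp --dport 139 -m state --state NEW -j ACCEPT"
    echo "$IPTABLES -A INPUT -s $lan -p tcp --dport 445 -m state --state NEW -j ACCEPT"

    # findsmb's name queries leave from an ephemeral port; the replies come back
    # to it from the LAN box's name-service port (assumed: source port 137).
    # Matching on source network AND source port keeps the opened range narrow.
    # Drop the --sport clause if a capture shows replies from other ports.
    echo "$IPTABLES -A INPUT -s $lan -p udp --sport 137 --dport $r1 -j ACCEPT"
    echo "$IPTABLES -A INPUT -s $lan -p udp --sport 137 --dport $r2 -j ACCEPT"

    # Anything else aimed at those ranges (off-LAN, wrong source port) falls
    # through to the chain's DROP policy; log a rate-limited sample first.
    echo "$IPTABLES -A INPUT -p udp --dport $r1 -m limit --limit 5/min -j LOG --log-prefix 'smb-highport: '"
    echo "$IPTABLES -A INPUT -p udp --dport $r2 -m limit --limit 5/min -j LOG --log-prefix 'smb-highport: '"
}

# Number of rules a call would emit (handy for sanity checks in a deploy script).
rule_count() { smb_lan_rules "$@" | wc -l | tr -d ' '; }

# Review the output first; apply with:  smb_lan_rules 192.168.1.0/24 | sh
smb_lan_rules 192.168.1.0/24
```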

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
