Will McDonald wrote:
On 28/07/05, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:
Will McDonald wrote:
On 28/07/05, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:
They are applied on the samba server. I can get to the samba server from
a Windoze box. That was never a problem. What IS a problem is getting to
the Windoze box from the samba box. That's what I am trying to get help
with.
Ah, sorry, should've paid a little more attention. :)
As we found, we needed the following incoming ports.
137/udp
138/udp
139/tcp
445/tcp
I assume you'd need to allow traffic out from the SMB server to these
destination ports on the windows box. How restrictive are you being on
outbound traffic from the host? What do your OUTPUT or
tcp_outbound/udp_outbound chains like?
Assuming you're not (statefully) allowing anything and everything out
from the Samba server by default (a reasonable assumption given it
works without the firewall in place and doesn't when it is) I imagine
you'd want to see something like...
Chain OUTPUT (policy DROP)
ACCEPT udp -- anywhere $windowsbox udp dpt:137 state NEW
ACCEPT udp -- anywhere $windowsbox udp dpt:138 state NEW
ACCEPT tcp -- anywhere $windowsbox tcp dpt:139 state NEW
ACCEPT tcp -- anywhere $windowsbox tcp dpt:445 state NEW
Depending on exactly how you generate your rules something like...
$IPTABLES -A OUTPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
... might do it for you.
Will.
I'm not stopping anything outbound. I'm the only one with an account on
this box:
Chain up_outbound (0 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
Chain tcp_outbound (0 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
My original post indicated that nautilus was using high level ports
(>32800) to talk to the Windows boxes. I think the problem is there, but
I don't know how to get it to specify a specific range or to not use
those ranges at all.
Hmm, OK then, does this inward bound source port approach help...
https://lists.netfilter.org/pipermail/netfilter/2002-March/032383.html
Will.
(Or anything else enlightening from searches like...
http://www.google.co.uk/search?hl=en&safe=off&q=iptables+samba+high+ports&meta=
)
None of these links helped. The problem I was having is that findsmb
uses ports 32820+ and 38960+. [findsmb is what nautilus uses to get a
list of network neighborhood boxes on the LAN.] The only way around this
that I could find is to open these port ranges in the firewall, but
restrict them to local (LAN) boxes. This solved my problem, but I was
hoping to find a way to get findsmb to not use high ports.
Oh well...
Thanks for the help.
Bill
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
