[CentOS] Samba and iptables - woes

Wed Apr 1 03:26:03 UTC 2009
Rob Kampen <rkampen at kampensonline.com>

Scott Silva wrote:
> on 3-30-2009 9:19 PM Rob Kampen spake the following:
>   
>> Hi folk,
>> I am trying to get iptables working on a samba server but find it is
>> blocking something that prevents the windoze clients from being able to
>> access the share.
>> here are the bits from iptables:
>>     
>>> # nmb provided netbios-ns
>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
>>> # nmb provided netbios-dgm
>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
>>> # Samba
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
>>> # smb provided netbios-ssn
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
>>> # smb provided microsoft-ds
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
>>>       
>> so as far as I can tell this should provide access to the required
>> services.
>> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and
>> connects to the router with internet/NAT firewall; 1Gb is eth1 at
>> 192.168.230.232 and this connects to a G ethernet switch that has the
>> windoze clients.
>> The smb.conf is as follows:
>> [global]
>>        workgroup = NDG
>>        netbios name = SAMBA
>>        netbios aliases = Samba
>>        server string = Samba Server Version %v
>>        interfaces = lo, eth1, 192.168.230.232
>>        bind interfaces only = Yes
>>        security = DOMAIN
>>        obey pam restrictions = Yes
>>        passdb backend = tdbsam
>>        pam password change = Yes
>>        log file = /var/log/samba/%m.log
>>        max log size = 50
>>        load printers = No
>>        add user script = /usr/sbin/useradd "%u" -n -g users
>>        delete user script = /usr/sbin/userdel "%u"
>>        add group script = /usr/sbin/groupadd "%g"
>>        delete group script = /usr/sbin/groupdel "%g"
>>        delete user from group script = /usr/sbin/userdel "%u" "%g"
>>        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>        logon path =
>>        domain logons = Yes
>>        os level = 32
>>        preferred master = Yes
>>        domain master = Yes
>>        dns proxy = No
>>        wins support = Yes
>>        ldap ssl = no
>>        create mask = 0664
>>        directory mask = 0775
>>        hosts allow = 127., 192.168.230., 192.168.231.
>>        case sensitive = Yes
>>        browseable = No
>>        available = No
>>        wide links = No
>>        dont descend = /
>>
>> [homes]
>>        comment = Home Directories
>>        valid users = %S
>>        read only = No
>>        browseable = Yes
>>        available = Yes
>>
>> [NDG]
>>        comment = NDG files
>>        path = /NDG
>>        write list = @NDGstaff, @birdseye
>>        read only = No
>>        browseable = Yes
>>        available = Yes
>>
>> I found that making the rule for port 139 ignore the eth port (i.e.
>> remove the -i eth1) allowed things to work better, but do not want this
>> to be the case as I do not want the eth0 interface to be used for this
>> traffic.
>> looking at netstat -l -n shows only lo and eth1 listening on port 139,
>> so how is this failing to work??
>> Any ideas?
>> Thanks
>> Rob
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>     
> What are you attempting to achieve? Having both nics on the same subnet
> doesn't make a lot of sense to me.
>   
Scott
Good point, I guess I'm suffering from incremental additions over the 
last 4 years and no real look at the overall architecture. I'm not sure 
what would work best.
I have a T1 to the big bad internet world via a Linksys RV016 router and 
this used to deal with everything. The main server provides DNS, apache, 
ssh, smtp, pop and imap - all needing internet accessibility and then 
samba for file server that is only required locally. Then along came 
asterisk server and a Netgear PoE vlan switch to run the snom VoIP / SIP 
phones, with the * needing internet access but only one NIC. Then along 
came a 1G ethernet switch to improve access speeds to samba, hence the 
two NICs on the same subnet - the 100Mb for the internet facing services 
(although all these services also need to be accessed locally) and the 
1Gb NIC for file serving to the five windoze clients. Then I wanted to 
add a firewall to the server to deal with things like tripping up the port 
22 script kiddies and then tripped up on the samba...... Confused yet?  
I guess some careful thought is needed to design this appropriately.
I was considering having the server do IP forwarding, but this may not 
be smart as it already does too much. Thanks for the questions - helps 
me focus on the real issues.
Rob - p.s. suggestions welcome

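The rules quoted above only match packets that arrive on eth1, yet removing `-i eth1` from the port 139 rule "made things work better". With both NICs on 192.168.230.0/24 and, presumably, the same broadcast domain, Linux's default ARP behaviour (arp_ignore = 0, arp_filter = 0) answers ARP requests for the eth1 address on eth0 as well, so a client can send its SMB traffic to eth0, where the eth1-bound rules never match and the packet falls through to the chain's REJECT. The script below is an added example written for this thread, not code from any of the posters: it parses the iptables-save lines as posted, takes the interface addresses Rob describes, and flags every Samba rule that is bound to one interface while another interface sits on the same subnet. SAMBA_PORTS (the ports the classic nmbd/smbd daemons listen on) and the finding texts are this example's own assumptions.

```python
"""Audit iptables-save style rules for a Samba host with more than one NIC.

Added example for this thread, not code from the original posts. It parses
the rule lines as posted, compares each interface-bound Samba rule with the
host's interface addresses, and flags a rule that only matches on eth1 while
eth0 sits on the same subnet. Interface addresses are the ones given in the
thread; SAMBA_PORTS is this audit's assumption (classic nmbd/smbd ports).
"""
import ipaddress
import shlex

# Ports the classic Samba daemons use: nmbd on UDP 137/138, smbd on TCP 139/445.
SAMBA_PORTS = {"udp": {137, 138}, "tcp": {139, 445}}

# Rules as posted in the thread, each joined back onto a single line.
RULES = """
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
"""

# Interface layout as described in the thread: both NICs on 192.168.230.0/24.
INTERFACES = {"eth0": "192.168.230.230/24", "eth1": "192.168.230.232/24"}


def parse_rule(line):
    """Pull chain, protocol, destination port, input interface, source and
    target out of one iptables-save line; every other option is skipped."""
    tokens = shlex.split(line)
    rule = {"chain": None, "proto": None, "dport": None,
            "iface": None, "src": None, "target": None}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if flag == "-A":
            rule["chain"] = value
        elif flag == "-p":
            rule["proto"] = value
        elif flag == "--dport":
            rule["dport"] = int(value)
        elif flag == "-i":
            rule["iface"] = value
        elif flag == "-s":
            # strict=False mirrors iptables, which masks 192.168.230.100/24
            # down to the network address 192.168.230.0/24.
            rule["src"] = ipaddress.ip_network(value, strict=False)
        elif flag == "-j":
            rule["target"] = value
        elif value is None or value.startswith("-"):
            i += 1  # flag that takes no argument (e.g. "!")
            continue
        i += 2  # consume the flag and its argument
    return rule


def audit(rules_text, interfaces):
    """Return a list of findings for the rule set given the NIC layout."""
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    findings = []
    seen = {proto: set() for proto in SAMBA_PORTS}
    for line in rules_text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["target"] != "ACCEPT" or rule["dport"] is None:
            continue
        proto, port = rule["proto"], rule["dport"]
        if port not in SAMBA_PORTS.get(proto, set()):
            findings.append(f"{proto}/{port}: accepted but not a Samba port; "
                            "drop the rule unless another service needs it")
            continue
        seen[proto].add(port)
        if rule["iface"] is None or rule["src"] is None:
            continue
        # The trap: the rule is pinned to one interface, but another
        # interface on the same subnet can receive the same clients' packets.
        for name, net in nets.items():
            if name != rule["iface"] and net.overlaps(rule["src"]):
                findings.append(
                    f"{proto}/{port}: bound to {rule['iface']} but {name} is also "
                    f"on {net}; a client reaching the host via {name} is dropped")
    for proto, ports in SAMBA_PORTS.items():
        for port in sorted(ports - seen[proto]):
            findings.append(f"{proto}/{port}: no ACCEPT rule, clients cannot use it")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES, INTERFACES):
        print(finding)
```

Run against the thread's rules and addresses it reports the four Samba ports as eth1-bound with eth0 on the same subnet, and port 135 as an ACCEPT that none of the classic Samba daemons need. Fixing the finding means either moving the two NICs onto different subnets (the point Scott raises) so that `-i eth1` really does describe where client traffic arrives, or, if they must stay on one subnet, setting net.ipv4.conf.all.arp_ignore = 1 and arp_filter = 1 so the host only answers ARP for an address on the interface that carries it; dropping `-i eth1` instead opens the rule to whichever interface the packet happens to hit.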