[CentOS] Samba and iptables - woes
Rob Townley
rob.townley at gmail.com
Tue Mar 31 16:50:57 UTC 2009
The poster suggesting a lopsided interfaces is correct. Look at
incoming vs outgoing packets via
ifconfig -a.
Use /sbin/ip to fix it. Since the subnet is the same, u need a
/sbin/ip rule.
On 3/31/09, Rob Kampen <rkampen at kampensonline.com> wrote:
>
>
> Craig White wrote:
>> On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:
>>
>>> Hi folk,
>>> I am trying to get iptables working on a samba server but find it is
>>> blocking something that prevents the windoze clients from being able to
>>> access the share.
>>> here are the bits from iptables:
>>>
>>>> # nmb provided netbios-ns
>>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1
>>>> --dport 137 -j ACCEPT
>>>> # nmb provided netbios-dgm
>>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1
>>>> --dport 138 -j ACCEPT
>>>> # Samba
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
>>>> eth1 --dport 135 --state NEW -j ACCEPT
>>>> # smb provided netbios-ssn
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
>>>> eth1 --dport 139 --state NEW -j ACCEPT
>>>> # smb provided microsoft-ds
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
>>>> eth1 --dport 445 --state NEW -j ACCEPT
>>>>
>>> so as far as I can tell this should provide access to the required
>>> services.
>>> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and
>>> connects to the router with internet/NAT firewall; 1Gb is eth1 at
>>> 192.168.230.232 and this connects to a G ethernet switch that has the
>>> windoze clients.
>>> The smb.conf is as follows:
>>> [global]
>>> workgroup = NDG
>>> netbios name = SAMBA
>>> netbios aliases = Samba
>>> server string = Samba Server Version %v
>>> interfaces = lo, eth1, 192.168.230.232
>>> bind interfaces only = Yes
>>> security = DOMAIN
>>> obey pam restrictions = Yes
>>> passdb backend = tdbsam
>>> pam password change = Yes
>>> log file = /var/log/samba/%m.log
>>> max log size = 50
>>> load printers = No
>>> add user script = /usr/sbin/useradd "%u" -n -g users
>>> delete user script = /usr/sbin/userdel "%u"
>>> add group script = /usr/sbin/groupadd "%g"
>>> delete group script = /usr/sbin/groupdel "%g"
>>> delete user from group script = /usr/sbin/userdel "%u" "%g"
>>> add machine script = /usr/sbin/useradd -n -c "Workstation (%u)"
>>> -M -d /nohome -s /bin/false "%u"
>>> logon path =
>>> domain logons = Yes
>>> os level = 32
>>> preferred master = Yes
>>> domain master = Yes
>>> dns proxy = No
>>> wins support = Yes
>>> ldap ssl = no
>>> create mask = 0664
>>> directory mask = 0775
>>> hosts allow = 127., 192.168.230., 192.168.231.
>>> case sensitive = Yes
>>> browseable = No
>>> available = No
>>> wide links = No
>>> dont descend = /
>>>
>>> [homes]
>>> comment = Home Directories
>>> valid users = %S
>>> read only = No
>>> browseable = Yes
>>> available = Yes
>>>
>>> [NDG]
>>> comment = NDG files
>>> path = /NDG
>>> write list = @NDGstaff, @birdseye
>>> read only = No
>>> browseable = Yes
>>> available = Yes
>>>
>>> I found that making the rule for port 139 ignore the eth port (i.e.
>>> remove the -i eth1) allowed things to work better, but do not want this
>>> to be the case as I do not want the eth0 interface to be used for this
>>> traffic.
>>> looking at netstat -l -n shows only lo and eth1 listening on port 139,
>>> so how is this failing to work??
>>> Any ideas?
>>> Thanks
>>>
>> ----
>> I don't believe that you want to use comma separators in things like
>> 'bind interfaces' or 'interfaces' - it doesn't seem that samba is
>> consistent here.
>>
>>
> removed
>> I have never used two separate hardware network interfaces on the same
>> subnet and suspect that it may actually be trying to communicate back
>> from the wrong one which is confusing things. Also, it doesn't make
>> sense to list both eth1 and the actual ip address in bind interfaces but
>> I would tend to doubt that would be a problem.
>>
>> Try taking eth0 down (as root - ifdown eth0) and see if that fixes the
>> problem.
> tried this and things appear to work okay, so I guess I need to split my
> subnet into two......
> Some further thinking required here. I have an almost identical set up
> in my home and actually tried all this there first, as I do not want my
> business impacted. So it appears to work fine at home but not at the
> office, some more testing required. I have only two windoze machines at
> home and neither access the server, so I'll have to contrive a setup
> that tries this out properly. Will keep you posted.....
>>
>>
>> Also, I'm not sure why some of the firewall rules include --state NEW
>> and some of the don't - that doesn't fully make sense to me.
>>
> state NEW is irrelevant for udp as it is a single direction with no
> handshaking such as tcp has - i.e. connectionless?
>> Craig
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
More information about the CentOS
mailing list