[CentOS] Samba and iptables - woes

Tue Mar 31 16:13:51 UTC 2009
Rob Kampen <rkampen at kampensonline.com>


Craig White wrote:
> On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:
>   
>> Hi folks,
>> I am trying to get iptables working on a Samba server but find it is 
>> blocking something that prevents the windoze clients from being able to 
>> access the share.
>> Here are the bits from iptables:
>>     
>>> # nmb provided netbios-ns
>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
>>> # nmb provided netbios-dgm
>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
>>> # Samba
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
>>> # smb provided netbios-ssn
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
>>> # smb provided microsoft-ds
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
>>>
>> So as far as I can tell this should provide access to the required services.
>> BTW the server has two NICs: the 100Mb one is eth0 at 192.168.230.230 and 
>> connects to the router with the internet/NAT firewall; the 1Gb one is eth1 at 
>> 192.168.230.232 and connects to a gigabit ethernet switch that has the 
>> windoze clients.
>> The smb.conf is as follows:
>>  [global]
>>         workgroup = NDG
>>         netbios name = SAMBA
>>         netbios aliases = Samba
>>         server string = Samba Server Version %v
>>         interfaces = lo, eth1, 192.168.230.232
>>         bind interfaces only = Yes
>>         security = DOMAIN
>>         obey pam restrictions = Yes
>>         passdb backend = tdbsam
>>         pam password change = Yes
>>         log file = /var/log/samba/%m.log
>>         max log size = 50
>>         load printers = No
>>         add user script = /usr/sbin/useradd "%u" -n -g users
>>         delete user script = /usr/sbin/userdel "%u"
>>         add group script = /usr/sbin/groupadd "%g"
>>         delete group script = /usr/sbin/groupdel "%g"
>>         delete user from group script = /usr/sbin/userdel "%u" "%g"
>>         add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>         logon path =
>>         domain logons = Yes
>>         os level = 32
>>         preferred master = Yes
>>         domain master = Yes
>>         dns proxy = No
>>         wins support = Yes
>>         ldap ssl = no
>>         create mask = 0664
>>         directory mask = 0775
>>         hosts allow = 127., 192.168.230., 192.168.231.
>>         case sensitive = Yes
>>         browseable = No
>>         available = No
>>         wide links = No
>>         dont descend = /
>>
>> [homes]
>>         comment = Home Directories
>>         valid users = %S
>>         read only = No
>>         browseable = Yes
>>         available = Yes
>>
>> [NDG]
>>         comment = NDG files
>>         path = /NDG
>>         write list = @NDGstaff, @birdseye
>>         read only = No
>>         browseable = Yes
>>         available = Yes
>>
>> I found that making the rule for port 139 ignore the interface (i.e. 
>> removing the -i eth1) allowed things to work better, but I do not want this 
>> to be the case, as I do not want the eth0 interface to be used for this 
>> traffic.
>> Looking at netstat -l -n shows only lo and eth1 listening on port 139, 
>> so how is this failing to work??
>> Any ideas?
>> Thanks
>>     
> ----
> I don't believe that you want to use comma separators in things like
> 'bind interfaces' or 'interfaces' - it doesn't seem that samba is
> consistent here.
>
>   
removed
> I have never used two separate hardware network interfaces on the same
> subnet and suspect that it may actually be trying to communicate back
> from the wrong one which is confusing things. Also, it doesn't make
> sense to list both eth1 and the actual ip address in bind interfaces but
> I would tend to doubt that would be a problem.
>
> Try taking eth0 down (as root - ifdown eth0) and see if that fixes the
> problem.
Tried this and things appear to work okay, so I guess I need to split my 
subnet into two......
Some further thinking required here. I have an almost identical setup 
at home and actually tried all this there first, as I do not want my 
business impacted. So it appears to work fine at home but not at the 
office; some more testing required. I have only two windoze machines at 
home and neither accesses the server, so I'll have to contrive a setup 
that tries this out properly. Will keep you posted.....
>  
>
> Also, I'm not sure why some of the firewall rules include --state NEW
> and some of the don't - that doesn't fully make sense to me.
>   
State NEW is irrelevant for UDP as it is a single direction with no 
handshaking such as TCP has, i.e. connectionless?
> Craig
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>   
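An added example (not from the thread) that audits the two-NICs-on-one-subnet situation Craig suspects and prints the Samba rules restricted to one interface, with the state match applied only to the TCP ports. The input format, the `net_prefix`/`shared_subnets`/`samba_rules` names and the sample addresses are constructed here; the rule for port 135 from the post is left out, since smbd/nmbd do not listen there.

```shell
#!/bin/sh
# Reduce "a.b.c.d/len" to its network prefix (constructed helper; only /8,
# /16 and /24 are handled, which covers the post's 192.168.230.0/24).
net_prefix() {
  ip=${1%/*}; len=${1#*/}
  set -- $(echo "$ip" | tr . ' ')
  case $len in
    8)  echo "$1.0.0.0/8" ;;
    16) echo "$1.$2.0.0/16" ;;
    24) echo "$1.$2.$3.0/24" ;;
    *)  echo "unsupported/$len" ;;
  esac
}

# Input on stdin: lines "IFACE ADDR/LEN" (columns 2 and 4 of
# `ip -o -4 addr show`). Output: one line per subnet present on more than
# one interface. Two NICs on one subnet let Linux answer ARP for either
# address from either card, so SMB traffic can arrive on eth0 and be dropped
# by an "-i eth1" rule; the fix is separate subnets or the arp_ignore /
# arp_filter sysctls.
shared_subnets() {
  while read -r ifc addr; do
    echo "$(net_prefix "$addr") $ifc"
  done | sort | awk '{ ifs[$1] = ifs[$1] " " $2; n[$1]++ }
                     END { for (k in n) if (n[k] > 1) print k ":" ifs[k] }'
}

# Samba rules for one interface and source subnet. UDP 137/138 (nmbd) are
# connectionless, so no state match; TCP 139/445 (smbd) accept NEW only,
# replies are covered by the usual ESTABLISHED,RELATED rule.
samba_rules() {
  ifc=$1; src=$2
  for p in 137 138; do
    echo "-A RH-Firewall-1-INPUT -i $ifc -s $src -p udp --dport $p -j ACCEPT"
  done
  for p in 139 445; do
    echo "-A RH-Firewall-1-INPUT -i $ifc -s $src -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
}

# Constructed sample mirroring the post: both NICs in 192.168.230.0/24.
SAMPLE='eth0 192.168.230.230/24
eth1 192.168.230.232/24'

printf '%s\n' "$SAMPLE" | shared_subnets
samba_rules eth1 192.168.230.0/24
```

On a live box replace the sample with `ip -o -4 addr show | awk '{print $2, $4}' | shared_subnets`.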