[CentOS] Samba and iptables - woes

Tue Mar 31 16:50:57 UTC 2009
Rob Townley <rob.townley at gmail.com>

The poster suggesting a lopsided interfaces is correct.  Look at
incoming vs outgoing packets via
ifconfig -a.
  Use /sbin/ip to fix it.  Since the subnet is the same, u need a
/sbin/ip rule.

On 3/31/09, Rob Kampen <rkampen at kampensonline.com> wrote:
>
>
> Craig White wrote:
>> On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:
>>
>>> Hi folk,
>>> I am trying to get iptables working on a samba server but find it is
>>> blocking something that prevents the windoze clients from being able to
>>> access the share.
>>> here are the bits from iptables:
>>>
>>>> # nmb provided netbios-ns
>>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1
>>>> --dport 137 -j ACCEPT
>>>> # nmb provided netbios-dgm
>>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1
>>>> --dport 138 -j ACCEPT
>>>> # Samba
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
>>>> eth1 --dport 135 --state NEW -j ACCEPT
>>>> # smb provided netbios-ssn
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
>>>> eth1 --dport 139 --state NEW -j ACCEPT
>>>> # smb provided microsoft-ds
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i
>>>> eth1 --dport 445 --state NEW -j ACCEPT
>>>>
>>> so as far as I can tell this should provide access to the required
>>> services.
>>> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and
>>> connects to the router with internet/NAT firewall; 1Gb is eth1 at
>>> 192.168.230.232 and this connects to a G ethernet switch that has the
>>> windoze clients.
>>> The smb.conf is as follows:
>>>  [global]
>>>         workgroup = NDG
>>>         netbios name = SAMBA
>>>         netbios aliases = Samba
>>>         server string = Samba Server Version %v
>>>         interfaces = lo, eth1, 192.168.230.232
>>>         bind interfaces only = Yes
>>>         security = DOMAIN
>>>         obey pam restrictions = Yes
>>>         passdb backend = tdbsam
>>>         pam password change = Yes
>>>         log file = /var/log/samba/%m.log
>>>         max log size = 50
>>>         load printers = No
>>>         add user script = /usr/sbin/useradd "%u" -n -g users
>>>         delete user script = /usr/sbin/userdel "%u"
>>>         add group script = /usr/sbin/groupadd "%g"
>>>         delete group script = /usr/sbin/groupdel "%g"
>>>         delete user from group script = /usr/sbin/userdel "%u" "%g"
>>>         add machine script = /usr/sbin/useradd -n -c "Workstation (%u)"
>>> -M -d /nohome -s /bin/false "%u"
>>>         logon path =
>>>         domain logons = Yes
>>>         os level = 32
>>>         preferred master = Yes
>>>         domain master = Yes
>>>         dns proxy = No
>>>         wins support = Yes
>>>         ldap ssl = no
>>>         create mask = 0664
>>>         directory mask = 0775
>>>         hosts allow = 127., 192.168.230., 192.168.231.
>>>         case sensitive = Yes
>>>         browseable = No
>>>         available = No
>>>         wide links = No
>>>         dont descend = /
>>>
>>> [homes]
>>>         comment = Home Directories
>>>         valid users = %S
>>>         read only = No
>>>         browseable = Yes
>>>         available = Yes
>>>
>>> [NDG]
>>>         comment = NDG files
>>>         path = /NDG
>>>         write list = @NDGstaff, @birdseye
>>>         read only = No
>>>         browseable = Yes
>>>         available = Yes
>>>
>>> I found that making the rule for port 139 ignore the eth port (i.e.
>>> remove the -i eth1) allowed things to work better, but do not want this
>>> to be the case as I do not want the eth0 interface to be used for this
>>> traffic.
>>> looking at netstat -l -n shows only lo and eth1 listening on port 139,
>>> so how is this failing to work??
>>> Any ideas?
>>> Thanks
>>>
>> ----
>> I don't believe that you want to use comma separators in things like
>> 'bind interfaces' or 'interfaces' - it doesn't seem that samba is
>> consistent here.
>>
>>
> removed
>> I have never used two separate hardware network interfaces on the same
>> subnet and suspect that it may actually be trying to communicate back
>> from the wrong one which is confusing things. Also, it doesn't make
>> sense to list both eth1 and the actual ip address in bind interfaces but
>> I would tend to doubt that would be a problem.
>>
>> Try taking eth0 down (as root - ifdown eth0) and see if that fixes the
>> problem.
> tried this and things appear to work okay, so I guess I need to split my
> subnet into two......
> Some further thinking required here. I have an almost identical set up
> in my home and actually tried all this there first, as I do not want my
> business impacted. So it appears to work fine at home but not at the
> office, some more testing required. I have only two windoze machines at
> home and neither access the server, so I'll have to contrive a setup
> that tries this out properly. Will keep you posted.....
>>
>>
>> Also, I'm not sure why some of the firewall rules include --state NEW
>> and some of the don't - that doesn't fully make sense to me.
>>
> state NEW is irrelevant for udp as it is a single direction with no
> handshaking such as tcp has - i.e. connectionless?
>> Craig
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>