Tom wrote:
What is the subnet mask of the outside interface?
255.255.255.0 or /24
What is the subnet mask of the inside interface?
255.255.255.0 or /24
I'm not real good with iptables but you might need to check your source address. Ex. 192.168.230.100/24. /24 is a full class C.
Tried changing it to 192.168.230.0/24 as suggested by another; no difference, it still does not work. As I suspected, the last octet can be any value, as it is effectively masked by the /24.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Rob Kampen
Sent: Monday, March 30, 2009 9:19 PM
To: CentOS mailing list
Subject: [CentOS] Samba and iptables - woes
Hi folk, I am trying to get iptables working on a samba server but find it is blocking something that prevents the windoze clients from being able to access the share. Here are the bits from iptables:
# nmb provided netbios-ns
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
# nmb provided netbios-dgm
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
# smb provided netbios-ssn
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
# smb provided microsoft-ds
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
So as far as I can tell this should provide access to the required services. BTW the server has two NICs: 100Mb is eth0 at 192.168.230.230 and connects to the router with the internet/NAT firewall; 1Gb is eth1 at 192.168.230.232 and this connects to a G ethernet switch that has the windoze clients. The smb.conf is as follows:

[global]
workgroup = NDG
netbios name = SAMBA
netbios aliases = Samba
server string = Samba Server Version %v
interfaces = lo, eth1, 192.168.230.232
bind interfaces only = Yes
security = DOMAIN
obey pam restrictions = Yes
passdb backend = tdbsam
pam password change = Yes
log file = /var/log/samba/%m.log
max log size = 50
load printers = No
add user script = /usr/sbin/useradd "%u" -n -g users
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
logon path =
domain logons = Yes
os level = 32
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
create mask = 0664
directory mask = 0775
hosts allow = 127., 192.168.230., 192.168.231.
case sensitive = Yes
browseable = No
available = No
wide links = No
dont descend = /

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = Yes
available = Yes

[NDG]
comment = NDG files
path = /NDG
write list = @NDGstaff, @birdseye
read only = No
browseable = Yes
available = Yes
I found that making the rule for port 139 ignore the eth port (i.e. removing the -i eth1) allowed things to work better, but I do not want this to be the case, as I do not want the eth0 interface to be used for this traffic. Looking at netstat -l -n shows only lo and eth1 listening on port 139, so how is this failing to work?? Any ideas? Thanks Rob
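One way to see which condition of the posted rules a blocked SMB packet is failing (interface, source range or port), as an added example that is not code from this thread. It assumes a `-j LOG` rule with the prefix `SMB-DROP` has been placed in RH-Firewall-1-INPUT just ahead of the chain's final reject so that unmatched Samba traffic shows up in the kernel log; the log lines below are constructed, not captured from Rob's server.

```python
import ipaddress
import re

# Ports opened by the rules in the original post (protocol, destination port).
SAMBA_PORTS = {("udp", 137), ("udp", 138), ("tcp", 135), ("tcp", 139), ("tcp", 445)}

# The rules' source match as posted. strict=False discards the host bits, which is
# why 192.168.230.100/24 and 192.168.230.0/24 match exactly the same addresses.
RULE_SRC = ipaddress.ip_network("192.168.230.100/24", strict=False)
RULE_IFACE = "eth1"   # every posted rule carries -i eth1

LOG_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Pull the KEY=VALUE fields of a netfilter LOG entry into a dict."""
    return dict(LOG_FIELD.findall(line))


def classify(line):
    """Return (accepted, reason) for one logged packet checked against the posted rules."""
    f = parse_log_line(line)
    proto = f.get("PROTO", "").lower()
    try:
        dport = int(f.get("DPT", "-1"))
        src = ipaddress.ip_address(f["SRC"])
    except (KeyError, ValueError):
        return False, "unparseable log line"
    if (proto, dport) not in SAMBA_PORTS:
        return False, "not a Samba port"
    if src not in RULE_SRC:
        return False, "source outside %s" % RULE_SRC
    if f.get("IN") != RULE_IFACE:
        # This is the case the -i eth1 match hides: the packet came in on the other NIC.
        return False, "arrived on %s, rule requires -i %s" % (f.get("IN"), RULE_IFACE)
    return True, "would be accepted"


# Constructed sample LOG lines (hypothetical, not from the original post).
SAMPLE = [
    "kernel: SMB-DROP IN=eth1 OUT= SRC=192.168.230.50 DST=192.168.230.232 PROTO=TCP SPT=49152 DPT=139",
    "kernel: SMB-DROP IN=eth0 OUT= SRC=192.168.230.50 DST=192.168.230.232 PROTO=TCP SPT=49153 DPT=445",
    "kernel: SMB-DROP IN=eth1 OUT= SRC=192.168.231.7 DST=192.168.230.232 PROTO=UDP SPT=137 DPT=137",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

A run of logged packets that all report "arrived on eth0" points at the traffic path, not at the source mask; with both NICs on the same /24 it is worth confirming on the clients which MAC address they resolve 192.168.230.232 to.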
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos