Hi folks, I am trying to get iptables working on a Samba server but find it is blocking something that prevents the windoze clients from being able to access the share. Here are the bits from iptables:
# nmb provided netbios-ns
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
# nmb provided netbios-dgm
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
# Samba
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
# smb provided netbios-ssn
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
# smb provided microsoft-ds
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT

So as far as I can tell this should provide access to the required services. BTW the server has two NICs: 100Mb is eth0 at 192.168.230.230 and connects to the router with the internet/NAT firewall; 1Gb is eth1 at 192.168.230.232 and connects to a gigabit ethernet switch that has the windoze clients. The smb.conf is as follows:

[global]
    workgroup = NDG
    netbios name = SAMBA
    netbios aliases = Samba
    server string = Samba Server Version %v
    interfaces = lo, eth1, 192.168.230.232
    bind interfaces only = Yes
    security = DOMAIN
    obey pam restrictions = Yes
    passdb backend = tdbsam
    pam password change = Yes
    log file = /var/log/samba/%m.log
    max log size = 50
    load printers = No
    add user script = /usr/sbin/useradd "%u" -n -g users
    delete user script = /usr/sbin/userdel "%u"
    add group script = /usr/sbin/groupadd "%g"
    delete group script = /usr/sbin/groupdel "%g"
    delete user from group script = /usr/sbin/userdel "%u" "%g"
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
    logon path =
    domain logons = Yes
    os level = 32
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap ssl = no
    create mask = 0664
    directory mask = 0775
    hosts allow = 127., 192.168.230., 192.168.231.
    case sensitive = Yes
    browseable = No
    available = No
    wide links = No
    dont descend = /

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = Yes
    available = Yes

[NDG]
    comment = NDG files
    path = /NDG
    write list = @NDGstaff, @birdseye
    read only = No
    browseable = Yes
    available = Yes
I found that making the rule for port 139 ignore the eth port (i.e. removing the -i eth1) allowed things to work better, but I do not want this to be the case, as I do not want the eth0 interface to be used for this traffic. Looking at netstat -l -n shows only lo and eth1 listening on port 139, so how is this failing to work? Any ideas? Thanks, Rob
What is the subnet mask of the outside interface?
What is the subnet mask of the inside interface?
I'm not really good with iptables, but you might need to check your source address, e.g. 192.168.230.100/24. /24 is a full class C.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Rob Kampen Sent: Monday, March 30, 2009 9:19 PM To: CentOS mailing list Subject: [CentOS] Samba and iptables - woes
Tom wrote:
What is the subnet mask of the outside interface?
255.255.255.0 or /24
What is the subnet mask of the inside interface?
255.255.255.0 or /24
I'm not real good with iptables but you might need to check your source address. Ex. 192.168.230.100/24. /24 is a full class C.
Tried changing it to 192.168.230.0/24 as suggested by another; no difference, it still does not work. As I suspected, the last octet can be any value; it is effectively masked by the /24.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:
I don't believe that you want to use comma separators in things like 'bind interfaces' or 'interfaces'; it doesn't seem that samba is consistent here.
I have never used two separate hardware network interfaces on the same subnet and suspect that it may actually be trying to communicate back from the wrong one which is confusing things. Also, it doesn't make sense to list both eth1 and the actual ip address in bind interfaces but I would tend to doubt that would be a problem.
Try taking eth0 down (as root - ifdown eth0) and see if that fixes the problem.
Also, I'm not sure why some of the firewall rules include --state NEW and some of them don't; that doesn't fully make sense to me.
Craig
Craig White wrote:
On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:
I don't believe that you want to use comma separators in things like 'bind interfaces' or 'interfaces' - it doesn't seem that samba is consistent here.
removed
I have never used two separate hardware network interfaces on the same subnet and suspect that it may actually be trying to communicate back from the wrong one which is confusing things. Also, it doesn't make sense to list both eth1 and the actual ip address in bind interfaces but I would tend to doubt that would be a problem.
Try taking eth0 down (as root - ifdown eth0) and see if that fixes the problem.
Tried this and things appear to work okay, so I guess I need to split my subnet into two... Some further thinking required here. I have an almost identical setup at home and actually tried all this there first, as I do not want my business impacted. So it appears to work fine at home but not at the office; some more testing required. I have only two windoze machines at home and neither accesses the server, so I'll have to contrive a setup that tries this out properly. Will keep you posted...
Also, I'm not sure why some of the firewall rules include --state NEW and some of the don't - that doesn't fully make sense to me.
state NEW is irrelevant for udp as it is a single direction with no handshaking such as tcp has - i.e. connectionless?
Craig
The poster suggesting lopsided interfaces is correct. Look at incoming vs outgoing packets via ifconfig -a. Use /sbin/ip to fix it. Since the subnet is the same, you need a /sbin/ip rule.
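The "lopsided interfaces" check Rob Townley describes can be scripted. The following is an added example, not code from the thread: it parses the net-tools ifconfig output format of that CentOS release (the "RX packets:N" / "TX packets:N" lines) and flags any interface whose RX and TX counters differ by more than a chosen factor. The sample output and the factor of 10 are constructed for the demonstration; on a server whose Samba traffic should stay on eth1, a large TX count on eth0 with almost no RX on it is the signature of replies leaving the wrong NIC.

```shell
#!/bin/sh
# Added example (not from the thread): flag interfaces whose RX and TX packet
# counters are badly out of balance, the symptom of asymmetric routing when
# two NICs sit on one subnet. Parses the net-tools ifconfig format of that era.

# Usage: ifconfig -a | lopsided_ifaces [FACTOR]
# Prints "iface rx tx" for every interface where the larger counter exceeds
# the smaller by more than FACTOR (default 10). Exit status 0 if any flagged.
lopsided_ifaces() {
    factor=${1:-10}
    awk -v factor="$factor" '
        /^[A-Za-z]/   { iface = $1 }                             # "eth1  Link encap:..." opens a block
        /RX packets:/ { split($2, a, ":"); rx[iface] = a[2] + 0 }
        /TX packets:/ { split($2, a, ":"); tx[iface] = a[2] + 0 }
        END {
            for (i in rx) {
                hi = rx[i] > tx[i] ? rx[i] : tx[i]
                lo = rx[i] > tx[i] ? tx[i] : rx[i]
                if (hi > 0 && hi > factor * lo) print i, rx[i], tx[i]
            }
        }' | sort | grep .
}

# Constructed sample in the format "ifconfig -a" printed on CentOS 5:
# requests arrive on eth1 but replies leave via eth0, so both are lopsided.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.230.230  Bcast:192.168.230.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1532 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98211 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:192.168.230.232  Bcast:192.168.230.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:97650 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1210 errors:0 dropped:0 overruns:0 carrier:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4410 errors:0 dropped:0 overruns:0 carrier:0'

# Demo against the constructed sample; on a real box use: ifconfig -a | lopsided_ifaces
printf '%s\n' "$SAMPLE_IFCONFIG" | lopsided_ifaces 10
```

Counters are cumulative since boot, so on a production box compare two snapshots a minute apart (or `ifconfig` before and after a client copies a file) rather than the absolute values; a healthy single-homed Samba server shows roughly balanced RX and TX on the serving interface.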
Rob Townley wrote:
The poster suggesting a lopsided interfaces is correct. Look at incoming vs outgoing packets via ifconfig -a. Use /sbin/ip to fix it. Since the subnet is the same, u need a /sbin/ip rule.
Okay, I get the issue: a packet arrives on one interface but the server sends the reply back out the other one due to the routing rules, thus the client gets confused. Reading man ip leaves me confused; I understand the basics, but this is WAY over my competence level. What kind of rule do I need here? I need some expert assistance please. Thanks, Rob
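The rule Rob is asking about is source-address policy routing: a per-address routing table plus an `ip rule` that selects it whenever the server sends from that address, so replies from 192.168.230.232 always leave via eth1 and replies from 192.168.230.230 via eth0, even though the main table only holds one route for the shared /24. The script below is an added example, not code from the thread; the table numbers 100 and 101 and the `pref` values are assumptions (pick unused ones, see /etc/iproute2/rt_tables), and the interface names and addresses are the ones the thread gives.

```shell
#!/bin/sh
# Added example (not from the thread): pin outbound traffic to the NIC that owns
# the source address, so a request that arrives on eth1 for 192.168.230.232 is
# answered from eth1 instead of eth0. Requires iproute (/sbin/ip) and root.

# policy_route_cmds IFACE ADDR SUBNET TABLE
# Prints the two ip commands that route everything sourced from ADDR through
# IFACE: a copy of the subnet route in a private table, and a rule that sends
# packets "from ADDR" to that table. TABLE doubles as the rule preference.
policy_route_cmds() {
    iface=$1 addr=$2 subnet=$3 table=$4
    echo "ip route replace $subnet dev $iface src $addr table $table"
    echo "ip rule add from $addr table $table pref $table"
}

# Apply the rules for both NICs of the thread's server (run as root).
# Table/pref 101 and 100 are assumed free; "ip rule add" is not idempotent,
# so run "ip rule del from ADDR table N" first when re-applying.
apply_policy_routing() {
    policy_route_cmds eth1 192.168.230.232 192.168.230.0/24 101 | sh -e
    policy_route_cmds eth0 192.168.230.230 192.168.230.0/24 100 | sh -e
}

# Dry run: show what apply_policy_routing would execute.
echo "# eth1 (Samba, bind interfaces only)"
policy_route_cmds eth1 192.168.230.232 192.168.230.0/24 101
echo "# eth0 (router / NAT side)"
policy_route_cmds eth0 192.168.230.230 192.168.230.0/24 100
echo "# verify with: ip route get <client-ip> from 192.168.230.232  (expect dev eth1)"
```

Two caveats a practitioner should expect. First, the ARP side: by default Linux answers an ARP request for any of its addresses on any interface, so a client asking who has .232 may learn eth0's MAC and send the request to eth0 in the first place; that is consistent with Rob's observation that dropping `-i eth1` from the port 139 rule "worked better". Setting `net.ipv4.conf.all.arp_ignore=1` and `net.ipv4.conf.all.arp_announce=2` makes each NIC answer only for its own address. Second, reverse-path filtering (`rp_filter`) evaluates the same policy tables, so once the rules above are in place the kernel's reverse lookup for a client agrees with the interface the packet arrived on and the `-i eth1` rule can stay as Rob wants it.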
Hi.
2009/3/31 Rob Kampen rkampen@kampensonline.com:
Your source address is invalid. If you want access from the entire 192.168.230.x subnet, you have to use a source of 192.168.230.0/24. If you want access from only 100, then you need to specify the source as 192.168.230.100/32 (a single address with a mask to match or just leave the mask off).
HTH
Regards, Andrew.
Spook ZA wrote:
Your source address is invalid. If you want access from the entire 192.168.230.x subnet, you have to use a source of 192.168.230.0/24. If you want access from only 100, then you need to specify the source as 192.168.230.100/32 (a single address with a mask to match or just leave the mask off).
Sorry, not so; tried changing it as you suggested but no go. The /24 masks the last octet, thus you can have any value from 0~254.
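Andrew's objection and Rob's reply are about what a CIDR prefix actually selects, and Rob is right on this point: iptables applies the mask when it stores a rule, so `-s 192.168.230.100/24` and `-s 192.168.230.0/24` produce the identical rule (iptables-save prints both as 192.168.230.0/24), which is why changing it made no difference. The following is an added example, not code from the thread, that does the mask arithmetic in plain POSIX sh so the equivalence can be checked for any address/prefix pair; it assumes a shell with 64-bit arithmetic (dash and bash on x86_64 both qualify).

```shell
#!/bin/sh
# Added example (not from the thread): CIDR arithmetic in POSIX sh, showing that
# the host bits of an iptables "-s ADDR/PREFIX" match are discarded.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length as an integer: /24 -> 4294967040 (255.255.255.0).
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Normalise "addr/prefix" to the network it really matches, the way iptables
# does when it stores the rule. A bare address is treated as /32.
#   cidr_network 192.168.230.100/24 -> 192.168.230.0/24
cidr_network() {
    _addr=${1%/*}
    _prefix=${1#*/}
    [ "$_prefix" = "$1" ] && _prefix=32
    _mask=$(prefix_to_mask "$_prefix")
    echo "$(int_to_ip $(( $(ip_to_int "$_addr") & $_mask )))/$_prefix"
}

# Exit 0 if address $2 lies inside CIDR $1, 1 otherwise.
cidr_contains() {
    _net=${1%/*}
    _prefix=${1#*/}
    [ "$_prefix" = "$1" ] && _prefix=32
    _mask=$(prefix_to_mask "$_prefix")
    [ $(( $(ip_to_int "$_net") & $_mask )) -eq $(( $(ip_to_int "$2") & $_mask )) ]
}

# Demo with the thread's subnet: the first two spellings select the same hosts,
# the last two select only the one machine.
for spec in 192.168.230.100/24 192.168.230.0/24 192.168.230.100/32 192.168.230.100; do
    printf '%-22s matches %s\n' "$spec" "$(cidr_network "$spec")"
done
```

The practical consequence for Rob's rules: the `-s` match was never the blocker, because every client on 192.168.230.0/24 already passed it; the effective filter was `-i eth1`, which only lines up with where the packets physically arrive once the two-NIC routing and ARP behaviour is sorted out.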
on 3-30-2009 9:19 PM Rob Kampen spake the following:
What are you attempting to achieve? Having both nics on the same subnet doesn't make a lot of sense to me.
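An added example, not code from the thread or from the CentOS project: a CentOS-style RH-Firewall-1-INPUT fragment that admits Samba only on eth1 from the LAN subnet (the same ports Rob's rules cover, minus 135, which smbd and nmbd do not listen on), plus two things the thread does not have. First, a rate-limited LOG rule just before the final REJECT, so /var/log/messages records the IN= interface of every blocked packet; that is the direct way to see on which NIC a client's SMB traffic is actually arriving, and the small parser below pulls those lines out of constructed sample log text. Second, two sysctl settings: when two NICs sit on one subnet, Linux by default answers ARP requests for either address on whichever NIC receives them, so a client's packets for 192.168.230.232 can legitimately come in on eth0 and be dropped by the -i eth1 rules. That is one plausible explanation of the symptom described above, not something the thread establishes. The subnet and interface names follow the thread; the chain layout and the log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Samba-only-on-eth1 firewall rules with a
# reject log, ARP sysctls for two NICs on one subnet, and a log-line parser.

LAN_NET=192.168.230.0/24   # iptables masks 192.168.230.100/24 to this anyway
LAN_IF=eth1

# Emit the filter table in iptables-restore syntax (stock CentOS chain layout:
# lo and ESTABLISHED,RELATED accepted first, REJECT last).
samba_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# nmbd: NetBIOS name and datagram services
-A RH-Firewall-1-INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 138 -j ACCEPT
# smbd: NetBIOS session service and direct-hosted SMB
-A RH-Firewall-1-INPUT -i $LAN_IF -s $LAN_NET -p tcp -m state --state NEW --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -i $LAN_IF -s $LAN_NET -p tcp -m state --state NEW --dport 445 -j ACCEPT
# Rate-limited record of what is about to be rejected; IN= names the arriving NIC
-A RH-Firewall-1-INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT: " --log-level 6
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# sysctl.conf lines that stop the kernel answering ARP for eth1's address on
# eth0 (and vice versa) when both NICs share a subnet.
arp_sysctl() {
    cat <<EOF
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
EOF
}

# Read kernel LOG lines on stdin; print "<iface> <dport>" for rejected
# NetBIOS/SMB packets only (other rejected traffic is skipped).
rejected_smb() {
    grep 'FW-REJECT: ' | while read -r line; do
        iface=$(printf '%s\n' "$line" | sed -n 's/.* IN=\([^ ]*\) .*/\1/p')
        dport=$(printf '%s\n' "$line" | sed -n 's/.* DPT=\([0-9]*\) .*/\1/p')
        case "$dport" in
            137|138|139|445) printf '%s %s\n' "$iface" "$dport" ;;
        esac
    done
}

# Constructed sample log lines in the kernel LOG format (not captured from the
# thread's server): a LAN client's SMB SYN that came in on eth0, and an
# unrelated SSH probe from outside that the parser must ignore.
SAMPLE_LOG='Mar 31 20:00:01 samba kernel: FW-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.230.101 DST=192.168.230.232 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1234 DF PROTO=TCP SPT=1034 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 20:00:02 samba kernel: FW-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.230.230 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=5678 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

case "${1:-}" in
    rules)  samba_rules ;;
    sysctl) arp_sysctl ;;
    check)  printf '%s\n' "$SAMPLE_LOG" | rejected_smb ;;
esac
```

Run it with `rules` to get a file for iptables-restore, `sysctl` for the two lines to append to /etc/sysctl.conf, and `check` to see the parser pick out the one SMB packet that arrived on eth0 (output: `eth0 139`). On a live system, feed `grep FW-REJECT /var/log/messages` into rejected_smb instead of the sample text; if local clients show up with IN=eth0, the firewall is doing what it was told and the fix belongs in the ARP settings or the network layout, not in loosening the -i eth1 match.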
Scott Silva wrote:
> on 3-30-2009 9:19 PM Rob Kampen spake the following:
>> [...]
> What are you attempting to achieve? Having both nics on the same subnet doesn't make a lot of sense to me.
Scott, good point. I guess I'm suffering from incremental additions over the last 4 years and no real look at the overall architecture. I'm not sure what would work best. I have a T1 to the big bad internet world via a Linksys RV016 router and this used to deal with everything. The main server provides DNS, apache, ssh, smtp, pop and imap - all needing internet accessibility - and then samba as a file server that is only required locally. Then along came an asterisk server and a Netgear PoE vlan switch to run the snom VoIP / SIP phones, with the * needing internet access but only one NIC. Then along came a 1G ethernet switch to improve access speeds to samba, hence the two NICs on the same subnet - the 100Mb for the internet facing services (although all these services also need to be accessed locally) and the 1Gb NIC for file serving to the five windoze clients. Then I wanted to add a firewall to the server to deal with things like tripping up the port 22 script kiddies, and then tripped up on the samba... Confused yet? I guess some careful thought is needed to design this appropriately. I was considering having the server do IP forwarding, but this may not be smart as it already does too much. Thanks for the questions - helps me focus on the real issues. Rob - p.s. suggestions welcome
2009/4/1 Rob Kampen rkampen@kampensonline.com
> Scott Silva wrote:
> [...]
So, is the gigabit switch connected to the RV016?
I'd guess so, so that your client machines can reach the internet... In which case, there's no need to connect the server to the router's built-in switch too... By the sounds of it, you don't need multiple nics for what you are trying to do... Perhaps the issue is that you are using the 'DMZ port' on the router to make the server internet accessible? You can also use the router's port forwarding functionality to forward each individual service to the server and not use the DMZ port, then you can simplify your config, leaving your server with a single interface and a single IP address... If you wanted to get cleverer with the config from there you could potentially have a go with bonding your NICs and connecting the 100Mb NIC to the router's switch such that the gigabit NIC would be the primary NIC, but, in the event the gigabit switch, or the link to it, went down, the 100Mb NIC would become active and your internet services at least would still be provided...
Alternatively, as you've said, you could get the server doing the forwarding... as you're only dealing with a T1, it wouldn't be at all resource intensive and as long as the server isn't struggling with its existing workload, it'll likely do forwarding fine too... One thing that you might want to consider though is that if you set the server up to do routing, that's one more service that would be lost if the machine went down for some reason... That might not be an issue though, as if it's already the only DNS server within your network and it provides all externally accessible services, if it goes down now you'd lose all services except for those outbound connections from client machines that are already up or where the remote address is cached in the local DNS cache... On reasons for doing that though, being able to get rid of NAT on your internet connected services could prove handy, especially if you have any remote SIP connections to/from your asterisk...
d
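The active-backup bond that d sketches, as an added example rather than anything from the thread: the gigabit NIC (eth1) carries the traffic, and the 100Mb NIC (eth0, on the router's switch) takes over only if the gigabit link goes down. The script writes CentOS 5-style network-scripts and a modprobe.conf fragment under a directory you name, not under /etc, so the result can be inspected first. The IP address and NIC names follow the thread; the file layout is the standard one for that release and is an assumption about the reader's system.

```shell
#!/bin/sh
# Added example (not from the thread): generate an active-backup bond config
# with eth1 as the preferred link and eth0 as the fallback.

write_bond_config() {
    dir=${1:-./bond-example}
    mkdir -p "$dir/sysconfig/network-scripts"

    # Bonding driver options: check link state every 100 ms, prefer eth1 whenever it is up.
    cat >"$dir/modprobe.conf" <<EOF
alias bond0 bonding
options bond0 mode=active-backup miimon=100 primary=eth1
EOF

    # The bond carries the single IP address; the slaves carry none.
    cat >"$dir/sysconfig/network-scripts/ifcfg-bond0" <<EOF
DEVICE=bond0
IPADDR=192.168.230.232
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
EOF

    # Both physical NICs become slaves of bond0.
    for nic in eth0 eth1; do
        cat >"$dir/sysconfig/network-scripts/ifcfg-$nic" <<EOF
DEVICE=$nic
MASTER=bond0
SLAVE=yes
ONBOOT=yes
BOOTPROTO=none
EOF
    done
}

# Report which NIC the generated config makes primary (reads it back from the file).
bond_primary() {
    sed -n 's/.*primary=\([a-z0-9]*\).*/\1/p' "${1:-./bond-example}/modprobe.conf"
}

if [ -n "${1:-}" ]; then
    write_bond_config "$1" && echo "primary NIC: $(bond_primary "$1")"
fi
```

With the bond in place the server has one logical interface, so firewall rules that match `-i eth1` must match `-i bond0` instead, and the `interfaces` line in smb.conf should name bond0 rather than eth1. Since both physical links sit on the same broadcast domain, which switch the traffic crosses is then decided by the bonding driver's link monitoring, not by ARP.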
on 3-31-2009 8:26 PM Rob Kampen spake the following:
> [...]
I'll tell you how I did it in a few of our small remote offices. Server is similar to what you have. Some web facing services, some local. T1 for internet access. 2 nics, but different subnets. One subnet is pointed at the T1's public IP address range, using one of the 63 addresses we have. All public services are pointed at this interface. The other nic is on an RFC private address range so no routing leakage will go out over the T1. An old PC running IPCop is used for normal lan to wan traffic with web caching and filtering. Its public address is a different address on the T1's range, and the private address is the default gateway for all the PCs except the server. If PCs need to access the public facing services, they do so through the IPCop box to the T1 router, but not actually out through the internet; it just sort of skims the border and comes back on that subnet. Iptables runs on the server with public ports only accessible from the wan, and private ports only accessible from the lan.
The server's default gateway is the public address, as it is already smart enough to know which interface private lan traffic comes on. You can let the traffic mingle on one switch if you have to, but separate switches or a vlan is much better and lots safer. Our T1 routers have 8 switch ports, so public equipment goes to that side and keeps isolation.
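The split Scott describes, as an added example that is not his configuration or anything from the thread: public services accepted only on the WAN-facing NIC, Samba accepted only on the private NIC and only from the private subnet, and a lint that rejects any rule set in which a NetBIOS/SMB port is admitted on the public interface, which is the mistake this layout exists to prevent. Interface names, the list of public services (taken from the services Rob says the server provides) and the private subnet are assumptions; the rules use plain INPUT rather than the RH-Firewall-1-INPUT chain.

```shell
#!/bin/sh
# Added example (not from the thread): interface-split INPUT policy plus a
# lint that fails if any SMB/NetBIOS port is accepted on the public NIC.

PUB_IF=eth0                     # on the T1's public address range
PRIV_IF=eth1                    # on the RFC 1918 LAN
PRIV_NET=192.168.230.0/24
PUB_TCP=22,25,53,80,110,143     # ssh, smtp, dns, http, pop3, imap

split_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Public services: reachable on the WAN NIC from anywhere (LAN users get there via the router)
-A INPUT -i $PUB_IF -p tcp -m multiport --dports $PUB_TCP -m state --state NEW -j ACCEPT
-A INPUT -i $PUB_IF -p udp --dport 53 -j ACCEPT
# Private services: Samba and admin ssh only on the LAN NIC and only from the LAN subnet
-A INPUT -i $PRIV_IF -s $PRIV_NET -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -i $PRIV_IF -s $PRIV_NET -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
-A INPUT -i $PRIV_IF -s $PRIV_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Lint: read rules on stdin, print each ACCEPT rule on the public NIC that admits
# a NetBIOS/SMB port; exit 1 if any were found, 0 if the split is intact.
lint_no_smb_on_public() {
    awk -v pub="$PUB_IF" '
        /^-A / && /-j ACCEPT/ && $0 ~ ("-i " pub " ") {
            if (match($0, /--dports? [0-9,:]+/)) {
                ports = substr($0, RSTART, RLENGTH); sub(/--dports? /, "", ports)
                n = split(ports, p, ",")
                for (i = 1; i <= n; i++)
                    if (p[i] == "137" || p[i] == "138" || p[i] == "139" || p[i] == "445") {
                        print; bad = 1; break
                    }
            }
        }
        END { exit (bad ? 1 : 0) }'
}

case "${1:-}" in
    rules) split_rules ;;
    lint)  split_rules | lint_no_smb_on_public && echo "no SMB ports on $PUB_IF" ;;
esac
```

The lint only looks at single ports and comma lists, not at port ranges, so a rule written with `--dport 130:450` would slip past it; keep the generated rules in the explicit form shown if you rely on the check. Run `sh split.sh rules | iptables-restore --test` (on a system with iptables 1.4 or newer) to have iptables parse the output without loading it.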