[CentOS] Samba and iptables - woes

Scott Silva ssilva at sgvwater.com
Wed Apr 1 22:49:08 UTC 2009

on 3-31-2009 8:26 PM Rob Kampen spake the following:
> Scott Silva wrote:
>> on 3-30-2009 9:19 PM Rob Kampen spake the following:
>>> Hi folk,
>>> I am trying to get iptables working on a samba server but find it is
>>> blocking something that prevents the windoze clients from being able to
>>> access the share.
>>> here are the bits from iptables:
>>>> # nmb provided netbios-ns
>>>> -A RH-Firewall-1-INPUT -p udp -m udp -s -i eth1
>>>> --dport 137 -j ACCEPT
>>>> # nmb provided netbios-dgm
>>>> -A RH-Firewall-1-INPUT -p udp -m udp -s -i eth1
>>>> --dport 138 -j ACCEPT
>>>> # Samba
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i
>>>> eth1 --dport 135 --state NEW -j ACCEPT
>>>> # smb provided netbios-ssn
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i
>>>> eth1 --dport 139 --state NEW -j ACCEPT
>>>> # smb provided microsoft-ds
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i
>>>> eth1 --dport 445 --state NEW -j ACCEPT
>>> so as far as I can tell this should provide access to the required
>>> services.
>>> BTW the server has two NICs; 100Mb is eth0 at and
>>> connects to the router with internet/NAT firewall; 1Gb is eth1 at
>>> and this connects to a G ethernet switch that has the
>>> windoze clients.
>>> The smb.conf is as follows:
>>> [global]
>>>        workgroup = NDG
>>>        netbios name = SAMBA
>>>        netbios aliases = Samba
>>>        server string = Samba Server Version %v
>>>        interfaces = lo, eth1,
>>>        bind interfaces only = Yes
>>>        security = DOMAIN
>>>        obey pam restrictions = Yes
>>>        passdb backend = tdbsam
>>>        pam password change = Yes
>>>        log file = /var/log/samba/%m.log
>>>        max log size = 50
>>>        load printers = No
>>>        add user script = /usr/sbin/useradd "%u" -n -g users
>>>        delete user script = /usr/sbin/userdel "%u"
>>>        add group script = /usr/sbin/groupadd "%g"
>>>        delete group script = /usr/sbin/groupdel "%g"
>>>        delete user from group script = /usr/sbin/userdel "%u" "%g"
>>>        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)"
>>> -M -d /nohome -s /bin/false "%u"
>>>        logon path =
>>>        domain logons = Yes
>>>        os level = 32
>>>        preferred master = Yes
>>>        domain master = Yes
>>>        dns proxy = No
>>>        wins support = Yes
>>>        ldap ssl = no
>>>        create mask = 0664
>>>        directory mask = 0775
>>>        hosts allow = 127., 192.168.230., 192.168.231.
>>>        case sensitive = Yes
>>>        browseable = No
>>>        available = No
>>>        wide links = No
>>>        dont descend = /
>>> [homes]
>>>        comment = Home Directories
>>>        valid users = %S
>>>        read only = No
>>>        browseable = Yes
>>>        available = Yes
>>> [NDG]
>>>        comment = NDG files
>>>        path = /NDG
>>>        write list = @NDGstaff, @birdseye
>>>        read only = No
>>>        browseable = Yes
>>>        available = Yes
>>> I found that making the rule for port 139 ignore the eth port (i.e.
>>> remove the -i eth1) allowed things to work better, but do not want this
>>> to be the case as I do not want the eth0 interface to be used for this
>>> traffic.
>>> looking at netstat -l -n shows only lo and eth1 listening on port 139,
>>> so how is this failing to work??
>>> Any ideas?
>>> Thanks
>>> Rob
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>> What are you attempting to achieve? Having both nics on the same subnet
>> doesn't make a lot of sense to me.
> Scott
> Good point, I guess I'm suffering from incremental additions over the
> last 4 years and no real look at the overall architecture. I'm not sure
> what would work best.
> I have a T1 to the big bad internet world via a Linksys RV016 router and
> this used to deal with everything. The main server provides DNS, apache,
> ssh, smtp, pop and imap - all needing internet accessibility and then
> samba for file server that is only required locally. Then along came
> asterisk server and a Netgear PoE vlan switch to run the snom VoIP / SIP
> phones, with the * needing internet access but only one NIC. Then along
> came a 1G ethernet switch to improve access speeds to samba, hence the
> two NICs on the same subnet - the 100Mb for the internet facing services
> (although all these services also need to be accessed locally) and the
> 1Gb NIC for file serving to the five windoze clients. Then I wanted to
> add firewall to the server to deal with things like tripping up the port
> 22 script kiddies and then tripped up on the samba...... Confused yet? 
> I guess some careful thought needed to design this appropriately.
> I was considering having the server do IP forwarding, but this may not
> be smart as it already does too much. Thanks for the questions - helps
> me focus on the real issues.
> Rob - p.s. suggestions welcome
I'll tell you how I did it in a few of our small remote offices.
Server is similar to what you have. Some web facing services, some local. T1
for internet access. 2 nics, but different subnets.  One subnet is pointed at
the T1's ip public address range, using one of the 63 addresses we have. All
public services are pointed at this interface. The other nic is on an RFC
private address range so no routing leakage will go out over the T1. An old PC
running IPCop is used for normal lan to wan traffic with web caching and
filtering. Its public address is a different address on the T1's range, and
the private address is the default gateway for all the PCs except the server.
If PCs need to access the public facing services, they do so through the
ipcop box to the T1 router, but not actually out through the internet, it just
sort of skims the border and comes back on that subnet. Iptables runs on the
server with public ports only accessible from the wan, and private ports only
accessible from the lan.

The server's default gateway is the public address, as it is already smart
enough to know which interface private lan traffic comes on. You can let the
traffic mingle on one switch if you have to, but separate switches or a vlan
is much better and lots safer. Our T1 routers have 8 switch ports, so public
equipment goes to that side and keeps isolation.
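As an added example (not code from this thread or from either poster), the following POSIX shell script generates an iptables-restore ruleset for the split Scott describes: public services are accepted only on the WAN interface, and the Samba ports that Rob's own rules label as nmb/smb (137/138 UDP, 139/445 TCP) are accepted only on the LAN interface and only from the private subnet. The interface names, the 192.168.231.0/24 subnet, the RH-Firewall-1-INPUT chain name and the public port list are assumptions drawn from the thread; the script also includes a self-check that no Samba port is ever opened on the WAN side.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-NIC server where
# eth0 faces the T1/WAN and eth1 faces a private LAN on its own subnet.
# Interface names, subnet and chain name are assumptions taken from the thread.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.231.0/24}"   # assumed private LAN subnet

# Public TCP services the server offers (ssh, smtp, dns, http, pop3, imap).
PUBLIC_TCP="22 25 53 80 110 143"

gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
EOF
    # Public services: any source, but only when the packet arrives on the WAN NIC.
    for p in $PUBLIC_TCP; do
        echo "-A RH-Firewall-1-INPUT -i $WAN_IF -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    echo "-A RH-Firewall-1-INPUT -i $WAN_IF -p udp --dport 53 -j ACCEPT"
    # Samba: LAN NIC and LAN subnet only. NetBIOS name/datagram services are UDP.
    for p in 137 138; do
        echo "-A RH-Firewall-1-INPUT -i $LAN_IF -s $LAN_NET -p udp --dport $p -j ACCEPT"
    done
    # NetBIOS session and direct-hosted SMB are TCP.
    for p in 139 445; do
        echo "-A RH-Firewall-1-INPUT -i $LAN_IF -s $LAN_NET -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    cat <<EOF
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Self-check: returns non-zero if any Samba port would be accepted on the WAN NIC.
check_no_samba_on_wan() {
    gen_rules | grep -- "-i $WAN_IF" | grep -qE -- '--dport (137|138|139|445) ' && return 1
    return 0
}

# Usage (as root, after reviewing the output):
#   gen_rules > /etc/sysconfig/iptables && service iptables restart
```

Once the two NICs sit on different subnets, the `-i eth1` match that Rob found unreliable becomes trustworthy, because LAN clients have exactly one path to the server and their packets can only arrive on the LAN interface. The self-check is worth keeping in any ruleset generator of this kind: it catches the easy mistake of a Samba rule that lost its interface restriction during editing.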
