Scott Silva wrote:
> on 3-30-2009 9:19 PM Rob Kampen spake the following:
>
>> Hi folk,
>> I am trying to get iptables working on a samba server but find it is
>> blocking something that prevents the windoze clients from being able to
>> access the share.
>> Here are the bits from iptables:
>>
>>> # nmb provided netbios-ns
>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
>>> # nmb provided netbios-dgm
>>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
>>> # Samba
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
>>> # smb provided netbios-ssn
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
>>> # smb provided microsoft-ds
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
>>>
>> So as far as I can tell this should provide access to the required
>> services.
>> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and
>> connects to the router with internet/NAT firewall; 1Gb is eth1 at
>> 192.168.230.232 and this connects to a G ethernet switch that has the
>> windoze clients.
>>
>> The smb.conf is as follows:
>>
>> [global]
>>         workgroup = NDG
>>         netbios name = SAMBA
>>         netbios aliases = Samba
>>         server string = Samba Server Version %v
>>         interfaces = lo, eth1, 192.168.230.232
>>         bind interfaces only = Yes
>>         security = DOMAIN
>>         obey pam restrictions = Yes
>>         passdb backend = tdbsam
>>         pam password change = Yes
>>         log file = /var/log/samba/%m.log
>>         max log size = 50
>>         load printers = No
>>         add user script = /usr/sbin/useradd "%u" -n -g users
>>         delete user script = /usr/sbin/userdel "%u"
>>         add group script = /usr/sbin/groupadd "%g"
>>         delete group script = /usr/sbin/groupdel "%g"
>>         delete user from group script = /usr/sbin/userdel "%u" "%g"
>>         add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>         logon path =
>>         domain logons = Yes
>>         os level = 32
>>         preferred master = Yes
>>         domain master = Yes
>>         dns proxy = No
>>         wins support = Yes
>>         ldap ssl = no
>>         create mask = 0664
>>         directory mask = 0775
>>         hosts allow = 127., 192.168.230., 192.168.231.
>>         case sensitive = Yes
>>         browseable = No
>>         available = No
>>         wide links = No
>>         dont descend = /
>>
>> [homes]
>>         comment = Home Directories
>>         valid users = %S
>>         read only = No
>>         browseable = Yes
>>         available = Yes
>>
>> [NDG]
>>         comment = NDG files
>>         path = /NDG
>>         write list = @NDGstaff, @birdseye
>>         read only = No
>>         browseable = Yes
>>         available = Yes
>>
>> I found that making the rule for port 139 ignore the eth port (i.e.
>> remove the -i eth1) allowed things to work better, but I do not want this
>> to be the case as I do not want the eth0 interface to be used for this
>> traffic.
>> Looking at netstat -l -n shows only lo and eth1 listening on port 139,
>> so how is this failing to work??
>> Any ideas?
>> Thanks
>> Rob
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
> What are you attempting to achieve? Having both nics on the same subnet
> doesn't make a lot of sense to me.
> Scott

Good point, I guess I'm suffering from incremental additions over the last 4 years and no real look at the overall architecture. I'm not sure what would work best.

I have a T1 to the big bad internet world via a Linksys RV016 router and this used to deal with everything. The main server provides DNS, apache, ssh, smtp, pop and imap - all needing internet accessibility - and then samba for a file server that is only required locally.

Then along came an asterisk server and a Netgear PoE vlan switch to run the snom VoIP / SIP phones, with the * needing internet access but only one NIC.

Then along came a 1G ethernet switch to improve access speeds to samba, hence the two NICs on the same subnet - the 100Mb for the internet facing services (although all these services also need to be accessed locally) and the 1Gb NIC for file serving to the five windoze clients.

Then I wanted to add a firewall to the server to deal with things like tripping up the port 22 script kiddies and then tripped up on the samba...

Confused yet? I guess some careful thought is needed to design this appropriately. I was considering having the server do IP forwarding, but this may not be smart as it already does too much.

Thanks for the questions - helps me focus on the real issues.

Rob

p.s. suggestions welcome
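An added check, not code from the thread: a small Python model of the five rules Rob posted that reports which Samba port and interface combinations the ruleset accepts. It assumes a client in 192.168.230.0/24, that a connection's first packet carries conntrack state NEW, and that a packet matching none of the rules falls through to the chain's default (assumed here to reject).

```python
import ipaddress
import shlex

# The five rules quoted in the thread (copied here as constructed input).
RULES_TEXT = """
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
"""

SAMBA_PORTS = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]  # NetBIOS ns/dgm, session, direct SMB

def parse_rule(line):
    """Turn one iptables-save style rule into a dict of match criteria."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        if toks[i] in ("-A", "-p", "-s", "-i", "--dport", "--state", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        elif toks[i] == "-m":      # match-module loads carry no criteria of their own
            i += 2
        else:
            i += 1
    if "-s" in rule:               # iptables masks the host bits: .100/24 means .0/24
        rule["-s"] = ipaddress.ip_network(rule["-s"], strict=False)
    return rule

def parse_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def first_match(rules, proto, src, iface, dport, state="NEW"):
    """Target of the first rule the packet matches, or None (chain default)."""
    src_ip = ipaddress.ip_address(src)
    wanted = {"-p": lambda v: v == proto,
              "-s": lambda v: src_ip in v,
              "-i": lambda v: v == iface,
              "--dport": lambda v: int(v) == dport,
              "--state": lambda v: state in v.split(",")}
    for r in rules:
        if all(ok(r[k]) for k, ok in wanted.items() if k in r):
            return r["-j"]
    return None

def samba_matrix(rules, src, ifaces=("eth0", "eth1")):
    # (proto, port, iface) -> target for every Samba port on every NIC
    return {(p, port, i): first_match(rules, p, src, i, port)
            for p, port in SAMBA_PORTS for i in ifaces}
```

The matrix shows that an SMB packet arriving on eth0 matches nothing, which is consistent with the observation that dropping `-i eth1` made things work. With both NICs on one subnet a client may resolve the server's address to either NIC's MAC (by default Linux answers ARP for any local address on any interface unless arp_ignore is set), so frames can legitimately arrive on eth0.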