[CentOS] Samba and iptables - woes

Tue Mar 31 04:19:01 UTC 2009
Rob Kampen <rkampen at kampensonline.com>

Hi folks,
I am trying to get iptables working on a samba server but find it is 
blocking something that prevents the windoze clients from being able to 
access the share.
here are the bits from iptables:
> # nmb provided netbios-ns
> -A RH-Firewall-1-INPUT -p udp -m udp -s -i eth1 --dport 137 -j ACCEPT
> # nmb provided netbios-dgm
> -A RH-Firewall-1-INPUT -p udp -m udp -s -i eth1 --dport 138 -j ACCEPT
> # Samba
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i eth1 --dport 135 --state NEW -j ACCEPT
> # smb provided netbios-ssn
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i eth1 --dport 139 --state NEW -j ACCEPT
> # smb provided microsoft-ds
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i eth1 --dport 445 --state NEW -j ACCEPT
so as far as I can tell this should provide access to the required services.
BTW the server has two NICs; 100Mb is eth0 at and 
connects to the router with internet/NAT firewall; 1Gb is eth1 at and this connects to a G ethernet switch that has the 
windoze clients.
The smb.conf is as follows:
        workgroup = NDG
        netbios name = SAMBA
        netbios aliases = Samba
        server string = Samba Server Version %v
        interfaces = lo, eth1,
        bind interfaces only = Yes
        security = DOMAIN
        obey pam restrictions = Yes
        passdb backend = tdbsam
        pam password change = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        load printers = No
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon path =
        domain logons = Yes
        os level = 32
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap ssl = no
        create mask = 0664
        directory mask = 0775
        hosts allow = 127., 192.168.230., 192.168.231.
        case sensitive = Yes
        browseable = No
        available = No
        wide links = No
        dont descend = /

        comment = Home Directories
        valid users = %S
        read only = No
        browseable = Yes
        available = Yes

        comment = NDG files
        path = /NDG
        write list = @NDGstaff, @birdseye
        read only = No
        browseable = Yes
        available = Yes

I found that making the rule for port 139 ignore the eth port (i.e. 
remove the -i eth1) allowed things to work better, but I do not want this 
to be the case as I do not want the eth0 interface to be used for this. 
Looking at netstat -l -n shows only lo and eth1 listening on port 139, 
so how is this failing to work??
Any ideas?

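The worry in the post is that loosening the port 139 rule exposes Samba on eth0 as well as eth1. The script below is an added example, not part of the original message or of Samba/iptables themselves: it reads iptables-save style rules and tags every rule for the NetBIOS/SMB ports (137, 138, 139, 445) as RESTRICTED when it is pinned to an interface (-i) or a source network (-s), and OPEN otherwise, so a loosened rule stands out before it goes live. The sample rule set is constructed for the example; the 192.168.231.0/24 source network is an assumption taken from the hosts allow line, and the 139 rule is deliberately written without -i or -s to mirror the experiment described in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit iptables rules for the
# Samba/NetBIOS ports and report those that are not pinned to an interface
# (-i) or a source network (-s). Input: iptables-save style rules on stdin.
# Output: one line per Samba-port rule, tagged RESTRICTED or OPEN.

audit_samba_rules() {
    while IFS= read -r rule; do
        # only look at rule lines, skip chain headers, COMMIT, comments
        case "$rule" in
            -A*) ;;
            *) continue ;;
        esac
        # pull out the --dport value, if the rule has one
        port=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
        case "$port" in
            137|138|139|445) ;;
            *) continue ;;
        esac
        tag="RESTRICTED"
        case "$rule" in
            *" -i "*) ;;                 # bound to an ingress interface
            *" -s "*) ;;                 # bound to a source network
            *) tag="OPEN" ;;             # reachable from any interface/source
        esac
        printf '%s port %s: %s\n' "$tag" "$port" "$rule"
    done
}

# Constructed sample rule set (assumption: 192.168.231.0/24 is the LAN on eth1).
# The port 139 rule has had -s and -i removed, as in the post's experiment.
SAMPLE_RULES='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.231.0/24 -i eth1 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.231.0/24 -i eth1 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 139 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.231.0/24 -i eth1 --dport 445 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Number of Samba-port rules in the sample that carry no -i or -s restriction.
count_open_samba_rules() {
    printf '%s\n' "$SAMPLE_RULES" | audit_samba_rules | grep -c '^OPEN'
}

# Number of Samba-port rules in the sample that are pinned to eth1 or the LAN.
count_restricted_samba_rules() {
    printf '%s\n' "$SAMPLE_RULES" | audit_samba_rules | grep -c '^RESTRICTED'
}

# Usage: on a live box, replace the sample with `iptables-save | audit_samba_rules`
printf '%s\n' "$SAMPLE_RULES" | audit_samba_rules
```

Run against the real rule set with `iptables-save | audit_samba_rules`; any OPEN line is a Samba port that eth0 would answer on too, which is exactly what `bind interfaces only = Yes` plus the `-i eth1` rules are meant to prevent.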