[CentOS] Samba and iptables - woes

Tue Mar 31 04:30:01 UTC 2009
Tom <mlist at doublevision.gotdns.com>

What is the subnet mask of the outside interface? 

What is the subnet mask of the inside interface?

I'm not real good with iptables but you might need to check your source
address. Ex. /24 is a full class C.

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
Of Rob Kampen
Sent: Monday, March 30, 2009 9:19 PM
To: CentOS mailing list
Subject: [CentOS] Samba and iptables - woes

Hi folk,
I am trying to get iptables working on a samba server but find it is
blocking something that prevents the windoze clients from being able to
access the share.
Here are the bits from iptables:
> # nmb provided netbios-ns
> -A RH-Firewall-1-INPUT -p udp -m udp -s -i eth1 --dport 137 -j ACCEPT
> # nmb provided netbios-dgm
> -A RH-Firewall-1-INPUT -p udp -m udp -s -i eth1 --dport 138 -j ACCEPT
> # Samba
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i eth1 --dport 135 --state NEW -j ACCEPT
> # smb provided netbios-ssn
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i eth1 --dport 139 --state NEW -j ACCEPT
> # smb provided microsoft-ds
> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s -i eth1 --dport 445 --state NEW -j ACCEPT
So as far as I can tell this should provide access to the required services.
BTW the server has two NICs: 100Mb is eth0 at and connects
to the router with internet/NAT firewall; 1Gb is eth1 at and this connects to a G ethernet switch that has the
windoze clients.
The smb.conf is as follows:
        workgroup = NDG
        netbios name = SAMBA
        netbios aliases = Samba
        server string = Samba Server Version %v
        interfaces = lo, eth1,
        bind interfaces only = Yes
        security = DOMAIN
        obey pam restrictions = Yes
        passdb backend = tdbsam
        pam password change = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        load printers = No
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon path =
        domain logons = Yes
        os level = 32
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap ssl = no
        create mask = 0664
        directory mask = 0775
        hosts allow = 127., 192.168.230., 192.168.231.
        case sensitive = Yes
        browseable = No
        available = No
        wide links = No
        dont descend = /

        comment = Home Directories
        valid users = %S
        read only = No
        browseable = Yes
        available = Yes

        comment = NDG files
        path = /NDG
        write list = @NDGstaff, @birdseye
        read only = No
        browseable = Yes
        available = Yes

I found that making the rule for port 139 ignore the eth port (i.e.
remove the -i eth1) allowed things to work better, but I do not want this to
be the case as I do not want the eth0 interface to be used for this traffic.
Looking at netstat -l -n shows only lo and eth1 listening on port 139, so
how is this failing to work?
Any ideas?

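As an added illustration (not from either message in this thread), the script below generates the RH-Firewall-1-INPUT rules quoted above with an explicit -s network per rule and checks which hosts-allow subnet a client falls into, which is the source-address check Tom suggests. The chain name, ports and interface are taken from the mail; treating the hosts allow prefixes 192.168.230. and 192.168.231. as /24 networks is an assumption.

```python
#!/usr/bin/env python3
"""Build the Samba INPUT rules from the thread with an explicit -s network
and check whether a client address is covered by them.

Added example, not from the original mail. The /24 networks below are an
assumption based on the smb.conf hosts allow prefixes; the chain name, ports
and interface come from the quoted rule set."""
import ipaddress
from typing import List

CHAIN = "RH-Firewall-1-INPUT"

# (protocol, port, comment) exactly as in the quoted rule set
SAMBA_PORTS = [
    ("udp", 137, "nmb provided netbios-ns"),
    ("udp", 138, "nmb provided netbios-dgm"),
    ("tcp", 135, "Samba"),
    ("tcp", 139, "smb provided netbios-ssn"),
    ("tcp", 445, "smb provided microsoft-ds"),
]


def samba_rules(iface: str, networks: List[str]) -> List[str]:
    """Return iptables-restore style lines: a comment plus one rule per (network, port).

    Each rule carries both -i <iface> and -s <network>, so packets arriving on
    eth0 are not accepted even when they carry a LAN source address."""
    rules = []
    for net in networks:
        net = ipaddress.ip_network(net, strict=True)  # reject host bits set
        for proto, port, comment in SAMBA_PORTS:
            state = " -m state --state NEW" if proto == "tcp" else ""
            rules.append(f"# {comment} from {net}")
            rules.append(f"-A {CHAIN} -i {iface} -p {proto} -m {proto} -s {net}"
                         f"{state} --dport {port} -j ACCEPT")
    return rules


def client_allowed(client: str, networks: List[str]) -> bool:
    """True if the client address lies inside one of the -s networks.

    A /24 covers exactly one class-C sized block, so a client on 192.168.231.x
    is dropped by a rule written only for 192.168.230.0/24."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    nets = ["192.168.230.0/24", "192.168.231.0/24"]
    print("\n".join(samba_rules("eth1", nets)))
    for c in ("192.168.230.20", "192.168.231.20", "10.0.0.5"):
        print(c, "allowed" if client_allowed(c, nets) else "DROPPED")
```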