Tom wrote:
> What is the subnet mask of the outside interface?
> 255.255.255.0 or /24
> What is the subnet mask of the inside interface?
> 255.255.255.0 or /24
> I'm not real good with iptables but you might need to check your source
> address. Ex. 192.168.230.100/24. /24 is a full class C.
> Tried changing it to 192.168.230.0/24 as suggested by another, no difference,
> still does not work; as I suspected, the last octet can be any value, it is
> effectively masked by the /24.
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Rob Kampen
> Sent: Monday, March 30, 2009 9:19 PM
> To: CentOS mailing list
> Subject: [CentOS] Samba and iptables - woes
>
> Hi folk,
> I am trying to get iptables working on a samba server but find it is
> blocking something that prevents the windoze clients from being able to
> access the share.
> Here are the bits from iptables:
>
>> # nmb provided netbios-ns
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
>> # nmb provided netbios-dgm
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
>> # Samba
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
>> # smb provided netbios-ssn
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
>> # smb provided microsoft-ds
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
>>
> So as far as I can tell this should provide access to the required services.
> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and connects
> to the router with internet/NAT firewall; 1Gb is eth1 at
> 192.168.230.232 and this connects to a G ethernet switch that has the
> windoze clients.
>
> The smb.conf is as follows:
> [global]
> workgroup = NDG
> netbios name = SAMBA
> netbios aliases = Samba
> server string = Samba Server Version %v
> interfaces = lo, eth1, 192.168.230.232
> bind interfaces only = Yes
> security = DOMAIN
> obey pam restrictions = Yes
> passdb backend = tdbsam
> pam password change = Yes
> log file = /var/log/samba/%m.log
> max log size = 50
> load printers = No
> add user script = /usr/sbin/useradd "%u" -n -g users
> delete user script = /usr/sbin/userdel "%u"
> add group script = /usr/sbin/groupadd "%g"
> delete group script = /usr/sbin/groupdel "%g"
> delete user from group script = /usr/sbin/userdel "%u" "%g"
> add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
> logon path =
> domain logons = Yes
> os level = 32
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> wins support = Yes
> ldap ssl = no
> create mask = 0664
> directory mask = 0775
> hosts allow = 127., 192.168.230., 192.168.231.
> case sensitive = Yes
> browseable = No
> available = No
> wide links = No
> dont descend = /
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = Yes
> available = Yes
>
> [NDG]
> comment = NDG files
> path = /NDG
> write list = @NDGstaff, @birdseye
> read only = No
> browseable = Yes
> available = Yes
>
> I found that making the rule for port 139 ignore the eth port (i.e.
> remove the -i eth1) allowed things to work better, but I do not want this to
> be the case as I do not want the eth0 interface to be used for this traffic.
> Looking at netstat -l -n shows only lo and eth1 listening on port 139, so
> how is this failing to work??
> Any ideas?
> Thanks
> Rob
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.0.238 / Virus Database: 270.11.31/2028 - Release Date: 03/30/09 17:56:00
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
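An added example, not part of the thread, that evaluates the five Samba rules Rob posted against a few constructed packets. It shows why `-s 192.168.230.100/24` behaves exactly like `192.168.230.0/24` (the host bits are masked off), and why a client packet that arrives on eth0 matches none of the `-i eth1` rules at all. The `parse_rule` / `first_match` helpers and the sample packets are this example's own; connection state (`--state NEW`) is ignored, so only the first packet of a connection is modelled.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# The rules quoted in the thread, one per line (iptables-save syntax).
RULES = """
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
"""

@dataclass
class Rule:
    proto: str
    src: ipaddress.IPv4Network   # host bits already masked off
    iface: Optional[str]         # None when the rule has no -i
    dport: int
    target: str

def parse_rule(line: str) -> Rule:
    """Extract the matches this example models from one rule line (hypothetical helper)."""
    tok = shlex.split(line)
    def opt(flag, default=None):
        return tok[tok.index(flag) + 1] if flag in tok else default
    # strict=False does what the kernel does: 192.168.230.100/24 -> 192.168.230.0/24
    return Rule(proto=opt("-p"),
                src=ipaddress.ip_network(opt("-s", "0.0.0.0/0"), strict=False),
                iface=opt("-i"),
                dport=int(opt("--dport")),
                target=opt("-j"))

def first_match(rules, iface: str, proto: str, src: str, dport: int) -> Optional[str]:
    """Walk the chain in order; return the first matching rule's target, or None
    when the packet falls through to whatever comes later in the chain."""
    for r in rules:
        if (r.proto == proto and r.dport == dport
                and ipaddress.ip_address(src) in r.src
                and (r.iface is None or r.iface == iface)):
            return r.target
    return None

RULESET = [parse_rule(l) for l in RULES.strip().splitlines()]

if __name__ == "__main__":
    print(RULESET[3].src)  # 192.168.230.0/24: the .100 host bits are ignored
    print(first_match(RULESET, "eth1", "tcp", "192.168.230.50", 139))  # ACCEPT
    print(first_match(RULESET, "eth0", "tcp", "192.168.230.50", 139))  # None
```

A client whose SMB traffic reaches the server on eth0 therefore never hits an ACCEPT here, which is consistent with the port 139 rule "working better" once `-i eth1` was removed.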