[CentOS] Samba and iptables - woes

Tue Mar 31 15:56:00 UTC 2009
Rob Kampen <rkampen at kampensonline.com>


Tom wrote:
> What is the subnet mask of the outside interface? 
>   
255.255.255.0 or /24
> What is the subnet mask of the inside interface?
>   
255.255.255.0 or /24
> I'm not real good with iptables but you might need to check your source
> address. Ex. 192.168.230.100/24. /24 is a full class C.
>   
Tried changing it to 192.168.230.0/24 as suggested by another; no 
difference, it still does not work. As I suspected, the last octet can be any 
value; it is effectively masked by the /24.
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
> Of Rob Kampen
> Sent: Monday, March 30, 2009 9:19 PM
> To: CentOS mailing list
> Subject: [CentOS] Samba and iptables - woes
>
> Hi folk,
> I am trying to get iptables working on a samba server but find it is
> blocking something that prevents the windoze clients from being able to
> access the share.
> here are the bits from iptables:
>   
>> # nmb provided netbios-ns
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
>> # nmb provided netbios-dgm
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
>> # Samba
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
>> # smb provided netbios-ssn
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
>> # smb provided microsoft-ds
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
>>
> so as far as I can tell this should provide access to the required services.
> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and connects
> to the router with internet/NAT firewall; 1Gb is eth1 at
> 192.168.230.232 and this connects to a G ethernet switch that has the
> windoze clients.
> The smb.conf is as follows:
>  [global]
>         workgroup = NDG
>         netbios name = SAMBA
>         netbios aliases = Samba
>         server string = Samba Server Version %v
>         interfaces = lo, eth1, 192.168.230.232
>         bind interfaces only = Yes
>         security = DOMAIN
>         obey pam restrictions = Yes
>         passdb backend = tdbsam
>         pam password change = Yes
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         load printers = No
>         add user script = /usr/sbin/useradd "%u" -n -g users
>         delete user script = /usr/sbin/userdel "%u"
>         add group script = /usr/sbin/groupadd "%g"
>         delete group script = /usr/sbin/groupdel "%g"
>         delete user from group script = /usr/sbin/userdel "%u" "%g"
>         add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>         logon path =
>         domain logons = Yes
>         os level = 32
>         preferred master = Yes
>         domain master = Yes
>         dns proxy = No
>         wins support = Yes
>         ldap ssl = no
>         create mask = 0664
>         directory mask = 0775
>         hosts allow = 127., 192.168.230., 192.168.231.
>         case sensitive = Yes
>         browseable = No
>         available = No
>         wide links = No
>         dont descend = /
>
> [homes]
>         comment = Home Directories
>         valid users = %S
>         read only = No
>         browseable = Yes
>         available = Yes
>
> [NDG]
>         comment = NDG files
>         path = /NDG
>         write list = @NDGstaff, @birdseye
>         read only = No
>         browseable = Yes
>         available = Yes
>
> I found that making the rule for port 139 ignore the eth port (i.e. 
> remove the -i eth1) allowed things to work better, but do not want this to
> be the case as I do not want the eth0 interface to be used for this traffic.
> Looking at netstat -l -n shows only lo and eth1 listening on port 139, so
> how is this failing to work?
> Any ideas?
> Thanks
> Rob
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
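Added here as an illustration, not code from the thread: a small Python model of the five rules quoted above. It shows that the /24 masks the host octet of `-s 192.168.230.100/24` down to `192.168.230.0/24` (which is what iptables itself does), so the address change could not have made a difference, and that a port-139 packet arriving on eth0 matches none of the rules, which is the only case that removing `-i eth1` changes. It assumes the stock CentOS `RH-Firewall-1-INPUT` chain, which ends in a REJECT rule.

```python
import ipaddress
import shlex

# Constructed copy of the five rules quoted in the thread (same values as posted).
RULES_TEXT = """
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
"""

def parse_rule(line):
    """Reduce one iptables-save style line to the match criteria we model."""
    rule = {"proto": None, "src": None, "iface": None, "dport": None, "target": None}
    toks = shlex.split(line)
    for opt, val in zip(toks, toks[1:]):
        if opt == "-p":
            rule["proto"] = val
        elif opt == "-s":
            # strict=False applies the mask the way iptables does: .100/24 -> .0/24
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-i":
            rule["iface"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        # -A <chain>, -m <module> and --state NEW are not modelled here
    return rule

def load_rules(text=RULES_TEXT):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def first_match(rules, proto, src, iface, dport):
    """Target of the first rule matching the packet, or None when it falls
    through to the end of the chain (assumed stock CentOS chain: REJECT)."""
    src = ipaddress.ip_address(src)
    for r in rules:
        if r["proto"] != proto or r["dport"] != dport:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        return r["target"]
    return None
```

`first_match(load_rules(), "tcp", "192.168.230.50", "eth0", 139)` returns None while the same packet on eth1 returns "ACCEPT", so if clients only work once `-i eth1` is dropped, their port-139 traffic is reaching the box on eth0.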