Craig White wrote: > On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote: > >> Hi folk, >> I am trying to get iptables working on a samba server but find it is >> blocking something that prevents the windoze clients from being able to >> access the share. >> here are the bits from iptables: >> >>> # nmb provided netbios-ns >>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 >>> --dport 137 -j ACCEPT >>> # nmb provided netbios-dgm >>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 >>> --dport 138 -j ACCEPT >>> # Samba >>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >>> eth1 --dport 135 --state NEW -j ACCEPT >>> # smb provided netbios-ssn >>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >>> eth1 --dport 139 --state NEW -j ACCEPT >>> # smb provided microsoft-ds >>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >>> eth1 --dport 445 --state NEW -j ACCEPT >>> >> so as far as I can tell this should provide access to the required services. >> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and >> connects to the router with internet/NAT firewall; 1Gb is eth1 at >> 192.168.230.232 and this connects to a G ethernet switch that has the >> windoze clients. >> The smb.conf is as follows: >> [global] >> workgroup = NDG >> netbios name = SAMBA >> netbios aliases = Samba >> server string = Samba Server Version %v >> interfaces = lo, eth1, 192.168.230.232 >> bind interfaces only = Yes >> security = DOMAIN >> obey pam restrictions = Yes >> passdb backend = tdbsam >> pam password change = Yes >> log file = /var/log/samba/%m.log >> max log size = 50 >> load printers = No >> add user script = /usr/sbin/useradd "%u" -n -g users >> delete user script = /usr/sbin/userdel "%u" >> add group script = /usr/sbin/groupadd "%g" >> delete group script = /usr/sbin/groupdel "%g" >> delete user from group script = /usr/sbin/userdel "%u" "%g" >> add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" >> -M -d /nohome -s /bin/false "%u" >> logon path = >> domain logons = Yes >> os level = 32 >> preferred master = Yes >> domain master = Yes >> dns proxy = No >> wins support = Yes >> ldap ssl = no >> create mask = 0664 >> directory mask = 0775 >> hosts allow = 127., 192.168.230., 192.168.231. >> case sensitive = Yes >> browseable = No >> available = No >> wide links = No >> dont descend = / >> >> [homes] >> comment = Home Directories >> valid users = %S >> read only = No >> browseable = Yes >> available = Yes >> >> [NDG] >> comment = NDG files >> path = /NDG >> write list = @NDGstaff, @birdseye >> read only = No >> browseable = Yes >> available = Yes >> >> I found that making the rule for port 139 ignore the eth port (i.e. >> remove the -i eth1) allowed things to work better, but do not want this >> to be the case as I do not want the eth0 interface to be used for this >> traffic. >> looking at netstat -l -n shows only lo and eth1 listening on port 139, >> so how is this failing to work?? >> Any ideas? >> Thanks >> > ---- > I don't believe that you want to use comma separators in things like > 'bind interfaces' or 'interfaces' - it doesn't seem that samba is > consistent here. > > removed > I have never used two separate hardware network interfaces on the same > subnet and suspect that it may actually be trying to communicate back > from the wrong one which is confusing things. Also, it doesn't make > sense to list both eth1 and the actual ip address in bind interfaces but > I would tend to doubt that would be a problem. > > Try taking eth0 down (as root - ifdown eth0) and see if that fixes the > problem. tried this and things appear to work okay, so I guess I need to split my subnet into two...... Some further thinking required here. I have an almost identical set up in my home and actually tried all this there first, as I do not want my business impacted. So it appears to work fine at home but not at the office, some more testing required. I have only two windoze machines at home and neither access the server, so I'll have to contrive a setup that tries this out properly. Will keep you posted..... > > > Also, I'm not sure why some of the firewall rules include --state NEW > and some of the don't - that doesn't fully make sense to me. > state NEW is irrelevant for udp as it is a single direction with no handshaking such as tcp has - i.e. connectionless? > Craig > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > -------------- next part -------------- A non-text attachment was scrubbed... Name: rkampen.vcf Type: text/x-vcard Size: 121 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos/attachments/20090331/1f48e267/attachment-0005.vcf>