[CentOS] Samba and iptables - woes

Tue Mar 31 17:14:11 UTC 2009
Scott Silva <ssilva at sgvwater.com>

on 3-30-2009 9:19 PM Rob Kampen spake the following:
> Hi folks,
> I am trying to get iptables working on a samba server but find it is
> blocking something that prevents the windoze clients from being able to
> access the share.
> Here are the bits from iptables:
>> # nmb provided netbios-ns
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
>> # nmb provided netbios-dgm
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
>> # Samba
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
>> # smb provided netbios-ssn
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
>> # smb provided microsoft-ds
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
> So as far as I can tell this should provide access to the required
> services.
> BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and
> connects to the router with internet/NAT firewall; 1Gb is eth1 at
> 192.168.230.232 and this connects to a G ethernet switch that has the
> windoze clients.
> The smb.conf is as follows:
> [global]
>        workgroup = NDG
>        netbios name = SAMBA
>        netbios aliases = Samba
>        server string = Samba Server Version %v
>        interfaces = lo, eth1, 192.168.230.232
>        bind interfaces only = Yes
>        security = DOMAIN
>        obey pam restrictions = Yes
>        passdb backend = tdbsam
>        pam password change = Yes
>        log file = /var/log/samba/%m.log
>        max log size = 50
>        load printers = No
>        add user script = /usr/sbin/useradd "%u" -n -g users
>        delete user script = /usr/sbin/userdel "%u"
>        add group script = /usr/sbin/groupadd "%g"
>        delete group script = /usr/sbin/groupdel "%g"
>        delete user from group script = /usr/sbin/userdel "%u" "%g"
>        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>        logon path =
>        domain logons = Yes
>        os level = 32
>        preferred master = Yes
>        domain master = Yes
>        dns proxy = No
>        wins support = Yes
>        ldap ssl = no
>        create mask = 0664
>        directory mask = 0775
>        hosts allow = 127., 192.168.230., 192.168.231.
>        case sensitive = Yes
>        browseable = No
>        available = No
>        wide links = No
>        dont descend = /
> 
> [homes]
>        comment = Home Directories
>        valid users = %S
>        read only = No
>        browseable = Yes
>        available = Yes
> 
> [NDG]
>        comment = NDG files
>        path = /NDG
>        write list = @NDGstaff, @birdseye
>        read only = No
>        browseable = Yes
>        available = Yes
> 
> I found that making the rule for port 139 ignore the eth port (i.e.
> remove the -i eth1) allowed things to work better, but do not want this
> to be the case as I do not want the eth0 interface to be used for this
> traffic.
> Looking at netstat -l -n shows only lo and eth1 listening on port 139,
> so how is this failing to work?
> Any ideas?
> Thanks
> Rob
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
What are you attempting to achieve? Having both nics on the same subnet
doesn't make a lot of sense to me.
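
An added illustration, not from either poster, of why the `-i eth1` restriction can bite in this setup. With eth0 and eth1 on the same subnet and L2 segment, a client's frames for 192.168.230.232 can arrive on eth0 (stock Linux answers ARP for any local address on any interface; that is general kernel behaviour, not something this thread establishes), and then none of the quoted rules match, so the packet falls through to the chain's final REJECT (assumed here to be the stock CentOS `RH-Firewall-1-INPUT` tail, which the post does not show). The script below parses the five quoted rules and runs constructed packets through them; the client addresses 192.168.230.50 and 192.168.231.5 are made up. It also shows a second mismatch visible in the post itself: `hosts allow` in smb.conf admits 192.168.231., but the iptables source match only ever admits 192.168.230.0/24, so the two layers disagree.

```python
import ipaddress
import shlex

# The five rules exactly as quoted in the post (line wraps rejoined).
POSTED_RULES = """
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 135 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 139 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i eth1 --dport 445 --state NEW -j ACCEPT
"""


def parse_rule(line):
    """Pull the match criteria we care about out of one iptables-save style line."""
    toks = shlex.split(line)
    rule = {"proto": None, "src": None, "iface": None, "dport": None, "state": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "-s":
            # iptables masks the host bits: -s 192.168.230.100/24 is stored as 192.168.230.0/24
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif t == "-i":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif t == "--state":
            rule["state"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1  # -A <chain>, -m udp/tcp/state: no matching effect by themselves
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def rule_matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    if rule["proto"] and pkt["proto"] != rule["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["iface"] and pkt["iface"] != rule["iface"]:
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    if rule["state"] and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(pkt, rules):
    """First matching rule wins, as in a real chain walk."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    # Assumption: the stock CentOS RH-Firewall-1-INPUT chain ends with a REJECT.
    return "REJECT"


def without_iface(rules, dport):
    """Copy of the rules with the -i restriction dropped for one port (what the poster tried)."""
    out = []
    for r in rules:
        r = dict(r)
        if r["dport"] == dport:
            r["iface"] = None
        out.append(r)
    return out


def pkt(proto, src, iface, dport, state="NEW"):
    return {"proto": proto, "src": src, "iface": iface, "dport": dport, "state": state}


if __name__ == "__main__":
    rules = load_rules(POSTED_RULES)
    # Constructed sample packets; the client addresses are made up.
    cases = [
        ("SMB/445 from 192.168.230.50 arriving on eth1", pkt("tcp", "192.168.230.50", "eth1", 445)),
        ("NetBIOS-SSN/139 from the same client arriving on eth0", pkt("tcp", "192.168.230.50", "eth0", 139)),
        ("SMB/445 from 192.168.231.5 (allowed by smb.conf hosts allow)", pkt("tcp", "192.168.231.5", "eth1", 445)),
    ]
    for label, p in cases:
        print(f"{label}: {verdict(p, rules)}")
    relaxed = without_iface(rules, 139)
    print("139 via eth0 once -i eth1 is dropped:", verdict(pkt("tcp", "192.168.230.50", "eth0", 139), relaxed))
```

The point for anyone in the same situation: check which interface the client traffic actually enters on (`tcpdump -i eth0 port 139` would show it) before loosening the rule, and keep the iptables source network and smb.conf `hosts allow` in agreement so a client is not admitted by one layer and silently rejected by the other.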
