Hi folk, I am trying to get iptables working on a samba server but find it is blocking something that prevents the windoze clients from being able to access the share. here are the bits from iptables:> # nmb provided netbios-ns > -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 > --dport 137 -j ACCEPT > # nmb provided netbios-dgm > -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 > --dport 138 -j ACCEPT > # Samba > -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > eth1 --dport 135 --state NEW -j ACCEPT > # smb provided netbios-ssn > -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > eth1 --dport 139 --state NEW -j ACCEPT > # smb provided microsoft-ds > -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > eth1 --dport 445 --state NEW -j ACCEPTso as far as I can tell this should provide access to the required services. BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and connects to the router with internet/NAT firewall; 1Gb is eth1 at 192.168.230.232 and this connects to a G ethernet switch that has the windoze clients. The smb.conf is as follows: [global] workgroup = NDG netbios name = SAMBA netbios aliases = Samba server string = Samba Server Version %v interfaces = lo, eth1, 192.168.230.232 bind interfaces only = Yes security = DOMAIN obey pam restrictions = Yes passdb backend = tdbsam pam password change = Yes log file = /var/log/samba/%m.log max log size = 50 load printers = No add user script = /usr/sbin/useradd "%u" -n -g users delete user script = /usr/sbin/userdel "%u" add group script = /usr/sbin/groupadd "%g" delete group script = /usr/sbin/groupdel "%g" delete user from group script = /usr/sbin/userdel "%u" "%g" add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" logon path domain logons = Yes os level = 32 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap ssl = no create mask = 0664 directory mask = 0775 hosts allow = 127., 192.168.230., 192.168.231. case sensitive = Yes browseable = No available = No wide links = No dont descend = / [homes] comment = Home Directories valid users = %S read only = No browseable = Yes available = Yes [NDG] comment = NDG files path = /NDG write list = @NDGstaff, @birdseye read only = No browseable = Yes available = Yes I found that making the rule for port 139 ignore the eth port (i.e. remove the -i eth1) allowed things to work better, but do not want this to be the case as I do not want the eth0 interface to be used for this traffic. looking at netstat -l -n shows only lo and eth1 listening on port 139, so how is this failing to work?? Any ideas? Thanks Rob -------------- next part -------------- A non-text attachment was scrubbed... Name: rkampen.vcf Type: text/x-vcard Size: 196 bytes Desc: not available URL: <lists.centos.org/pipermail/centos/attachments/20090331/ad011a1a/attachment-0003.vcf>
What is the subnet mask of the outside interface? What is the subnet mask of the inside interface? I'm not real good with iptables but you might need to check your source address. Ex. 192.168.230.100/24. /24 is a full class C. -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Rob Kampen Sent: Monday, March 30, 2009 9:19 PM To: CentOS mailing list Subject: [CentOS] Samba and iptables - woes Hi folk, I am trying to get iptables working on a samba server but find it is blocking something that prevents the windoze clients from being able to access the share. here are the bits from iptables:> # nmb provided netbios-ns > -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 > --dport 137 -j ACCEPT # nmb provided netbios-dgm -A > RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 > --dport 138 -j ACCEPT # Samba -A RH-Firewall-1-INPUT -p tcp -m tcp -m > state -s 192.168.230.100/24 -i > eth1 --dport 135 --state NEW -j ACCEPT # smb provided netbios-ssn -A > RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > eth1 --dport 139 --state NEW -j ACCEPT # smb provided microsoft-ds -A > RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > eth1 --dport 445 --state NEW -j ACCEPTso as far as I can tell this should provide access to the required services. BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and connects to the router with internet/NAT firewall; 1Gb is eth1 at 192.168.230.232 and this connects to a G ethernet switch that has the windoze clients. The smb.conf is as follows: [global] workgroup = NDG netbios name = SAMBA netbios aliases = Samba server string = Samba Server Version %v interfaces = lo, eth1, 192.168.230.232 bind interfaces only = Yes security = DOMAIN obey pam restrictions = Yes passdb backend = tdbsam pam password change = Yes log file = /var/log/samba/%m.log max log size = 50 load printers = No add user script = /usr/sbin/useradd "%u" -n -g users delete user script = /usr/sbin/userdel "%u" add group script = /usr/sbin/groupadd "%g" delete group script = /usr/sbin/groupdel "%g" delete user from group script = /usr/sbin/userdel "%u" "%g" add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" logon path domain logons = Yes os level = 32 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap ssl = no create mask = 0664 directory mask = 0775 hosts allow = 127., 192.168.230., 192.168.231. case sensitive = Yes browseable = No available = No wide links = No dont descend = / [homes] comment = Home Directories valid users = %S read only = No browseable = Yes available = Yes [NDG] comment = NDG files path = /NDG write list = @NDGstaff, @birdseye read only = No browseable = Yes available = Yes I found that making the rule for port 139 ignore the eth port (i.e. remove the -i eth1) allowed things to work better, but do not want this to be the case as I do not want the eth0 interface to be used for this traffic. looking at netstat -l -n shows only lo and eth1 listening on port 139, so how is this failing to work?? Any ideas? Thanks Rob No virus found in this incoming message. Checked by AVG - avg.com Version: 8.0.238 / Virus Database: 270.11.31/2028 - Release Date: 03/30/09 17:56:00
On Tue, 2009-03-31 at 00:19 -0400, Rob Kampen wrote:> Hi folk, > I am trying to get iptables working on a samba server but find it is > blocking something that prevents the windoze clients from being able to > access the share. > here are the bits from iptables: > > # nmb provided netbios-ns > > -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 > > --dport 137 -j ACCEPT > > # nmb provided netbios-dgm > > -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 > > --dport 138 -j ACCEPT > > # Samba > > -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > > eth1 --dport 135 --state NEW -j ACCEPT > > # smb provided netbios-ssn > > -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > > eth1 --dport 139 --state NEW -j ACCEPT > > # smb provided microsoft-ds > > -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i > > eth1 --dport 445 --state NEW -j ACCEPT > so as far as I can tell this should provide access to the required services. > BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and > connects to the router with internet/NAT firewall; 1Gb is eth1 at > 192.168.230.232 and this connects to a G ethernet switch that has the > windoze clients. > The smb.conf is as follows: > [global] > workgroup = NDG > netbios name = SAMBA > netbios aliases = Samba > server string = Samba Server Version %v > interfaces = lo, eth1, 192.168.230.232 > bind interfaces only = Yes > security = DOMAIN > obey pam restrictions = Yes > passdb backend = tdbsam > pam password change = Yes > log file = /var/log/samba/%m.log > max log size = 50 > load printers = No > add user script = /usr/sbin/useradd "%u" -n -g users > delete user script = /usr/sbin/userdel "%u" > add group script = /usr/sbin/groupadd "%g" > delete group script = /usr/sbin/groupdel "%g" > delete user from group script = /usr/sbin/userdel "%u" "%g" > add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" > -M -d /nohome -s /bin/false "%u" > logon path > domain logons = Yes > os level = 32 > preferred master = Yes > domain master = Yes > dns proxy = No > wins support = Yes > ldap ssl = no > create mask = 0664 > directory mask = 0775 > hosts allow = 127., 192.168.230., 192.168.231. > case sensitive = Yes > browseable = No > available = No > wide links = No > dont descend = / > > [homes] > comment = Home Directories > valid users = %S > read only = No > browseable = Yes > available = Yes > > [NDG] > comment = NDG files > path = /NDG > write list = @NDGstaff, @birdseye > read only = No > browseable = Yes > available = Yes > > I found that making the rule for port 139 ignore the eth port (i.e. > remove the -i eth1) allowed things to work better, but do not want this > to be the case as I do not want the eth0 interface to be used for this > traffic. > looking at netstat -l -n shows only lo and eth1 listening on port 139, > so how is this failing to work?? > Any ideas? > Thanks---- I don't believe that you want to use comma separators in things like 'bind interfaces' or 'interfaces' - it doesn't seem that samba is consistent here. I have never used two separate hardware network interfaces on the same subnet and suspect that it may actually be trying to communicate back from the wrong one which is confusing things. Also, it doesn't make sense to list both eth1 and the actual ip address in bind interfaces but I would tend to doubt that would be a problem. Try taking eth0 down (as root - ifdown eth0) and see if that fixes the problem. Also, I'm not sure why some of the firewall rules include --state NEW and some of the don't - that doesn't fully make sense to me. Craig
Hi. 2009/3/31 Rob Kampen <rkampen at kampensonline.com>:> Hi folk, > I am trying to get iptables working on a samba server but find it is > blocking something that prevents the windoze clients from being able to > access the share. > here are the bits from iptables: >> >> # nmb provided netbios-ns >> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport >> 137 -j ACCEPT >> # nmb provided netbios-dgm >> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 --dport >> 138 -j ACCEPT >> # Samba >> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >> eth1 --dport 135 --state NEW -j ACCEPT >> # smb provided netbios-ssn >> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >> eth1 --dport 139 --state NEW -j ACCEPT >> # smb provided microsoft-ds >> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >> eth1 --dport 445 --state NEW -j ACCEPT >Your source address is invalid. If you want access from the entire 192.168.230.x subnet, you have to use a source of 192.168.230.0/24. If you want access from only 100, then you need to specify the source as 192.168.230.100/32 (a single address with a mask to match or just leave the mask off). HTH Regards, Andrew.
on 3-30-2009 9:19 PM Rob Kampen spake the following:> Hi folk, > I am trying to get iptables working on a samba server but find it is > blocking something that prevents the windoze clients from being able to > access the share. > here are the bits from iptables: >> # nmb provided netbios-ns >> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 >> --dport 137 -j ACCEPT >> # nmb provided netbios-dgm >> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.230.100/24 -i eth1 >> --dport 138 -j ACCEPT >> # Samba >> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >> eth1 --dport 135 --state NEW -j ACCEPT >> # smb provided netbios-ssn >> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >> eth1 --dport 139 --state NEW -j ACCEPT >> # smb provided microsoft-ds >> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 192.168.230.100/24 -i >> eth1 --dport 445 --state NEW -j ACCEPT > so as far as I can tell this should provide access to the required > services. > BTW the server has two NICs; 100Mb is eth0 at 192.168.230.230 and > connects to the router with internet/NAT firewall; 1Gb is eth1 at > 192.168.230.232 and this connects to a G ethernet switch that has the > windoze clients. > The smb.conf is as follows: > [global] > workgroup = NDG > netbios name = SAMBA > netbios aliases = Samba > server string = Samba Server Version %v > interfaces = lo, eth1, 192.168.230.232 > bind interfaces only = Yes > security = DOMAIN > obey pam restrictions = Yes > passdb backend = tdbsam > pam password change = Yes > log file = /var/log/samba/%m.log > max log size = 50 > load printers = No > add user script = /usr/sbin/useradd "%u" -n -g users > delete user script = /usr/sbin/userdel "%u" > add group script = /usr/sbin/groupadd "%g" > delete group script = /usr/sbin/groupdel "%g" > delete user from group script = /usr/sbin/userdel "%u" "%g" > add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" > -M -d /nohome -s /bin/false "%u" > logon path > domain logons = Yes > os level = 32 > preferred master = Yes > domain master = Yes > dns proxy = No > wins support = Yes > ldap ssl = no > create mask = 0664 > directory mask = 0775 > hosts allow = 127., 192.168.230., 192.168.231. > case sensitive = Yes > browseable = No > available = No > wide links = No > dont descend = / > > [homes] > comment = Home Directories > valid users = %S > read only = No > browseable = Yes > available = Yes > > [NDG] > comment = NDG files > path = /NDG > write list = @NDGstaff, @birdseye > read only = No > browseable = Yes > available = Yes > > I found that making the rule for port 139 ignore the eth port (i.e. > remove the -i eth1) allowed things to work better, but do not want this > to be the case as I do not want the eth0 interface to be used for this > traffic. > looking at netstat -l -n shows only lo and eth1 listening on port 139, > so how is this failing to work?? > Any ideas? > Thanks > Rob > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > lists.centos.org/mailman/listinfo/centosWhat are you attempting to achieve? Having both nics on the same subnet doesn't make a lot of sense to me. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL: <lists.centos.org/pipermail/centos/attachments/20090331/998fbe9d/attachment-0003.sig>