Hello Samba group,
I have setup iptables on a Samba-3.0.8 member server (with one IP) in
a native mode Active Directory domain.
Searching the Samba list archives directs me to read the
http://www.netfilter.org documentation and doesn't attempt to describe the
ports needed for Samba to function as a member server in native AD.
I would appreciate any constructive feedback regarding whether these
iptables rules look correct, or grant too much or too little. They do
work, and they express my understanding of Samba server network
communication.
## SAMBA RULES ##
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ANY='0.0.0.0/0'
# RPC endpoint mapper
iptables -A INPUT -s $ANY -p udp --dport 135 -j ACCEPT
# NetBIOS Name Service (nbname)/Datagram Service (nbdatagram)
iptables -A INPUT -s $ANY -p udp --dport 137:138 -j ACCEPT
# NetBIOS Session Service (nbsession)
iptables -A INPUT -s $ANY -p tcp --dport 139 -j ACCEPT
# SMB directly over TCP (no NetBIOS layer)
iptables -A INPUT -s $ANY -p tcp --dport 445 -j ACCEPT
# Kerberos V5 communication, UDP (replies under ~2K bytes)
iptables -A INPUT -p udp -m udp --dport 88 -j ACCEPT
# Kerberos V5 communication, TCP (replies over ~2K bytes)
iptables -A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
# NTP communication, for Kerberos V5 tickets?
iptables -A INPUT -s $ANY -p udp --dport 123 -j ACCEPT
Note: Limiting the OUTPUT rules kills communications to KDC, so I left
it open.
--
._____________________.
| \0/ John Stile |
| UniX Administration |
| / \ 510-305-3800 |
| john@stilen.com |
.---------------------.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20041114/1daef63d/attachment.bin
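A tightened version of the same ruleset, added here as an editorial example and not part of John's post or of Samba itself. It keeps the default-deny INPUT policy but adds the two rules a default-deny host normally needs (loopback, and connection tracking so replies from the DCs to the ephemeral ports this host used get in), and it opens inbound only the SMB/NetBIOS ports a member server actually serves. The Kerberos, RPC endpoint mapper and NTP ports from the original list are services the member server connects to on the DCs, not ones it offers, so they are not opened inbound. `CLIENT_NET` is a constructed placeholder for the subnet allowed to reach the shares; `IPT` defaults to `echo iptables`, so running the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original post). Member-server ruleset with
# default-deny inbound plus loopback and connection-tracking rules, and
# inbound access limited to the ports a Samba member server serves.
#
# IPT defaults to a dry run that prints the rules; set IPT=iptables as
# root to apply them. CLIENT_NET is a constructed placeholder subnet.
IPT="${IPT:-echo iptables}"
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"

samba_member_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # OUTPUT stays open: the member server initiates Kerberos (88), LDAP
    # (389/3268), DNS (53), NTP (123) and SMB (445) towards the DCs.
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host started. Without the
    # conntrack rule, UDP answers from the KDC or DNS server are dropped
    # by the INPUT DROP policy because they arrive on ephemeral ports.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services this host offers to clients, restricted to the client subnet:
    # NetBIOS name/datagram service, NetBIOS session service, direct SMB.
    $IPT -A INPUT -s "$CLIENT_NET" -p udp --dport 137:138 -j ACCEPT
    $IPT -A INPUT -s "$CLIENT_NET" -p tcp --dport 139 -j ACCEPT
    $IPT -A INPUT -s "$CLIENT_NET" -p tcp --dport 445 -j ACCEPT

    # Ports 88, 135 and 123 are deliberately not opened inbound: a member
    # server runs no KDC, RPC endpoint mapper or NTP server; it only talks
    # to those on the DCs, and the conntrack rule admits the replies.
}

samba_member_rules
```

With the dry-run default you can diff the printed rules against `iptables-save` output on the server before applying them; if anything still fails after switching to the tightened set, the conntrack rule is the first thing to confirm is present and placed before the port rules.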