Hello everybody,

I have a running installation of Samba4 as AD. All is working fine, but when I start the firewall, the clients have problems logging in.

In my firewall rules from the past, I had opened the ports 137:139 and 445 for Samba, and newly port 53 for bind.

The clients (WinXP) seem to have problems reading and writing from/to the home directories. Maybe Samba4 needs additional or other ports to work fine?

Here are my current iptables rules:

    IPTABLES=/sbin/iptables

    #Bind
    $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
    $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;

    $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
    $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;

    #Samba
    $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
    $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;

    $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
    $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;

    $IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
    $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;

    $IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
    $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;

iptables --list

    ACCEPT tcp -- anywhere anywhere tcp spt:domain state ESTABLISHED
    ACCEPT udp -- anywhere anywhere udp spt:domain state ESTABLISHED
    ACCEPT udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere udp spt:microsoft-ds state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds state RELATED,ESTABLISHED

Note! I have the profiles configured with server copies of the home directories! That's the reason for the necessary read/write possibility. When I log in with a client, the client looks for the server home directory. When a client logs out, the client synchronizes the local home directory to the AD server. Without the running firewall on the AD it works perfectly. With the running firewall I get the message on login that the client can't read the home directory, and when I log out, that the client can't synchronize the home directory. The domain login is always successful.

Thanks in advance!

Bert
> Hello everybody,
>
> I have a running installation of Samba4 as AD. All is working fine,
> but when I start the firewall, the clients have problems logging in.
>
> In my firewall rules from the past, I had opened the ports 137:139 and
> 445 for Samba, and newly port 53 for bind.

Kerberos is on port 88

LDAP is on 339 636

Here is a list of AD port requirements and their uses.

http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

> The clients (WinXP) seem to have problems reading and writing from/to
> the home directories. Maybe Samba4 needs additional or other ports to
> work fine?
>
> Here are my current iptables rules:
>
> IPTABLES=/sbin/iptables
>
> #Bind
> $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>
> $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
>
> #Samba
> $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
> $IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
> $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
>
> The domain login is always successful.
>
> Thanks in advance!
>
> Bert
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
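A rule generator for the DC host firewall, added here as an example (it is not code from the thread or from Samba): it covers the ports the reply above points at (Kerberos 88, LDAP 389 and 636; the reply's "339" is a typo for 389) together with Samba's other AD listeners, and it gives tcp/445 the NEW state that the original script's INPUT rule for that port lacks. It assumes the clients sit in 192.168.0.0/24 and the dynamic RPC range that Samba 4.7 and later use by default; IPTABLES defaults to "echo iptables" so the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Rule generator for a Samba AD DC host firewall (added example,
# not code from the thread). IPTABLES defaults to "echo iptables"
# so the script only prints the rules; set IPTABLES=/sbin/iptables
# on the DC to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
LAN="${LAN:-192.168.0.0/24}"            # assumption: the clients' subnet
RPC_RANGE="${RPC_RANGE:-49152:65535}"   # smb.conf "rpc server dynamic port range"
                                        # default since Samba 4.7; older
                                        # Samba 4 listened from 1024 upwards

# Accept new inbound connections from the LAN on one port or range.
allow() { # allow <proto> <port[:port]>
    $IPTABLES -A INPUT -s "$LAN" -p "$1" --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

samba_ad_rules() {
    # One stateful rule for replies replaces the per-port
    # ESTABLISHED,RELATED clauses of the original script.
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    allow tcp 53;   allow udp 53        # DNS (bind or Samba internal DNS)
    allow tcp 88;   allow udp 88        # Kerberos
    allow tcp 135                       # RPC endpoint mapper
    allow udp 137:138; allow tcp 139    # NetBIOS name/datagram/session
    allow tcp 389;  allow udp 389       # LDAP and CLDAP (DC locator)
    allow tcp 445                       # SMB; the thread's rule had no NEW
    allow tcp 464;  allow udp 464       # kpasswd
    allow tcp 636                       # LDAPS
    allow tcp 3268; allow tcp 3269      # Global Catalog
    allow tcp "$RPC_RANGE"              # dynamic RPC endpoints
}

# Count the generated rules that accept NEW connections on a port.
rules_for() { # rules_for <port[:port]>
    samba_ad_rules | grep -c -- "--dport $1 "
}

samba_ad_rules
```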
> Hello tms3 and list members,
>
> many thanks for your help. I spent a lot of time configuring my
> firewall.
>
> I opened all ports listed here
> <http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx>,
> but at first without success. I don't know why, but the port 1024

That's a DCOM port. I wouldn't have thought that one was necessary. Maybe a question as to why on technical is in order.

> seems to be very important. I found this port step by step with
> smaller and smaller port ranges.
>
> After I had opened this port I was able to log on to the domain.
>
> netstat gives me the following result:
>
> ...
> tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 1361/samba
> ...
> tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 1183/named
> ...
> tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 1361/samba
> ...
> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1183/named
> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1356/samba
> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1343/samba
> ...
> tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1346/samba
> tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 1356/samba
> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1356/samba
> tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 1346/samba
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1343/samba
>
> I tested this with one WinXP client and tomorrow I will start a test
> with more clients.
>
> I hope this will help somebody to make the server a little bit more
> secure.
>
> Regards
>
> Bert
>
> On 10.02.2011 15:53, tms3 at tms3.com wrote:
>> Kerberos is on port 88
>>
>> LDAP is on 339 636
>>
>> Here is a list of AD port requirements and their uses.
>>
>> http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
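To turn a netstat listing like the one Bert posted into a checklist, an added example (not from the thread): it parses netstat -tlnp style lines, keeps the TCP sockets bound to a network-reachable address, and prints the ports on which the original rule set would not accept a new connection. The listing below is a constructed copy of the lines quoted above; on the DC itself pipe live netstat output into unfirewalled instead.

```shell
#!/bin/sh
# Report listening TCP ports that the firewall does not accept NEW
# connections on (added example, not from the thread). SAMPLE is a
# constructed copy of the netstat lines quoted in the thread; on the DC
# use:  netstat -tlnp | unfirewalled "$ALLOWED"
SAMPLE='tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 1361/samba
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 1183/named
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 1361/samba
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1183/named
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1343/samba
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1346/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 1346/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1343/samba'

# TCP ports on which Bert's original INPUT rules accept NEW connections.
# 445 is absent on purpose: that rule lists only ESTABLISHED,RELATED.
ALLOWED="53 137 138 139"

# Print the port of every TCP/TCP6 LISTEN socket that is reachable from
# the network (loopback binds such as named's control port 953 are skipped).
listening_ports() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" && $4 !~ /^(127\.|::1:)/ {
             sub(/.*:/, "", $4); print $4 }' | sort -n | uniq
}

# Print the listening ports missing from the allowed list, one per line.
unfirewalled() { # unfirewalled "<space separated allowed ports>"
    listening_ports | while read -r port; do
        case " $1 " in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

echo "$SAMPLE" | unfirewalled "$ALLOWED"
```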