Hello,

I do apologize if this is something that was already discussed somewhere else... but for now I was not able to find the appropriate How-To.

Would anybody know what the IPTABLES entries are to have a working Samba4 Domain Controller? I tried the following:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

With the above I was not able to connect via remote Administration tools to the Active Directory Service.

Does anybody have a comprehensive list of ports/protocols one has to "open" in IPTABLES to get DNS, Samba, Fileshares, Active Directory, etc. working?

Cheers & thank you very much for your help!
Best,
Andreas
On 26.11.2012 14:39, Andreas Krupp wrote:
> With the above I was not able to connect via remote Administration
> tools to the Active Directory Service. Does anybody have a
> comprehensive list of ports/protocols one has to "open" in IPTABLES to
> get DNS, Samba, Fileshares, Active Directory, etc. working? Cheers &
> thank you very much for your help! Best, Andreas

Here is the official list: http://support.microsoft.com/kb/832017

Executive summary: It's hopeless. With so many RPC-based services that use dynamically assigned port numbers, you can't effectively put a packet filter between domain controller and the client.

--
Kind regards
Sven Tegethoff
EDV-Team
UDO BÄR GmbH & Co. KG
Hi,

Here is an extract from my post on installing Samba4 on CentOS6. I have iptables working - I used netstat and Wireshark to monitor the packets.

-----
The ports needed are:

53, TCP & UDP (DNS)
88, TCP & UDP (Kerberos authentication)
135, TCP (MS RPC)
137, UDP (NetBIOS name service)
138, UDP (NetBIOS datagram service)
139, TCP (NetBIOS session service)
389, TCP & UDP (LDAP)
445, TCP (MS-DS AD)
464, TCP & UDP (Kerberos change/set password)
1024, TCP (this is a strange one but AD is using it)

Add these to iptables:

# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -p tcp --dport 135 -j ACCEPT
# iptables -A INPUT -p tcp --dport 88 -j ACCEPT
# iptables -A INPUT -p udp --dport 88 -j ACCEPT
# iptables -A INPUT -p tcp --dport 464 -j ACCEPT
# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p udp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
-----

Looking at your rules, they are close to this. I believe it's the missing RPC (135) that's blocking RSAT.

Cheers,
Stephen Jones
Lloyd Systems Engineering

On Tue, Nov 27, 2012, at 12:39 AM, Andreas Krupp wrote:
> Hello,
>
> I do apologize if this is something that was already discussed somewhere
> else... but for now I was not able to find the appropriate How-To.
> Would anybody know what the IPTABLES entries are to have working Samba4
> Domain Controller?
> I tried the following:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m
> state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state
> --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -p udp -m udp --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp --dport 138 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
>
> With the above I was not able to connect via remote Administration tools
> to the Active Directory Service.
> Does anybody have a comprehensive list of ports/protocols one has to
> "open" in IPTABLES to get DNS, Samba, Fileshares, Active Directory, etc.
> working?
>
> Cheers & thank you very much for your help!
> Best,
> Andreas
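Added example, not code from any post in this thread: a POSIX shell script that turns Stephen's "ports needed" list into a stateful iptables ruleset (loopback and established traffic first, explicit DROP last) and checks a list of listening sockets against it, so anything the list does not cover, such as the dynamically assigned RPC ports Sven mentions, is reported instead of silently blocked. The sample listener list (including tcp 636 and tcp 49153) is constructed; on a real DC feed it the proto/port pairs from `ss -lntu` or `netstat -lntu`.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the Samba4 DC INPUT rules from
# Stephen's port list and flags listeners the list does not cover.

# Stephen's "ports needed" list as proto:port or proto:first-last
DC_PORTS="tcp:53 udp:53 tcp:88 udp:88 tcp:135 udp:137-138 tcp:139 tcp:389 udp:389 tcp:445 tcp:464 udp:464 tcp:1024"

# Emit the iptables commands; review them, then pipe into sh to apply.
dc_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $DC_PORTS; do
        proto=${entry%%:*}
        port=$(echo "${entry#*:}" | tr '-' ':')   # iptables spells ranges a:b
        echo "iptables -A INPUT -p $proto -m state --state NEW --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"
}

# port_allowed PROTO PORT -> exit 0 when PROTO/PORT falls inside DC_PORTS
port_allowed() {
    for entry in $DC_PORTS; do
        [ "${entry%%:*}" = "$1" ] || continue
        range=${entry#*:}
        lo=${range%-*}; hi=${range#*-}   # a single port gives lo=hi
        [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0
    done
    return 1
}

# uncovered_listeners reads "proto port" lines on stdin and prints the ones
# that no rule in DC_PORTS would accept.
uncovered_listeners() {
    while read -r proto port; do
        port_allowed "$proto" "$port" || echo "$proto $port"
    done
}

# Constructed sample listener list for a stand-alone run (not real DC output)
SAMPLE_LISTENERS="tcp 53
udp 53
tcp 88
tcp 135
udp 138
tcp 389
tcp 445
tcp 464
tcp 636
tcp 49153"

dc_rules
printf '%s\n' "$SAMPLE_LISTENERS" | uncovered_listeners   # prints: tcp 636, tcp 49153
```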