Adam Sienkiewicz
2013-May-21 11:36 UTC
[Samba] samba4 AD - strange slowness after enable iptables based firewall
Hi; I successfully ran AD on samba4 software. All the functions I require work properly, but when I turn on the firewall my environment gets very slow - the logon process is 3 times longer than on a system with the firewall service disabled. Below I pasted my firewall configuration - I based it on the samba tutorial and examples and the official microsoft web page with the needed ports:

Have you had similar problems after firewall implementations?

    # flush existing rules and set default-deny policies
    iptables -F
    iptables -X

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # kernel network hardening via /proc
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

    # loopback, ping, and connection-tracking rule (matches NEW as well as tracked flows)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # AD DC service ports
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
    iptables -A INPUT -p udp --dport 5353 -j ACCEPT
    iptables -A INPUT -p tcp --dport 88 -j ACCEPT
    iptables -A INPUT -p udp --dport 88 -j ACCEPT
    iptables -A INPUT -p tcp --dport 135 -j ACCEPT
    iptables -A INPUT -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -p udp --dport 138 -j ACCEPT
    iptables -A INPUT -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -p tcp --dport 389 -j ACCEPT
    iptables -A INPUT -p udp --dport 389 -j ACCEPT
    iptables -A INPUT -p tcp --dport 636 -j ACCEPT
    iptables -A INPUT -p udp --dport 636 -j ACCEPT
    iptables -A INPUT -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -p udp --dport 445 -j ACCEPT
    iptables -A INPUT -p tcp --dport 464 -j ACCEPT
    iptables -A INPUT -p udp --dport 464 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5722 -j ACCEPT
    iptables -A INPUT -p udp --dport 123 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3268:3269 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1025:5000 -j ACCEPT
    iptables -A INPUT -p udp --dport 1025:5000 -j ACCEPT
    iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 9389 -j ACCEPT

    iptables -A INPUT -j DROP

    # outbound: accept everything that is not INVALID, log and drop the rest
    iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
    iptables -A OUTPUT -j LOG --log-level debug --log-prefix "IPT OUTPUT: "
    iptables -A OUTPUT -j DROP
bas
2013-May-21 15:52 UTC
[Samba] samba4 AD - strange slowness after enable iptables based firewall
i.e. like this http://www.thegeekstuff.com/2012/08/iptables-log-packets/

On 5/21/2013 9:57 AM, Bas wrote:
> Hmm, I notice you seem to turn off ping responses but then specifically open up your firewall to it? I would try removing the line with icmp_echo_ignore.
>
> If that doesn't fix it, add a log entry just above the line with -j DROP so you get an entry in /etc/logs/syslog of every packet that was dropped.
>
> Adam Sienkiewicz <adamsienkiewicz78 at gmail.com> wrote:
>
>> Hi; I successfully ran AD on samba4 software. All the functions I require work properly, but when I turn on the firewall my environment gets very slow - the logon process is 3 times longer than on a system with the firewall service disabled. Below I pasted my firewall configuration - I based it on the samba tutorial and examples and the official microsoft web page with the needed ports:
>>
>> Have you had similar problems after firewall implementations?
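As an added example that is not from either poster, the script below rebuilds the INPUT ruleset from the original post around the reply's advice: a LOG rule sits directly above the final DROP so every rejected packet shows up in the kernel log, and the connection-tracking rule only short-circuits ESTABLISHED,RELATED traffic, so NEW connections have to match one of the per-port rules instead of being accepted wholesale. The port list is taken from the original post; the log prefix "IPT INPUT: ", the rate limit on the LOG rule, the ipt() wrapper and the DRY_RUN variable are my additions, and the sysctl lines from the original are left out.

```shell
#!/bin/sh
# Added example, not the thread's own script. Builds a Samba AD DC INPUT/OUTPUT
# ruleset with the ports from the original post, logging dropped packets just
# before the DROP rule (prefix "IPT INPUT: " is an assumed choice).
# DRY_RUN=1 prints the iptables commands instead of applying them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# allow_port PROTO PORT[:PORT]  -- one ACCEPT rule per service port
allow_port() {
    ipt -A INPUT -p "$1" --dport "$2" -j ACCEPT
}

samba_dc_rules() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Only already-tracked flows bypass the port list; NEW must match below.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    allow_port tcp 22                                # ssh admin
    allow_port tcp 53;   allow_port udp 53           # DNS
    allow_port tcp 88;   allow_port udp 88           # Kerberos
    allow_port udp 123                               # NTP
    allow_port tcp 135                               # RPC endpoint mapper
    allow_port udp 137;  allow_port udp 138          # NetBIOS name / datagram
    allow_port tcp 139;  allow_port tcp 445          # SMB
    allow_port tcp 389;  allow_port udp 389          # LDAP
    allow_port tcp 636                               # LDAPS
    allow_port tcp 464;  allow_port udp 464          # Kerberos password change
    allow_port tcp 3268:3269                         # Global catalog
    allow_port tcp 49152:65535                       # RPC dynamic range

    # Anything else: log (rate-limited so a scan cannot flood syslog), then drop.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "IPT INPUT: "
    ipt -A INPUT -j DROP

    # Outbound, as in the original post: accept everything that is not INVALID.
    ipt -A OUTPUT -m state ! --state INVALID -j ACCEPT
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "IPT OUTPUT: "
    ipt -A OUTPUT -j DROP
}

# Print the rules without touching the kernel (runs on any host, no root needed).
rules_dry_run() ( DRY_RUN=1; samba_dc_rules )

# Number of ACCEPT rules the script would install; a quick sanity check.
accept_rule_count() { rules_dry_run | grep -c -- '-j ACCEPT'; }

case "${1:-}" in
    apply) samba_dc_rules ;;
    *)     rules_dry_run ;;
esac
```

Run it with no arguments to review the generated commands, and with `apply` as root to install them; afterwards, dropped packets appear in the kernel log with the "IPT INPUT: " prefix, so a slow logon can be correlated with the exact port and protocol being rejected.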