Hello,

I'm having trouble with Samba and my rules... I can't seem to figure out where the problem is, but I have a feeling it has something to do with my masq vs fw vs local rules (I don't know what the difference between the two is).

Here's a log of what's being rejected:

Oct 9 13:21:19 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18234 DF PROTO=TCP SPT=3116 DPT=445 WINDOW=65268 RES=0x00 SYN URGP=0
Oct 9 13:21:19 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18235 DF PROTO=TCP SPT=3117 DPT=139 WINDOW=65268 RES=0x00 SYN URGP=0
Oct 9 13:21:20 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18255 DF PROTO=TCP SPT=3116 DPT=445 WINDOW=65268 RES=0x00 SYN URGP=0
Oct 9 13:21:20 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18256 DF PROTO=TCP SPT=3117 DPT=139 WINDOW=65268 RES=0x00 SYN URGP=0
Oct 9 13:21:20 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18271 DF PROTO=TCP SPT=3117 DPT=139 WINDOW=65268 RES=0x00 SYN URGP=0
Oct 9 13:21:20 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18272 DF PROTO=TCP SPT=3116 DPT=445 WINDOW=65268 RES=0x00 SYN URGP=0

---
Here are my rules: (It's messy, I know, but I don't know where the problem is)

ACCEPT net fw tcp 5900,5901,8080,80,443,22,25,109,110,143 -
ACCEPT masq fw tcp 5900,5901,8080,80,443,22,25,109,110,143 -
ACCEPT loc fw tcp 5900,5901,8080,80,443,22,25,109,110,143 -
ACCEPT fw loc udp 1024: 137
ACCEPT fw masq udp 1024: 137
ACCEPT masq fw udp 1024: 137
ACCEPT loc fw udp 1024: 137
ACCEPT masq fw tcp 10000,domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 5900,5901,631,137,138,139,445
ACCEPT fw masq udp 631,137,138,139 -
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139,445
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139,445

---
interface file:
masq eth0 detect
net eth1 detect

---
policy file:
masq net ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info

---
I'd appreciate any suggestions :)

Thanks!
Art
> art@monger.net wrote:
>> Hello,
>>
>> I'm having trouble with Samba and my rules... I can't seem to figure
>> out where the problem is, but I have a feeling it has something to do
>> with my masq vs fw vs local rules (I don't know what the difference
>> between the two is).
>
> If you don't know then we certainly don't know either. 'masq' isn't a
> zone that is included in any of the standard sample Shorewall configs.
> Or are you running Mandrake (wonder why I haven't gotten my 9.0
> yet....)?

I am indeed running Mandrake 9.0

The zones file says:
net Net Internet zone
masq Masquerade Masquerade Local
loc Local Local
---

By default, Mandrake set up the interface file as:
loc eth0 detect
masq eth0 detect
net eth1 detect

This of course didn't work, until I commented out the loc entry.

>> Here's a log of what's being rejected:
>>
>> Oct 9 13:21:19 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
>> MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41
>> DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18234 DF
>> PROTO=TCP SPT=3116 DPT=445 WINDOW=65268 RES=0x00 SYN URGP=0
>
> So which zone is 192.168.1.41 in?

41 is in the masq zone (or loc...). I think part of the problem is that I don't really have a loc zone. Could the loc and masq entries interfere with each other? I'm going to try removing all loc entries in the rules and see what happens.

Thanks for the quick response!
Art

> How is the 'loc' zone defined?
>
> -Tom
art@monger.net wrote:
> Hello,
>
> I'm having trouble with Samba and my rules... I can't seem to figure out
> where the problem is, but I have a feeling it has something to do with my
> masq vs fw vs local rules (I don't know what the difference between the
> two is).

If you don't know then we certainly don't know either. 'masq' isn't a zone that is included in any of the standard sample Shorewall configs. Or are you running Mandrake (wonder why I haven't gotten my 9.0 yet....)?

> Here's a log of what's being rejected:
>
> Oct 9 13:21:19 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
> MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41
> DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18234 DF PROTO=TCP
> SPT=3116 DPT=445 WINDOW=65268 RES=0x00 SYN URGP=0

So which zone is 192.168.1.41 in?

> ---
> Here are my rules: (It's messy, I know, but I don't know where the problem is)
>
> ACCEPT net fw tcp 5900,5901,8080,80,443,22,25,109,110,143 -
> ACCEPT masq fw tcp 5900,5901,8080,80,443,22,25,109,110,143 -
> ACCEPT loc fw tcp 5900,5901,8080,80,443,22,25,109,110,143 -
> ACCEPT fw loc udp 1024: 137
> ACCEPT fw masq udp 1024: 137
> ACCEPT masq fw udp 1024: 137
> ACCEPT loc fw udp 1024: 137
> ACCEPT masq fw tcp 10000,domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw masq tcp 5900,5901,631,137,138,139,445
> ACCEPT fw masq udp 631,137,138,139 -
> ACCEPT fw loc udp 137:139
> ACCEPT fw loc tcp 137,139,445
> ACCEPT loc fw udp 137:139
> ACCEPT loc fw tcp 137,139,445
>
> ---
> interface file:
> masq eth0 detect
> net eth1 detect
>
> ---
> policy file:
> masq net ACCEPT
> loc net ACCEPT
> fw net ACCEPT
> net all DROP info
> all all REJECT info

How is the 'loc' zone defined?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
art@monger.net wrote:
> I am indeed running Mandrake 9.0
>
> The zones file says:
> net Net Internet zone
> masq Masquerade Masquerade Local
> loc Local Local
> ---
>
> By default, Mandrake set up the interface file as:
> loc eth0 detect
> masq eth0 detect
> net eth1 detect
>
> This of course didn't work, until I commented out the loc entry.

No -- that doesn't work.

>>> Here's a log of what's being rejected:
>>>
>>> Oct 9 13:21:19 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
>>> MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41
>>> DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18234 DF
>>> PROTO=TCP SPT=3116 DPT=445 WINDOW=65268 RES=0x00 SYN URGP=0
>>
>> So which zone is 192.168.1.41 in?
>
> 41 is in the masq zone (or loc...). I think part of the problem is that I
> don't really have a loc zone. Could the loc and masq entries interfere
> with each other? I'm going to try removing all loc entries in the rules
> and see what happens.

You will want to transfer some of them to the masq zone -- namely the ones having to do with SMB (ports 137-139, 445).

> Thanks for the quick response!

You're welcome.

-Tom
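Added example, not code from the thread or from the Shorewall project: a small Python model of how Shorewall decides what happens to the rejected Samba SYN in the log. Each interface maps to a zone, rules are tried first, and the first matching policy (named src2dst, which is where the "all2all" in the log comes from) fires when no rule matches; it is run against a subset of Art's original rules and against the same rules with the loc entries moved to masq, as Tom suggests. The log line is a constructed, cut-down copy of the one in the thread, and the rule subset and first-match evaluation are simplifying assumptions.

```python
import re
# Constructed sample, cut down from the thread's rejected SYN; OUT= is empty: addressed to the firewall
LOG = ("Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=192.168.1.41 DST=192.168.1.1 "
       "PROTO=TCP SPT=3116 DPT=445 SYN")
INTERFACES = {"eth0": "masq", "eth1": "net"}   # Art's interfaces file, loc commented out
SERVICES = {"domain": 53, "http": 80, "https": 443, "imap": 143, "pop3": 110, "smtp": 25}
# Subset of Art's rules as (SOURCE, DEST, PROTO, DEST PORTS, SOURCE PORTS); all ACCEPT
RULES = [("masq", "fw", "tcp", "5900,5901,8080,80,443,22,25,109,110,143", "-"),
         ("masq", "fw", "udp", "1024:", "137"),
         ("masq", "fw", "tcp", "10000,domain,http,https,631,imap,pop3,smtp", "-"),
         ("loc", "fw", "udp", "137:139", "-"),
         ("loc", "fw", "tcp", "137,139,445", "-")]
# Tom's fix: the SMB rules move from the unused 'loc' zone to the zone eth0 is in
FIXED = [("masq" if s == "loc" else s, d, pr, dp, sp) for s, d, pr, dp, sp in RULES]
POLICY = [("masq", "net", "ACCEPT"), ("loc", "net", "ACCEPT"), ("fw", "net", "ACCEPT"),
          ("net", "all", "DROP"), ("all", "all", "REJECT")]   # Art's policy file

def parse_log(line):
    """Pull the fields the zone and rule lookup needs out of a Shorewall kernel log line."""
    f = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return {"in": f["IN"], "out": f["OUT"], "proto": f["PROTO"].lower(),
            "spt": int(f["SPT"]), "dpt": int(f["DPT"])}

def port_match(spec, port):
    """'-' is any port; comma list of numbers or service names; 'lo:hi' range, ends optional."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, _, hi = item.partition(":")
            if int(lo or 1) <= port <= int(hi or 65535):
                return True
        elif port == int(SERVICES.get(item, item)):
            return True
    return False

def evaluate(pkt, rules):
    """First matching rule wins, else the first matching policy (named src2dst as in the log)."""
    # An empty IN= or OUT= means the firewall itself; otherwise the interface's zone.
    src, dst = (INTERFACES[i] if i else "fw" for i in (pkt["in"], pkt["out"]))
    for s, d, proto, dports, sports in rules:
        if (s, d, proto) == (src, dst, pkt["proto"]) and port_match(dports, pkt["dpt"]) \
                and port_match(sports, pkt["spt"]):
            return f"{s}2{d}:ACCEPT (rule)"
    for s, d, action in POLICY:
        if s in (src, "all") and d in (dst, "all"):
            return f"{s}2{d}:{action} (policy)"

if __name__ == "__main__":
    print("original:", evaluate(parse_log(LOG), RULES))   # all2all:REJECT (policy)
    print("fixed:   ", evaluate(parse_log(LOG), FIXED))   # masq2fw:ACCEPT (rule)
```

With eth0 in masq and no masq->fw rule for tcp/445, the SYN falls through every rule and hits the catch-all policy, which is exactly the all2all:REJECT the log shows; moving the loc SMB rules to masq makes a rule match before the policy is consulted.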
Oh well, blame Mandrake's install... I removed the loc zones and converted them to the masq zone and it worked flawlessly. I think Mandrake tried to be cute by adding a masq zone, but something went wrong.

Thanks for the quick response
Art

> art@monger.net wrote:
>> Hello,
>>
>> I'm having trouble with Samba and my rules... I can't seem to figure
>> out where the problem is, but I have a feeling it has something to do
>> with my masq vs fw vs local rules (I don't know what the difference
>> between the two is).
>
> If you don't know then we certainly don't know either. 'masq' isn't a
> zone that is included in any of the standard sample Shorewall configs.
> Or are you running Mandrake (wonder why I haven't gotten my 9.0
> yet....)?
>
>> Here's a log of what's being rejected:
>>
>> Oct 9 13:21:19 bioart kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
>> MAC=00:03:47:94:4f:33:00:50:2c:00:f9:ed:08:00 SRC=192.168.1.41
>> DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18234 DF
>> PROTO=TCP SPT=3116 DPT=445 WINDOW=65268 RES=0x00 SYN URGP=0
>
> So which zone is 192.168.1.41 in?
>
> How is the 'loc' zone defined?
>
> -Tom