Old 06-18-2005, 08:05 AM   #1
scng
Member
 
Registered: Sep 2004
Location: Hong Kong
Distribution: Fedora Core 3
Posts: 53

Rep: Reputation: 15
A common problem on samba + iptables


Hi everyone

I find that my Windows XP client doesn't connect to my FC3 box, via Samba, when iptables is up.
It works if I stop iptables on my FC3 box: /etc/rc.d/init.d/iptables stop
It's clear that something is wrong with my firewall settings. I've checked the posts and tried the following commands:

Code:
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p tcp --dport 445 -j ACCEPT

iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p udp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p udp --dport 445 -j ACCEPT

192.168.0.101 is my Samba server running FC3
192.168.0.100 is my Windows XP client

I've checked with iptables -nL

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.101       tcp dpt:137 
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.101       tcp dpt:138 
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.101       tcp dpt:139 
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.101       tcp dpt:445 
ACCEPT     udp  --  192.168.0.0/24       192.168.0.101       udp dpt:137 
ACCEPT     udp  --  192.168.0.0/24       192.168.0.101       udp dpt:138 
ACCEPT     udp  --  192.168.0.0/24       192.168.0.101       udp dpt:139 
ACCEPT     udp  --  192.168.0.0/24       192.168.0.101       udp dpt:445 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

I am confused. What's wrong?
Thanks for the help.
 
Old 06-18-2005, 10:27 AM   #2
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 293

Rep: Reputation: 31
I can't find the sense in this.
All your default policies are ACCEPT, so why do you need to specify these ports?
If you had a default policy of DROP, then there would seem to be some reason.
And I'm not sure, but in the INPUT chain you don't have to specify the destination host; it's reasonable for it to be your computer.
Also, you should type TCP and UDP with capital letters.
 
Old 06-18-2005, 02:27 PM   #3
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Re: A common problem on samba + iptables

Quote:
Originally posted by scng

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  192.168.0.0/24       192.168.0.101       tcp dpt:137 
.....


Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

I am confused. What's wrong?
Thanks for the help.

What is wrong is the first rule in the INPUT chain. It checks the RH-Firewall-1-INPUT chain first, and the last rule in that chain is "REJECT all", so your rules won't work, because the packets will be blocked by the last rule of the RH-Firewall-1-INPUT chain.

Try adding your rules like this, using "-I" instead of "-A", so your rules will be checked first. If packets don't match your rules, iptables will check the RH-Firewall-1-INPUT chain.
Code:
iptables -I INPUT -s 192.168.0.0/24 -d 192.168.0.101 -p tcp --dport 137 -j ACCEPT
...
good luck.
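
Added example, not part of the thread: a small Python model of iptables first-match traversal, showing why the appended rule was never reached and why the inserted one is. The rule set is a constructed abridgement of the listing above, and treating the first RH-Firewall-1-INPUT rule as loopback-only is an assumption, since `iptables -nL` without `-v` does not show interface matches.

```python
import ipaddress

# Constructed model of the listing in the thread (web/ftp/mail rules omitted).
# `iptables -nL` hides interface matches: the first RH-Firewall-1-INPUT rule is
# assumed here to be loopback-only (-i lo), not a real accept-everything rule.
RH_CHAIN = [
    ("ACCEPT", {"iface": "lo"}),
    ("ACCEPT", {"state": {"RELATED", "ESTABLISHED"}}),
    ("ACCEPT", {"proto": "tcp", "dport": 22, "state": {"NEW"}}),
    ("REJECT", {}),  # catch-all: no packet ever returns to INPUT
]
JUMP = ("RH-Firewall-1-INPUT", {})
SMB = ("ACCEPT", {"proto": "tcp", "src": "192.168.0.0/24",
                  "dst": "192.168.0.101", "dport": 139})

def matches(match, pkt):
    """True when every condition of the rule holds for the packet."""
    for key, want in match.items():
        have = pkt[key]
        if key in ("src", "dst"):
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        elif key == "state":
            ok = have in want
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(chains, pkt, name="INPUT"):
    """First-match walk; returns (target, chain, rule number), None = policy."""
    for num, (target, match) in enumerate(chains[name], start=1):
        if not matches(match, pkt):
            continue
        if target not in chains:
            return (target, name, num)         # terminal target ends the walk
        result = verdict(chains, pkt, target)  # jump into user-defined chain
        if result:
            return result                      # else fall through to next rule
    return None

def packet(src, dport=139):
    """A new inbound TCP connection to the Samba server on eth0."""
    return {"iface": "eth0", "proto": "tcp", "state": "NEW",
            "src": src, "dst": "192.168.0.101", "dport": dport}

APPENDED = {"INPUT": [JUMP, SMB], "RH-Firewall-1-INPUT": RH_CHAIN}  # -A INPUT
INSERTED = {"INPUT": [SMB, JUMP], "RH-Firewall-1-INPUT": RH_CHAIN}  # -I INPUT
```

With the inserted ordering, a client outside 192.168.0.0/24 still falls through to the RH-Firewall-1-INPUT catch-all, so the source restriction on the Samba rule is what keeps the port closed to everyone else.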
 
Old 06-18-2005, 11:03 PM   #4
scng
Member
 
Registered: Sep 2004
Location: Hong Kong
Distribution: Fedora Core 3
Posts: 53

Original Poster
Rep: Reputation: 15
The "-I" works! Thanks!

Besides, how do I make the commands execute automatically on boot?

I've checked /etc/sysconfig/iptables, but the remarks in the file say.....

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
 
Old 06-19-2005, 03:52 AM   #5
scng
Member
 
Registered: Sep 2004
Location: Hong Kong
Distribution: Fedora Core 3
Posts: 53

Original Poster
Rep: Reputation: 15
Thanks all, I've found the answer:

/etc/rc.d/init.d/iptables save
 
  

