iptables insanity.

Rotwang · 08-24-2006, 12:27 PM

I'm trying to get samba to work. It works if I kill my firewall. I have never changed my firewall at all until now, so I started with the default CentOS 4.3 firewall. This is me trying to open ports 137 and 138:

# Generated by iptables-save v1.2.11 on Thu Aug 24 13:18:14 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21284:972418]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -i eth0 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Aug 24 13:18:14 2006

Yet, when I stop and start /etc/init.d/iptables and then run a port scan this is what I get:

[root@localhost init.d]# nmap localhost

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-08-24 13:24 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
3306/tcp open mysql
8080/tcp open http-proxy

And samba still won't work, windows can't conx to it.

pljvaldez · 08-24-2006, 12:38 PM

My machine also has port 113 open, which is listed as "auth", but I'm not sure if that'll help you out or not...

Rotwang · 08-24-2006, 04:11 PM

thanks, I don't think samba uses 113. And besides, I apparently can't even open it because my changes aren't affecting iptables at all.

peter_robb · 08-24-2006, 07:17 PM

137 & 138 are udp protocols
139 is tcp

The sequence of the rules is important.
Nothing will get past the last rule in the RH-Firewall-1-INPUT chain, so it's pointless having INPUT rules after it..

So if your samba is going via the FORWARD chain, add some udp rules.