Hi all,
i was crawling all the web for that information, but no success. So now i´m here.

Setting up a sambaserver... all right.

Connecting win2k clients... all right.

rising up an iptables script... no connect.

well, this means: i was putting a firewall on the servermachin smaba in the internal network whith ip 192.168.1.60. All other clients 192.168.1.10 ~ 90 should connect on ports 135~139, 445 and 53 (couse bind is running to on that machin), but never not even on any other port.

Problem, when i´m rising up the iptables script, the clients stop talking with the server anymore.

We are running on debian/sarge with kernel 2.6.

Modules loaded:

ipt_LOG
ipt_state
ip_conntrack
iptable_filter
ip_tables


open rules:


$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --dport 135:139 -j ACCEPT

$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --dport 445 -j ACCEPT

$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT

$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT


As you can see, im that deperate, that i opend all possible connections.

thanks for any advise.

ichitaka

Normally EXT_IP represents the ip address associated with the external or Internet interface of the machine, and INT_IP is the LAN ip. In which case you are allowing internal addresses to connect to the external interface on those ports, which isn't going to work.

I like to set up nmap on a client and run scans against the server to verify the ports are opening. You can use nmapwin if the client is a windows box.

> Normally EXT_IP represents the ip address associated with the external
> or Internet interface of the machine, and INT_IP is the LAN ip.

right, silly as i am, i set the variable $EXT_IP as eth0.

ichitaka