LinuxQuestions.org
Old 09-12-2008, 02:18 PM   #1
jnojr
Member
 
Registered: Sep 2007
Location: Chandler, AZ
Posts: 227

Rep: Reputation: 20
Samba and iptables


I've set up Samba on a couple of machines with iptables (to allow 137UDP, 138UDP, 139TCP, and 445TCP in from allowed hosts). This works fine, but if I try to start / restart smb while the firewall is up, I get "Starting SMB services:" and it hangs there. Adding 127.0.0.1 and the IP address of the host didn't help. Googling didn't help me either. What else needs to be allowed for the service to start? tcpdump isn't helping.

Last edited by jnojr; 09-12-2008 at 02:21 PM.
 
Old 09-12-2008, 02:50 PM   #2
saavik
Member
 
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES / FC/ OES / CentOS
Posts: 614

Rep: Reputation: 32
Well, really interesting.

1. Can you give the output of iptables -vnL when you cannot start Samba?
2. I am sure that you do not need to open any ports to the eth to start Samba, as we have several servers working with Samba but not allowing any connection for the eth.
3. Does /log/messages say anything?
4. Does /log/samba/smb... say anything?
 
Old 09-12-2008, 03:01 PM   #3
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191

Rep: Reputation: 49
The server wouldn't rely on the firewall to start. Everything is local so it wouldn't stop the service from running.
Just to clarify, if you have the firewall disabled does the service start properly?

Another thing,
Quote:
bash-3.1# cat /etc/services | grep netbios
netbios-ns 137/tcp #NETBIOS Name Service
netbios-ns 137/udp #NETBIOS Name Service
netbios-dgm 138/tcp #NETBIOS Datagram Service
netbios-dgm 138/udp #NETBIOS Datagram Service
netbios-ssn 139/tcp #NETBIOS Session Service
netbios-ssn 139/udp #NETBIOS Session Service
bash-3.1# cat /etc/services | grep microsoft
microsoft-ds 445/tcp
microsoft-ds 445/udp
 
Old 09-12-2008, 03:46 PM   #4
jnojr
Member
 
Registered: Sep 2007
Location: Chandler, AZ
Posts: 227

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by saavik View Post
Well, really interesting.

1. Can you give the output of iptables -vnL when you cannot start Samba?
[root@localhost ~]# iptables -vnL
Chain INPUT (policy DROP 805 packets, 81092 bytes)
pkts bytes target prot opt in out source destination
460 32396 ACCEPT tcp -- * * 10.0.0.0/22 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
193 27127 ACCEPT udp -- * * 10.99.16.5 0.0.0.0/0 udp spt:53 dpts:1024:65535
0 0 ACCEPT tcp -- * * 10.99.16.5 0.0.0.0/0 tcp spt:53 dpts:1024:65535
18 1406 ACCEPT udp -- * * 10.99.16.7 0.0.0.0/0 udp spt:53 dpts:1024:65535
0 0 ACCEPT tcp -- * * 10.99.16.7 0.0.0.0/0 tcp spt:53 dpts:1024:65535
14 1064 ACCEPT udp -- * * 10.99.16.5 0.0.0.0/0 udp spt:123
0 0 ACCEPT tcp -- * * 10.3.0.0/24 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT udp -- * * 10.3.0.0/24 0.0.0.0/0 udp dpt:111
0 0 ACCEPT tcp -- * * 10.3.0.0/24 0.0.0.0/0 tcp dpt:2049
0 0 ACCEPT udp -- * * 10.3.0.0/24 0.0.0.0/0 udp dpt:2049
0 0 ACCEPT tcp -- * * 10.3.0.0/24 0.0.0.0/0 tcp dpts:4000:4005
0 0 ACCEPT udp -- * * 10.3.0.0/24 0.0.0.0/0 udp dpts:4000:4005
0 0 ACCEPT tcp -- * * 10.4.0.0/24 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT udp -- * * 10.4.0.0/24 0.0.0.0/0 udp dpt:111
0 0 ACCEPT tcp -- * * 10.4.0.0/24 0.0.0.0/0 tcp dpt:2049
0 0 ACCEPT udp -- * * 10.4.0.0/24 0.0.0.0/0 udp dpt:2049
0 0 ACCEPT tcp -- * * 10.4.0.0/24 0.0.0.0/0 tcp dpts:4000:4005
0 0 ACCEPT udp -- * * 10.4.0.0/24 0.0.0.0/0 udp dpts:4000:4005
0 0 ACCEPT tcp -- * * 10.5.0.0/24 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT udp -- * * 10.5.0.0/24 0.0.0.0/0 udp dpt:111
0 0 ACCEPT tcp -- * * 10.5.0.0/24 0.0.0.0/0 tcp dpt:2049
0 0 ACCEPT udp -- * * 10.5.0.0/24 0.0.0.0/0 udp dpt:2049
0 0 ACCEPT tcp -- * * 10.5.0.0/24 0.0.0.0/0 tcp dpts:4000:4005
0 0 ACCEPT udp -- * * 10.5.0.0/24 0.0.0.0/0 udp dpts:4000:4005
0 0 ACCEPT tcp -- * * 10.99.17.0/24 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT udp -- * * 10.99.17.0/24 0.0.0.0/0 udp dpt:111
0 0 ACCEPT tcp -- * * 10.99.17.0/24 0.0.0.0/0 tcp dpt:2049
0 0 ACCEPT udp -- * * 10.99.17.0/24 0.0.0.0/0 udp dpt:2049
0 0 ACCEPT tcp -- * * 10.99.17.0/24 0.0.0.0/0 tcp dpts:4000:4005
0 0 ACCEPT udp -- * * 10.99.17.0/24 0.0.0.0/0 udp dpts:4000:4005
0 0 ACCEPT udp -- * * 10.99.23.49 0.0.0.0/0 udp dpt:137
4 996 ACCEPT udp -- * * 10.99.23.49 0.0.0.0/0 udp dpt:138
0 0 ACCEPT tcp -- * * 10.99.23.49 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT tcp -- * * 10.99.23.49 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 10.0.1.21 0.0.0.0/0 udp dpt:137
0 0 ACCEPT udp -- * * 10.0.1.21 0.0.0.0/0 udp dpt:138
0 0 ACCEPT tcp -- * * 10.0.1.21 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT tcp -- * * 10.0.1.21 0.0.0.0/0 tcp dpt:445

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 914 packets, 230K bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]#

Quote:
2. I am sure that you do not need to open any ports to the eth to start Samba, as we have several servers working with Samba but not allowing any connection for the eth.
Well, since the only difference is with the firewall running or not...

Quote:
3. Does /log/messages say anything?
Nope.

Quote:
4. Does /log/samba/smb... say anything?
Nope.

[root@localhost ~]# echo "<<< MARK >>>" >> /var/log/messages
[root@localhost ~]# echo "<<< MARK >>>" >> /var/log/samba/smbd.log
[root@localhost ~]# service smb start
Starting SMB services:
[root@localhost ~]# tail /var/log/messages
Sep 12 12:53:46 localhost dhclient: DHCPACK from 10.99.16.1
Sep 12 12:53:46 localhost dhclient: bound to 10.99.23.49 -- renewal in 1668 seconds.
Sep 12 13:21:34 localhost dhclient: DHCPREQUEST on eth0 to 10.99.16.1 port 67
Sep 12 13:21:34 localhost dhclient: DHCPACK from 10.99.16.1
Sep 12 13:21:34 localhost dhclient: bound to 10.99.23.49 -- renewal in 1403 seconds.
Sep 12 13:44:57 localhost dhclient: DHCPREQUEST on eth0 to 10.99.16.1 port 67
Sep 12 13:44:57 localhost dhclient: DHCPACK from 10.99.16.1
Sep 12 13:44:57 localhost dhclient: bound to 10.99.23.49 -- renewal in 1480 seconds.
<<< MARK >>>
[root@localhost ~]# tail /var/log/samba/smbd.log
10.0.1.21 (10.0.1.21) connect to service data initially as user nfsnobody (uid=65534, gid=65534) (pid 7576)
[2008/09/12 12:07:31, 1] smbd/service.c:close_cnum(1230)
10.0.1.21 (10.0.1.21) closed connection to service data
[2008/09/12 12:16:07, 0] smbd/server.c:main(948)
smbd version 3.0.28-1.el5_2.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
<<< MARK >>>
[2008/09/12 13:45:51, 0] smbd/server.c:main(948)
smbd version 3.0.28-1.el5_2.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
 
Old 09-12-2008, 03:53 PM   #5
jnojr
Member
 
Registered: Sep 2007
Location: Chandler, AZ
Posts: 227

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by w3bd3vil View Post
The server wouldn't rely on the firewall to start. Everything is local so it wouldn't stop the service from running.
Just to clarify, if you have the firewall disabled does the service start properly?
That is correct. I flush the iptables rules and reset the policies to ACCEPT, and smb starts just fine. Load the iptables rules, and smb no longer starts.

Quote:
Another thing,
For giggles, I added the reverse, so I have TCP and UDP for 137, 138, 139, and 445. No difference.
 
Old 09-12-2008, 03:55 PM   #6
jnojr
Member
 
Registered: Sep 2007
Location: Chandler, AZ
Posts: 227

Original Poster
Rep: Reputation: 20
Oh, and if I stop the firewall, start smb, and then start the firewall, Samba works just fine.
 
Old 09-12-2008, 04:28 PM   #7
jnojr
Member
 
Registered: Sep 2007
Location: Chandler, AZ
Posts: 227

Original Poster
Rep: Reputation: 20
I found my answer.

$IPTABLES -A INPUT -i lo -j ACCEPT
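
Added example, not part of the original thread: the listing in post #4 has an INPUT policy of DROP and no rule accepting traffic on the loopback interface, which is the gap the rule in post #7 closes. The check below flags that gap in a ruleset dump; the function name `audit_loopback` and both sample rulesets are constructed for illustration, and the input is assumed to be in `iptables-save` format.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an iptables-save dump
# accepts loopback traffic when the filter INPUT policy is DROP.
# Prints: ok-policy-accept | ok-lo-rule | missing-lo-rule | no-input-chain
audit_loopback() {
    awk '
        /^\*/ { table = substr($0, 2) }            # "*filter", "*nat", ...
        table == "filter" && /^:INPUT / { policy = $2 }
        table == "filter" && /^-A INPUT / {
            lo = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                # "-i lo" counts only when it is not negated ("! -i lo")
                if ($i == "-i" && $(i + 1) == "lo" && $(i - 1) != "!") lo = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (lo && accept) found = 1
        }
        END {
            if (policy == "") print "no-input-chain"
            else if (policy != "DROP") print "ok-policy-accept"
            else if (found) print "ok-lo-rule"
            else print "missing-lo-rule"
        }'
}

# Constructed sample rules, modelled on the listing in post #4.
RULES='-A INPUT -s 10.0.0.0/22 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.99.23.49/32 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 10.99.23.49/32 -p tcp -m tcp --dport 445 -j ACCEPT'

# Ruleset as posted: default DROP, no loopback rule.
BROKEN="*filter
:INPUT DROP [0:0]
$RULES
COMMIT"

# Same ruleset with the rule from post #7 added.
FIXED="*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
$RULES
COMMIT"

printf 'broken: %s\n' "$(printf '%s\n' "$BROKEN" | audit_loopback)"
printf 'fixed:  %s\n' "$(printf '%s\n' "$FIXED" | audit_loopback)"
```

On a live host the same function can be fed from `iptables-save` run as root.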
 
  

