I have been trying to get samba up and runnning but smbstatus basically tells me there are no shares.

I cannot ping my server and am concerned this is an issue. I can access my windows computer from the linux box though so I am not sure if this is actually an issue.
do I need Lisa running? (I don't even know what that is!)

I have read other thread where people get the same message from smbstatus but it always comes down to not being able to ping and the firewall stopping the econnection.

As I said I can ping all computers from any other computer except the linux computer which is 192.168.0.1

here is the output from smbstaus and my smb.conf file and iptables file.

[root@Shihan /]# smbstatus

Samba version 2.2.6pre2
Service uid gid pid machine
----------------------------------------------

Failed to open byte range locking database
ERROR: Failed to initialise locking database
Can't initialise locking module - exiting

smb.conf file:

#======================= Global Settings =====================================
[global]

workgroup = workgroup
netbios name = shihan
server string = Samba Server %v
guest account = pcguest
security = share
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
interfaces = 192.168.0.1
wins support = yes


#============================ Share Definitions ==============================

[share]
comment = Shared folder on shihan
path = /share
read only = no
public = yes
guest ok = yes
guest only = yes

[websites]
comment = websites
path = /home/web/htdocs
public = yes
writable = yes



iptables file:

#!/bin/sh

# Diable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth1'
WAN_IP='10.0.0.1'
WAN_NIC='eth0'
FORWARD_IP='192.168.0.1'
#WAS FORWARD_IP='192.168.0.3'

# load some modules (if needed)

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 110
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 21

#added by Me from web info to allow pinging
iptables -I INPUT -s 192.168.0.1 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.3 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.2 -p tcp --dport 1241 -j ACCEPT



# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports to server on LAN
#iptables -A FORWARD -j ACCEPT -p tcp --dport 80
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.3:80

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


One other thing I will post here is the script I use to start the firewall. I ahve suspicions that it is not right. I have had to use the stop directive to start it! and start seemed only to give me the message "usage..."


#!/bin/sh




#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-2.4 ruleset.
#
# processname: firewall-2.4
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-2.4
# probe: true

# ----------------------------------------------------------------------------
# v05/24/03
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
# 05/24/03 - removed a old networking up check that had some
# improper SGML ampersand conversions.
# ----------------------------------------------------------------------------


# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.

[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

[ -x /sbin/ifconfig ] || exit 0

# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/usr/local/sbin/iptables


# See how we were called.
case "$1" in
start)
#I had comented out the following line to stop the usage message coming up DK
/etc/rc.d/rc.firewall-2.4
;;

stop)
echo -e "\nFlushing firewall and setting default policies to DROP\n"
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
;;

restart)
$0 stop
$0 start
;;

status)
$IPTABLES -L
;;

mlist)
cat /proc/net/ip_conntrack
;;

*)
echo "Usage: firewall-2.4 {start|stop|status|mlist}"
exit 1
esac

exit 0

echo -e "\nDone.\n"

Are you really running samba version 2.2.6pre2? That's pretty old (current is 3.0.x).

I'd first upgrade samba, and then make sure it's actually running:

ps ax | grep smb

137/udp "INPUT , OUTPUT"
139/tcp "INPUT"

I think samba uses more ports like 445 but I am dropping that port, seems to work

must admit I haven't used smbstatus before, but it seems to report current connections so there may be easier places to start looking for your problem. Apart from the suggestions below re the firewall to chase samba probs you best bet is to keep it simple, up the log level in your smb.conf to around 3 (you can go higher but the amount of log data this will generate quickly becomes overwhelming) and tail that log whilst trying to make your connection. If nothing is hitting the log then the prob is not with samba and the firewall et al is a good place to start looking, otherwise you will see details of the problem in the samba logs.

ok so your default policy is to drop which is a very good thing, but this means that unless you have a rule for every acceptable action you will lose the packets. In this case you have rules that match specific port ranges

so they will be let in, but nothing else other than those ports will get through. You probably want a generic rule for your local network stuff, like


the other thing I would recommend, at least while your chasing bugs, is to log the packets as the last rule of the chain with something like this

this will allow you to see in your logs what packets are being rejected with enough detail to work out why. I hasten to add that this will dump quite a bit of data in your log files (if you use a logger that allows for sensible redirection of info out of your logs into a different file (ie syslog-ng or metalog, or some such) then i recommend doing that to make it easier to follow) but it is handy and interesting to see what is being blocked - kinda scary how many requests spew in from the net, this will give you a good idea of that.

OK its working now. Thanks Sutekh. I am not sure how it works now though. I added in the code that you mentioned and that seemed to have done the trick. The thing is I still cannot ping the eth cards on the linux computer. is there a particular port I need to open for pinging to work? how would I turn pinging on and off, or do I already have this in my iptables file?

thanks
David K

this will enable localhost and computers behind the firewall to ping systems outside your lan


to be able to ping your firewall I think you have to allow icmp's on LO you could try this

Thanks
OK that looks good but a few newbie type questions.

how do I set the environment variables eg $LAN_NIC, $IPT, $PATH etc.
is it an alias?

it is also complaining about -p and not knowing what icmp is would that be because I have not set the environment vars?

by the way I ddi just paste what you put in up there, I just changed $IPT......
Also this stuff below is only one of the lines, I commented out the other lines

[root@s vnc]# /etc/rc.d/rc.firewall-2.4 restart

Flushing firewall and setting default policies to DROP

Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.

ok from the answer is in your original post as it turns out
typing in LAN_NIC='eth0' sets that value in the variable $LAN_NIC

ok so basically what is happening is that you are telling iptables to use $EXIT_IF and $INT_IF for your interfaces but unless you set these variables at the top of the script they remain undeclared (or null? some bash guru will tell me I'm wrong i'm sure ;-)) becase these are blank it keeps looking down the line and the next thing it sees is -p so it thinks that is what you are trying to use as the name of an interface (and that is of course invalid so it fails).

so the easist way to get up and running is to use the variables you have already declared that is LAN_NIC and WAN_NIC. so everywhere you wrote INT_IF replace it with LAN_NIC and change EXT_IF with WAN_NIC. re0run your script and you should be sorted

#external interface pointing to the internet
EXT_IF='eth1'
# internal / lan interface 192.something
INT_IF='eth0'
# location to iptables
IPT='/sbin/iptables'
# Your IP external one 'internet'
EXT_IP='xxx.xxx.xxx.xxx'

if it doesnt work just remove the $VARS from the code and replace them with your information for example 192.x.x.x instead of $INT_IF


EDIT: sorry, didn't refresh the page before posting, didn't see your reply there

s'ok no such thing as too much help :-)

Yup thats it. Thanks very much for all your help.

while this issue has now been solved and finished, I did just notice something I forgot to ask. Where are my log files kept? what would they be called.? I know sutekh you showed me to add the lines in iptables to enable logging but where does this write the logs?
thanks
David K

usually they'd be in /var/log/syslog...

It depends on what logger you're running (e.g. metalog, syslog, syslog-ng, sysklog, etc.), but in general all the logs will be somwhere under /var/log. Sometimes you'll find directories for the program itself under there, e.g. /var/log/samba.

yeah what they said!

another place they may be is /var/log/messages