LinuxQuestions.org, Linux - Newbie forum
#1  davidk (LQ Newbie, Adelaide Australia), 09-28-2004, 11:50 AM
samba, firewalls and pinging


I have been trying to get samba up and running but smbstatus basically tells me there are no shares.

I cannot ping my server and am concerned this is an issue. I can access my windows computer from the linux box though so I am not sure if this is actually an issue.
Do I need Lisa running? (I don't even know what that is!)

I have read other threads where people get the same message from smbstatus but it always comes down to not being able to ping and the firewall stopping the connection.

As I said I can ping all computers from any other computer except the linux computer which is 192.168.0.1

Here is the output from smbstatus and my smb.conf file and iptables file.

[root@Shihan /]# smbstatus

Samba version 2.2.6pre2
Service uid gid pid machine
----------------------------------------------

Failed to open byte range locking database
ERROR: Failed to initialise locking database
Can't initialise locking module - exiting

smb.conf file:

#======================= Global Settings =====================================
[global]

workgroup = workgroup
netbios name = shihan
server string = Samba Server %v
guest account = pcguest
security = share
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
interfaces = 192.168.0.1
wins support = yes


#============================ Share Definitions ==============================

[share]
comment = Shared folder on shihan
path = /share
read only = no
public = yes
guest ok = yes
guest only = yes

[websites]
comment = websites
path = /home/web/htdocs
public = yes
writable = yes



iptables file:

#!/bin/sh

# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth1'
WAN_IP='10.0.0.1'
WAN_NIC='eth0'
FORWARD_IP='192.168.0.1'
#WAS FORWARD_IP='192.168.0.3'

# load some modules (if needed)

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 110
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 21

#added by Me from web info to allow pinging
# (note: these three rules match TCP port 1241, not ICMP echo requests, so
# they have no effect on ping; ICMP has no port and needs "-p icmp" rules)
iptables -I INPUT -s 192.168.0.1 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.3 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.2 -p tcp --dport 1241 -j ACCEPT



# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports to server on LAN
#iptables -A FORWARD -j ACCEPT -p tcp --dport 80
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.3:80

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


One other thing I will post here is the script I use to start the firewall. I have suspicions that it is not right. I have had to use the stop directive to start it! And start seemed only to give me the message "usage...".


#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-2.4 ruleset.
#
# processname: firewall-2.4
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-2.4
# probe: true

# ----------------------------------------------------------------------------
# v05/24/03
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
# 05/24/03 - removed a old networking up check that had some
# improper SGML ampersand conversions.
# ----------------------------------------------------------------------------


# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.

[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

[ -x /sbin/ifconfig ] || exit 0

# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/usr/local/sbin/iptables


# See how we were called.
case "$1" in
start)
# I had commented out the following line to stop the usage message coming up. DK
# This path must point at the ruleset file (the "iptables file" above), not at
# this init script: if this init script is itself installed as
# /etc/rc.d/rc.firewall-2.4, "start" re-runs it with no argument and the
# usage message is all you get.
/etc/rc.d/rc.firewall-2.4
;;

stop)
echo -e "\nFlushing firewall and setting default policies to DROP\n"
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
;;

restart)
$0 stop
$0 start
;;

status)
$IPTABLES -L
;;

mlist)
cat /proc/net/ip_conntrack
;;

*)
echo "Usage: firewall-2.4 {start|stop|status|mlist}"
exit 1
esac

echo -e "\nDone.\n"

exit 0
 
#2  dsegel (Member, Davis, California; Gentoo), 09-28-2004, 12:23 PM
Are you really running samba version 2.2.6pre2? That's pretty old (current is 3.0.x).

I'd first upgrade samba, and then make sure it's actually running:

ps ax | grep smb
 
#3  lappen (Member, Sweden), 09-28-2004, 04:27 PM
137/udp "INPUT , OUTPUT"
139/tcp "INPUT"

I think samba uses more ports like 445, but I am dropping that port; it seems to work.
 
#4  Sutekh (Member, Melbourne, Australia; Gentoo), 09-28-2004, 06:12 PM
Re: samba, firewalls and pinging

Quote:
Originally posted by davidk
I have been trying to get samba up and runnning but smbstatus basically tells me there are no shares.
I must admit I haven't used smbstatus before, but it seems to report current connections, so there may be easier places to start looking for your problem. Apart from the suggestions below re the firewall, to chase samba problems your best bet is to keep it simple: up the log level in your smb.conf to around 3 (you can go higher, but the amount of log data this will generate quickly becomes overwhelming) and tail that log whilst trying to make your connection. If nothing is hitting the log then the problem is not with samba and the firewall et al. is a good place to start looking; otherwise you will see details of the problem in the samba logs.

Quote:

iptables file:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
OK, so your default policy is to drop, which is a very good thing, but this means that unless you have a rule for every acceptable action you will lose the packets. In this case you have rules that match specific ports

Quote:

#added by Me from web info to allow pinging
iptables -I INPUT -s 192.168.0.1 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.3 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.2 -p tcp --dport 1241 -j ACCEPT
so they will be let in, but nothing else other than those ports will get through. You probably want a generic rule for your local network stuff, like

Code:
iptables -A INPUT -i $LAN_NIC -j ACCEPT
iptables -A OUTPUT -o $LAN_NIC -j ACCEPT

The other thing I would recommend, at least while you're chasing bugs, is to log the packets as the last rule of the chain with something like this

Code:
iptables -A OUTPUT -j LOG --log-prefix "|ipt OUTPUT -- "
iptables -A INPUT -j LOG --log-prefix "|ipt INPUT -- "
iptables -A FORWARD -j LOG --log-prefix "|ipt FORWARD -- "
This will allow you to see in your logs what packets are being rejected, with enough detail to work out why. I hasten to add that this will dump quite a bit of data in your log files (if you use a logger that allows for sensible redirection of info out of your logs into a different file (i.e. syslog-ng or metalog, or some such) then I recommend doing that to make it easier to follow), but it is handy and interesting to see what is being blocked; kinda scary how many requests spew in from the net, and this will give you a good idea of that.
 
#5  davidk (Original Poster), 09-29-2004, 06:44 PM
OK, it's working now. Thanks Sutekh. I am not sure how it works now though. I added in the code that you mentioned and that seems to have done the trick. The thing is I still cannot ping the eth cards on the linux computer. Is there a particular port I need to open for pinging to work? How would I turn pinging on and off, or do I already have this in my iptables file?

thanks
David K
 
#6  lappen, 09-30-2004, 08:44 AM
This will enable localhost and computers behind the firewall to ping systems outside your LAN:


Code:
$IPT -A OUTPUT -o $EXT_IF -p icmp -s $EXT_IP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INT_IF -p icmp -s 192.168.0.2 --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INT_IF -p icmp -s 192.168.0.3 --icmp-type 8 -m state --state NEW -j ACCEPT
To be able to ping your firewall I think you have to allow ICMP on lo; you could try this:
Code:
# Allow internal network to ping firewall 'i think'
$IPT -A INPUT -i $INT_IF -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow localhost to ping services 'i think'
$IPT -A INPUT -i lo -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
 
#7  davidk (Original Poster), 10-01-2004, 04:58 AM
Thanks
OK, that looks good, but a few newbie-type questions.

How do I set the environment variables, e.g. $LAN_NIC, $IPT, $PATH etc.?
Is it an alias?

It is also complaining about -p and not knowing what icmp is; would that be because I have not set the environment vars?

By the way, I did just paste what you put in up there, I just changed $IPT......
Also, this stuff below is only one of the lines; I commented out the other lines.

[root@s vnc]# /etc/rc.d/rc.firewall-2.4 restart

Flushing firewall and setting default policies to DROP

Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
(the same three lines repeated eight more times)

Last edited by davidk; 10-01-2004 at 05:02 AM.
 
#8  Sutekh, 10-01-2004, 08:57 AM
Quote:
Originally posted by davidk
Thanks
OK, that looks good, but a few newbie-type questions.

How do I set the environment variables, e.g. $LAN_NIC, $IPT, $PATH etc.?
Is it an alias?
OK, the answer is in your original post, as it turns out:
Quote:
LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth1'
WAN_IP='10.0.0.1'
WAN_NIC='eth0'
FORWARD_IP='192.168.0.1'
#WAS FORWARD_IP='192.168.0.3'
Typing in LAN_NIC='eth0' sets that value in the variable $LAN_NIC.

Quote:
It is also complaining about -p and not knowing what icmp is; would that be because I have not set the environment vars?

By the way, I did just paste what you put in up there, I just changed $IPT......
Also, this stuff below is only one of the lines; I commented out the other lines.

[root@s vnc]# /etc/rc.d/rc.firewall-2.4 restart

Flushing firewall and setting default policies to DROP

Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
OK, so basically what is happening is that you are telling iptables to use $EXT_IF and $INT_IF for your interfaces, but unless you set these variables at the top of the script they remain undeclared (or null? some bash guru will tell me I'm wrong, I'm sure ;-)). Because these are blank it keeps looking down the line, and the next thing it sees is -p, so it thinks that is what you are trying to use as the name of an interface (and that is of course invalid, so it fails).

So the easiest way to get up and running is to use the variables you have already declared, that is LAN_NIC and WAN_NIC. So everywhere you wrote INT_IF replace it with LAN_NIC, and change EXT_IF to WAN_NIC. Re-run your script and you should be sorted.
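The ruleset below is an added example, not code from the thread, and pulls together the points made so far: the LAN-side accept and trailing LOG rules from #4, the ICMP echo rules from #6, the SMB ports lappen listed in #3, and the failure from #7/#8, where an unset variable expands to nothing and "-i $INT_IF -p icmp" reaches iptables as "-i -p icmp". It also fixes the one thing nobody in the thread pointed out: the original "allow pinging" rules open TCP port 1241, which has nothing to do with ping (ICMP echo has no port). The interface names eth0/eth1, the 192.168.0.0/24 network and the $IPT convention follow the original post; DRY_RUN, run() and check_vars() are this example's own additions. SMB is accepted only on the LAN interface, which matters here because the posted smb.conf has guest-writable shares.

```shell
#!/bin/sh
# Added example, not from the thread: LAN-facing ruleset for a Samba server
# that is also the LAN's default gateway, in the style of the thread's own
# scripts (variables at the top, $IPT for the binary).

LAN_NIC=${LAN_NIC:-eth1}            # LAN side (assumed, as in the original post)
WAN_NIC=${WAN_NIC:-eth0}            # internet side (assumed)
LAN_IP_NET=${LAN_IP_NET:-192.168.0.0/24}
IPT=${IPT:-/sbin/iptables}

# Print the commands instead of running them unless DRY_RUN=0 (needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# An unset variable expands to nothing, so "-i $INT_IF -p icmp" becomes
# "-i -p icmp" and iptables answers "Bad argument icmp" (the error in #7).
# Refuse to emit any rule while a required variable is empty.
check_vars() {
    for v in LAN_NIC WAN_NIC LAN_IP_NET IPT; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "error: $v is not set" >&2
            return 1
        fi
    done
    return 0
}

load_rules() {
    check_vars || return 1

    run -F
    run -t nat -F
    run -X
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host opened itself.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ping sends ICMP echo-request; there is no TCP/UDP port for it, so a
    # "--dport" rule can never make ping work.
    run -A INPUT -i "$LAN_NIC" -p icmp --icmp-type echo-request -j ACCEPT

    # SMB/CIFS from the LAN only: NetBIOS name and datagram service
    # (137,138/udp), NetBIOS session (139/tcp), direct-hosted SMB (445/tcp).
    run -A INPUT -i "$LAN_NIC" -s "$LAN_IP_NET" -p udp -m multiport --dports 137,138 -j ACCEPT
    run -A INPUT -i "$LAN_NIC" -s "$LAN_IP_NET" -p tcp -m multiport --dports 139,445 -j ACCEPT

    # Services the original script exposed on every interface.
    run -A INPUT -p tcp --dport 22 -j ACCEPT
    run -A INPUT -p tcp --dport 80 -j ACCEPT

    # Nothing above matches SMB arriving on $WAN_NIC, so the INPUT policy
    # (DROP) handles it and the guest-writable shares stay LAN-only.

    # NAT for the LAN and stateful forwarding, as in the original script.
    run -t nat -A POSTROUTING -o "$WAN_NIC" -s "$LAN_IP_NET" -j MASQUERADE
    run -A FORWARD -i "$LAN_NIC" -s "$LAN_IP_NET" -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log what the policy is about to drop, rate-limited so a port scan
    # cannot fill the disk. The prefix is what you grep for in syslog.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "|ipt INPUT -- "
    run -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "|ipt FORWARD -- "

    if [ "$DRY_RUN" != 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Load only when run as "./fw.sh start"; sourcing the file or running it
# without an argument just defines the functions.
case "${1:-}" in
    start) load_rules ;;
esac
```

Run it once as `./fw.sh start` to review the commands it would issue, then `DRY_RUN=0 ./fw.sh start` as root to load them. Leaving the variables at the top and failing closed when one is empty is the whole defence against the "-i -p icmp" mistake: with an empty interface name, a rule such as `-i $LAN_NIC -j ACCEPT` would otherwise silently turn into an accept-everything rule on the next valid parse.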
 
#9  lappen, 10-01-2004, 09:08 AM
#external interface pointing to the internet
EXT_IF='eth1'
# internal / lan interface 192.something
INT_IF='eth0'
# location to iptables
IPT='/sbin/iptables'
# Your IP external one 'internet'
EXT_IP='xxx.xxx.xxx.xxx'

If it doesn't work, just remove the $VARS from the code and replace them with your information, for example 192.x.x.x instead of $INT_IF.


EDIT: sorry, didn't refresh the page before posting, didn't see your reply there

Last edited by lappen; 10-01-2004 at 09:09 AM.
 
#10  Sutekh, 10-01-2004, 08:13 PM
s'ok no such thing as too much help :-)
 
#11  davidk (Original Poster), 10-01-2004, 10:58 PM
Yup thats it. Thanks very much for all your help.
 
#12  davidk (Original Poster), 10-27-2004, 05:16 AM
While this issue has now been solved and finished, I did just notice something I forgot to ask. Where are my log files kept? What would they be called? I know Sutekh you showed me to add the lines in iptables to enable logging, but where does this write the logs?
thanks
David K
 
#13  win32sux (LQ Guru, Los Angeles; Ubuntu), 10-27-2004, 06:20 AM
Quote:
Originally posted by davidk
While this issue has now been solved and finished, I did just notice something I forgot to ask. Where are my log files kept? What would they be called? I know Sutekh you showed me to add the lines in iptables to enable logging, but where does this write the logs?
thanks
David K
usually they'd be in /var/log/syslog...
 
#14  dsegel, 10-27-2004, 11:04 AM
It depends on what logger you're running (e.g. metalog, syslog, syslog-ng, sysklog, etc.), but in general all the logs will be somewhere under /var/log. Sometimes you'll find directories for the program itself under there, e.g. /var/log/samba.
 
#15  Sutekh, 10-27-2004, 11:23 PM
yeah what they said!

another place they may be is /var/log/messages
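Once the LOG rules from #4 are in place, the kernel writes one line per logged packet into whatever file the logger puts kernel messages in (/var/log/messages or /var/log/syslog, as #13 to #15 say), each carrying the `--log-prefix` string followed by IN=, SRC=, PROTO=, DPT= and so on. The function below, an added example and not from the thread, boils a day of those lines down to who was knocking on which port. The log lines in SAMPLE_LOG are constructed to look like kernel LOG output for this example; the host name, addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarize iptables LOG lines from
# syslog. SAMPLE_LOG is constructed test data, not real log output.

SAMPLE_LOG='Oct 27 06:20:01 shihan kernel: |ipt INPUT -- IN=eth0 OUT= MAC=00:0c:29:3e:1a:7f:00:50:56:c0:00:08:08:00 SRC=10.0.0.99 DST=10.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=1234 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 27 06:20:03 shihan kernel: |ipt INPUT -- IN=eth0 OUT= MAC=00:0c:29:3e:1a:7f:00:50:56:c0:00:08:08:00 SRC=10.0.0.99 DST=10.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=1235 DF PROTO=TCP SPT=3457 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 27 06:20:04 shihan kernel: |ipt INPUT -- IN=eth1 OUT= MAC=00:0c:29:3e:1a:80:00:11:22:33:44:55:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Oct 27 06:20:09 shihan kernel: |ipt INPUT -- IN=eth0 OUT= MAC=00:0c:29:3e:1a:7f:00:50:56:c0:00:08:08:00 SRC=10.0.0.77 DST=10.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=42 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 27 06:20:10 shihan smbd[1234]: connect to service share initially as user pcguest'

# Read log lines on stdin; print "count interface proto port source" for
# every distinct combination, most frequent first. Only lines carrying the
# "|ipt " prefix from the LOG rules are considered; ICMP packets have no
# port, so the ICMP type is shown as "typeN" instead.
drop_summary() {
    grep -F '|ipt ' | awk '
    {
        in_if = ""; proto = ""; dport = "-"; src = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")    in_if = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dport = kv[2]
            if (kv[1] == "TYPE")  dport = "type" kv[2]
            if (kv[1] == "SRC")   src = kv[2]
        }
        count[in_if " " proto " " dport " " src]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Total hits on one interface/protocol/port across all sources in the
# sample, e.g. "drop_count eth0 TCP 445" (ICMP: "drop_count eth1 ICMP type8").
drop_count() {
    printf '%s\n' "$SAMPLE_LOG" | drop_summary | awk -v want="$1 $2 $3" '
        { if ($2 " " $3 " " $4 == want) total += $1 }
        END { print total + 0 }'
}
```

Against a real box, run `drop_summary < /var/log/messages` (or whichever file the logger uses). In the sample, the two SYNs to 445/tcp and the one to 139/tcp arrive on eth0, the internet side, which is exactly the traffic a Samba host must never answer; the echo-request on eth1 is the LAN ping the thread was trying to allow, so seeing it in the log means the ICMP rule is still missing or is placed after the LOG rule.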
 
  

