LinuxQuestions.org
Old 10-13-2005, 05:30 PM   #1
ozric99
LQ Newbie
 
Registered: Dec 2002
Posts: 10

Rep: Reputation: 0
samba browsing blocked by iptables script


I have a debian sid/unstable system that has been running just fine as an ssh server and ntp/dns client. I've now installed samba and need a nudge in the right direction to fix the iptables rules.

The server is on 10.10.10.7 in a 10.10.10.0/24 network.

My iptables rules are below. The samba share works fine without iptables running - as soon as I try these rules the share times out.

iptables -F
iptables -N FIREWALL
iptables -F FIREWALL
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j FIREWALL
iptables -A FIREWALL -p tcp -m tcp -s 10.10.10.0/24 --dport 22 --syn -j ACCEPT
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -p udp -m udp --sport 53 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A FIREWALL -p udp -m udp --dport 123 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --syn -j REJECT
iptables -A FIREWALL -p udp -m udp -j REJECT
iptables -A INPUT -p udp -s 10.10.10.0/24 -d 10.10.10.7 -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.10.0/24 -d 10.10.10.7 -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -s 10.10.10.0/24 -d 10.10.10.255 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -d 10.10.10.7 -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d 10.10.10.7 -m multiport --dports 139,445 -j DROP
iptables -A OUTPUT -s 10.10.10.7 -d 10.10.10.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-save > /etc/firewall-rules
iptables-restore < /etc/firewall-rules
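
An added example, not part of the thread: a minimal first-match walk over the rules posted above, reporting which rule decides a NetBIOS name query and an SMB connection attempt. The client address 10.10.10.5, the interface eth0 and source port 40000 are assumed sample values, and only the match options used in the post are modelled (no connection state).

```python
import ipaddress
# Filtering rules copied from the first post, in the order the script appends them.
RULES = """\
-A INPUT -j FIREWALL
-A FIREWALL -p tcp -m tcp -s 10.10.10.0/24 --dport 22 --syn -j ACCEPT
-A FIREWALL -i lo -j ACCEPT
-A FIREWALL -p udp -m udp --sport 53 -j ACCEPT
-A FIREWALL -p tcp -m tcp --sport 53 -j ACCEPT
-A FIREWALL -p udp -m udp --dport 123 -j ACCEPT
-A FIREWALL -p tcp -m tcp --syn -j REJECT
-A FIREWALL -p udp -m udp -j REJECT
-A INPUT -p udp -s 10.10.10.0/24 -d 10.10.10.7 -m multiport --dports 137,138 -j ACCEPT
-A INPUT -p tcp -s 10.10.10.0/24 -d 10.10.10.7 -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -s 10.10.10.0/24 -d 10.10.10.255 --dport 137 -j ACCEPT
-A INPUT -p udp -d 10.10.10.7 -m multiport --dports 137,138 -j DROP
-A INPUT -p tcp -d 10.10.10.7 -m multiport --dports 139,445 -j DROP
"""
FLAGS = ("-p", "-s", "-d", "-i", "--sport", "--dport", "--dports", "-j")

def parse(text):
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        o = dict({f.lstrip("-"): tok[tok.index(f) + 1] for f in FLAGS if f in tok}, syn="--syn" in tok)
        chains.setdefault(tok[1], []).append((line, o))  # tok[1] is the chain name
    return chains

def matches(o, pkt):
    ports = o.get("dports", o.get("dport"))
    return ((pkt.get("syn", False) or not o["syn"])
            and o.get("p", pkt["p"]) == pkt["p"] and o.get("i", pkt["i"]) == pkt["i"]
            and all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(o[k]) for k in "sd" if k in o)
            and int(o.get("sport", pkt["sport"])) == pkt["sport"]
            and (ports is None or pkt["dport"] in map(int, ports.split(","))))

def verdict(chains, pkt, chain="INPUT"):
    for line, o in chains[chain]:
        if matches(o, pkt):  # first terminating match wins; a jump recurses into the user chain
            hit = verdict(chains, pkt, o["j"]) if o["j"] in chains else (o["j"], line)
            if hit:
                return hit
    return None  # end of chain: back to the caller, or the built-in chain's policy

CHAINS = parse(RULES)
# Constructed packets from a hypothetical LAN client 10.10.10.5 arriving on eth0.
NAME_QUERY = dict(p="udp", i="eth0", s="10.10.10.5", d="10.10.10.255", sport=137, dport=137)
SMB_SYN = dict(p="tcp", i="eth0", s="10.10.10.5", d="10.10.10.7", sport=40000, dport=445, syn=True)
if __name__ == "__main__":
    print(verdict(CHAINS, NAME_QUERY), verdict(CHAINS, SMB_SYN), sep="\n")
```

Both sample packets are decided inside the FIREWALL chain, before any of the Samba rules appended to INPUT are evaluated.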
 
Old 10-13-2005, 07:23 PM   #2
Vincent_Vega
Member
 
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825

Rep: Reputation: 31
Try changing your OUTPUT rule to allow all output to 10.10.10.0/24, not just Established/Related and see if that helps. Try adding "NEW" to the state requirements.

Last edited by Vincent_Vega; 10-13-2005 at 07:25 PM.
 
Old 10-14-2005, 10:52 AM   #3
ozric99
LQ Newbie
 
Registered: Dec 2002
Posts: 10

Original Poster
Rep: Reputation: 0
Thank you for your suggestion. I've made the change but still have the same problem. I am able to hit a share directly but cannot browse available shares in the samba workgroup.

When I flush the iptables rules I am able to see the workgroup in Windows' "My Network Places" and can browse its shares.

This is the change I made - I hope it was the one you suggested:

I changed:

iptables -A OUTPUT -s 10.10.10.7 -d 10.10.10.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

to:

iptables -A OUTPUT -s 10.10.10.7 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
 
Old 10-18-2005, 01:52 PM   #4
ozric99
LQ Newbie
 
Registered: Dec 2002
Posts: 10

Original Poster
Rep: Reputation: 0
I've gone back to this today and had a few goes at trying to get it working. Still no luck.

Wondering if anyone else has any ideas?

Thanks.
 
Old 10-27-2005, 07:27 AM   #5
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
I have a similar problem with IPTables for samba. The temporary solution for me was adding the WINS server IP on the client machines.

I tried every damn thing but it still doesn't work.
 
  



All times are GMT -5. The time now is 02:20 AM.
