Old 01-18-2006, 09:11 AM   #1
pingu
Senior Member
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,317
My iptables rules prevent Samba (nmbd) from starting


A small problem:
A Samba server (FC4) with my own "firewall" - iptables rules.
Thing is, Samba will run (and stop) but not start/restart when the firewall is active. (SELinux doesn't protect Samba.) Also, connections are very slow, even though they do work in the end.
"service samba restart" starts smbd, but not nmbd - the prompt hangs forever. Nothing in smbd/nmbd.log! No connections possible.
If I change the policy to ACCEPT on OUTPUT + INPUT, Samba restarts fine.
So there is something I need to allow outbound, more than 135, 137-139, 445 - but what???
NB: the firewall doesn't block nmbd/smbd - it only prevents the service from starting.
Here's my firewall_rules:
Code:
# ----- First we flush everything
        iptables -X
        iptables -F
        iptables -Z

# ----- Drop everything that is not explicitly allowed.
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

# ----- In particular, block connections between the two networks
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -A INPUT -s 10.0.4.1/23 -d 172.16.1.0/24 -j DROP
        iptables -A INPUT -s 172.16.1.0/24 -d 10.0.4.1/23 -j DROP

# ----- Accepted connections:
#       Established connections are allowed
        iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----- DNS
        iptables -A INPUT -p tcp --dport 53 -j ACCEPT
        iptables -A INPUT -p udp --dport 53 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# ----- Samba & WINS
        iptables -A INPUT -p tcp --dport 135 -s 10.0.4.1/23 -d 10.0.4.6 -j ACCEPT
        iptables -A INPUT -p udp --dport 137:138 -s 10.0.4.1/23 -d 10.0.4.6 -j ACCEPT
        iptables -A INPUT -p tcp --dport 139 -s 10.0.4.1/23 -d 10.0.4.6 -j ACCEPT
        iptables -A INPUT -p tcp --dport 445 -s 10.0.4.1/23 -d 10.0.4.6 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 135 -d 10.0.4.6 -j ACCEPT
        iptables -A OUTPUT -p udp --dport 137:138 -d 10.0.4.6 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 139 -d 10.0.4.6 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 445 -d 10.0.4.6 -j ACCEPT

        iptables -A INPUT -p tcp --dport 135 -s 172.16.1.1/24 -d 172.16.1.6 -j ACCEPT
        iptables -A INPUT -p udp --dport 137:138 -s 172.16.1.1/24 -d 172.16.1.6 -j ACCEPT
        iptables -A INPUT -p tcp --dport 139 -s 172.16.1.1/24 -d 172.16.1.6 -j ACCEPT
        iptables -A INPUT -p tcp --dport 445 -s 172.16.1.1/24 -d 172.16.1.6 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 135 -d 172.16.1.6 -j ACCEPT
        iptables -A OUTPUT -p udp --dport 137:138 -d 172.16.1.6 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 139 -d 172.16.1.6 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 445 -d 172.16.1.6 -j ACCEPT

# ----- SSH is allowed from the staff network
        iptables -A INPUT -p tcp --dport 999 -s 172.16.1.0/24 -j ACCEPT
 
Old 01-18-2006, 09:56 AM   #2
Half_Elf
Guru
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163
Strange problem indeed...
You have several rules for smbd/nmbd that are filtered by IP; however, nmbd usually sends its requests via broadcast. It is possible that nmbd is unable to start because it can't broadcast anything. Make sure to allow broadcasting for nmbd (port 137 or 138?).
 
Old 01-18-2006, 12:03 PM   #3
pingu
Senior Member
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,317
Original Poster
Thanks for the suggestion!
Now at least I get something in the log for nmbd:

First, this computer is connected to 2 AD domains, not a member of either.
WINS is used, hostname UGGLAN tied to 172.16.1.6. Same WINS server for both domains (not under my control).

nmbd.log reports (repeatedly!):
Code:
[2006/01/18 17:47:02, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 172.30.1.3(137) ERRNO=Operation not permitted
[2006/01/18 17:47:02, 0] nmbd/nmbd_packets.c:send_netbios_packet(163)
  send_netbios_packet: send_packet() to IP 172.30.1.3 port 137 failed
[2006/01/18 17:47:02, 0] nmbd/nmbd_namerelease.c:wins_release_name(166)
  release_name: Failed to send packet trying to release name UGGLAN<20> IP 10.0.4.6
This is repeated for both interfaces, and next (also for both):
Code:
[2006/01/18 17:48:17, 0] nmbd/nmbd.c:main(669)
  Netbios nameserver version 3.0.14a-2 started.
  Copyright Andrew Tridgell and the Samba Team 1994-2004
[2006/01/18 17:48:17, 0] nmbd/nmbd.c:main(688)
  standard input is not a socket, assuming -D option
[2006/01/18 17:48:17, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 172.30.1.3(137) ERRNO=Operation not permitted
[2006/01/18 17:48:17, 0] nmbd/nmbd_packets.c:send_netbios_packet(163)
  send_netbios_packet: send_packet() to IP 172.30.1.3 port 137 failed
[2006/01/18 17:48:17, 0] nmbd/nmbd_nameregister.c:multihomed_register_one(334)
  multihomed_register_one: Failed to send packet trying to register name UGGLAN<20> IP 10.0.4.6
Now I added the IP of the WINS server 172.30.1.3, UDP ACCEPT IN+OUT.
It still doesn't work - but nothing is written in the log...
However, issuing
#nmbd start
seems to work! ps -e shows an nmbd process - and the log is filled with the same messages as above...
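As an added example (not code from the thread), here is a small Python parser for nmbd.log lines in the format quoted above. It counts the failed sends per destination and, for the ones failing with EPERM, which is what an iptables DROP in the OUTPUT chain returns to the local sending socket, prints the OUTPUT rule that would let that packet out. The sample log is constructed: the 172.30.1.3 lines follow the thread, the 10.0.5.255 and 172.30.1.9 entries are invented to show a broadcast destination and a non-firewall error.

```python
import re
from collections import Counter

# Constructed sample, modelled on the nmbd.log lines quoted in the thread.
# 10.0.5.255 (a subnet broadcast) and 172.30.1.9 are made up for illustration.
SAMPLE_LOG = """\
[2006/01/18 17:47:02, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 172.30.1.3(137) ERRNO=Operation not permitted
[2006/01/18 17:47:02, 0] nmbd/nmbd_packets.c:send_netbios_packet(163)
  send_netbios_packet: send_packet() to IP 172.30.1.3 port 137 failed
[2006/01/18 17:47:03, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 10.0.5.255(137) ERRNO=Operation not permitted
[2006/01/18 17:47:03, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 172.30.1.3(137) ERRNO=Operation not permitted
[2006/01/18 17:47:04, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 172.30.1.9(137) ERRNO=Network is unreachable
"""

# Matches the "Packet send failed to <ip>(<port>) ERRNO=<text>" line nmbd writes.
SEND_FAIL = re.compile(
    r"Packet send failed to (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<port>\d+)\) ERRNO=(?P<err>.+)$"
)

def failed_sends(log_text):
    """Count failed nmbd sends, keyed by (dst_ip, dst_port, errno text)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SEND_FAIL.search(line)
        if m:
            counts[(m["ip"], int(m["port"]), m["err"])] += 1
    return counts

def suggest_output_rules(counts):
    """One OUTPUT ACCEPT rule per distinct destination whose sends fail with EPERM.
    A DROP verdict in the OUTPUT chain surfaces to the local sender as EPERM
    ("Operation not permitted"); other errnos (unreachable etc.) are routing or
    interface problems rather than firewall drops, so they are skipped."""
    rules = []
    for ip, port, err in sorted(counts):
        if err != "Operation not permitted":
            continue
        # nmbd speaks UDP on 137/138; the destination may be the unicast WINS
        # server or a subnet broadcast address, the rule form is the same.
        rules.append(f"iptables -A OUTPUT -p udp -d {ip} --dport {port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    failures = failed_sends(SAMPLE_LOG)
    for (ip, port, err), n in sorted(failures.items()):
        print(f"{n:3d}x  {ip}:{port}  {err}")
    print("\n".join(suggest_output_rules(failures)))
```

Note that the ruleset quoted in the first post tracks connection state only with `-p tcp`, so a WINS reply coming back on UDP would additionally need its own INPUT rule (or a state rule that is not restricted to TCP).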