LinuxQuestions.org
Old 06-28-2003, 03:16 PM   #1
Bungo2000
Member
 
Registered: Mar 2002
Location: San Francisco, CA
Distribution: Redhat 9
Posts: 35

Rep: Reputation: 15
SAMBA and IPTABLES woes!


I'm having huge difficulty getting my IP tables to allow samba connections. I can't browse my "network neighborhood" from any PC on my network (all Windows + Mac OS X except the RH9 server) unless IPTABLES is turned off on my server (it's the master browser). I need to be able to connect to the server for file sharing! Here is my IPTABLES.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 901 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 64.105.172.26 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 64.105.163.106 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT

# What I added for Samba (obviously wrong)
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 137:139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:139 -j ACCEPT

COMMIT

Please help me figure out what I should put in iptables for samba file sharing! Thanks. Ideally I'd like the samba ports to be only accessible on my local network (192.168.0.*)

Last edited by Bungo2000; 06-28-2003 at 03:18 PM.
 
Old 06-28-2003, 06:59 PM   #2
Bungo2000
Member
 
Registered: Mar 2002
Location: San Francisco, CA
Distribution: Redhat 9
Posts: 35

Original Poster
Rep: Reputation: 15
Pleeeeeeeeeeeeease... I keep reading about different configurations! What's the easiest method of allowing samba connections without disabling IPTABLES??
 
Old 06-28-2003, 07:33 PM   #3
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
Why don't you build your own iptables script instead of using that buggy Lokkit thing?
This is a very weird firewall script; I can't find out what this RH-Lokkit-0-50-INPUT thing does. I believe it is used to "filter" every INPUT and FORWARD entry through the rules below, but I'm not sure.

Since I don't understand this, you probably don't either. Build your OWN iptables script and everything will go fine.
 
Old 06-28-2003, 07:43 PM   #4
Bungo2000
Member
 
Registered: Mar 2002
Location: San Francisco, CA
Distribution: Redhat 9
Posts: 35

Original Poster
Rep: Reputation: 15

Well no, the script works fine, I just screwed around and added those last two entries at the bottom -- obviously they are weird and don't work. Lokkit is just a simple iptables configuration builder from Red Hat. I would just like to have somebody tell me some simple entries that will get samba working... you'd think it would be pretty straightforward, and why Red Hat doesn't have it as a lokkit option is beyond me.
 
Old 06-28-2003, 08:21 PM   #5
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
I agree with Half_Elf -- build your own iptables script. The lokkit-generated one is not meant to be manually customized.

Second, you're interested in opening your SMB shares only within your home LAN, right? You need to configure your iptables so that it allows all traffic originating from your LAN-facing network card, but blocks unwanted intrusion from the internet-facing network card.

Try this:

#!/bin/sh
# simple iptables script; check references below to harden it
# Red Hat: copy this script to /etc/rc.d/init.d and chmod +x
# Slackware: name this script iptables.sh and call from rc.local

# eth0 is internet facing network card
# eth1 is home LAN facing network card

# load iptables modules
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack

# enable ip forwarding
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush tables (rules and user chains only; the built-in chain policies stay
# at ACCEPT, which is what lets traffic arriving on the LAN card eth1 through)
/sbin/iptables -F
/sbin/iptables -X

# enable masquerading to allow LAN internet access
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# forward home LAN traffic (email, counter-strike etc) to internet
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow SSH
echo -e " - Allowing EXTERNAL access to the SSH server"
/sbin/iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT

# allow HTTP
echo -e " - Allowing EXTERNAL access to the HTTP server"
/sbin/iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out internet intrusion on eth0
/sbin/iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP


# REFERENCES
# Netfilter iptables home -- http://www.netfilter.org/
# Frozen Tux iptables tutorial -- http://iptables-tutorial.frozentux.net/
# IP masquerade HOWTO -- http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html

# SAMPLE SCRIPTS
# Arno's hardened iptables script -- http://freshmeat.net/projects/iptabl.../?topic_id=151
# Jay's homeLAN iptables -- http://firewall-jay.sourceforge.net/
 
Old 06-28-2003, 09:27 PM   #6
Looking_Lost
Senior Member
 
Registered: Apr 2003
Location: Eire
Distribution: Slackware 12.0, OpenSuse 10.3
Posts: 1,120

Rep: Reputation: 45
hosts.allow and hosts.deny will affect this too, although Lokkit is a bit of a one-size-fits-all sledgehammer that doesn't allow for deviations.
 
Old 06-29-2003, 04:06 AM   #7
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
Here's a part of my /etc/sysconfig/iptables file:

-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT


Check yours and put the "137:139" entries in the same spot where I have mine.

Then do a /sbin/service iptables restart.

Then run this:

iptables -L

You should have something like this:

ACCEPT tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
ACCEPT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn

hth.
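Why the placement born4linux describes matters: iptables walks a chain top to bottom and stops at the first terminating target, so ACCEPT rules appended after the catch-all REJECT lines are never reached (which is also the answer to the question about rule order asked later in the thread). The following is an added Python example, not code from the thread, that models that first-match evaluation for the rule syntax used above and adds the -s 192.168.0.0/24 source restriction the original poster asked for; as simplifying assumptions, --syn, --sport and -m are ignored by the model, and the rule lists are constructed from the thread's lines.

```python
import ipaddress
# Minimal model of iptables first-match evaluation for the rule syntax used
# in this thread (-A, -p, --dport, -s, -i, -j). --syn, --sport and -m are
# ignored: a new connection's SYN matches --syn anyway.
FLAGS = {"-A": "chain", "-p": "proto", "--dport": "dport",
         "-s": "src", "-i": "iface", "-j": "target"}
def parse_rule(line):
    toks = line.split()
    return {FLAGS[t]: toks[i + 1] for i, t in enumerate(toks) if t in FLAGS}

def matches(rule, pkt):
    lo, _, hi = rule.get("dport", "0:65535").partition(":")
    return (rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("iface", pkt["iface"]) == pkt["iface"]
            and int(lo) <= pkt["dport"] <= int(hi or lo)
            and (rule.get("src", "0/0") == "0/0"  # 0/0 means any source
                 or ipaddress.ip_address(pkt["src"])
                 in ipaddress.ip_network(rule["src"], strict=False)))

def verdict(rules, chain, pkt):
    # Walk CHAIN top to bottom, stop at the first terminating target, descend on
    # -j into a user chain; None means the chain policy (ACCEPT here) applies.
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        sub = verdict(rules, r["target"], pkt)
        if sub:
            return sub
    return None

# OP's chain (trimmed); the Samba rules carry the -s 192.168.0.0/24 limit asked for.
BASE = [
    "-A INPUT -j RH-Lokkit-0-50-INPUT",
    "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT",
    "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT",
    "-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT",
]
SMB = [
    "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT",
    "-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT",
]
APPENDED = BASE + SMB                 # OP's placement: after the catch-all REJECTs
INSERTED = BASE[:1] + SMB + BASE[1:]  # born4linux's placement: before them

def smb_verdict(lines, src="192.168.0.10"):
    # Verdict for a TCP SYN to port 139 arriving on eth1 from SRC.
    pkt = {"proto": "tcp", "dport": 139, "src": src, "iface": "eth1"}
    return verdict([parse_rule(l) for l in lines], "INPUT", pkt)
```

smb_verdict(APPENDED) returns "REJECT" while smb_verdict(INSERTED) returns "ACCEPT", and the same rules still reject a non-LAN source such as the constructed address 203.0.113.7.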
 
Old 06-29-2003, 06:34 AM   #8
apeekaboo
Member
 
Registered: Apr 2003
Location: Stockholm/Sweden
Distribution: Kubuntu, Debian, Slax
Posts: 91

Rep: Reputation: 16
Re: SAMBA and IPTABLES woes!

Quote:
Originally posted by Bungo2000
I'm having huge difficulty getting my IP tables to allow samba connections. I cant browse my "network neighborhood" from any PC on my network (all windows + Mac OS X except RH9 server) unless IPTABLES is turned off on my server (its the master browser). I need to be able to connect to the server for file sharing! Here is my IPTABLES.
In RH 7.x you could NOT use blank lines in this file...
Maybe this is your problem?
 
Old 06-29-2003, 01:35 PM   #9
Bungo2000
Member
 
Registered: Mar 2002
Location: San Francisco, CA
Distribution: Redhat 9
Posts: 35

Original Poster
Rep: Reputation: 15
YES!

Thanks born4linux -- that did the trick very nicely indeed!
 
Old 06-29-2003, 02:24 PM   #10
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
You're welcome, dude.
 
Old 02-02-2004, 05:41 PM   #11
andrewstr
Member
 
Registered: Oct 2003
Location: WA--USA
Distribution: Red Hat 9, Suse 10.2
Posts: 144

Rep: Reputation: 15
born4linux,

I was having the same problem. I did what you suggested and it worked for me too. Why did you say that the order of the ipchains file is important? I tried just appending the new rules for udp and tcp but I was never able to get Samba working until I placed the rules where you indicated.

Thanks,

Andy
 