SAMBA and IPTABLES woes!

I'm having huge difficulty getting my IP tables to allow samba connections. I cant browse my "network neighborhood" from any PC on my network (all windows + Mac OS X except RH9 server) unless IPTABLES is turned off on my server (its the master browser). I need to be able to connect to the server for file sharing! Here is my IPTABLES.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 901 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 64.105.172.26 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 64.105.163.106 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT

# What I added for Samba (obviously wrong)
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 137:139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:139 -j ACCEPT

COMMIT

Please help me figure out what I should put in iptables for samba file sharing! Thanks. Ideally I'd like the samba ports to be only accessable on my local network (192.168.0.*)

pleeeeeeeeeeeeease... i keep reading about different configurations! Whats the easiest method of allowing samba connections without disabling IPTABLES??

why don't you build your own Iptables script instead using buggy Lokkit thing?
this is a very weird firewall script, I can't find whatdoes this RH-Lokkit-0-50-INPUT thing, I belibve it is used to "filter" every INPUT and FORWARD entry to rules below but not sure.

since I don't understand this, you're probably not, too. Build your OWN iptables script and everything will go fine.

Well no, the script works fine, I just screwed around and added those last two entries at the bottom -- obviously they are weird and dont work. Lokkit is just a simple iptables configuration builder from redhat. I would just like to have somebody tell me some simple entries that will get samba working... you'd think it would be pretty straightforward, and why redhat doesnt have it as a lokkit option is beyond me.

I agree with Half_Elf -- build your own iptables script. The lokkit generated one is not meant to be manually customized.

Second, you're interested in opening your SMB shares only within your home LAN, right? You need to configure your iptables so that it allows all traffic originating from your LAN facing network card, but blocks unwanted intrusion from the internet facing network card.

Try this:

# !/bin/sh
# simple iptables script; check references below to harden it
# Red Hat: copy this script to /etc/rc.d/init.d and chmod +x
# Slackware: name this script iptables.sh and call from rc.local

# eth0 is internet facing network card
# eth1 is home LAN facing network card

# load iptables modules
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack

# enable ip forwarding
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush tables
/sbin/iptables -F
/sbin/iptables -X

# enable masquerading to allow LAN internet access
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# forward home LAN traffic (email, counter-strike etc) to internet
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow SSH
echo -e " - Allowing EXTERNAL access to the SSH server"
/sbin/iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT

# allow HTTP
echo -e " - Allowing EXTERNAL access to the HTTP server"
/sbin/iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out internet intrusion on eth0
/sbin/iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP


# REFERENCES
# Netfilter iptables home -- http://www.netfilter.org/
# Frozen Tux iptables tutorial -- http://iptables-tutorial.frozentux.net/
# IP masquerade HOWTO -- http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html

# SAMPLE SCRIPTS
# Arno's hardened iptables script -- http://freshmeat.net/projects/iptabl.../?topic_id=151
# Jay's homeLAN iptables -- http://firewall-jay.sourceforge.net/

hosts.allow and hosts.deny will affect this too, although Lokkit is a bit of a sledgehammer one size fits all that doesn't allow for deviations.

here's a part of my /etc/sysconfig/iptables files:

-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT


check yours and put the "137:139" entries to the same spot like where a I havemine.

then do a /sbin/service iptables restart.

then, runthis:

iptables -L

u should have something like these:

ACCEPT tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
ACCEPT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn

hth.

Quote:

Originally posted by Bungo2000 I'm having huge difficulty getting my IP tables to allow samba connections. I cant browse my "network neighborhood" from any PC on my network (all windows + Mac OS X except RH9 server) unless IPTABLES is turned off on my server (its the master browser). I need to be able to connect to the server for file sharing! Here is my IPTABLES. # Firewall configuration written by lokkit # Manual customization of this file is not recommended. # Note: ifup-post will punch the current nameservers through the # firewall; such entries will *not* be listed here. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Lokkit-0-50-INPUT - [0:0] -A INPUT -j RH-Lokkit-0-50-INPUT -A FORWARD -j RH-Lokkit-0-50-INPUT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 901 --syn -j ACCEPT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 64.105.172.26 --sport 53 -d 0/0 -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 64.105.163.106 --sport 53 -d 0/0 -j ACCEPT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT # What I added for Samba (obviously wrong) -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 137:139 --syn -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:139 -j ACCEPT COMMIT Please help me figure out what I should put in iptables for samba file sharing! Thanks. Ideally I'd like the samba ports to be only accessable on my local network (192.168.0.*)

In RH 7.x you could NOT use blank lines in this file...
Maybe this is your problem?

Thanks born4linux -- that did the trick very nicely indeed!

ur welcome dude.

born4linux,

I was having the same problem. I did what you suggested and it worked for me too. Why did you say that the order of the ipchains file is important? I tried just appending the new rules for udp and tcp but I was never able to get Samba working until I placed the rules where you indicated.

Thanks,

Andy