LinuxQuestions.org - iptables blocking samba connection to WinXP

- Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)

- - iptables blocking samba connection to WinXP (https://www.linuxquestions.org/questions/linux-networking-3/iptables-blocking-samba-connection-to-winxp-275163/)

iptables blocking samba connection to WinXP

Hi All,

I am using a Linux with iptables for the first time and it is blocking my samba connection to a network client running winxp. The XP client can see the "Samba Server" but can't connect. With iptables stopped the connection runs fine. How do I open the firewall to the local network?

Many thanks for any help.

You need to open udp port 137,138 and tcp port 139,445
eg:

Code:

/sbin/iptables -I INPUT -i eth0 -p udp -m multiport --dports 137,138 -j ACCEPT 

/sbin/iptables -I INPUT -i eth0 -p tcp -m multiport --dports 139,445 -j ACCEPT

I believe there is a typo in the first command. Instead of

Code:

-p tcp

is should read

Code:

-p udp

First line ONLY!

Secondly, this doesnt allow print support to a printer share on a Windows XP machine. Any suggestions for getting thru iptables for that?

Yea you're right about the typo, thanks for that, made the correction.
For printing to a Windows shared printer it shouldn't have anything to do with iptables as long as you're not limiting outgoing connections.

Well I have an almost fresh install of FC3, with iptables running by default (ie. out of the box rules). Yet to print to or even connect to a Windows printer i have to shutdown the iptables service.

I couldn't even add the print queue for the printer unless i disabled iptables. It refused to detect the printer on the network or connect to it when i fully specified its location on the LAN.

I'm able to print to a smb shared printer on Windows through cups even with this as my firewall(ie not allowing *any* incoming at all)

Code:

# Generated by iptables-save v1.2.11 on Sat Jan  8 23:26:02 2005

*filter

:INPUT DROP [3:536]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [4504:4872351]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

COMMIT

# Completed on Sat Jan  8 23:26:02 2005

Can you post the output of /sbin/iptables-save ?

There it is. How can i remove lines? I didn't read your first post correctly the first time and made the mistake of putting 137 & 138 on tcp as well as udp before i reaslised the typo. Prior to your suggested additions everything else was default and all I can say is that I found that after stopping iptables I was able to see the printer and print.

# Generated by iptables-save v1.2.11 on Sat Jan 8 19:13:11 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [196533:19142927]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 137,138,139,445 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Jan 8 19:13:11 2005

You can delete then using line number, for example if you wish to delete the 3rd line in the INPUT chain (-A INPUT -i eth0 -p tcp -m multiport --dports 137,138,139,445 -j ACCEPT in your case)

/sbin/iptables -D INPUT 3

Try adding some logging before packets are rejected and see what exactly doesn't get through the firewall when you try to print.

/sbin/iptables -I RH-Firewall-1-INPUT 9 -j LOG --log-prefix="Rejected:"

you can see the log with "dmesg"

Samba and IP Tables

No Joy. Even with the new lines the iptables is blocking the samba connection. Turned off, everything works great. The answers have put me on the right track , I believe, so I will press on. Thanks for all the help and info. Any other ideas gratefully appreciated.

can you post your rules?

port 631 for printing

jdblick,

is that a tcp or udp port?
thanks

I want to say tcp, but am not positive.

having same problem - need help

I am having the same problem. With iptables stopped, I can print to my WinXP printer with samba. However, with iptables running, my fc3 linux box cannot see the WinXP machine, and will not print to its printer. I have posted a copy of my output from iptables-save below:

# Generated by iptables-save v1.2.11 on Sun Jan 30 14:24:05 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1919:202200]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Can anyone suggest what I am doing wrong, and how to fix it?