LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-11-2004, 09:55 AM   #1
ichitaka
LQ Newbie
 
Registered: Jul 2004
Posts: 2

Rep: Reputation: 0
iptables on server machine


Hi all,
i was crawling all the web for that information, but no success. So now im here.

Setting up a sambaserver... all right.

Connecting win2k clients... all right.

rising up an iptables script... no connect.

well, this means: i was putting a firewall on the servermachin smaba in the internal network whith ip 192.168.1.60. All other clients 192.168.1.10 ~ 90 should connect on ports 135~139, 445 and 53 (couse bind is running to on that machin), but never not even on any other port.

Problem, when im rising up the iptables script, the clients stop talking with the server anymore.

We are running on debian/sarge with kernel 2.6.

Modules loaded:

ipt_LOG
ipt_state
ip_conntrack
iptable_filter
ip_tables


open rules:


$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --dport 135:139 -j ACCEPT

$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $EXT_IP --dport 445 -j ACCEPT

$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --dport 135:139 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --sport 135:139 -j ACCEPT

$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $LAN -i $EXT_IP --sport 445 -j ACCEPT


As you can see, im that deperate, that i opend all possible connections.

thanks for any advise.

ichitaka
 
Old 07-11-2004, 10:33 AM   #2
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
Normally EXT_IP represents the ip address associated with the external or Internet interface of the machine, and INT_IP is the LAN ip. In which case you are allowing internal addresses to connect to the external interface on those ports, which isn't going to work.

I like to set up nmap on a client and run scans against the server to verify the ports are opening. You can use nmapwin if the client is a windows box.
 
Old 07-11-2004, 05:29 PM   #3
ichitaka
LQ Newbie
 
Registered: Jul 2004
Posts: 2

Original Poster
Rep: Reputation: 0
silly variable

> Normally EXT_IP represents the ip address associated with the external
> or Internet interface of the machine, and INT_IP is the LAN ip.

right, silly as i am, i set the variable $EXT_IP as eth0.

ichitaka
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IPTABLES with SENDMAIL on local machine bradb21 Linux - Networking 5 06-03-2005 11:01 AM
iptables tracking machine eranb2 Linux - Security 4 01-07-2005 11:12 AM
if i run iptables-save ... is it permanent even if machine is rebooted? kublador Linux - General 4 08-31-2004 10:25 PM
Iptables Need It To Route To A Windows Machine For Remote Desktop sal_paradise42 Linux - General 2 11-11-2003 08:20 PM
snort and iptables on same machine cestor Linux - Security 8 06-13-2002 03:32 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:27 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration