LinuxQuestions.org
Old 03-12-2006, 03:07 PM   #1
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Rep: Reputation: 30
problem with iptables and Samba


Hello

I have the following problem: I'm running Samba on Aurox 11.0 with a
connection to Win XP. I have built my iptables firewall and added the following lines:

iptables -I INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --destination-port 139,445 -j ACCEPT

to make my Windows shares available to Linux. However, it doesn't work.

I can connect to Win shares only when I turn on INPUT to all connections

iptables -P INPUT ACCEPT

When I replace ACCEPT with DROP I can't enter my Win shares.

What's wrong?


Cheers
 
Old 03-12-2006, 10:36 PM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Do you think you could give us a little bit more detailed explanation of your network setup please? I think that would help in trying to solve your problem. Thanks!
 
Old 03-13-2006, 02:54 AM   #3
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Original Poster
Rep: Reputation: 30
reply

My first computer - Aurox 11.0, eth0 - connection with the Internet,
eth1 - connection with the Win computer. IP address of internal net -
192.168.0.1

My second computer - Win XP, eth1 - connection with Aurox, IP address - 192.168.0.2

Internet works on both computers when my firewall is on. But
I can access Win shares from Linux only when I replace DROP
by ACCEPT in:

$IPTABLE -P INPUT DROP

It seems that I have to open some INPUT ports to use my Samba.
I opened ports responsible for Samba communication (137, 138, 139, 445) but it doesn't work.

my firewall:

#!/bin/bash

IPTABLE=/sbin/iptables

# kernel configuration
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/modprobe ip_conntrack

# Clean all rules
$IPTABLE -F
$IPTABLE -X

# Set policy
$IPTABLE -P INPUT DROP
$IPTABLE -P FORWARD DROP
# $IPTABLE -P OUTPUT DROP
$IPTABLE -P OUTPUT ACCEPT

# Allow all at loopback
$IPTABLE -A INPUT -i lo -j ACCEPT

# Answers/receives ping
$IPTABLE -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ident inquiry
$IPTABLE -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

# Allow ssh from admin
# $IPTABLE -A INPUT -i eth1 -p tcp -s 192.168.0.2 --dport ssh -j ACCEPT

# Allowed from LAN
$IPTABLE -A INPUT -i eth1 -p tcp -s 192.168.0.2 -j ACCEPT -m multiport \
--destination-port 20,21,80,443,25,110

$IPTABLE -A INPUT -i eth1 -p udp -s 192.168.0.2 -j ACCEPT -m multiport \
--destination-port 53,123

# Allow return packets
$IPTABLE -A INPUT -i eth0 -j ACCEPT -m state --state ESTABLISHED,RELATED
$IPTABLE -A INPUT -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED

iptables -I INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --destination-port 139,445 -j ACCEPT

iptables -A FORWARD -s 192.168.0.2 -i eth1 -j ACCEPT
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Last edited by mac1234mac; 03-13-2006 at 03:00 AM.
 
Old 03-16-2006, 05:34 PM   #4
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
What are the errors you are receiving when you say it doesn't work? Have you tried accessing the shares through the terminal to see what the error is? Don't forget verbose output if that is an option. I might also suggest that when you open up the ports, try individual rules instead of the multiport match just as a testing procedure. Hope this helps.
 
Old 03-16-2006, 11:35 PM   #5
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Original Poster
Rep: Reputation: 30
reply

Something's wrong with Konqueror. It can't see Win shares.
I issued the following command:

smbclient //192.168.0.2/net

from the command line and entered my Win share without a problem.

I've mounted my Win share and can exchange files in mc. So the problem is with Konqueror.

Last edited by mac1234mac; 03-17-2006 at 12:46 AM.
 
Old 03-17-2006, 08:22 AM   #6
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Excellent, at least we have part of the problem solved. There might be a configuration setting for which command Konqueror uses. When I mount shares I usually use the smbmount (or whatever it's called, I can't remember at the moment). Maybe it's a setting you can switch. I'm glad we are at least getting somewhere with this.
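
An added diagnostic example, not part of any post in this thread: post #4 asks what actually fails, and one way to answer that is to log what the DROP policy is about to discard and sort the entries. The LOG rule, its prefix and the sample log lines are assumptions of this example; the sample shows replies arriving from UDP source port 137 at an ephemeral port, which a rule written as `--destination-port 137,138` does not match.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes a LOG rule appended after all
# ACCEPT rules in the posted script, so it records only what the DROP policy
# is about to discard (the rule and its prefix are this example's choice):
#   $IPTABLE -A INPUT -i eth1 -j LOG --log-prefix "INPUT-DROP: "

# Constructed, shortened sample kernel log lines (not from the poster's machine).
SAMPLE_LOG='Mar 16 23:40:01 aurox kernel: INPUT-DROP: IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=90 TTL=128 PROTO=UDP SPT=137 DPT=32770 LEN=70
Mar 16 23:40:03 aurox kernel: INPUT-DROP: IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=90 TTL=128 PROTO=UDP SPT=137 DPT=32771 LEN=70
Mar 16 23:40:09 aurox kernel: INPUT-DROP: IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TTL=128 PROTO=TCP SPT=1055 DPT=3128 SYN'

# classify_drops: read LOG lines on stdin, print "class proto spt dpt" per packet.
#   netbios-from-sport: UDP sent FROM 137/138 to some other port; a rule that
#                       only tests the destination port does not match these
#   samba-dport:        aimed at 137/138/139/445 yet still logged (check rule order)
#   other:              traffic unrelated to Samba
classify_drops() {
  awk '/INPUT-DROP: / {
    proto = ""; spt = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n == 0) continue
      key = substr($i, 1, n - 1); val = substr($i, n + 1)
      if (key == "PROTO") proto = val
      else if (key == "SPT") spt = val
      else if (key == "DPT") dpt = val
    }
    nb_src  = (spt == 137 || spt == 138)
    smb_dst = (dpt == 137 || dpt == 138 || dpt == 139 || dpt == 445)
    if (smb_dst) cls = "samba-dport"
    else if (proto == "UDP" && nb_src) cls = "netbios-from-sport"
    else cls = "other"
    print cls, proto, spt, dpt
  }'
}

# count_class CLASS: number of logged packets on stdin that fall into CLASS.
count_class() {
  classify_drops | awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | classify_drops
```

On a live system, feed the function the kernel log instead of `SAMPLE_LOG`; a non-zero `samba-dport` count points at rule order rather than at a missing port.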
 
  


All times are GMT -5.
