[SOLVED] Samba + iptables issue

sljunkie · 12-12-2012, 08:52 PM

Hi,

My iptables configuration is based upon Arch Linux's Simple Stateful Firewall solution. However, Samba doesn't work with it, even though I order the 137/UDP, 138/UDP, 139/TCP and 445/TCP ports to be open! Here's my configuration:

Code:

# Generated by iptables-save v1.4.16.2 on Mon Nov 12 23:02:57 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 5353 -j ACCEPT
COMMIT

Everything covered by the rules I open with iptables -A TCP/UDP -p tcp/udp --dport DPORT works...

With the firewall enabled, smbtree (and nautilus navigation) returns nothing... and smbclient SERVER/Sharename returns with (Error NT_STATUS_BAD_NETWORK_NAME)...

tshikose · 12-13-2012, 02:19 AM

Hi,

If you can afford (clear security risk) is your Samba configuration works with the FW off?

sljunkie · 12-13-2012, 02:21 AM

Yes, with the firewall off Samba works, but no, I can't afford that, even in a small and stupid LAN a package filter is necessary.

fotoguy · 12-13-2012, 05:19 AM

I think ports 137 and 138 should also be for tcp as well

sljunkie · 12-13-2012, 03:03 PM

Quote:

Originally Posted by fotoguy

I think ports 137 and 138 should also be for tcp as well

I opened them and nothing happened... well the Samba documentation says these ports are for udp.

allend · 12-13-2012, 03:46 PM

This is what I have in my firewall script for Samba

Code:

## Samba
# Samba uses UDP on ports 137 & 138 for nmbd and
# Samba uses TCP on ports 139 & 445 for smbd
# Accept the UDP packets so that they are not logged
$IPTABLES -A INPUT -i $EXTIF -s $LOCAL_LAN -p udp --sport 137 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $LOCAL_LAN -p udp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $LOCAL_LAN -p udp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $LOCAL_LAN -p tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $LOCAL_LAN -p tcp --dport 445 -j ACCEPT

I am not familiar with the Arch Linux Simple Stateful Firewall solution, so I do not know how the TCP and UDP chains are used.
Have you tried changing these to the INPUT chain?

sljunkie · 12-13-2012, 04:10 PM

Code:

$IPTABLES -A INPUT -i $EXTIF -s $LOCAL_LAN -p udp --sport 137 -j ACCEPT

THANK YOU

That was the missing rule, the *source port* for nmbd calls... it's working now, THANKS!

I guess I'll post that in the wiki and/or warn the Samba documentation folks, because when we hear 'open up port x' we associate immediatly with a --dport type of rule.