samba, firewalls and pinging
I have been trying to get samba up and running but smbstatus basically tells me there are no shares.
I cannot ping my server and am concerned this is an issue. I can access my Windows computer from the Linux box though, so I am not sure if this is actually an issue. Do I need Lisa running? (I don't even know what that is!) I have read other threads where people get the same message from smbstatus, but it always comes down to not being able to ping and the firewall stopping the connection. As I said, I can ping all computers from any other computer except the Linux computer, which is 192.168.0.1. Here is the output from smbstatus, my smb.conf file and my iptables file.
Code:
[root@Shihan /]# smbstatus
Samba version 2.2.6pre2
Service uid gid pid machine
----------------------------------------------
Failed to open byte range locking database
ERROR: Failed to initialise locking database
Can't initialise locking module - exiting
smb.conf file:
Code:
#======================= Global Settings =====================================
[global]
workgroup = workgroup
netbios name = shihan
server string = Samba Server %v
guest account = pcguest
security = share
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
interfaces = 192.168.0.1
wins support = yes
#============================ Share Definitions ==============================
[share]
comment = Shared folder on shihan
path = /share
read only = no
public = yes
guest ok = yes
guest only = yes
[websites]
comment = websites
path = /home/web/htdocs
public = yes
writable = yes
iptables file:
Code:
#!/bin/sh
# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth1'
WAN_IP='10.0.0.1'
WAN_NIC='eth0'
FORWARD_IP='192.168.0.1'
#WAS FORWARD_IP='192.168.0.3'
# load some modules (if needed)
# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 110
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 21
#added by Me from web info to allow pinging
iptables -I INPUT -s 192.168.0.1 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.3 -p tcp --dport 1241 -j ACCEPT
iptables -I INPUT -s 192.168.0.2 -p tcp --dport 1241 -j ACCEPT
# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open ports to server on LAN
#iptables -A FORWARD -j ACCEPT -p tcp --dport 80
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.3:80
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
One other thing I will post here is the script I use to start the firewall. I have suspicions that it is not right. I have had to use the stop directive to start it! And start seemed only to give me the message "usage...".
Code:
#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-2.4 ruleset.
#
# processname: firewall-2.4
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-2.4
# probe: true
# ----------------------------------------------------------------------------
# v05/24/03
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
# 05/24/03 - removed a old networking up check that had some
# improper SGML ampersand conversions.
# ----------------------------------------------------------------------------
# Source function library.
. /etc/rc.d/init.d/functions
# Check that networking is up.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
[ -x /sbin/ifconfig ] || exit 0
# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/usr/local/sbin/iptables
# See how we were called.
case "$1" in
    start)
        #I had commented out the following line to stop the usage message coming up DK
        /etc/rc.d/rc.firewall-2.4
        ;;
    stop)
        echo -e "\nFlushing firewall and setting default policies to DROP\n"
        $IPTABLES -P INPUT DROP
        $IPTABLES -F INPUT
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -F OUTPUT
        $IPTABLES -P FORWARD DROP
        $IPTABLES -F FORWARD
        $IPTABLES -F -t nat
        # Delete all User-specified chains
        $IPTABLES -X
        #
        # Reset all IPTABLES counters
        $IPTABLES -Z
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    status)
        $IPTABLES -L
        ;;
    mlist)
        cat /proc/net/ip_conntrack
        ;;
    *)
        echo "Usage: firewall-2.4 {start|stop|status|mlist}"
        exit 1
esac
exit 0
echo -e "\nDone.\n"
Are you really running samba version 2.2.6pre2? That's pretty old (current is 3.0.x).
I'd first upgrade samba, and then make sure it's actually running:
Code:
ps ax | grep smb
Code:
137/udp "INPUT, OUTPUT"
139/tcp "INPUT"
I think samba uses more ports like 445, but I am dropping that port; seems to work.
Re: samba, firewalls and pinging
Code:
iptables -A INPUT -i $LAN_NIC -j ACCEPT
The other thing I would recommend, at least while you're chasing bugs, is to log the packets as the last rule of the chain with something like this:
Code:
iptables -A OUTPUT -j LOG --log-prefix "|ipt OUTPUT -- "
OK, it's working now. Thanks Sutekh. I am not sure how it works now though. I added in the code that you mentioned and that seemed to have done the trick. The thing is, I still cannot ping the eth cards on the Linux computer. Is there a particular port I need to open for pinging to work? How would I turn pinging on and off, or do I already have this in my iptables file?
Thanks, David K :D
This will enable localhost and computers behind the firewall to ping systems outside your LAN:
Code:
$IPT -A OUTPUT -o $EXT_IF -p icmp -s $EXT_IP --icmp-type 8 -m state --state NEW -j ACCEPT
Code:
# Allow internal network to ping firewall 'i think'
Thanks
OK, that looks good, but a few newbie-type questions. How do I set the environment variables, e.g. $LAN_NIC, $IPT, $PATH etc.? Is it an alias? It is also complaining about -p and not knowing what icmp is; would that be because I have not set the environment vars? By the way, I did just paste what you put in up there, I just changed $IPT...... Also, this stuff below is only one of the lines; I commented out the other lines.
Code:
[root@s vnc]# /etc/rc.d/rc.firewall-2.4 restart
Flushing firewall and setting default policies to DROP
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
So the easiest way to get up and running is to use the variables you have already declared, that is LAN_NIC and WAN_NIC. So everywhere you wrote INT_IF, replace it with LAN_NIC, and change EXT_IF to WAN_NIC. Re-run your script and you should be sorted.
Code:
# external interface pointing to the internet
EXT_IF='eth1'
# internal / lan interface 192.something
INT_IF='eth0'
# location to iptables
IPT='/sbin/iptables'
# Your IP external one 'internet'
EXT_IP='xxx.xxx.xxx.xxx'
If it doesn't work, just remove the $VARS from the code and replace them with your information, for example 192.x.x.x instead of $INT_IF.
EDIT: sorry, didn't refresh the page before posting, didn't see your reply there.
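Pulling together Sutekh's suggestions (the per-interface ACCEPT, the ICMP echo-request rule and the LOG rule at the end of the chain) with the variable-naming fix from the two replies above, here is an added example script; it is not code from anyone in this thread. It assumes the thread's layout (eth1 on the LAN, eth0 on the WAN, 192.168.0.0/24 as the LAN subnet) as placeholders, and it checks that every variable is set before calling iptables, which is exactly what went wrong in the "weird character in interface `-p'" output above: an empty $EXT_IF vanishes from the command line, so iptables reads -p as the interface name and icmp as an unknown argument.

```shell
#!/bin/sh
# Added example, not code from the thread. A variable-driven iptables fragment
# for a Samba host on a LAN: declare the interface names once, then reference
# them in every rule. Usage:
#   sh lan-firewall.sh          prints the rules it would add (IPT=echo)
#   sh lan-firewall.sh apply    adds them for real (needs root)
# Interface names and the subnet are placeholders matching the thread's layout.

LAN_NIC="${LAN_NIC:-eth1}"
WAN_NIC="${WAN_NIC:-eth0}"
LAN_IP_NET="${LAN_IP_NET:-192.168.0.0/24}"
IPT="${IPT:-/sbin/iptables}"

# Refuse to run with an empty variable. An unset $EXT_IF silently disappears
# from "-o $EXT_IF -p icmp", leaving "-o -p icmp", which iptables reports as
# "weird character in interface `-p'" followed by "Bad argument `icmp'".
check_vars() {
    for name in LAN_NIC WAN_NIC LAN_IP_NET IPT; do
        eval "val=\${$name}"
        if [ -z "$val" ]; then
            echo "error: $name is empty; set it before adding rules" >&2
            return 1
        fi
    done
    return 0
}

# Rules for INPUT and OUTPUT. Assumes the policies from the thread's script:
# INPUT DROP (so anything not matched below is dropped) and OUTPUT ACCEPT.
lan_rules() {
    check_vars || return 1

    # Loopback, and replies to anything this host itself started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Samba from the LAN only: NetBIOS name/datagram (UDP 137,138), NetBIOS
    # session (TCP 139) and SMB over TCP (445). Tying these to $LAN_NIC and the
    # LAN subnet is tighter than a blanket "-i $LAN_NIC -j ACCEPT", and nothing
    # here opens them on $WAN_NIC.
    $IPT -A INPUT -i "$LAN_NIC" -s "$LAN_IP_NET" -p udp -m multiport --dports 137,138 -j ACCEPT
    $IPT -A INPUT -i "$LAN_NIC" -s "$LAN_IP_NET" -p tcp -m multiport --dports 139,445 -j ACCEPT

    # Ping: accept echo-request (ICMP type 8) from the LAN so the box answers
    # pings; the echo-reply leaves under the OUTPUT ACCEPT policy. The OUTPUT
    # rule lets this host ping out; it is redundant under an ACCEPT policy but
    # required if OUTPUT is ever set to DROP (as the init script's stop does).
    # Replies to our own pings return through the ESTABLISHED,RELATED rule.
    $IPT -A INPUT -i "$LAN_NIC" -s "$LAN_IP_NET" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_NIC" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

    # Last rule of INPUT: log what the DROP policy is about to discard,
    # rate-limited so a scan cannot fill the log. A LOG rule at the end of a
    # chain only means "about to be dropped" when that chain's policy is DROP;
    # on an ACCEPT chain it would log every packet, so OUTPUT gets none here.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "|ipt INPUT -- "
}

case "${1:-print}" in
    apply) lan_rules ;;
    print) IPT=echo; lan_rules ;;
    *) echo "Usage: $0 {apply|print}" >&2; exit 1 ;;
esac
```

Run it without arguments first: with IPT set to echo it prints each iptables command instead of executing it, so you can read the rule set and catch an empty variable before touching the live firewall. Only the "apply" form needs root.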
s'ok no such thing as too much help :-)
Yup, that's it. Thanks very much for all your help. :D
While this issue has now been solved and finished, I did just notice something I forgot to ask. Where are my log files kept? What would they be called? I know, Sutekh, you showed me to add the lines in iptables to enable logging, but where does this write the logs?
Thanks, David K
It depends on what logger you're running (e.g. metalog, syslog, syslog-ng, sysklogd, etc.), but in general all the logs will be somewhere under /var/log. Sometimes you'll find directories for the program itself under there, e.g. /var/log/samba.
yeah what they said!
Another place they may be is /var/log/messages.
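As an added example (not from anyone in the thread): the LOG target writes one line per matched packet through the kernel log facility, so the lines end up wherever your syslog daemon files kernel messages, typically /var/log/messages as said above, or /var/log/kern.log on Debian-style setups, and dmesg shows the same lines from the ring buffer. The script below reads such lines and summarises what the firewall is dropping by chain, source, destination, protocol and port. The log lines inside it are constructed for the example, using the "|ipt ... -- " prefix Sutekh suggested.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise iptables LOG lines from syslog.
# The sample below is constructed for this example; on a real host feed the
# function with:  grep 'ipt ' /var/log/messages | summarize_ipt_log

sample_log() {
    cat <<'EOF'
Jan  5 15:40:01 shihan kernel: |ipt INPUT -- IN=eth1 OUT= MAC=00:11:22:33:44:55:00:0a:0b:0c:0d:0e:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jan  5 15:40:02 shihan kernel: |ipt INPUT -- IN=eth1 OUT= MAC=00:11:22:33:44:55:00:0a:0b:0c:0d:0e:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1235 DF PROTO=TCP SPT=1034 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  5 15:40:02 shihan kernel: |ipt INPUT -- IN=eth1 OUT= MAC=00:11:22:33:44:55:00:0a:0b:0c:0d:0e:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1236 DF PROTO=TCP SPT=1035 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  5 15:40:03 shihan kernel: |ipt OUTPUT -- IN= OUT=eth0 SRC=10.0.0.1 DST=10.0.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan  5 15:40:04 shihan smbd[812]: Connection denied from 192.168.0.9
EOF
}

# Reads syslog lines on stdin, keeps those carrying an "|ipt <CHAIN> -- "
# prefix, and prints "count chain src dst proto port" sorted by count.
# For ICMP the port column carries the ICMP type instead (type8 = echo-request).
# Lines from other programs (the smbd line above) are ignored.
summarize_ipt_log() {
    awk '
    index($0, "|ipt ") > 0 {
        chain = "?"; src = "?"; dst = "?"; proto = "?"; port = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "|ipt")        chain = $(i + 1)
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   port  = substr($i, 5)
            else if ($i ~ /^TYPE=/)  port  = "type" substr($i, 6)
        }
        count[chain " " src " " dst " " proto " " port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run: summarise the constructed sample.
sample_log | summarize_ipt_log
```

On the sample this prints two dropped SMB (TCP 445) connection attempts and one dropped echo-request from 192.168.0.3 on INPUT, and one echo-request on OUTPUT: a quick way to tell whether the rule you just added is the one still missing, and which host is knocking.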