OK... you have set up a computer to be a samba server, sharing the directory /usr/src (i.e. the kernel source directory!)
You attempt to access by a laptop running windows... and the access is denied on correct password if the firewall is up but accepted on password if the firewall is down. Is this correct?
Would the laptop be on IP 192.168.2.0 and the server on 192.168.2.9 ?
Since eth0 is LAN as well as internet, I guess you are using a wired switch/router/modem combo. Is this correct? (A 10-port switch?)
Examining your firewall I see...
You have default drop policies - good - but why accept at the start?
You opened a "mangle" chain... only to close and flush it. Why?
I suspect you are trying to get the firewall to do too many things at once. (If you put a "stop" before line 18, you would get completely open chains. This is a kludgy way of switching the firewall on and off.)
INPUT Rules:
... you accept any incoming packet from established connections, and anything you requested. Rules are evaluated in order (someone correct me) so any INPUT rules after this one will only affect NEW connections.
You are accepting new tcp connections from ports 21, 22, 23, 25, 80 and 110
You are accepting new tcp and udp connections (on designated ports) from host 0
provided the packet is for host 9 (I have left out the 192.168.2. part.)
As an afterthought, you accept new tcp connections on port 10000(!?)
The following two rules:
$IPT -A INPUT -p udp -d 192.168.2.9 -m multiport --dports 137,138 -j DROP
$IPT -A INPUT -p tcp -d 192.168.2.9 -m multiport --dports 135,139,445 -j DROP
... will never be evaluated, as there is an identical condition set to ACCEPT previous to this one. But, shouldn't "--dports" be "--dport"?
However... you can safely delete these lines without affecting your firewall. If you want to switch these ports off, just comment out the previous rule.
After all these rules have been checked, then, and only then, do you allow all (tcp) traffic through the computer internals (a.k.a. the loopback interface). This rule should be first, not last.
OUTPUT Rules: there are four...
$IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
... if it came in on the loopback, then let it out the same way
$IPT -A OUTPUT -p ALL -o lo -j ACCEPT
... let everything out along the loopback - hey? Didn't we just do that?
Delete the previous rule. Keep this one.
$IPT -A OUTPUT -p ALL -o eth0 -j ACCEPT
... let all outgoing packets out eth0
(If you only have lo and eth0, why not just let everything out?)
$IPT -A OUTPUT -s 192.168.2.9 -d 192.168.2.0 -m state --state ESTABLISHED,RELATED -j ACCEPT
... this line doesn't get evaluated unless these IPs are connected through something other than eth0. It says that anything from host 9 can go to host 0 provided it is part of an existing session.
Probably you can see that you need to re-evaluate your firewall policy. Simplify your firewall. (Write comments in the script!) Then you'll find things working again.
Note... you are using iptables and samba to restrict access to samba.
From your rules, you want to restrict samba to your LAN... that is, any host with IP in range 192.168.2.0 to 192.168.2.256 ... the lines that do this are:
Code:
$IPT -A INPUT -p udp -m udp -s 192.168.2.0/24 --dport 137 -j ACCEPT
$IPT -A INPUT -p udp -m udp -s 192.168.2.0/24 --dport 138 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.2.0/24 --dport 139 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.2.0/24 --dport 445 -j ACCEPT
... to restrict to a single host, change the "/24" to "/32" with the appropriate IP. Set the output rule to let everything out. (So you'll be doing all your filtering on INPUT.)
Delete the lines with multiport in them.
For a friendly lesson:
http://troy.jdmz.net/samba/fw/
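As an added example (not the original poster's script and not code from the linked lesson), here is the simplified, INPUT-only samba firewall the reply above argues for: loopback and ESTABLISHED,RELATED first, then the four samba ports restricted to the LAN, everything out on OUTPUT, and no dead multiport DROP lines. It assumes the LAN is 192.168.2.0/24 and the only interfaces are lo and eth0, as in the thread; the `shadowed_drops` helper is a constructed lint that reproduces the review point that a DROP placed after an ACCEPT for the same port is never evaluated. It compares ports only, not source or destination addresses, so treat its output as a prompt to look, not a verdict.

```shell
#!/bin/sh
# Added example: minimal samba-on-LAN firewall, filtering on INPUT only.
# Assumed values (not from the original post): LAN 192.168.2.0/24, interfaces lo and eth0.
LAN="${LAN:-192.168.2.0/24}"   # change to e.g. 192.168.2.10/32 to allow a single client
IPT="${IPT:-iptables}"         # set IPT="echo iptables" to dry-run without touching the kernel

# Emit the INPUT rules in evaluation order, one per line, without the
# "iptables" prefix, so they can be reviewed before being applied.
# Loopback and established traffic come first: everything after them only
# ever sees NEW connections.
samba_input_rules() {
    lan="$1"
    printf '%s\n' \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -p udp -s $lan --dport 137 -j ACCEPT" \
        "-A INPUT -p udp -s $lan --dport 138 -j ACCEPT" \
        "-A INPUT -p tcp -s $lan --dport 139 -m state --state NEW -j ACCEPT" \
        "-A INPUT -p tcp -s $lan --dport 445 -m state --state NEW -j ACCEPT"
}

# Constructed lint: read rules on stdin and print every DROP whose --dport
# (or multiport --dports list) was already ACCEPTed by an earlier rule.
# iptables stops at the first matching rule, so such a DROP is dead code.
# Only ports are compared, so a hit means "look at this", not "certainly dead".
shadowed_drops() {
    awk '
        {
            n = 0
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports")
                    n = split($(i + 1), ports, ",")
            if (n == 0) next
            if ($NF == "ACCEPT") {
                for (k = 1; k <= n; k++) accepted[ports[k]] = 1
            } else if ($NF == "DROP") {
                for (k = 1; k <= n; k++)
                    if (ports[k] in accepted) { print; break }
            }
        }'
}

# Apply the policy: default DROP on INPUT and FORWARD, let everything out,
# then load the reviewed rule list. Requires root unless IPT is a dry-run echo.
apply_firewall() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    samba_input_rules "$LAN" | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        $IPT $rule
    done
}

# "sh samba-fw.sh apply" loads the rules; any other invocation just prints them for review.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
else
    samba_input_rules "$LAN"
fi
```

Run it with no argument to review the rule order, pipe the output of your current script through `shadowed_drops` to find rules that can never match, and only then run it with `apply` (or with `IPT="echo iptables"` first to see exactly what would be executed).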