Do the 4 windoze boxes have static IP's so you can do all you want
with them, or do they pick from the pool? Otherwise dealing with a few
boxes in DHCP and iptables isn't pleasant for me. Would suggest you
isolate the M$ boxes so you can plug their IP's into the iptables on
the Samba box, then punish the rest like so:
iptables -A INPUT -s 192.168.0.X -d 172.16.21.Y -j ACCEPT
# this though gives access to all services on the samba box
Then punish the rest of the boxes with a big DROP. Do a "service
iptables save" if all works; otherwise do a "service iptables
restart" if it doesn't work, to avoid the mess.
Btw, do selinux and samba make any noise?
That's my view; you can correct me if I am off line
:-)
Ronny
*******************************************************************
PGP Fingerprint: 6695 794A B84E D922 88FB 73CC 6CBD 8036 B3CD 7304
We can't become what we need to be by remaining what we are
*******************************************************************
joseph mpora wrote:
Hullo All,
I need your advice on a particular scenario. I have a Samba 3
PDC running on a Fedora Core 3 box (kernel 2.6.12-1). This machine lies
between two networks, one a 192.168.0. and the other a 172.16.21. which
it serves using DHCP. The 192.168.0. network has the gateway to the
internet (another linux box) whereas the 172.16.21. network connects
through the PDC.
The Challenge:
I would like 4 machines (Windows 2000 Pro) on the 192.168.0.
network to access Domain (and print) services that are present on the
172.16.21. network. I have already got Samba to listen on both
interfaces but am trying to get IPTABLES to let it through without
opening up the entire network.
Current IPTABLES script:
-----begin script-------------
#!/bin/sh
echo -e "\n\nLoading NAT firewall.\n"
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
for i in 22 25 53 80 443
do
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT
done
# Allow DNS(udp)
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
echo "Allow all connections OUT and only existing and specified ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e "\nNAT firewall done.\n"
----end script----------------
Regards,
Joseph Mpora
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including attachments if any). The List's Host is not responsible for them in any way.
---------------------------------------