Aelius Maximus wrote:
> Please help me!
>
> Samba/netbios do not work until I statically open UDP ports above 1024 for new connections!!!
>
> As far as I know SAMBA uses TCP/UDP 137:139 for initiating a new connection.
>
> Correct me if I'm wrong, SAMBA/netbios never send the first packet to a destination port higher than 1024 (in the default install).
>
> There are packets sent to a port higher than 1024, but they should be only a reply to a request. If I'm right, the first rule should let them get in.
>
> Default policy is DROP
>
> 1 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 2 iptables -A INPUT -p tcp --dport 137:139 -m state --state NEW -j ACCEPT
> 3 iptables -A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
>
> 4 iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> Is that correct? Is that enough?
> For me it works only if I statically open some UDP ports (for new connections) above 1024 like this:
>
> 5 iptables -A INPUT -p udp --dport 1024:10000 -m state --state NEW -j ACCEPT
Actually, you must also open the reverse connections with --sport 137:139. The reason is that Windows clients apparently randomly connect with either sport or dport in that range; sometimes sport == dport, sometimes it's a high port, and it does not seem to be consistent. I have win98 and winME on my network; some machines connect one way, others connect some other way. Once you open your firewall to connections with --sport=137:139, you can eliminate rule 5.

--Yan

-- 
Future fighter pilots:
Me: Akari, WHAT are you DOING?
Akari, age 3: Pushing the envelope.
spam killer code kpwq1jkcsEzdx39gnkVvgycd15ayqq (see http://www.paganini.net/ask)
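To see why rule 5 was needed and what the suggested --sport rule changes, here is an added toy first-match evaluation of the thread's INPUT rules against constructed packets; it is not iptables and not part of the thread, and it assumes the reply's --sport rule is written for UDP (iptables requires -p for --sport) and leaves the OUTPUT rule 4 out of scope.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"

@dataclass
class Rule:
    """One '-j ACCEPT' rule: -m state --state, optional -p, --dport, --sport (inclusive ranges)."""
    states: Tuple[str, ...]
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None
    sport: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        if p.state not in self.states or (self.proto and p.proto != self.proto):
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        return not self.sport or self.sport[0] <= p.sport <= self.sport[1]

def verdict(chain, p: Packet) -> str:
    # First matching rule ACCEPTs; otherwise the chain's default DROP policy applies.
    return "ACCEPT" if any(r.matches(p) for r in chain) else "DROP"

NB = (137, 139)
# Rules 1-3 of the original post (the OUTPUT rule 4 is not modelled).
ORIGINAL = [
    Rule(states=("ESTABLISHED", "RELATED")),
    Rule(states=("NEW",), proto="tcp", dport=NB),
    Rule(states=("NEW",), proto="udp", dport=NB),
]
# The reply's suggestion, assumed to be written for UDP: accept NEW datagrams with --sport 137:139.
WITH_SPORT = ORIGINAL + [Rule(states=("NEW",), proto="udp", sport=NB)]

# Constructed sample traffic arriving at the INPUT chain.
SAMPLES = {
    "name query 137 -> 137":       Packet("udp", 137, 137, "NEW"),
    "datagram 138 -> 1030":        Packet("udp", 138, 1030, "NEW"),  # the case rule 5 was opened for
    "session setup 1030 -> 139":   Packet("tcp", 1030, 139, "NEW"),
    "reply to our own query":      Packet("udp", 137, 1025, "ESTABLISHED"),
}

def compare():
    # Verdict under the original rules and with the --sport rule added, per sample.
    return {k: (verdict(ORIGINAL, p), verdict(WITH_SPORT, p)) for k, p in SAMPLES.items()}
```

Note that the --sport rule accepts any NEW UDP datagram whose sender chose a source port in 137:139, so it is narrower than rule 5 but still wider than the dport-only rules.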
