On 8/15/2013 10:36 AM, Kevin Field wrote:
Hi everyone,

I had posted recently about getting Samba4 to work on CentOS 6.4 but
having changes only replicating in one direction, from the Win2k3 AD but
not back to it.  I solved the problem, this time, by disabling iptables.
I find it a bit hard to understand.  These are the rules I have set up:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


https://wiki.samba.org/index.php/Configure_your_firewall

Are you missing UDP port 137-138 (and possibly a few others) in your IPTables?

Also, try looking at the output of the following to check for ports in use:

# netstat -taunp | egrep "tcp.*LISTEN|udp" | egrep "samba|smbd"

One of our internal Samba servers has the following in /etc/sysconfig/iptables. You won't need the NFSCHECK chains unless you are also using NFS.

# Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6932]
:NFSCHECK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j NFSCHECK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -j RETURN
COMMIT
# Completed on Fri May 24 21:51:36 2013
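The port check suggested in the reply above, worked through as an added example (this is not code from either poster or from the Samba project): it takes `netstat -taunp` output, keeps the sockets owned by samba/smbd, and reports every one that no `-A INPUT ... -j ACCEPT` rule in an iptables-save ruleset admits. Both inputs are constructed for the example: the netstat sample is an assumed socket set (TCP 135 as the RPC endpoint mapper, TCP 1024 standing in for a dynamically assigned RPC port), and the ruleset is the one quoted at the top of the thread with its mail-wrapped lines rejoined and the `-m comment` clauses dropped. On a live server you would feed it the real `netstat -taunp` and `/etc/sysconfig/iptables` instead.

```sh
#!/bin/sh
# Added example, not code from the thread: list the ports Samba is actually
# listening on and report the ones no "-A INPUT ... -j ACCEPT" rule admits.
# Anything reported is what the final "-j REJECT" will drop when the other DC
# connects inbound.

# Constructed sample of `netstat -taunp` output (an assumption, not a capture).
# UDP lines have no State column, so the PID/Program field is always $NF.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:135                 0.0.0.0:*                   LISTEN      1234/samba
tcp        0      0 0.0.0.0:1024                0.0.0.0:*                   LISTEN      1234/samba
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1234/samba
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      1240/smbd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      900/sshd
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               1235/samba
udp        0      0 0.0.0.0:389                 0.0.0.0:*                               1234/samba'

# Ruleset from the top of the thread, wrapped lines rejoined, comments dropped.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# $1: netstat -taunp output. Prints "proto port" for every socket owned by
# samba or smbd that is a listening TCP socket or any UDP socket.
listening_ports() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(tcp|udp)/ && $NF ~ /\/(samba|smbd)$/ {
      proto = substr($1, 1, 3)               # tcp6/udp6 -> tcp/udp
      if (proto == "tcp" && $6 != "LISTEN") next
      port = $4; sub(/.*:/, "", port)        # strip address, keep port
      print proto, port
    }' | LC_ALL=C sort -u
}

# $1: iptables-save text. Prints "proto port" for each INPUT ACCEPT rule that
# names a --dport; a "low:high" range is expanded one port per line.
accepted_ports() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / && / -j ACCEPT/ {
      proto = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      if (proto == "" || port == "") next    # state/icmp/lo rules carry no port
      n = split(port, r, ":")
      lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
      for (p = lo; p <= hi; p++) print proto, p
    }' | LC_ALL=C sort -u
}

# $1: netstat output, $2: ruleset. Prints the listening "proto port" pairs
# that no ACCEPT rule covers.
uncovered_ports() {
  { accepted_ports "$2" | sed 's/^/A /'; listening_ports "$1" | sed 's/^/L /'; } |
    awk '$1 == "A" { ok[$2 " " $3] = 1; next } !(($2 " " $3) in ok) { print $2, $3 }'
}

# Run stand-alone: one line per socket the ruleset would reject.
uncovered_ports "$SAMPLE_NETSTAT" "$SAMPLE_RULES"
```

With the constructed inputs the report is `tcp 1024`, `tcp 135` and `udp 137`: the ruleset only opens UDP 135, so the TCP endpoint mapper and whatever dynamic RPC port Samba hands out are unreachable from the other DC, which is the shape of a one-directional replication failure. Rules that use `-m multiport --dports` (like the NFSCHECK chain above) are not parsed by this check; extend `accepted_ports` before relying on it for such rulesets.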