But port 80 has nothing to do with Samba and, as u say, it works fine when u turn it off!
I made a script for u maybe u try it otherwise I have no more ideas. I added all rfc nets, because I don't know ur ip-range... Maybe u have to change the path for iptables and so on.... Regards and good luck
#!/bin/sh
#
#  This is automatically generated file.
#  Firewall Builder  fwb_ipt v1.1.2-1
#  Tue Jun  1 00:18:52 2004 CEST
#
#  Purpose: load an iptables ruleset for a Samba server that sits between a
#  LAN (eth0) and a dial-up link (ppp0).  Default policy on INPUT, OUTPUT
#  and FORWARD is set to DROP before any chain is flushed or populated, so
#  the host is closed rather than open while the rules are being installed.
#  Must run as root (it calls ip, iptables, modprobe).
#
#  Paths to the tools are hard-coded in the LSMOD/MODPROBE/IPTABLES/IP/LOGGER
#  variables below and may need adjusting for the target system.
#

# Send a message to syslog at priority "info" via $LOGGER, but only if the
# logger binary exists and is executable; otherwise silently does nothing.
# Arguments: $1 - message text
log() {
  test -x "$LOGGER" && $LOGGER -p info "$1"
}

# Counter used to build unique address labels ($dev:FWB<n>) in add_addr.
va_num=1

# Make sure address $1/$2 is configured on interface $3; adds it only when
# "ip addr ls ... to $addr" reports nothing for that address.
# The link type (POINTOPOINT / BROADCAST) is taken from the flag list of
# "ip link ls $dev" by temporarily switching IFS so "<FLAG1,FLAG2,...>" is
# split into words; only those two types are handled.
# Arguments: $1 - IPv4 address, $2 - prefix length, $3 - interface name
# Globals:   reads IP; reads and increments va_num
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  L=`$IP -4 link ls $dev | grep "$dev:"`
  if test -n "$L"; then
    OIFS=$IFS
    IFS=" /:,<"
    set $L
    type=$4
    IFS=$OIFS
    L=`$IP -4 addr ls $dev to $addr | grep " inet "`
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  if test -z "$aadd"; then
    if test "$type" = "POINTOPOINT"; then
      $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
    if test "$type" = "BROADCAST"; then
      $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
  fi
}

# Store the first IPv4 address of interface $1 in the shell variable named
# by $2 (empty string if the interface has no inet address).
# Uses eval to assign to a variable chosen by the caller; every call in this
# script passes a literal variable name, so nothing untrusted reaches eval.
# Arguments: $1 - interface name, $2 - name of the variable to set
# Globals:   reads IP
getaddr() {
  dev=$1
  name=$2
  L=`$IP -4 addr show dev $dev | grep inet`
  test -z "$L" && {
    eval "$name=''"
    return
  }
  OIFS=$IFS
  IFS=" /"
  set $L
  eval "$name=$2"
  IFS=$OIFS
}

# Print, one per line, the names of all interfaces whose name starts with $1.
# Generated helper; it is not called anywhere in this script.
# Arguments: $1 - interface name prefix (used inside a grep -E pattern)
# Globals:   reads IP
getinterfaces() {
  NAME=$1
  $IP link show | grep -E "$NAME[^ ]*: "| while read L; do
    OIFS=$IFS
    IFS=" :"
    set $L
    IFS=$OIFS
    echo $2
  done
}

# Absolute paths to the tools used below.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/usr/sbin/iptables"
IP="/sbin/ip"
LOGGER="/bin/logger"

# Abort early if any interface the rules refer to is missing, so no partial
# ruleset is installed for a mis-named interface.
INTERFACES="eth0 ppp0 lo "
for i in $INTERFACES ; do
  $IP link show "$i" > /dev/null 2>&1 || {
    echo Interface $i does not exist
    exit 1
  }
done

add_addr 127.0.0.1 8 lo
$IP link set lo up

# Addresses of the two interfaces; used for the anti-spoofing and
# service rules.  Either may be empty (e.g. ppp0 down), which is why the
# rules below are guarded with test -n.
getaddr eth0 interface_eth0
getaddr ppp0 interface_ppp0

# Fail closed: drop everything first, then build the allow list.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Flush every chain of every loaded table and delete user-defined chains.
# NOTE(review): this runs before the module loop below; if ip_tables is not
# yet loaded, /proc/net/ip_tables_names is absent, cat prints an error and
# this loop simply does nothing - harmless on a fresh boot.
cat /proc/net/ip_tables_names | while read table; do
  $IPTABLES -t $table -L -n | while read c chain rest; do
    if test "X$c" = "XChain" ; then
      $IPTABLES -t $table -F $chain
    fi
  done
  $IPTABLES -t $table -X
done

# Load every conntrack and NAT module found in the kernel module directory
# (the sed strips the .o / .ko suffix).  Exits if a modprobe fails.
# NOTE(review): this pulls in every protocol helper present on the system
# (ftp, irc, ...), and the ESTABLISHED,RELATED rules below accept the
# pinholes those helpers open; loading only the helpers actually needed
# would keep the exposed surface smaller.
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//; s/\.ko$//')`
for module in $(echo $MODULES); do
  if $LSMOD | grep ${module} >/dev/null; then continue; fi
  $MODPROBE ${module} || exit 1
done

log "Activating firewall for samba-server"

#
# Rule 0(NAT)
#
# redirect to proxy
# Transparent proxying: HTTP from the RFC 1918 ranges is redirected to
# local port 8080.  Presumably a proxy is listening there - confirm,
# otherwise LAN web traffic is silently broken.
$IPTABLES -t nat -A PREROUTING -p tcp -s 10.0.0.0/8 --destination-port 80 -j REDIRECT --to-ports 8080
$IPTABLES -t nat -A PREROUTING -p tcp -s 192.168.0.0/16 --destination-port 80 -j REDIRECT --to-ports 8080
$IPTABLES -t nat -A PREROUTING -p tcp -s 172.16.0.0/12 --destination-port 80 -j REDIRECT --to-ports 8080
#
# Rule 1(NAT)
#
# Masquerade LAN traffic leaving via the dial-up link.  Only effective once
# IP forwarding is enabled (see the commented-out line at the end).
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 10.0.0.0/8 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 172.16.0.0/12 -j MASQUERADE
#
# Stateful shortcut: replies to already-accepted connections, and
# connections opened by a loaded conntrack helper, are accepted on all
# three chains.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(ppp0)
#
# anti-spoofing rule
# Packets arriving on ppp0 that claim one of our own addresses or a private
# source range are logged and dropped.  Because this is appended to INPUT
# and FORWARD before every ACCEPT rule below, the later "-s <private net>"
# rules effectively apply only to traffic that did not come in on ppp0.
$IPTABLES -N ppp0_In_RULE_0
test -n "$interface_eth0" && $IPTABLES -A INPUT -i ppp0 -s $interface_eth0 -j ppp0_In_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i ppp0 -s $interface_ppp0 -j ppp0_In_RULE_0
$IPTABLES -A INPUT -i ppp0 -s 10.0.0.0/8 -j ppp0_In_RULE_0
$IPTABLES -A INPUT -i ppp0 -s 192.168.0.0/16 -j ppp0_In_RULE_0
$IPTABLES -A INPUT -i ppp0 -s 172.16.0.0/12 -j ppp0_In_RULE_0
test -n "$interface_eth0" && $IPTABLES -A FORWARD -i ppp0 -s $interface_eth0 -j ppp0_In_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A FORWARD -i ppp0 -s $interface_ppp0 -j ppp0_In_RULE_0
$IPTABLES -A FORWARD -i ppp0 -s 10.0.0.0/8 -j ppp0_In_RULE_0
$IPTABLES -A FORWARD -i ppp0 -s 192.168.0.0/16 -j ppp0_In_RULE_0
$IPTABLES -A FORWARD -i ppp0 -s 172.16.0.0/12 -j ppp0_In_RULE_0
# NOTE(review): the LOG targets in this script carry no "-m limit", so a
# flood of spoofed packets can fill syslog.
$IPTABLES -A ppp0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A ppp0_In_RULE_0 -j DROP
#
# Rule 1(ppp0)
#
# anti-spoofing rule
# Outbound side: anything leaving via ppp0 that is not sourced from one of
# our addresses or a private range is logged and dropped.
$IPTABLES -N Cid40BBAA6A.0
$IPTABLES -A OUTPUT -o ppp0 -j Cid40BBAA6A.0
$IPTABLES -A FORWARD -o ppp0 -j Cid40BBAA6A.0
test -n "$interface_eth0" && $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s $interface_eth0 -j RETURN
test -n "$interface_ppp0" && $IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s $interface_ppp0 -j RETURN
$IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s 10.0.0.0/8 -j RETURN
$IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s 192.168.0.0/16 -j RETURN
$IPTABLES -A Cid40BBAA6A.0 -o ppp0 -s 172.16.0.0/12 -j RETURN
$IPTABLES -N ppp0_Out_RULE_1_3
$IPTABLES -A Cid40BBAA6A.0 -o ppp0 -j ppp0_Out_RULE_1_3
$IPTABLES -A ppp0_Out_RULE_1_3 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A ppp0_Out_RULE_1_3 -j DROP
#
# Rule 0(lo)
#
# Allow all connections to the loopback interface
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#
# Rule 0(global)
#
# block fragments
# Non-first IP fragments (-f) are logged and dropped on all chains.
$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -p all -f -j RULE_0
$IPTABLES -A INPUT -p all -f -j RULE_0
$IPTABLES -A FORWARD -p all -f -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A RULE_0 -j DROP
#
# Rule 1(global)
#
# allow ssh
# NOTE(review): the INPUT rules accept new SSH connections to either address
# from any source - including the Internet side of ppp0.  If SSH is only
# needed from the LAN, adding "-i eth0" (or a -s restriction) would narrow it.
test -n "$interface_eth0" && $IPTABLES -A OUTPUT -p tcp -d $interface_eth0 --destination-port 22 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -p tcp -d $interface_ppp0 --destination-port 22 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A INPUT -p tcp -d $interface_eth0 --destination-port 22 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p tcp -d $interface_ppp0 --destination-port 22 -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
# allow windows services
# SMB/CIFS, NetBIOS, RPC, Kerberos, LDAP and DNS to our addresses, restricted
# to private source ranges; together with the ppp0 anti-spoofing chain this
# means LAN only.  Rule 6 below accepts everything from the same ranges, so
# these rules are more specific than strictly needed.
test -n "$interface_eth0" && $IPTABLES -A INPUT -p tcp -m multiport -s 10.0.0.0/8 -d $interface_eth0 --destination-port 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p tcp -m multiport -s 10.0.0.0/8 -d $interface_ppp0 --destination-port 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A INPUT -p tcp -m multiport -s 192.168.0.0/16 -d $interface_eth0 --destination-port 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p tcp -m multiport -s 192.168.0.0/16 -d $interface_ppp0 --destination-port 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A INPUT -p tcp -m multiport -s 172.16.0.0/12 -d $interface_eth0 --destination-port 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p tcp -m multiport -s 172.16.0.0/12 -d $interface_ppp0 --destination-port 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A INPUT -p udp -m multiport -s 10.0.0.0/8 -d $interface_eth0 --destination-port 138,137,53,88 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p udp -m multiport -s 10.0.0.0/8 -d $interface_ppp0 --destination-port 138,137,53,88 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A INPUT -p udp -m multiport -s 192.168.0.0/16 -d $interface_eth0 --destination-port 138,137,53,88 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p udp -m multiport -s 192.168.0.0/16 -d $interface_ppp0 --destination-port 138,137,53,88 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A INPUT -p udp -m multiport -s 172.16.0.0/12 -d $interface_eth0 --destination-port 138,137,53,88 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A INPUT -p udp -m multiport -s 172.16.0.0/12 -d $interface_ppp0 --destination-port 138,137,53,88 -m state --state NEW -j ACCEPT
#
# Rule 3(global)
#
# allow dns service
# Outbound DNS queries (TCP and UDP) from our own addresses.
test -n "$interface_eth0" && $IPTABLES -A OUTPUT -p tcp -s $interface_eth0 --destination-port 53 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -p tcp -s $interface_ppp0 --destination-port 53 -m state --state NEW -j ACCEPT
test -n "$interface_eth0" && $IPTABLES -A OUTPUT -p udp -s $interface_eth0 --destination-port 53 -m state --state NEW -j ACCEPT
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -p udp -s $interface_ppp0 --destination-port 53 -m state --state NEW -j ACCEPT
#
# Rule 4(global)
#
# DHCP server for the LAN?
# Inbound DHCP (udp 67/68) from private ranges, addressed either to one of
# our interface addresses or to the limited broadcast address.
$IPTABLES -N Cid40BBAAC8.0
test -n "$interface_eth0" && $IPTABLES -A INPUT -d $interface_eth0 -m state --state NEW -j Cid40BBAAC8.0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -d $interface_ppp0 -m state --state NEW -j Cid40BBAAC8.0
$IPTABLES -N Cid40BBAAC8.1
$IPTABLES -A Cid40BBAAC8.0 -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAAC8.1
$IPTABLES -A Cid40BBAAC8.1 -s 10.0.0.0/8 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.1 -s 192.168.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.1 -s 172.16.0.0/12 -m state --state NEW -j ACCEPT
$IPTABLES -N Cid40BBAAC8.2
$IPTABLES -A INPUT -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAAC8.2
$IPTABLES -A Cid40BBAAC8.2 -s 10.0.0.0/8 -d 255.255.255.255 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.2 -s 192.168.0.0/16 -d 255.255.255.255 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAAC8.2 -s 172.16.0.0/12 -d 255.255.255.255 -m state --state NEW -j ACCEPT
#
# Rule 5(global)
#
# again DHCP
# Outbound DHCP from our own addresses to the private ranges.
$IPTABLES -N Cid40BBAADA.0
$IPTABLES -A OUTPUT -p udp -m multiport --destination-port 68,67 -m state --state NEW -j Cid40BBAADA.0
$IPTABLES -N Cid40BBAADA.1
test -n "$interface_eth0" && $IPTABLES -A Cid40BBAADA.0 -s $interface_eth0 -m state --state NEW -j Cid40BBAADA.1
test -n "$interface_ppp0" && $IPTABLES -A Cid40BBAADA.0 -s $interface_ppp0 -m state --state NEW -j Cid40BBAADA.1
$IPTABLES -A Cid40BBAADA.1 -d 10.0.0.0/8 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAADA.1 -d 192.168.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A Cid40BBAADA.1 -d 172.16.0.0/12 -m state --state NEW -j ACCEPT
#
# Rule 6(global)
#
# masquerading rfc-nets
# NOTE(review): this accepts ANY new connection from the private ranges, to
# this host and through it, with no interface or port restriction; the only
# thing keeping Internet traffic out is the ppp0 anti-spoofing chain above.
# Narrowing it to the LAN interface (-i eth0) and the needed ports would make
# the policy explicit rather than relying on rule order.
$IPTABLES -A INPUT -s 10.0.0.0/8 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 172.16.0.0/12 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 10.0.0.0/8 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 172.16.0.0/12 -m state --state NEW -j ACCEPT
#
# Rule 7(global)
#
# catch all
# Log and drop whatever reached the end of the built-in chains; the DROP
# policies set at the top would drop it anyway, this adds the log line.
$IPTABLES -N RULE_7
$IPTABLES -A OUTPUT -j RULE_7
$IPTABLES -A INPUT -j RULE_7
$IPTABLES -A FORWARD -j RULE_7
$IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
$IPTABLES -A RULE_7 -j DROP
#
# Left commented out: until IP forwarding is enabled here or elsewhere, the
# FORWARD and MASQUERADE rules above never see any traffic.
# echo 1 > /proc/sys/net/ipv4/ip_forward
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba