Hello Samba group, I have setup iptables on a Samba-3.0.8 member server (with one IP) in a native mode Active Directory domain.
Searching Samba list archives directs me to read http://www.netfilter.org documentation and doesn't attempt to describe the ports needed for Samba to function as a member server in native AD. I would appreciate any constructive feedback regarding whether these iptables rules look correct, or grant too much or too little. They do work, and they express my understanding of Samba server network communication.

## SAMBA RULES ##
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ANY='0.0.0.0/0'

# RPC mapper
iptables -A INPUT -s $ANY -p udp --dport 135 -j ACCEPT

# NetBIOS Name Service (nbname)/Datagram Service (nbdatagram)
iptables -A INPUT -s $ANY -p udp --dport 137:138 -j ACCEPT

# NetBIOS Session Service (nbsession)
iptables -A INPUT -s $ANY -p tcp --dport 139 -j ACCEPT

# TCP Connection - establish 3-way handshake
iptables -A INPUT -s $ANY -p tcp --dport 445 -j ACCEPT

# Kerberos V5 communication <2K Packets
iptables -A INPUT -p udp -m udp --dport 88 -j ACCEPT

# Kerberos V5 communication >2K Packets
iptables -A INPUT -p tcp -m tcp --dport 88 -j ACCEPT

# NTP communication, for Kerberos V5 tickets?
iptables -A INPUT -s $ANY -p udp --dport 123 -j ACCEPT

Note: Limiting the OUTPUT rules kills communications to the KDC, so I left it open.

--
._____________________.
| \0/ John Stile |
| UniX Administration |
| / \ 510-305-3800 |
| [EMAIL PROTECTED] |
.---------------------.
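A variant of the rule set above, added here as an example and not part of the original post: it keeps the same Samba ports but scopes the client-facing INPUT rules to the domain subnet instead of 0.0.0.0/0, and adds a connection-tracking rule so replies to connections the server itself opens (Kerberos, NTP, RPC) are accepted, which lets OUTPUT default to DROP with explicit rules toward the DC. The subnet 192.0.2.0/24, the DC address 192.0.2.10 and the LDAP/DNS lines are assumptions; the script prints the rules rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example: generate a scoped, stateful iptables rule set for a Samba
# AD member server. Prints the rules; apply with `samba_rules | sh` as root.
# Assumed values (replace with your own):
DOMAIN_NET="${DOMAIN_NET:-192.0.2.0/24}"   # constructed: AD client subnet
DC_IP="${DC_IP:-192.0.2.10}"               # constructed: domain controller

samba_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback, and replies to connections this host opened (KDC, NTP, RPC, LDAP)
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# services this member server offers, only to the domain network
iptables -A INPUT -s $DOMAIN_NET -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -s $DOMAIN_NET -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s $DOMAIN_NET -p tcp --dport 445 -j ACCEPT
# traffic this member server initiates toward the DC
iptables -A OUTPUT -d $DC_IP -p udp --dport 88 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p tcp --dport 88 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p tcp --dport 135 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p udp --dport 137:138 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p tcp --dport 139 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p tcp --dport 445 -j ACCEPT
# assumed, not in the original post: winbind also needs LDAP and DNS to the DC
iptables -A OUTPUT -d $DC_IP -p tcp --dport 389 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p udp --dport 389 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d $DC_IP -p tcp --dport 53 -j ACCEPT
EOF
}

# Review helpers: how many INPUT ACCEPT rules are still open to any source,
# and whether the stateful reply rule is present.
wide_open_input_rules() {
    samba_rules | grep -c '^iptables -A INPUT -s 0\.0\.0\.0/0' || true
}
has_state_rule() {
    samba_rules | grep -q 'ctstate ESTABLISHED,RELATED'
}
```

Run `samba_rules` alone to inspect the output, then `iptables -L -n -v` after applying it to confirm the counters move on the expected rules.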
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba