Samba help

Rick Stevens rstevens at vitalstream.com
Fri Jan 9 02:16:58 UTC 2004


dalen wrote:
>> Knowing less about iptables than smb.conf and based on what I found in 
>> the existing /etc/sysconfig/iptables, I added these two lines:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137:139 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
>>
>> Are these the entries I _should_ add to iptables?
>>
>> Thanks!
>>
>> Andrew Robinson
> 
> 
> Andrew,
>     Like you, I know little about iptables.  I googled and found that 
> smb needs port 137-139 (basic smb) and 445 (for win2k clients IIRC). 
> Initially, I set up the firewall for ssh only and noticed the following 
> line...
> 
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> 
> Using this as an example, I duplicated the above line for each 
> port/protocol I needed as shown below.
> 
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
> 
> This may be opening more ports/protocols than necessary and I may try to 
> research it and close unnecessary ports later.  Another option is to use 
> the redhat firewall script (I don't remember the name).  It basically 
> asks which ports or service name to open and updates the iptables config 
> file.
> 
> Dale

Those first 6 rules could be rewritten as two:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137:139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137:139 -j ACCEPT

Saves space and typing.  ;-)
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-          su -; find / -name someone -exec touch \{\} \;            -
-                          - The UNIX way of touching someone        -
----------------------------------------------------------------------
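As an added example (not code from anyone in this thread), the following POSIX shell function emits the Samba rules in the same /etc/sysconfig/iptables format the thread uses, going one step further than the two-rule version above: it opens only the protocol each service actually uses (NetBIOS name service 137 and datagram service 138 are UDP; NetBIOS session service 139 and SMB-over-TCP 445 are TCP) and limits the rules to a source subnet so the file shares are not exposed beyond the LAN. The function names `samba_rules` and `samba_rule_count`, the chain default, and the subnet `192.168.1.0/24` are assumptions for illustration; the subnet is a constructed placeholder to be replaced with the real LAN range.

```shell
#!/bin/sh
# Added example: generate the minimal Samba accept rules in iptables-save
# syntax, ready to paste into /etc/sysconfig/iptables on the hosts discussed
# in the thread. Function names, the chain default and the placeholder
# subnet below are assumptions, not taken from the thread.
#
# Port/protocol facts used here:
#   137/udp  NetBIOS name service
#   138/udp  NetBIOS datagram service
#   139/tcp  NetBIOS session service
#   445/tcp  SMB directly over TCP (Windows 2000 and later)

samba_rules() {
    chain=${1:-RH-Firewall-1-INPUT}   # chain name used by the RH firewall config
    lan=${2:-192.168.1.0/24}          # constructed placeholder: replace with the real LAN

    # UDP: name and datagram services, expressed as one port range
    printf '%s\n' "-A $chain -s $lan -m state --state NEW -m udp -p udp --dport 137:138 -j ACCEPT"
    # TCP: NetBIOS session service
    printf '%s\n' "-A $chain -s $lan -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT"
    # TCP: direct SMB over TCP
    printf '%s\n' "-A $chain -s $lan -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT"
}

# Sanity check before editing the firewall file: count the generated rules.
samba_rule_count() {
    samba_rules "$@" | grep -c -- '^-A '
}

# Stand-alone use: print the rules for the default chain and placeholder subnet.
samba_rules
```

Paste the printed lines into /etc/sysconfig/iptables ahead of the chain's final REJECT rule, then reload the firewall; if the output is reviewed first with `samba_rule_count`, a copy-and-paste that accidentally dropped a line is caught before the change goes live.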