Samba and Firewall
Bob Chiodini
rchiodin at bellsouth.net
Mon Mar 7 13:55:33 UTC 2005
On Mon, 2005-03-07 at 08:41 -0500, Bob Chiodini wrote:
> On Mon, 2005-03-07 at 20:06 +0800, Shu Hung (Koala) wrote:
> > How do I turn on logging in iptables?
> >
> > Koala
> >
> > Bob Chiodini wrote:
> >
> > >On Mon, 2005-03-07 at 12:52 +0800, Shu Hung (Koala) wrote:
> > >
> > >
> > >>Hello
> > >>I've been working on a Samba machine for a while.
> > >>Recently, I tried to turn on its firewall.
> > >>But my configuration to iptables is flawed somehow -- it is half right
> > >>and half wrong.
> > >>
> > >>Here is what I've done:
> > >> - I used system-config-securitylevel to config new ports to open
> > >> - I've opened ports 139:tcp, 445:tcp, 137:udp, 138:udp
> > >> - I restarted iptables to load up the configs.
> > >>
> > >>Here is the consequence right now:
> > >> - As I reboot my client PC, I cannot connect to samba shared folders --
> > >>unless I stop iptables first
> > >> - After I've connected to Samba once, I can connect to Samba as many
> > >>times as I want to -- even if I start iptables again.
> > >>
> > >>I guess one more port or something is responsible for the first
> > >>connection to the server.
> > >>Does anybody have any idea?
> > >>
> > >>--
> > >>
> > >>
> > >Try turning on logging in iptables, if it's not already.
> > >Check /var/log/messages to see what is being dropped, related to your
> > >client.
> > >
> > >Bob...
> > >
> > >
> > >
> >
> > --
> > Technical Support, DigitalOne Limited
> > Tel: 8100-2616 / 2545-1383
> > Fax: 2815-0593
> >
> >
> >
> >
>
> It depends on how you set up your firewall. man iptables and search for
> LOG. You have to add a LOG rule before your REJECT or DROP rules.
>
> Bob...
>
>
Sorry about the reply-to-self.
Another option: Open up your firewall and run ethereal to determine
what ports and protocols are hitting your server. Use "host <your IP>"
as the capture filter to cut down on spurious traffic.
I tried this here and did not see anything other than TCP port 139 and
UDP port 137.
Bob...
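The ordering rule Bob gives (a LOG rule has to sit before the REJECT or DROP rule, because a packet that reaches DROP is never seen again) and the follow-up of reading /var/log/messages are shown below in an added example script; it is not part of the thread and not anything the posters ran. The chain name SAMBA-IN, the client subnet 192.168.1.0/24, the "IPT-DROP " log prefix and the sample log lines are all constructed for the example. `samba_rules` only prints the iptables commands so they can be reviewed before being piped to `sh` as root; `dropped_summary` reads kernel LOG lines on stdin and counts them by source, protocol and destination port, which is exactly the view needed to spot the port that the first client connection is missing.

```shell
#!/bin/sh
# Added example, not from the fedora-list thread.
# 1. Samba rules with a rate-limited LOG rule placed BEFORE the final DROP.
# 2. A small summary of the resulting "IPT-DROP" kernel log lines.

# Print the iptables commands for review; apply with:  samba_rules | sh
# The client subnet is an assumption; pass your own as the first argument.
samba_rules() {
    lan="${1:-192.168.1.0/24}"   # assumed LAN, adjust to your network
    cat <<EOF
iptables -N SAMBA-IN
iptables -A INPUT -j SAMBA-IN
# NetBIOS name and datagram services (UDP 137/138) from the LAN only
iptables -A SAMBA-IN -s $lan -p udp -m multiport --dports 137,138 -j ACCEPT
# NetBIOS session (TCP 139) and SMB over TCP (445) from the LAN only
iptables -A SAMBA-IN -s $lan -p tcp -m multiport --dports 139,445 -j ACCEPT
# LOG must precede DROP: a packet that hits DROP is never logged afterwards.
# The limit keeps a chatty client from flooding /var/log/messages.
iptables -A SAMBA-IN -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP " --log-level 4
iptables -A SAMBA-IN -j DROP
EOF
}

# Read syslog lines on stdin, keep only the IPT-DROP ones, and print
# "SRC PROTO DPT count" with the most frequent first.
dropped_summary() {
    grep 'IPT-DROP' | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") print src, proto, dpt
    }' | sort | uniq -c | sort -rn | awk '{ print $2, $3, $4, $1 }'
}

# Constructed sample of what the LOG rule writes to /var/log/messages
# (field set trimmed to what the summary needs; MAC/TOS/TTL omitted).
SAMPLE_LOG='Mar  7 13:50:01 srv kernel: IPT-DROP IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  7 13:50:02 srv kernel: IPT-DROP IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  7 13:50:03 srv kernel: IPT-DROP IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=1054 DPT=445 WINDOW=65535 SYN
Mar  7 13:50:04 srv kernel: some unrelated message'

# Demonstration: show the rule set, then the summary of the sample log.
echo "# rules (review, then pipe to sh as root):"
samba_rules
echo "# dropped traffic by source/proto/port:"
printf '%s\n' "$SAMPLE_LOG" | dropped_summary
```

On a live machine the same summary comes from `grep IPT-DROP /var/log/messages | dropped_summary`; a line such as `192.168.1.20 UDP 137 2` showing up while the client is booting points at the port that still needs an ACCEPT rule, and once nothing is listed the firewall can go back to silent DROP if the log noise is unwanted.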