alfresco and iptables

Craig White craigwhite at azapple.com
Sun Dec 9 19:21:11 UTC 2007


On Sun, 2007-12-09 at 13:03 -0600, Les Mikesell wrote:
> Craig White wrote:
> 
> > #!/bin/sh
> > #
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > modprobe iptable_nat
> > iptables -F
> > iptables -t nat -F
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> > iptables -t nat -A PREROUTING -p tcp -d 192.168.3.8 --dport 445 \
> > -j REDIRECT --to-ports 1445
> > iptables -t nat -A PREROUTING -p tcp -d 192.168.3.8 --dport 139 \
> > -j REDIRECT --to-ports 1139
> > iptables -t nat -A PREROUTING -p udp -d 192.168.3.8 --dport 137 \
> > -j REDIRECT --to-ports 1137
> > iptables -t nat -A PREROUTING -p udp -d 192.168.3.8 --dport 138 \
> > -j REDIRECT --to-ports 1138
> > 
> > # smbclient -L 192.168.3.8
> > Error connecting to 192.168.3.8 (Connection refused)
> > Connection to 192.168.3.8 failed
> > 
> > # smbclient -L 192.168.3.8 -p 139
> > Error connecting to 192.168.3.8 (Connection refused)
> > Connection to 192.168.3.8 failed
> > 
> > # smbclient -L 192.168.3.8 -p 1139
> > Password:
> > Anonymous login successful
> > Domain=[TH] OS=[Java] Server=[Alfresco CIFS Server 3.5.1]
> > 
> >         Sharename       Type      Comment
> >         ---------       ----      -------
> > cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with
> > error NT_STATUS_BUFFER_TOO_SMALL
> >         Alfresco        Disk
> >         IPC$            IPC
> > Error connecting to 192.168.3.8 (Connection refused)
> > Connection to 192.168.3.8 failed
> > NetBIOS over TCP disabled -- no workgroup available
> > 
> > Same results either way... 
> 
> For each of the PREROUTING lines, add a matching OUTPUT entry like:
> 
> iptables -t nat -A PREROUTING -p tcp -d 192.168.3.8 --dport 445 \
>   -j REDIRECT --to-ports 1445
> iptables -t nat -A OUTPUT -p tcp -d 192.168.3.8 --dport 445 \
>   -j REDIRECT --to-ports 1445
----
The thing I can't figure out is why they don't show up...
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

even though I just executed...

#!/bin/sh
#
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -A PREROUTING -p tcp -d 192.168.3.8 --dport 445 \
-j REDIRECT --to-ports 1445
iptables -t nat -A PREROUTING -p tcp -d 192.168.3.8 --dport 139 \
-j REDIRECT --to-ports 1139
iptables -t nat -A PREROUTING -p udp -d 192.168.3.8 --dport 137 \
-j REDIRECT --to-ports 1137
iptables -t nat -A PREROUTING -p udp -d 192.168.3.8 --dport 138 \
-j REDIRECT --to-ports 1138

iptables -t nat -A OUTPUT -p tcp -d 192.168.3.8 --dport 445 \
-j REDIRECT --to-ports 1445
iptables -t nat -A OUTPUT -p tcp -d 192.168.3.8 --dport 139 \
-j REDIRECT --to-ports 1139
iptables -t nat -A OUTPUT -p udp -d 192.168.3.8 --dport 138 \
-j REDIRECT --to-ports 1138
iptables -t nat -A OUTPUT -p udp -d 192.168.3.8 --dport 137 \
-j REDIRECT --to-ports 1137

and just to make sure...
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sun Dec  9 12:18:09 2007
*filter
:INPUT ACCEPT [2739:198569]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2521:240751]
COMMIT
# Completed on Sun Dec  9 12:18:09 2007
# Generated by iptables-save v1.3.5 on Sun Dec  9 12:18:09 2007
*nat
:PREROUTING ACCEPT [39:5957]
:POSTROUTING ACCEPT [260:16668]
:OUTPUT ACCEPT [260:16668]
-A PREROUTING -d 192.168.3.8 -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
-A PREROUTING -d 192.168.3.8 -p tcp -m tcp --dport 139 -j REDIRECT --to-ports 1139
-A PREROUTING -d 192.168.3.8 -p udp -m udp --dport 137 -j REDIRECT --to-ports 1137
-A PREROUTING -d 192.168.3.8 -p udp -m udp --dport 138 -j REDIRECT --to-ports 1138
-A OUTPUT -d 192.168.3.8 -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
-A OUTPUT -d 192.168.3.8 -p tcp -m tcp --dport 139 -j REDIRECT --to-ports 1139
-A OUTPUT -d 192.168.3.8 -p udp -m udp --dport 138 -j REDIRECT --to-ports 1138
-A OUTPUT -d 192.168.3.8 -p udp -m udp --dport 137 -j REDIRECT --to-ports 1137
COMMIT
# Completed on Sun Dec  9 12:18:09 2007

At any rate, this hasn't changed anything ;-(

# smbclient -L 192.168.3.8 -p 445
Error connecting to 192.168.3.8 (Connection refused)
Connection to 192.168.3.8 failed

# smbclient -L 192.168.3.8 -p 139
Error connecting to 192.168.3.8 (Connection refused)
Connection to 192.168.3.8 failed

# smbclient -L 192.168.3.8 -p 1139
Password:
Anonymous login successful
Domain=[TH] OS=[Java] Server=[Alfresco CIFS Server 3.5.1]

        Sharename       Type      Comment
        ---------       ----      -------
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with
error NT_STATUS_BUFFER_TOO_SMALL
        Alfresco        Disk
        IPC$            IPC
Error connecting to 192.168.3.8 (Connection refused)
Connection to 192.168.3.8 failed
NetBIOS over TCP disabled -- no workgroup available
----
> 
> ...and please post a summary if you get this and the Staroffice/lucene 
> search working.
----
Sure - how about a separate thread?

Craig
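
Added example, not part of the original message: `iptables -L` without `-t` lists only the filter table, while REDIRECT rules live in the nat table (`iptables -t nat -L -n`). The script below reads the iptables-save dump from the message (constructed sample, mail-wrapped lines rejoined), counts rules per table, and checks that every PREROUTING redirect has the matching OUTPUT rule suggested in the quoted reply; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: the iptables-save dump from the message above,
# with the mail-wrapped rule lines rejoined.
DUMP='*filter
:INPUT ACCEPT [2739:198569]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2521:240751]
COMMIT
*nat
:PREROUTING ACCEPT [39:5957]
:POSTROUTING ACCEPT [260:16668]
:OUTPUT ACCEPT [260:16668]
-A PREROUTING -d 192.168.3.8 -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
-A PREROUTING -d 192.168.3.8 -p tcp -m tcp --dport 139 -j REDIRECT --to-ports 1139
-A PREROUTING -d 192.168.3.8 -p udp -m udp --dport 137 -j REDIRECT --to-ports 1137
-A PREROUTING -d 192.168.3.8 -p udp -m udp --dport 138 -j REDIRECT --to-ports 1138
-A OUTPUT -d 192.168.3.8 -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
-A OUTPUT -d 192.168.3.8 -p tcp -m tcp --dport 139 -j REDIRECT --to-ports 1139
-A OUTPUT -d 192.168.3.8 -p udp -m udp --dport 138 -j REDIRECT --to-ports 1138
-A OUTPUT -d 192.168.3.8 -p udp -m udp --dport 137 -j REDIRECT --to-ports 1137
COMMIT'

# rules_in_table TABLE: print the -A lines inside the "*TABLE" ... COMMIT section.
rules_in_table() {
    printf '%s\n' "$DUMP" | awk -v t="*$1" '
        /^\*/      { cur = $0; next }
        /^COMMIT$/ { cur = ""; next }
        cur == t && /^-A / { print }'
}

# count_rules TABLE: number of rules in that table.
count_rules() {
    rules_in_table "$1" | awk 'END { print NR }'
}

# unmatched_prerouting: PREROUTING redirects with no identical OUTPUT rule
# (locally generated packets skip PREROUTING and traverse nat OUTPUT instead).
unmatched_prerouting() {
    rules_in_table nat | awk '
        { chain = $2; body = $0; sub(/^-A [A-Z]+ /, "", body) }
        chain == "OUTPUT"     { out[body] = 1 }
        chain == "PREROUTING" { pre[++n] = body }
        END { for (i = 1; i <= n; i++) if (!(pre[i] in out)) print pre[i] }'
}

echo "filter rules: $(count_rules filter)"
echo "nat rules:    $(count_rules nat)"
echo "PREROUTING redirects lacking an OUTPUT twin: $(unmatched_prerouting | wc -l)"
```

On a live host, replace the embedded dump with the output of `iptables-save` (run as root) to apply the same checks to the loaded ruleset.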