iptables rules to allow nautilus samba access
Bill Tangren
bjt at aa.usno.navy.mil
Thu Jul 28 16:53:46 UTC 2005
Will McDonald wrote:
> On 28/07/05, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
>
>>They are applied on the samba server. I can get to the samba server from
>>a Windoze box. That was never a problem. What IS a problem is getting to
>>the Windoze box from the samba box. That's what I am trying to get help
>>with.
>
> Ah, sorry, should've paid a little more attention. :)
>
> As we found, we needed the following incoming ports.
>
> 137/udp
> 138/udp
> 139/tcp
> 445/tcp
>
> I assume you'd need to allow traffic out from the SMB server to these
> destination ports on the windows box. How restrictive are you being on
> outbound traffic from the host? What do your OUTPUT or
> tcp_outbound/udp_outbound chains like?
>
> Assuming you're not (statefully) allowing anything and everything out
> from the Samba server by default (a reasonable assumption given it
> works without the firewall in place and doesn't when it is) I imagine
> you'd want to see something like...
>
> Chain OUTPUT (policy DROP)
> ACCEPT udp -- anywhere $windowsbox udp dpt:137 state NEW
> ACCEPT udp -- anywhere $windowsbox udp dpt:138 state NEW
> ACCEPT tcp -- anywhere $windowsbox tcp dpt:139 state NEW
> ACCEPT tcp -- anywhere $windowsbox tcp dpt:445 state NEW
>
> Depending on exactly how you generate your rules something like...
>
> $IPTABLES -A OUTPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
>
> ... might do it for you.
>
> Will.
>
I'm not stopping anything outbound. I'm the only one with an account on
this box:
Chain up_outbound (0 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
Chain tcp_outbound (0 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
My original post indicated that nautilus was using high level ports
(>32800) to talk to the Windows boxes. I think the problem is there, but
I don't know how to get it to specify a specific range or to not use
those ranges at all.
Bill
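An added example, not from either poster: a small sh function that emits a complete stateful ruleset along the lines Will sketched, restricted to a single Windows box. The address 192.0.2.10 is a constructed placeholder; with the default command it only prints the rules, so it can be reviewed before being applied with a real iptables path.

```shell
#!/bin/sh
# Added example (not from the thread): build a minimal stateful ruleset that
# lets a Samba/Linux host open SMB sessions to one Windows box and nothing else.
# Usage: smb_client_rules <windows-ip> [iptables-command]
# With the default "echo iptables" it is a dry run and only prints the rules.

smb_client_rules() {
    winbox="$1"                      # constructed address when run below
    ipt="${2:-echo iptables}"

    # Default deny in both directions; loopback is always allowed.
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -A INPUT  -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # Return traffic for connections this host opened. The replies from the
    # Windows box come back to the ephemeral source port (above 32768) that
    # nautilus picked; conntrack classifies them as ESTABLISHED, so no inbound
    # high-port range needs to be opened explicitly.
    $ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New SMB/CIFS sessions only to the named Windows box, nowhere else.
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        proto="${spec%%:*}"
        port="${spec##*:}"
        $ipt -A OUTPUT -p "$proto" -d "$winbox" --dport "$port" \
             -m state --state NEW -j ACCEPT
    done

    # Log (rate-limited) what the OUTPUT policy is about to drop, so a blocked
    # port shows up in the kernel log instead of as a silent nautilus timeout.
    $ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
}

# Dry run with a constructed address; pass "/sbin/iptables" as the second
# argument (as root) to actually load the rules.
smb_client_rules 192.0.2.10
```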