iptables rules to allow nautilus samba access

Bill Tangren bjt at aa.usno.navy.mil
Thu Jul 28 16:53:46 UTC 2005


Will McDonald wrote:
> On 28/07/05, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
> 
> 
>>They are applied on the samba server. I can get to the samba server from
>>a Windoze box. That was never a problem. What IS a problem is getting to
>>the Windoze box from the samba box. That's what I am trying to get help
>>with.
> 
> 
> Ah, sorry, should've paid a little more attention. :) 
> 
> As we found, we needed the following incoming ports.
> 
> 137/udp
> 138/udp
> 139/tcp
> 445/tcp
> 
> I assume you'd need to allow traffic out from the SMB server to these
> destination ports on the windows box. How restrictive are you being on
> outbound traffic from the host? What do your OUTPUT or
> tcp_outbound/udp_outbound chains look like?
> 
> Assuming you're not (statefully) allowing anything and everything out
> from the Samba server by default (a reasonable assumption given it
> works without the firewall in place and doesn't when it is) I imagine
> you'd want to see something like...
> 
> Chain OUTPUT (policy DROP)
> ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:137 state NEW
> ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:138 state NEW
> ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:139 state NEW
> ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:445 state NEW
> 
> Depending on exactly how you generate your rules something like...
> 
> $IPTABLES -A OUTPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
> 
> ... might do it for you.
> 
> Will.
> 
I'm not stopping anything outbound. I'm the only one with an account on 
this box:

Chain up_outbound (0 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0

Chain tcp_outbound (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0

My original post indicated that nautilus was using high level ports 
(>32800) to talk to the Windows boxes. I think the problem is there, but 
I don't know how to get it to specify a specific range or to not use 
those ranges at all.

Bill




More information about the redhat-list mailing list