iptables rules to allow nautilus samba access

Will McDonald wmcdonald at gmail.com
Thu Jul 28 20:40:03 UTC 2005


On 28/07/05, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
> Will McDonald wrote:
> > On 28/07/05, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
> >
> >
> >>They are applied on the samba server. I can get to the samba server from
> >>a Windoze box. That was never a problem. What IS a problem is getting to
> >>the Windoze box from the samba box. That's what I am trying to get help
> >>with.
> >
> >
> > Ah, sorry, should've paid a little more attention. :)
> >
> > As we found, we needed the following incoming ports.
> >
> > 137/udp
> > 138/udp
> > 139/tcp
> > 445/tcp
> >
> > I assume you'd need to allow traffic out from the SMB server to these
> > destination ports on the windows box. How restrictive are you being on
> > outbound traffic from the host? What do your OUTPUT or
> > tcp_outbound/udp_outbound chains look like?
> >
> > Assuming you're not (statefully) allowing anything and everything out
> > from the Samba server by default (a reasonable assumption given it
> > works without the firewall in place and doesn't when it is) I imagine
> > you'd want to see something like...
> >
> > Chain OUTPUT (policy DROP)
> > ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:137 state NEW
> > ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:138 state NEW
> > ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:139 state NEW
> > ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:445 state NEW
> >
> > Depending on exactly how you generate your rules something like...
> >
> > $IPTABLES -A OUTPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
> > $IPTABLES -A OUTPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
> >
> > ... might do it for you.
> >
> > Will.
> >
> I'm not stopping anything outbound. I'm the only one with an account on
> this box:
> 
> Chain up_outbound (0 references)
> target     prot opt source               destination
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain tcp_outbound (0 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
> 
> My original post indicated that nautilus was using high level ports
> (>32800) to talk to the Windows boxes. I think the problem is there, but
> I don't know how to get it to specify a specific range or to not use
> those ranges at all.

Hmm, OK then, does this inward bound source port approach help...

https://lists.netfilter.org/pipermail/netfilter/2002-March/032383.html

Will.

(Or anything else enlightening from searches like...

http://www.google.co.uk/search?hl=en&safe=off&q=iptables+samba+high+ports&meta=
)
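The two approaches Will mentions (stateful matching for replies to connections the Samba box opens itself, and the "inward bound source port" trick for NetBIOS replies to broadcast queries) can be combined in one rule set. The script below is an added illustration, not something posted in this thread or shipped with Samba or netfilter; the LAN range, the `IPTABLES` variable and the function name are assumptions. It prints the rules rather than applying them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example: generate iptables rules for a Samba host that also acts as
# an SMB client (e.g. nautilus browsing Windows shares). Nothing here is
# applied; the rules are printed for review.

LAN="${LAN:-192.168.1.0/24}"        # assumption: subnet where the Windows boxes live
IPTABLES="${IPTABLES:-iptables}"    # assumption: iptables binary or wrapper variable

# smb_client_rules LAN_CIDR
# Emits, in order:
#  1. a stateful INPUT rule, so replies to connections this box opened come
#     back regardless of which high (>32768) source port the kernel chose;
#  2. OUTPUT rules for NEW NetBIOS/SMB connections to the LAN only;
#  3. INPUT rules accepting UDP 137/138 by *source* port from the LAN, which
#     covers answers to NetBIOS broadcast queries that connection tracking
#     cannot pair with the outgoing broadcast.
smb_client_rules() {
    lan="$1"

    echo "$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for spec in "udp 137" "udp 138" "tcp 139" "tcp 445"; do
        set -- $spec   # $1 = protocol, $2 = destination port
        echo "$IPTABLES -A OUTPUT -p $1 -d $lan --dport $2 -m state --state NEW -j ACCEPT"
    done

    # Source-port matching is only as trustworthy as the hosts on the LAN
    # (any host can send from port 137), hence the -s restriction.
    for port in 137 138; do
        echo "$IPTABLES -A INPUT -p udp -s $lan --sport $port -j ACCEPT"
    done
}

smb_client_rules "$LAN"
```

Run it with `LAN=10.0.0.0/24 sh smb-rules.sh` to see the rules for a different subnet; piping the output to `sh` applies them. Keeping the OUTPUT rules scoped to the LAN and the source-port rules scoped to both the LAN and UDP is what limits the exposure of the source-port approach.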



