Try adding the following rule before deny:

/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

replace eth0 with your interface. This would let your firewall accept any pre-established connections, required for most cases where replies are sent to random ports.

--- Justin Georgeson <[EMAIL PROTECTED]> wrote:
> No change, interestingly enough, iptables says --cport is unknown
> without -m, and I don't see mention of what -m does in the man page. I
> have version 1.2.6a-2 of iptables, packaged by RedHat. Looking at
> tcpdump, the netbios-ns reply packets from the server are being dropped
> by my firewall. Having discovered that, I've found that I can mount a
> file share by IP with my current rules. I just can't do netbios-ns or
> netbios-dgm. Here is the full results of iptables-save
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
> -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
> -A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --syn -j REJECT
> -A INPUT -p udp -m udp -j REJECT
> COMMIT
>
> How can I allow the reply packets, since they're addressed to a randomly
> selected port?
>
> James Hubbard wrote:
>
> > This depends on how restrictive your firewall rules are but why don't
> > you just use this:
> >
> > -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
> > -A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
> >
> > I'm not sure what the -m stands for. You'll need to change eth0 to
> > match your internal ethernet card. Make sure you insert this before the
> > reject rules.
> >
> > James Hubbard
> >
> > Justin Georgeson wrote:
> >
> > > Ok, so I know from `netstat --ip -lnp` that the only ports smbd and nmbd
> > > are using are TCP 139, and UDP 137 and 138. I find it a little odd
> > > though that nmbd is bound to both 0.0.0.0 AND my primary interface. My
> > > problem is that I can't access shares on a windows machine unless I turn
> > > off my firewall. I'm using RH 8 and the 2.2.6-2 RPMs from the web page
> > > (working fine so far, barring this firewall thing). I have these rules
> > > added in iptables
> > >
> > > -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
> > > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> > > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
> > >
> > > tcpdump shows ports TCP 139 and UDP 137 being accessed when I run
> > > findsmb. But nothing is listed when I do. If I turn off my firewall, the
> > > other machine on the LAN, my windows box, is listed. What am I missing?
> > >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
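The thread's core point is that the poster's rules only match by destination port, while the NetBIOS name-service reply is addressed to whatever ephemeral source port the local query used. The suggested fix, `-m state --state ESTABLISHED,RELATED` (`-m` loads an iptables match extension; here it is the connection-tracking state match), accepts a packet because it belongs to a flow the host itself started, regardless of port. The toy model below, added here as an illustration and not code from any of the list posts, replays the poster's INPUT chain against a NetBIOS query/reply exchange with and without that rule. The hosts 192.168.1.10 and 192.168.1.20, the ephemeral port 32768 and the unsolicited port 40000 are constructed sample values, and the DHCP/DNS lines of the original chain are omitted since they do not affect the outcome.

```python
"""Toy model of the INPUT chain from this thread, evaluated with and without
the '-m state --state ESTABLISHED,RELATED' rule from the reply.  Added
illustration only, not code from the list posts; the 192.168.1.10/.20 hosts
and the port numbers 32768 and 40000 are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP SYN flag; irrelevant for udp


@dataclass
class Rule:
    target: str                                 # "ACCEPT" or "REJECT"
    proto: Optional[str] = None                 # -p
    src: Optional[str] = None                   # -s, CIDR
    dport: Optional[Tuple[int, int]] = None     # --dport low:high
    syn: bool = False                           # --syn
    state: Optional[Set[str]] = None            # -m state --state ...

    def matches(self, pkt: Packet, ct_state: str) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.syn and not pkt.syn:
            return False
        if self.state is not None and ct_state not in self.state:
            return False
        return True


class Conntrack:
    """Minimal connection table: remembers locally originated flows so a
    reply (the reversed 5-tuple) is classified ESTABLISHED instead of NEW."""

    def __init__(self) -> None:
        self.flows = set()

    def note_outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state_of(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self.flows else "NEW"


def evaluate(chain: List[Rule], pkt: Packet, ct: Conntrack,
             policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in a real netfilter chain."""
    state = ct.state_of(pkt)
    for rule in chain:
        if rule.matches(pkt, state):
            return rule.target
    return policy


# The port-based rules from the poster's iptables-save (DHCP/DNS lines omitted).
STATELESS_CHAIN = [
    Rule("ACCEPT", proto="tcp", dport=(22, 22), syn=True),
    Rule("ACCEPT", proto="tcp", src="192.168.1.0/24", dport=(137, 139), syn=True),
    Rule("ACCEPT", proto="udp", src="192.168.1.0/24", dport=(137, 139)),
    Rule("REJECT", proto="tcp", syn=True),
    Rule("REJECT", proto="udp"),
]

# Same chain with the suggested state rule inserted ahead of the REJECT rules.
STATEFUL_CHAIN = [Rule("ACCEPT", state={"ESTABLISHED", "RELATED"})] + STATELESS_CHAIN


def netbios_ns_reply_verdict(chain: List[Rule]) -> str:
    """Our host queries the Windows box's UDP 137 from an ephemeral port;
    the reply comes back to that port, which no --dport 137:139 rule covers."""
    ct = Conntrack()
    query = Packet("udp", "192.168.1.10", 32768, "192.168.1.20", 137)
    ct.note_outbound(query)
    reply = Packet("udp", "192.168.1.20", 137, "192.168.1.10", 32768)
    return evaluate(chain, reply, ct)


def unsolicited_verdict(chain: List[Rule]) -> str:
    """An inbound UDP packet to a high port with no matching outbound flow:
    the state rule does not match it, so the chain still rejects it."""
    ct = Conntrack()
    stray = Packet("udp", "192.168.1.20", 137, "192.168.1.10", 40000)
    return evaluate(chain, stray, ct)


if __name__ == "__main__":
    print("reply, stateless chain:", netbios_ns_reply_verdict(STATELESS_CHAIN))
    print("reply, stateful chain: ", netbios_ns_reply_verdict(STATEFUL_CHAIN))
    print("unsolicited, stateful: ", unsolicited_verdict(STATEFUL_CHAIN))
```

Run as-is, the stateless chain rejects the name-service reply because it falls through to the final UDP REJECT, while the stateful chain accepts it; the third case shows that the state rule does not open the host to arbitrary inbound UDP, since a packet with no matching outbound flow is still NEW and still rejected. The model only tracks exact reversed 5-tuples, which is enough for UDP replies; real conntrack also handles RELATED traffic such as ICMP errors, which the toy does not attempt.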
