Hesham S. Ahmed wrote:
Try adding the following rule before deny:

/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Replace eth0 with your interface. This would let your firewall accept any pre-established connections, required for most cases where replies are sent to random ports.

--- Justin Georgeson wrote:

> No change, interestingly enough, iptables says --cport is unknown
> without -m, and I don't see mention of what -m does in the man page. I
> have version 1.2.6a-2 of iptables, packaged by RedHat. Looking at
> tcpdump, the netbios-ns reply packets from the server are being dropped
> by my firewall. Having discovered that, I've found that I can mount a
> file share by IP with my current rules. I just can't do netbios-ns or
> netbios-dgm. Here is the full results of iptables-save
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
> -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
> -A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --syn -j REJECT
> -A INPUT -p udp -m udp -j REJECT
> COMMIT
>
> How can I allow the reply packets, since they're addressed to a randomly
> selected port?
>
> James Hubbard wrote:
>
>> This depends on how restrictive your firewall rules are but why don't
>> you just use this:
>>
>> -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
>> -A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
>>
>> I'm not sure what the -m stands for. You'll need to change eth0 to
>> match your internal ethernet card. Make sure you insert this before the
>> reject rules.
>>
>> James Hubbard
>>
>> Justin Georgeson wrote:
>>
>>> Ok, so I know from `netstat --ip -lnp` that the only ports smbd and nmbd
>>> are using are TCP 139, and UDP 137 and 138. I find it a little odd
>>> though that nmbd is bound to both 0.0.0.0 AND my primary interface. My
>>> problem is that I can't access shares on a windows machine unless I turn
>>> off my firewall. I'm using RH 8 and the 2.2.6-2 RPMs from the web page
>>> (working fine so far, barring this firewall thing). I have these rules
>>> added in iptables
>>>
>>> -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
>>> -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
>>> -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
>>>
>>> tcpdump shows ports TCP 139 and UDP 137 being accessed when I run
>>> findsmb. But nothing is listed when I do. If I turn off my firewall, the
>>> other machine on the LAN, my windows box, is listed. What am I missing?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main 713.329.9330
Fax 713.460.4051
Mobile 512.789.1962
5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)
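Added example, not code posted by anyone in this thread: a small shell check, meant to be fed iptables-save output, for the fix Hesham describes. It passes only when the INPUT chain accepts ESTABLISHED,RELATED traffic somewhere ahead of the first REJECT or DROP rule, which is where the stateful rule has to sit for the random-port netbios replies to get through. The three rulesets inside are constructed samples, trimmed from the one Justin posted (the DHCP and DNS lines are left out); eth0 is assumed to be the LAN interface.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an iptables-save dump for a
# stateful ACCEPT in INPUT that precedes the catch-all REJECT/DROP rules.

# Constructed sample: Justin's ruleset as posted (trimmed). Replies from a
# server's UDP 137 to the random port nmbd picked hit the final UDP REJECT.
original_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# Constructed sample: same ruleset with Hesham's rule inserted before the
# REJECT rules (eth0 assumed). Connection tracking now lets replies in.
fixed_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
COMMIT
EOF
}

# Constructed sample of the ordering mistake: the right rule appended with
# -A after the REJECTs. iptables stops at the first terminating target, so
# the stateful rule is never reached and the firewall behaves as before.
misplaced_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Reads an iptables-save dump on stdin. Exit 0 when the INPUT chain has an
# ESTABLISHED(,RELATED) ACCEPT (state or conntrack match) before any
# REJECT/DROP in that chain, exit 1 otherwise.
stateful_accept_precedes_reject() {
  awk '
    /^-A INPUT / && /-m (state|conntrack)/ && /ESTABLISHED/ && /-j ACCEPT/ {
      if (!blocked) found = 1
    }
    /^-A INPUT / && /-j (REJECT|DROP)/ { blocked = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Demo over the three constructed samples; on a live box you would instead
# run: iptables-save | stateful_accept_precedes_reject
for rs in original_ruleset misplaced_ruleset fixed_ruleset; do
  if $rs | stateful_accept_precedes_reject; then
    echo "$rs: ok, replies to unsolicited ports are accepted"
  else
    echo "$rs: replies to random ports will be rejected"
  fi
done
```

The check deliberately keys on the match module and the ESTABLISHED keyword rather than on a literal copy of Hesham's line, so it also recognises the newer "-m conntrack --ctstate" spelling and rules that are not tied to eth0.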
