Hello tms3 and list-members,
many thanks for your help. I spent a lot of time configuring my firewall.
I opened all ports listed here
<http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx>
but at first without success. I don't know why,
but port 1024 seems to be very important. I found this port step by
step with smaller and smaller port ranges.
After I had opened this port I was able to log on to the domain.
netstat gives me the following result:
...
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 1361/samba
...
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 1183/named
...
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 1361/samba
...
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1183/named
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1343/samba
...
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1346/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 1346/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1343/samba
I tested this with one WinXP client and tomorrow I will start a test
with more clients.
I hope this will help somebody to make the server a little bit more secure.
Regards
Bert
On 10.02.2011 15:53, [email protected] wrote:
Hello everybody,
I have a running installation of Samba4 as AD. All is working fine,
but when I start the firewall, the clients have problems logging in.
In my firewall rules from the past, I had opened the ports 137:139 and
445 for samba and, new for bind, port 53.
Kerberos is on port 88
LDAP is on 339 636
Here is a list of AD port requirements and their uses.
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
The clients (WinXP) seem to have problems reading from and writing to the
home directories. Maybe samba4 needs additional or other ports to work
fine?
Here are my current iptables rules:
IPTABLES=/sbin/iptables
#Bind
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#Samba
$IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --list
ACCEPT tcp -- anywhere anywhere tcp spt:domain state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:microsoft-ds state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds state RELATED,ESTABLISHED
Note! I have the profiles configured with server copies of the
home directories! That's the reason for the necessary
read/write access. When I log in with a client, the client looks
for the server home directory. When a client logs out, the client
synchronizes the local home directory to the AD server. Without the
running firewall on the AD it works perfectly. With the running firewall I
get the message on login that the client can't read the home directory,
and on logout that the client can't synchronize the home directory.
The domain login is always successful.
Thanks in advance!
Bert
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
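Bert found port 1024 by narrowing port ranges by hand. His netstat listing shows why it matters: the same samba process (pid 1346) listens on 135, the DCE-RPC endpoint mapper, and on 1024, the port the mapper hands out for the RPC services a domain logon needs (Samba 4 sets it with the smb.conf option "rpc server port", which defaults to 1024). That port is not in the Technet list, so a rule set copied from the list misses it. The script below is an added example, not code from either message in this thread: it derives the INPUT rules from what the DC actually listens on, using Bert's netstat excerpt embedded as constructed sample input (NETSTAT_SAMPLE, to be replaced with live `netstat -lntp` output in practice). It skips sockets bound to 127.0.0.1 such as named's rndc port 953, which must not be opened to the network, and it replaces the per-port OUTPUT/ESTABLISHED rules from the original post with one ESTABLISHED,RELATED rule. The UDP port list, the loopback rule and the helper names are my additions; the UDP ports are taken from the linked Technet list and are not shown by a TCP-only netstat.

```shell
#!/bin/sh
# Added example (not from the thread): build Samba4 AD DC firewall rules from the
# ports the DC really listens on rather than from a static list.
# NETSTAT_SAMPLE is Bert's posted `netstat` excerpt, embedded as constructed sample
# input; in production replace it with the output of `netstat -lntp`.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 1361/samba
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 1183/named
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 1361/samba
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1183/named
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1343/samba
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1346/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1356/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 1346/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1343/samba'

# UDP services the clients need that a TCP-only netstat excerpt cannot show.
# Assumed from the linked Technet list: DNS, Kerberos, NetBIOS name/datagram, CLDAP.
UDP_PORTS="53 88 137 138 389"

# listening_ports PROG: TCP ports PROG listens on for non-loopback addresses,
# numerically sorted and space separated. Loopback-only sockets such as
# 127.0.0.1:953 (rndc) are skipped: they are reachable locally and must not
# be opened to the network.
listening_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v prog="$1" '
        $1 == "tcp" && $6 == "LISTEN" && $4 !~ /^127\./ && $7 ~ ("/" prog "$") {
            n = split($4, a, ":"); print a[n]
        }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# emit_rules: print the iptables commands instead of running them, so the result
# can be reviewed (and an SSH rule added) before it is piped to sh. One
# ESTABLISHED,RELATED rule covers all return traffic; only NEW connections need a
# per-port rule, and port 1024 is picked up from netstat like every other port.
# The INPUT chain policy is deliberately left to the caller.
emit_rules() {
    iptables=${IPTABLES:-/sbin/iptables}
    echo "$iptables -A INPUT -i lo -j ACCEPT"
    echo "$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $(listening_ports named) $(listening_ports samba); do
        echo "$iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "$iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
}

emit_rules
```

Run it once against the real netstat output whenever Samba is upgraded: if a newer build moves the RPC services to another port, the generated rules follow, whereas a hard-coded 1024 would silently break domain logons again.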