Re: [Samba] Samba4 and iptables

[email protected] Wed, 16 Feb 2011 07:54:19 -0800

Hello List-Members,

I working still on a perfect firewall-configuration for a Samba4-AD, butit seems to be a tricky work. Maybe somebody have any idea about my fail.

When I set back the firewall-rules, all is working perfect. Thenetwork-devices will be connected and I can work with dsa.msc . But itfails with following rules:


Chain INPUT (policy DROP)
target     prot opt source               destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHEDACCEPT icmp -- 192.168.0.0/24 192.168.0.2 icmp type 8state NEW

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

ACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:53state NEW,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:53state NEW,RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:88state NEW,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:88state NEW,RELATED,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:123state NEW,RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:135state NEW,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:137state NEW,RELATED,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:138state NEW,RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:139state NEW,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:389state NEW,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:389state NEW,RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:445state NEW,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:445state NEW,RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:464state NEW,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udp dpt:464state NEW,RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:636state NEW,ESTABLISHEDACCEPT tcp -- 192.168.0.0/24 192.168.0.2 tcpdpts:1024:65535 state NEW,ESTABLISHEDACCEPT udp -- 192.168.0.0/24 192.168.0.2 udpdpts:1024:65535 state NEW,RELATED,ESTABLISHED


Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateNEW,RELATED,ESTABLISHED

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

ACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:53state ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:53state RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:88state ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:88state RELATED,ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:123state RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:135state ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:137state RELATED,ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:138state RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:139state ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:389state ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:389state RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:445state ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:445state RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:464state ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udp spt:464state RELATED,ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcp spt:636state ESTABLISHEDACCEPT tcp -- 192.168.0.2 192.168.0.0/24 tcpspts:1024:65535 state ESTABLISHEDACCEPT udp -- 192.168.0.2 192.168.0.0/24 udpspts:1024:65535 state RELATED,ESTABLISHED

I think I have noted all important ports by the documentations. Yourwill see, that I have opened the ports 1024:65535 for the local network,so I guess, that I have to open a additional port between 1 and 1023 !?Maybe I have a fail with the state-Rules?? If I not set --sport and--dport for the clients, so I believe, that the clients can use theports 1:65535 ??


Best regards

Bert



Am 14.02.2011 22:30, schrieb [email protected]:

... I found a very interesting thread -><http://art.ubuntuforums.org/showthread.php?p=9599313>


Regards

Bert


Am 14.02.2011 22:05, schrieb [email protected]:

Hello tms3 and list-members,
many thanks for your help. I spend a lot of time to configure myfirewall.
I opened all here<http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx> listedports, but at the first time without success. I don't know why, butthe port 1024

That's a DCOM port. I wouldn't have thought that one was necessary.Maybe a question as to why on technical is in order.

seems to be very important. I found this port step by step with lessand less port-ranges.


After I had opened this port I was able to logon the domain.

netstat give me following result:

...

tcp 0 0 0.0.0.0:464 0.0.0.0:*LISTEN 1361/samba

...

tcp 0 0 192.168.0.1:53 0.0.0.0:*LISTEN 1183/named

...

tcp 0 0 0.0.0.0:88 0.0.0.0:*LISTEN 1361/samba

...

tcp 0 0 127.0.0.1:953 0.0.0.0:*LISTEN 1183/namedtcp 0 0 0.0.0.0:636 0.0.0.0:*LISTEN 1356/sambatcp 0 0 0.0.0.0:445 0.0.0.0:*LISTEN 1343/samba

...

tcp 0 0 0.0.0.0:1024 0.0.0.0:*LISTEN 1346/sambatcp 0 0 0.0.0.0:3268 0.0.0.0:*LISTEN 1356/sambatcp 0 0 0.0.0.0:389 0.0.0.0:*LISTEN 1356/sambatcp 0 0 0.0.0.0:135 0.0.0.0:*LISTEN 1346/sambatcp 0 0 0.0.0.0:139 0.0.0.0:*LISTEN 1343/samba

I tested this with one winxp-client and tomorrow I will start a testwith more clients.

I hope this will somebody help to make the server a litte bit moresecured.



Regards

Bert




Am 10.02.2011 15:53, schrieb [email protected]:




        Hello everybody,

        I have a running an installation of Samba4 as AD. All is
        working fine,
        but when I start the firewall, the clients have problems to
        login.

        By my firewall-rules from the past, I had opened the ports
        137:139 and
        445 for samba and new for bind the port 53.

    Kerberos is on port 88

    LDAP is on 339 636

    Here is a list of AD port requirements and their uses.

    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx




        The clients (WinXP) seems to have problems to read and write
        from/to the
        home directories. Maybe samba4 need additional or other ports
        to working
        fine?

        Here my current iptables-rules:

        IPTABLES=/sbin/iptables

        #Bind
        $IPTABLES -A INPUT -p tcp --dport 53 -m state --state
        NEW,ESTABLISHED -j
        ACCEPT;
        $IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state
        ESTABLISHED -j
        ACCEPT;

        $IPTABLES -A INPUT -p udp --dport 53 -m state --state
        NEW,ESTABLISHED -j
        ACCEPT;
        $IPTABLES -A OUTPUT -p udp --sport 53 -m state --state
        ESTABLISHED -j
        ACCEPT;

        #Samba
        $IPTABLES -A INPUT -p udp --dport 137:139 -m state --state
        NEW,ESTABLISHED,RELATED -j ACCEPT;
        $IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state
        ESTABLISHED,RELATED -j ACCEPT;

        $IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state
        NEW,ESTABLISHED,RELATED -j ACCEPT;
        $IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state
        ESTABLISHED,RELATED -j ACCEPT;

        $IPTABLES -A INPUT -p udp --dport 445 -m state --state
        NEW,ESTABLISHED,RELATED -j ACCEPT;
        $IPTABLES -A OUTPUT -p udp --sport 445 -m state --state
        ESTABLISHED,RELATED -j ACCEPT;

        $IPTABLES -A INPUT -p tcp --dport 445 -m state --state
        ESTABLISHED,RELATED -j ACCEPT;
        $IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state
        ESTABLISHED,RELATED -j ACCEPT;


        iptables --list

        ACCEPT tcp -- anywhere anywhere tcp
        spt:domain state ESTABLISHED
        ACCEPT udp -- anywhere anywhere udp
        spt:domain state ESTABLISHED
        ACCEPT udp -- anywhere anywhere udp
        spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
        ACCEPT tcp -- anywhere anywhere tcp
        spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
        ACCEPT udp -- anywhere anywhere udp
        spt:microsoft-ds state RELATED,ESTABLISHED
        ACCEPT tcp -- anywhere anywhere tcp
        spt:microsoft-ds state RELATED,ESTABLISHED

Note! I have the profiles configured with server-copies fromthe

        home-directorys! That's the reason for the necessary
        read-/write-possibility. When I login with a client, so the
        client look
        for the server-home-directory. When a client logout, the client
        synchronizes the local-home-directory to the ad-server.
        Without the
        running firewall on the AD it's work perfect. With the runnig
        firewall I
        get the message on login, that the client can't read the
        home-directory
        and when I logout, that the client can't synchronize the
        home-directory.
        The domain-login is always successful.

        Thanks in advance!

        Bert

-- To unsubscribe from this list go to the followingURL and

        read the
        instructions: https://lists.samba.org/mailman/options/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba4 and iptables

Reply via email to