I should update this list with another port I discovered: 3268, TCP (MSFT-GC), used by the global catalog, an LDAP service to browse the AD forest. Found this with Wireshark when trying to add a new user from ADUC.
Stephen Jones
Lloyd Systems Engineering

----- Original message -----
From: Stephen Jones <[email protected]>
To: [email protected]
Subject: Re: [Samba] Samba4 on CentOS 6.3 - IPTABLES how-to???
Date: Tue, 27 Nov 2012 04:46:09 +1100

Hi,

Here is an extract from my post on installing Samba4 on CentOS6. I have iptables working - I used netstat and Wireshark to monitor the packets.

-----
The ports needed are:

53, TCP & UDP (DNS)
88, TCP & UDP (Kerberos authentication)
135, TCP (MS RPC)
137, UDP (NetBIOS name service)
138, UDP (NetBIOS datagram service)
139, TCP (NetBIOS session service)
389, TCP & UDP (LDAP)
445, TCP (MS-DS AD)
464, TCP & UDP (Kerberos change/set password)
1024, TCP (this is a strange one but AD is using it)

Add these to iptables:

# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -p tcp --dport 135 -j ACCEPT
# iptables -A INPUT -p tcp --dport 88 -j ACCEPT
# iptables -A INPUT -p udp --dport 88 -j ACCEPT
# iptables -A INPUT -p tcp --dport 464 -j ACCEPT
# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p udp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
-----

Looking at your rules, they are close to this. I believe it's the missing RPC (135) that's blocking RSAT.

Cheers,
Stephen Jones
Lloyd Systems Engineering

On Tue, Nov 27, 2012, at 12:39 AM, Andreas Krupp wrote:
> Hello,
>
> I do apologize if this is something that was already discussed somewhere
> else... but for now I was not able to find the appropriate How-To.
> Would anybody know what the IPTABLES entries are to have a working Samba4
> Domain Controller?
> I tried the following:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -p udp -m udp --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp --dport 138 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
>
> With the above I was not able to connect via remote Administration tools
> to the Active Directory Service.
> Does anybody have a comprehensive list of ports/protocols one has to
> "open" in IPTABLES to get DNS, Samba, Fileshares, Active Directory, etc.
> working?
>
> Cheers & thank you very much for your help!
> Best,
> Andreas
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
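As an added example (not code from the thread or from the Samba project), here is the port list above turned into a shell script that prints the iptables rules as a dry run (pipe the output to sh to apply them) and automates the netstat check Stephen describes: it reads a `netstat -lntu` listing and reports every listening socket the rules would still block. Assumptions not in the thread: the LAN CIDR (the thread's rules accept from any source; this one restricts to the domain subnet), the RPC dynamic port range, which is what the "strange" port 1024 belongs to (the endpoint mapper on 135 hands clients a port from that range, so pass the range your Samba version and smb.conf actually use), and the sample netstat output, which is constructed and deliberately includes 636 and 3269 (LDAP and global catalog over TLS), which the thread's list does not mention. The script also opens 464/udp, which the port list names but the rule block in the thread does not.

```shell
#!/bin/sh
# Added example: iptables rules for a Samba AD DC from the thread's port list,
# plus a check of a netstat listing against those rules.
# Assumptions (not from the thread): LAN_CIDR, the RPC dynamic port range
# ("rpc server dynamic port range" in smb.conf; port 1024 in the thread is one
# of these ports), and the constructed netstat sample below.

# Port list from the thread, plus 3268 from the follow-up and 464/udp, which
# the thread's list names but its rule block does not open.
SAMBA_DC_PORTS="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137/udp 138/udp 139/tcp
389/tcp 389/udp 445/tcp 464/tcp 464/udp 3268/tcp"

# samba_dc_rules LAN_CIDR RPC_DYN_RANGE  -> prints iptables commands (dry run)
samba_dc_rules() {
    lan="$1"
    dyn="$2"   # iptables range syntax, e.g. 1024:1300 or 49152:65535
    # Replies to connections the DC itself opened (DNS forwarding, replication).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for spec in $SAMBA_DC_PORTS; do
        port=${spec%/*}
        proto=${spec#*/}
        echo "iptables -A INPUT -s $lan -p $proto --dport $port -j ACCEPT"
    done
    # Without the dynamic range, RSAT/ADUC reach 135 and then stall on the
    # follow-up connection the endpoint mapper points them to.
    echo "iptables -A INPUT -s $lan -p tcp --dport $dyn -j ACCEPT"
}

# is_allowed PORT PROTO RPC_DYN_RANGE -> exit 0 if the rule set accepts it
is_allowed() {
    port="$1"; proto="$2"; dyn="$3"
    for spec in $SAMBA_DC_PORTS; do
        [ "$spec" = "$port/$proto" ] && return 0
    done
    lo=${dyn%:*}; hi=${dyn#*:}
    [ "$proto" = tcp ] && [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    return 1
}

# uncovered_listeners RPC_DYN_RANGE < netstat-lntu-output
# Prints "port/proto" for each listening socket the rules would block,
# skipping loopback-only binds. On a real DC: netstat -lntu | uncovered_listeners 1024:1300
uncovered_listeners() {
    dyn="$1"
    while read -r proto recvq sendq laddr rest; do
        case "$proto" in
            tcp|tcp6) p=tcp ;;
            udp|udp6) p=udp ;;
            *) continue ;;              # header lines
        esac
        case "$laddr" in 127.*|::1:*) continue ;; esac
        port=${laddr##*:}
        case "$port" in ""|*[!0-9]*) continue ;; esac
        is_allowed "$port" "$p" "$dyn" || echo "$port/$p"
    done | sort -u
}

# Constructed sample of `netstat -lntu` on a DC (not a real capture). 636 and
# 3269 are LDAP and global catalog over TLS; the thread's list omits them.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:88              0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:389             0.0.0.0:*
udp        0      0 0.0.0.0:464             0.0.0.0:*
EOF
}

# Dry run: print the rules, then what the sample listing would still miss.
samba_dc_rules 192.168.1.0/24 1024:1300
echo "# listeners the rules would block:"
sample_netstat | uncovered_listeners 1024:1300
```

With the range 1024:1300 the check reports 636/tcp and 3269/tcp; with 49152:65535 it also reports 1024/tcp, which is the situation in the thread where a single hard-coded rule for 1024 only works as long as the endpoint mapper keeps handing out that port. Whether 636 and 3269 need to be open depends on whether clients use LDAP over TLS; the check only tells you the DC is listening there.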
