On 24/03/13 15:17, Thomas Simmons wrote:
On Mar 24, 2013 7:04 AM, "steve" <[email protected]> wrote:
Samba 4.0.4 on openSUSE 12.3
Hi everyone.
Does anyone have a list of ports which have to be open to allow full DC
operation?
I'm no expert in firewalls and only have Yast at my disposal to configure
it. I've tried opening samba server and DNS server ports via Yast but I
must be missing something because I have to turn off the firewall to e.g.
join a Windows client to the domain. Maybe Yast isn't the right tool?
Cheers,
Steve
Hello Steve,
I have the following exceptions. Most of this came from netstat and
monitoring traffic. A few were picked up in Microsoft documentation, though
I've not seen my DC actually use them. Take special note of the last entry.
It is my understanding that Samba4 uses 1024 by default, however if that
port is not available it will use 1025, 1026, etc until it finds an open
port.
iptables -A INPUT -p tcp --dport 389 -j ACCEPT # LDAP
iptables -A INPUT -p udp --dport 389 -j ACCEPT # LDAP (UDP)
iptables -A INPUT -p tcp --dport 636 -j ACCEPT # LDAPS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS (TCP)
iptables -A INPUT -p udp --dport 53 -j ACCEPT # DNS (UDP)
iptables -A INPUT -p tcp --dport 88 -j ACCEPT # Kerberos (TCP)
iptables -A INPUT -p udp --dport 88 -j ACCEPT # Kerberos (UDP)
iptables -A INPUT -p tcp --dport 464 -j ACCEPT # Kerberos Password (TCP)
iptables -A INPUT -p udp --dport 464 -j ACCEPT # Kerberos Password (UDP)
iptables -A INPUT -p tcp --dport 135 -j ACCEPT # RPC
iptables -A INPUT -p udp --dport 137 -j ACCEPT # NetBIOS Name Service
iptables -A INPUT -p udp --dport 138 -j ACCEPT # NetBIOS Datagram Service
iptables -A INPUT -p tcp --dport 139 -j ACCEPT # NetBIOS Session Service
iptables -A INPUT -p tcp --dport 445 -j ACCEPT # MS Directory Service
iptables -A INPUT -p tcp --dport 3268 -j ACCEPT # MS Global Catalog
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # DCOM *note this port is not static*
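An added audit check, not from this thread or from Samba, that classifies what a DC is actually listening on against the port list above, so the dynamic RPC endpoint (1024 and the next few ports, as described) can be told apart from anything unexpected. The socket lines are constructed sample data in `ss -lntu` layout, and the 1024-1030 window for the dynamic endpoint is an assumption for illustration.

```shell
#!/bin/sh
# Expected listening ports on a Samba 4 AD DC, taken from the rule list above.
DC_PORTS_TCP="389 636 53 88 464 135 139 445 3268"
DC_PORTS_UDP="389 53 88 464 137 138"

# Constructed sample in `ss -lntu`-style layout (not output from a real DC):
# proto state recv-q send-q local-address:port peer-address:port
SAMPLE_SOCKETS='tcp LISTEN 0 10 0.0.0.0:389 0.0.0.0:*
tcp LISTEN 0 10 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 10 0.0.0.0:1024 0.0.0.0:*
tcp LISTEN 0 10 0.0.0.0:1025 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'

# in_list PORT "LIST": succeed if PORT appears in the space-separated LIST
in_list() {
  for p in $2; do [ "$p" = "$1" ] && return 0; done
  return 1
}

# classify_sockets: read socket lines on stdin, print "proto port class" where
# class is expected (in the DC list), dynamic-rpc (assumed 1024-1030 window
# for the non-static DCOM/RPC endpoint) or unexpected (needs a look).
classify_sockets() {
  while read -r proto _ _ _ laddr _; do
    [ -z "$proto" ] && continue
    port=${laddr##*:}              # works for 0.0.0.0:389 and [::]:389 alike
    case $proto in
      tcp) list=$DC_PORTS_TCP ;;
      udp) list=$DC_PORTS_UDP ;;
      *) continue ;;
    esac
    if in_list "$port" "$list"; then
      echo "$proto $port expected"
    elif [ "$proto" = tcp ] && [ "$port" -ge 1024 ] && [ "$port" -le 1030 ]; then
      echo "$proto $port dynamic-rpc"
    else
      echo "$proto $port unexpected"
    fi
  done
}

# count_unexpected: number of sample sockets outside the known DC set
count_unexpected() {
  printf '%s\n' "$SAMPLE_SOCKETS" | classify_sockets | grep -c ' unexpected$'
}

printf '%s\n' "$SAMPLE_SOCKETS" | classify_sockets
```

On a live host, replace the sample with `ss -Hlntu` output (or `netstat -lntu` with the header lines dropped) to see which listening sockets your firewall rules do not yet account for.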
Hi Thomas
Thanks. I've now got traffic through to the DC with the firewall
activated. The only thing I'm not sure of is the 1024. I have it set but
in (a few brief) tests, I've not seen wireshark mention it.
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba