[Samba] iptables on samba in AD native
Hello Samba group,

I have set up iptables on a Samba-3.0.8 member server (with one IP) in a native mode Active Directory domain. Searching the Samba list archives directs me to read the http://www.netfilter.org documentation and doesn't attempt to describe the ports needed for Samba to function as a member server in native AD. I would appreciate any constructive feedback regarding whether these iptables rules look correct, or grant too much or too little. They do work, and they express my understanding of Samba server network communication.

    ## SAMBA RULES ##
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    ANY='0.0.0.0/0'
    # RPC mapper
    iptables -A INPUT -s $ANY -p udp --dport 135 -j ACCEPT
    # NetBIOS Name Service (nbname)/Datagram Service (nbdatagram)
    iptables -A INPUT -s $ANY -p udp --dport 137:138 -j ACCEPT
    # NetBIOS Session Service (nbsession)
    iptables -A INPUT -s $ANY -p tcp --dport 139 -j ACCEPT
    # TCP Connection - establish 3-way handshake
    iptables -A INPUT -s $ANY -p tcp --dport 445 -j ACCEPT
    # Kerberos V5 communication 2K Packets
    iptables -A INPUT -p udp -m udp --dport 88 -j ACCEPT
    # Kerberos V5 communication 2K Packets
    iptables -A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
    # NTP communication, for Kerberos V5 tickets?
    iptables -A INPUT -s $ANY -p udp --dport 123 -j ACCEPT

Note: Limiting the OUTPUT rules kills communications to the KDC, so I left it open.

-- 
John Stile
UniX Administration
510-305-3800
[EMAIL PROTECTED]

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] iptables and samba
Hi all,

This is the output of tcpdump; it shows this continuously in the four minutes that it takes to open the share:

    02:28:17.294943 192.168.0.100.netbios-ssn > 192.168.0.2.1049: P 28200:28268(68) ack 27225 win 5840 NBT Packet (DF)
    02:28:17.295312 192.168.0.2.1049 > 192.168.0.100.netbios-ssn: P 27225:27363(138) ack 28268 win 63495 NBT Packet (DF)
    02:28:17.295422 192.168.0.100.netbios-ssn > 192.168.0.2.1049: P 28268:28307(39) ack 27363 win 5840 NBT Packet (DF)
    02:28:17.295768 192.168.0.2.1049 > 192.168.0.100.netbios-ssn: P 27363:27408(45) ack 28307 win 63456 NBT Packet (DF)
    02:28:17.295873 192.168.0.100.netbios-ssn > 192.168.0.2.1049: P 28307:28346(39) ack 27408 win 5840 NBT Packet (DF)
    02:28:17.296297 192.168.0.2.1049 > 192.168.0.100.netbios-ssn: P 27408:27501(93) ack 28346 win 63417 NBT Packet (DF)

Regards,
Azeem

> From: azeem ahmad [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [Samba] iptables and samba
> Date: Thu, 27 May 2004 22:02:20 +
>
> The problem has been partially solved by REJECTing or ACCEPTing port 445. The effect of ACCEPTing or REJECTing is the same, and that is: as I stated before, I have two shares named soft and linux. The problem appears while accessing both shares for the first time (note: only for the first time; if I close the share and then try again the problem doesn't occur unless I restart my client computer). Now the problem has been partially solved: if I access one of the two shares it takes 4 minutes, but if I then access the 2nd share it doesn't take time, while before adding this rule it was taking time for both shares.
>
> Regards,
> Azeem
>
> > From: Andrew Gaffney [EMAIL PROTECTED]
> > To: Tom Skeren [EMAIL PROTECTED]
> > CC: azeem ahmad [EMAIL PROTECTED], [EMAIL PROTECTED]
> > Subject: Re: [Samba] iptables and samba
> > Date: Thu, 27 May 2004 16:43:39 -0500
> >
> > Okay, so you can change that REJECT to ACCEPT.
> >
> > -- 
> > Andrew Gaffney
> > Network Administrator
> > Skyline Aeronautics, LLC.
> > 636-357-1548
[Samba] iptables and samba
Hi, I'm using the script below:

    iptables -F
    iptables -t nat -F
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT

I have two shares on the Samba server, Soft and linux; in these shares there are many folders. Whenever I run the above script and then open the share, it takes at least 4 minutes to open the share, but it doesn't take time while browsing inside the share. I mean there is a folder on the soft share like soft/adobe/acrobat/acrobat6: when I double click on soft it takes at least 4 minutes, but after that when I click on adobe, then acrobat, then acrobat6, it takes no time; it just browses them normally. The same problem is with the other share named linux. But if I don't run this script then all shares work fine with no delay. This problem only occurs the first time; I mean when I browse the share the next time it doesn't occur.

Regards,
Azeem
Re: [Samba] iptables and samba
azeem ahmad wrote:
> Hi, I'm using the script below:
>
>     iptables -F
>     iptables -t nat -F
>     iptables -P INPUT DROP
>     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
>     iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
>     iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
>     iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
>     iptables -A INPUT -i eth0 -p udp --dport 137 -j ACCEPT
>     iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
>     iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
>
> I have two shares on the Samba server, Soft and linux; in these shares there are many folders. Whenever I run the above script and then open the share, it takes at least 4 minutes to open the share, but it doesn't take time while browsing inside the share. I mean there is a folder on the soft share like soft/adobe/acrobat/acrobat6: when I double click on soft it takes at least 4 minutes, but after that when I click on adobe, then acrobat, then acrobat6, it takes no time; it just browses them normally. The same problem is with the other share named linux. But if I don't run this script then all shares work fine with no delay. This problem only occurs the first time; I mean when I browse the share the next time it doesn't occur.

This is a complete shot in the dark. Windows 2000 (probably) and XP (definitely) will look for an SMB server on port 445 first by default. Since you have '-j DROP', the requests to 445 don't get a response. It takes a little bit to time out and then Windows probably tries to connect again. I bet if you add the following iptables rule, the problem will go away:

    # --dport requires a tcp or udp protocol match; SMB over 445 is TCP
    iptables -A INPUT -i eth0 -p tcp --dport 445 -j REJECT

-- 
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548
Re: [Samba] iptables and samba
Andrew Gaffney wrote:
> This is a complete shot in the dark. Windows 2000 (probably) and XP (definitely) will look for an SMB server on port 445 first by default. Since you have '-j DROP', the requests to 445 don't get a response. It takes a little bit to time out and then Windows probably tries to connect again. I bet if you add the following iptables rule, the problem will go away:
>
>     iptables -A INPUT -i eth0 -p tcp --dport 445 -j REJECT

If you have Samba 3.x it will share on port 445.
Re: [Samba] iptables and samba
It's samba-2.2.7a-7.9.0, and I tried rejecting port 445 for tcp and udp, but it isn't working properly yet.

Regards,
Azeem

> From: Tom Skeren [EMAIL PROTECTED]
> To: Andrew Gaffney [EMAIL PROTECTED]
> CC: azeem ahmad [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: [Samba] iptables and samba
> Date: Thu, 27 May 2004 14:41:07 -0700
>
> Andrew Gaffney wrote:
> > I bet if you add the following iptables rule, the problem will go away:
> >
> >     iptables -A INPUT -i eth0 -p tcp --dport 445 -j REJECT
>
> If you have Samba 3.x it will share on port 445.
Re: [Samba] iptables and samba
Tom Skeren wrote:
> Andrew Gaffney wrote:
> > I bet if you add the following iptables rule, the problem will go away:
> >
> >     iptables -A INPUT -i eth0 -p tcp --dport 445 -j REJECT
>
> If you have Samba 3.x it will share on port 445.

Okay, so you can change that REJECT to ACCEPT.

-- 
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548
Re: [Samba] iptables and samba
The problem has been partially solved by REJECTing or ACCEPTing port 445. The effect of ACCEPTing or REJECTing is the same, and that is: as I stated before, I have two shares named soft and linux. The problem appears while accessing both shares for the first time (note: only for the first time; if I close the share and then try again the problem doesn't occur unless I restart my client computer). Now the problem has been partially solved: if I access one of the two shares it takes 4 minutes, but if I then access the 2nd share it doesn't take time, while before adding this rule it was taking time for both shares.

Regards,
Azeem

> From: Andrew Gaffney [EMAIL PROTECTED]
> To: Tom Skeren [EMAIL PROTECTED]
> CC: azeem ahmad [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: [Samba] iptables and samba
> Date: Thu, 27 May 2004 16:43:39 -0500
>
> Tom Skeren wrote:
> > If you have Samba 3.x it will share on port 445.
>
> Okay, so you can change that REJECT to ACCEPT.
>
> -- 
> Andrew Gaffney
> Network Administrator
> Skyline Aeronautics, LLC.
> 636-357-1548
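An added example, written for this page and not code from any poster in either thread: a script that prints a stateful version of the rulesets discussed above (John Stile's member-server rules and the port 445 advice given to Azeem). It relies on the ESTABLISHED,RELATED rule so the server's own outbound Kerberos, DNS and NTP requests get their replies back without opening inbound 88 or 123, opens inbound only the NetBIOS/SMB ports the server listens on, accepts 445 for Samba 3.x, and for a 2.2 server answers 445 with a TCP reset so a client's first attempt fails immediately instead of waiting out a silent DROP. The interface name eth0, the 192.168.0.0/24 client subnet and the lan_accept_count helper are assumptions of this example; nothing is applied, the rules are only printed.

```shell
#!/bin/sh
# Added example (not code from the thread): print a stateful iptables
# ruleset for a Samba domain member. Assumed: LAN interface eth0, client
# subnet 192.168.0.0/24 (constructed), Samba version passed as $1.
# Nothing is applied here; review the output, then run it as root.

IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.0.0/24}"

# samba_member_rules VERSION  -> rule list on stdout ("3" or "2.2")
samba_member_rules() {
    case "${1:-3}" in
        3*) p445='ACCEPT' ;;                         # Samba 3.x serves 445
        *)  p445='REJECT --reject-with tcp-reset' ;; # 2.2: fail fast, no timeout
    esac
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Replies to the server's own Kerberos, DNS and NTP requests come back as
# ESTABLISHED/RELATED, so inbound 88 and 123 need not be opened.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NetBIOS name/datagram service, NetBIOS session, and direct-hosted SMB
iptables -A INPUT -i $IFACE -s $LAN -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN -p tcp --dport 445 -j $p445
# Everything else from the LAN is rejected explicitly so clients get an
# immediate error instead of waiting on a silent drop.
iptables -A INPUT -i $IFACE -s $LAN -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $IFACE -s $LAN -j REJECT
EOF
}

# Hypothetical sanity-check helper: how many rules ACCEPT new LAN traffic
# for a given Samba version (3 for 3.x, 2 for 2.2).
lan_accept_count() {
    samba_member_rules "$1" | grep -c -- "-s $LAN .* -j ACCEPT"
}

samba_member_rules "${1:-3}"
```

Compare the printed output with `iptables -L -n -v` after applying it; the ESTABLISHED,RELATED counter should climb while the Kerberos and NTP exchanges with the domain controller succeed without any inbound 88/123 rule.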