After reading and trying all of the tips suggested in this thread,
I got almost everything working. Just that, despite the fact that I did allow the ports
mentioned in the tutorial, I still have to stop iptables in order to be able
to browse the shares through the 'Browse Network' icon in Nautilus.
Doing:
smb://192.168.x.xxx
works just fine.
vaio@nando, Tue Jul 12 16:52:18
~
$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 192.168.1.0/24 anywhere udp dpt:netbios-ns
2 ACCEPT udp -- 192.168.1.0/24 anywhere udp dpt:netbios-dgm
3 ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:netbios-ssn
4 ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:microsoft-ds
5 DROP icmp -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
8 DROP all -- 10.0.0.0/8 anywhere
9 DROP all -- 172.16.0.0/16 anywhere
10 DROP all -- 192.168.0.0/24 anywhere
11 DROP udp -- anywhere anywhere udp dpts:33435:33525
12 DROP udp -- anywhere anywhere udp dpts:33435:33525
13 DROP all -- anywhere anywhere state INVALID
14 DROP all -- anywhere anywhere
15 ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
16 ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
vaio@nando, Tue Jul 12 16:52:28
~
Any ideas?
Thanks in advance.
Last edited by FernandoBasso (2011-07-12 20:51:31)
There is a difference between knowing the path and walking the path.
You might need ICMP for browsing the network.
You might need ICMP for browsing the network.
Thanks for the reply. Allowing ICMP (iptables -D INPUT 5) didn't do any good at all.
However, iptables -I INPUT -s 192.168.1.0/24 did work. Just that I don't want to
allow everyone in the LAN to have access, and some IPs are set through DHCP, so
I can't allow just 'this' or 'that' machine.
I am trying to find out which of the rules is blocking browsing the network.
Just for the sake of information, here's /etc/iptables/iptables.rules:
# Generated by iptables-save v1.4.10 on Thu Jul 14 08:16:15 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:696]
-A INPUT -s 192.168.1.0/24 -j LOG --log-prefix "__LOCAL_CONNECTIONS__"
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/16 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 33435:33525 -j DROP
-A INPUT -i wlan0 -p udp -m udp --dport 33435:33525 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
COMMIT
# Completed on Thu Jul 14 08:16:15 2011
Hello,
I think the problem is that when you try to browse for servers your machine will broadcast a UDP packet to, e.g., 192.168.1.255.
This packet will come from some available port on your machine (in the upper free region) and go to destination port 137 on the whole subnet.
A machine running a Samba/Windows network server will then reply _to_your_arbitrary_port_, which your firewall will not allow.
Example:
Your machine broadcasts from 192.168.1.40 port 45123 to 192.168.1.255 port 137.
Another machine running a server replies from 192.168.1.41 port 137 to your machine 192.168.1.40 port 45123.
Your firewall will block the reply because it does not have any special rule for your port 45123.
Since I think it's a bad idea to just open your firewall for all packets originating from port 137, I myself am using the "recent" module:
It works like this:
In the OUTPUT chain I have the following rule:
-A OUTPUT -d 192.168.0.255 -p udp --dport 137 -m recent --name samba --rsource --set -j ACCEPT
This keeps track of the port you used to broadcast and stores it on your machine.
In the INPUT chain I then have
-A INPUT -s 192.168.0.0/24 -p udp --sport 137 -m recent --name samba --rdest --rcheck -j ACCEPT
This checks your destination against your recently saved IP/port tuple.
Works for me (but I'm not an expert on firewall configurations; in fact I'm really new to it myself).
I'd be interested in better solutions!
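Added example, not from any post in this thread: a small POSIX shell script that (1) generates an iptables-restore ruleset implementing the "recent" approach from the post above, parametrised for the original poster's 192.168.1.0/24 LAN instead of the 192.168.0.x one in the posted rules, and (2) lints a saved ruleset for the ordering problem visible in the posted /etc/iptables/iptables.rules, where two rate-limited ACCEPT rules sit after the catch-all "-A INPUT -j DROP" and can therefore never match. The subnet, broadcast address, interface name eth0 and the 10-second window are assumptions, and the sample ruleset fed to the linter is constructed here, not copied from the thread. One detail worth knowing when reading the recent rules: xt_recent records IP addresses, not ports, so the OUTPUT rule stores this host's own address when it broadcasts, and the INPUT rule then admits UDP from source port 137 from any LAN host to this host while that entry is younger than the --seconds value; without --seconds the entry only ages out when the list fills, so the window is what keeps the exception bounded.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values (not from the
# posts): LAN 192.168.1.0/24, broadcast 192.168.1.255, interface eth0,
# 10-second window for replies to this host's own name-service broadcast.

# Emit an iptables-restore ruleset that lets the unicast NetBIOS name-service
# replies to this host's broadcasts in via the "recent" match.
# $1 = LAN subnet (CIDR)  $2 = LAN broadcast address  $3 = LAN interface
# $4 = seconds after a broadcast during which replies are accepted (default 10)
samba_browse_rules() {
  subnet=$1; bcast=$2; iface=$3; window=${4:-10}
  # OUTPUT rule: when a name query goes to the broadcast address, record this
  # host's address (--rsource) in the list "samba".
  # INPUT rule: accept UDP from source port 137 on the LAN only while the
  # list entry for this host (--rdest) is younger than $window seconds.
  # Default policy is DROP, so no trailing catch-all DROP rule is needed.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -d $bcast -p udp --dport 137 -m recent --name samba --rsource --set -j ACCEPT
-A INPUT -i $iface -s $subnet -p udp --sport 137 -m recent --name samba --rdest --rcheck --seconds $window -j ACCEPT
-A INPUT -i $iface -s $subnet -p udp --dport 137:138 -j ACCEPT
-A INPUT -i $iface -s $subnet -p tcp --dport 139 -j ACCEPT
-A INPUT -i $iface -s $subnet -p tcp --dport 445 -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save ruleset on stdin and print every INPUT rule that comes
# after an unconditional "-A INPUT -j DROP": the kernel never consults them.
unreachable_input_rules() {
  awk '
    /^-A INPUT -j DROP *$/ { dead = 1; next }
    dead && /^-A INPUT /   { print }
  '
}

# Number of unreachable INPUT rules in the ruleset text given as $1.
count_unreachable() {
  printf '%s\n' "$1" | unreachable_input_rules | wc -l | tr -d ' '
}

# Constructed sample in the shape of the posted iptables.rules (not a copy):
# two rate-limited ACCEPTs placed after the catch-all DROP.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
COMMIT'

# Usage: print the generated ruleset, then lint the sample and the generated one.
samba_browse_rules 192.168.1.0/24 192.168.1.255 eth0
echo "unreachable INPUT rules in sample: $(count_unreachable "$SAMPLE_RULES")"
echo "unreachable INPUT rules in generated ruleset: $(count_unreachable "$(samba_browse_rules 192.168.1.0/24 192.168.1.255 eth0)")"
```

Pipe the generated ruleset into iptables-restore (as root) to apply it; to find which rule is dropping a given packet, the LOG rule already present in the posted file can be moved in front of any candidate DROP, or the per-rule packet counters from iptables -L -v -n can be compared before and after a browse attempt. An alternative to the recent match is the kernel's NetBIOS name-service connection-tracking helper (nf_conntrack_netbios_ns), which marks the unicast reply to a locally originated broadcast query as RELATED so that the existing RELATED,ESTABLISHED rule admits it; on newer kernels helpers are not assigned automatically and have to be attached with a CT rule in the raw table.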
totsilence,
Your theory makes sense. I just got myself wondering if Windows (which
browses shares 'by default') has some ports open all the time for anyone
to access...
I'll investigate more on this. I'll post again in case I find
anything worthwhile.
Thanks for now.