
#1 2013-09-23 19:27:34

Moyamo
Member
Registered: 2012-01-20
Posts: 10

IPTables blocking NetBIOS

I have had this problem for a while now and I have finally decided to fix it once and for all.

I am unable to connect to the shared folders of other computers on the local network. Running smbclient with the NetBIOS name results in NT_STATUS_UNSUCCESSFUL, but if I connect via the IP it succeeds (well, almost).

[yaseen@luthien ~]$ smbclient -L //gamingpc
Enter yaseen's password: 
Connection to gamingcomp failed (Error NT_STATUS_UNSUCCESSFUL)

[yaseen@luthien ~]$ smbclient -L 192.168.1.101
Enter yaseen's password: 
Domain=[GAMINGPC] OS=[Windows 8 Single Language 9200] Server=[Windows 8 Single Language 6.2]

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Canon           Printer   Canon iP4600 series
        Canon iP4600 series (Copy 1) Printer   Canon iP4600 series (Copy 1)
        IPC$            IPC       Remote IPC
        print$          Disk      Printer Drivers
        Users           Disk      
Connection to 192.168.1.101 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available

However, after disabling iptables I am able to connect via the NetBIOS name.

[yaseen@luthien ~]$ sudo systemctl stop iptables
[yaseen@luthien ~]$ smbclient -L //gamingpc
Enter yaseen's password: 
Domain=[GAMINGPC] OS=[Windows 8 Single Language 9200] Server=[Windows 8 Single Language 6.2]

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Canon           Printer   Canon iP4600 series
        Canon iP4600 series (Copy 1) Printer   Canon iP4600 series (Copy 1)
        IPC$            IPC       Remote IPC
        print$          Disk      Printer Drivers
        Users           Disk      
Domain=[GAMINGPC] OS=[Windows 8 Single Language 9200] Server=[Windows 8 Single Language 6.2]

But even with IPtables off I am unable to connect to the shared folders with Thunar. I think I have opened the NetBIOS ports, so why is IPtables preventing the NetBIOS resolution?

[yaseen@luthien ~]$ sudo iptables -L
[sudo] password for yaseen: 
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     ipv6 --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request ctstate NEW
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain TCP (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sent-lm
ACCEPT     tcp  --  anywhere             anywhere             multiport dports netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,bootps,bootpc

Chain UDP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             multiport dports netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,bootps,bootpc

My smb.conf:

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   netbios name = SERVER
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/%m.log
   max log size = 50
   security = user
   wins server = 192.168.1.1
   dns proxy = no 
#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes


#2 2013-09-23 20:33:53

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: IPTables blocking NetBIOS

"iptables -L" doesn't show enough detail. This is much better:

iptables-save


#3 2013-09-24 06:41:58

Moyamo
Member
Registered: 2012-01-20
Posts: 10

Re: IPTables blocking NetBIOS

# Generated by iptables-save v1.4.19.1 on Tue Sep 24 08:40:41 2013
*raw
:PREROUTING ACCEPT [1351:530820]
:OUTPUT ACCEPT [1311:145341]
COMMIT
# Completed on Tue Sep 24 08:40:41 2013
# Generated by iptables-save v1.4.19.1 on Tue Sep 24 08:40:41 2013
*nat
:PREROUTING ACCEPT [125:53285]
:INPUT ACCEPT [6:858]
:OUTPUT ACCEPT [298:19457]
:POSTROUTING ACCEPT [298:19457]
COMMIT
# Completed on Tue Sep 24 08:40:41 2013
# Generated by iptables-save v1.4.19.1 on Tue Sep 24 08:40:41 2013
*mangle
:PREROUTING ACCEPT [1351:530820]
:INPUT ACCEPT [1232:478393]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1311:145341]
:POSTROUTING ACCEPT [1341:148367]
COMMIT
# Completed on Tue Sep 24 08:40:41 2013
# Generated by iptables-save v1.4.19.1 on Tue Sep 24 08:40:41 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1311:145341]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 2316 -j ACCEPT
-A TCP -p tcp -m multiport --dports 137,138,139,445,67,68 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
-A UDP -p udp -m multiport --dports 137,138,139,445,67,68 -j ACCEPT
COMMIT
# Completed on Tue Sep 24 08:40:41 2013


#4 2013-09-25 18:39:44

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: IPTables blocking NetBIOS

I'm not using samba, so it's a guess. But have a try with allowing input for port 5353 and check if you have installed "nss-mdns" and "gvfs-smb" (for thunar).


#5 2013-09-26 11:12:57

Moyamo
Member
Registered: 2012-01-20
Posts: 10

Re: IPTables blocking NetBIOS

Thanks! Installing those two packages fixed Thunar, but IPTables is still blocking smb. Thunar works now with IPTables off, but with it on it cannot find the network folders.


#6 2013-09-26 14:03:59

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: IPTables blocking NetBIOS

Moyamo wrote:

IPTables is still blocking smb

Well, you're the one with the very strict iptables rules, creating this confusing problem for yourself. Why have you got such strict rules?

Google for e.g. "iptables debugging". An example:

watch -n 2 "iptables -t mangle -L -x -v"


#7 2014-11-03 14:14:20

MONOmah
Member
Registered: 2014-06-23
Posts: 6

Re: IPTables blocking NetBIOS

Bumped into this problem too. Here is the situation:
1. Client (10.13.13.41:33118) sends a NetBIOS UDP packet from a random port to the broadcast address and port 137 (10.13.13.255:137):

IN=wlp2s0 OUT= MAC= SRC=10.13.13.41 DST=10.13.13.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=56997 DF PROTO=UDP SPT=33118 DPT=137 LEN=58
IP 10.13.13.41.33118> 10.13.13.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

2. "Server" (10.13.13.33:137) responds from port 137 to the client (10.13.13.41:33118):

IN=wlp2s0 OUT= MAC=00:23:15:6b:0a:28:00:13:a9:41:03:f1:08:00 SRC=10.13.13.33 DST=10.13.13.41 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=39618 DF PROTO=UDP SPT=137 DPT=33118 LEN=70
IP 10.13.13.33.137 > 10.13.13.41.33118: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST

Here is my opinion -- iptables should treat these packets as related, but it doesn't. The solution is to accept packets both from and to port 137.

P. S. I suppose that in this situation "necrobumping" is appropriate.

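Added example (not code from any poster in this thread): a small shell script that shows why the name-service reply in post #7 is refused by the ruleset from post #3, and the rules that let it through, together with the LOG rule post #6's debugging hint amounts to. The chain name UDP and the INPUT rule positions are taken from the posted ruleset; the subnet 10.13.13.0/24 is the one in post #7's log lines and is only a default, LAN_CIDR overrides it. It goes slightly beyond post #7 in two ways: the accept rule is limited to the local subnet, and a second function shows the kernel's NetBIOS-NS conntrack helper as an alternative that keeps the strict rules intact (that part assumes the kernel ships nf_conntrack_netbios_ns and iptables has the CT target).

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
# Explains the conntrack mismatch behind the rejected NetBIOS reply and
# prints (or, with "apply", installs) the iptables rules that fix it.
set -eu

# Assumption: the LAN of post #7. Override with LAN_CIDR=192.168.1.0/24 etc.
LAN_CIDR="${LAN_CIDR:-10.13.13.0/24}"

# conntrack pairs a reply with the original flow only when the reply's
# source address equals the original destination. A broadcast query has
# the broadcast address as destination, so the unicast answer from the
# real server (10.13.13.33) never matches the entry and is classified
# NEW instead of ESTABLISHED/RELATED, falling through to the final REJECT.
conntrack_reply_matches() {
    orig_dst="$1"; reply_src="$2"
    [ "$reply_src" = "$orig_dst" ]
}

# The fix post #7 describes: accept the answer coming back from UDP/137 to
# the client's ephemeral port. Restricting it to the local subnet keeps a
# packet from elsewhere that merely sets sport=137 on the REJECT path.
netbios_ns_reply_rules() {
    lan="$1"
    printf '%s\n' "iptables -A UDP -p udp -s $lan --sport 137 -m conntrack --ctstate NEW -j ACCEPT"
}

# Alternative that leaves the INPUT rules untouched: the NetBIOS-NS helper
# registers an expectation when the broadcast query leaves the host, so the
# answer is marked RELATED and rule 1 of INPUT accepts it.
# Assumption: nf_conntrack_netbios_ns module and the xt_CT target are available.
netbios_ns_helper_rules() {
    printf '%s\n' "modprobe nf_conntrack_netbios_ns" \
        "iptables -t raw -A OUTPUT -p udp --dport 137 -j CT --helper netbios-ns"
}

# Diagnostic in the spirit of post #6: log UDP packets right before the
# UDP REJECT (rule 8 of INPUT in the posted ruleset), rate-limited, so the
# refused packet appears in the kernel log with SPT/DPT like post #7's lines.
netbios_debug_rule() {
    printf '%s\n' "iptables -I INPUT 8 -p udp -m limit --limit 5/min -j LOG --log-prefix \"INPUT-REJECT-UDP: \""
}

# Usage: sh netbios-fix.sh            -> print the commands for review
#        LAN_CIDR=192.168.1.0/24 sh netbios-fix.sh apply   (as root)
case "${1:-print}" in
    apply) netbios_ns_reply_rules "$LAN_CIDR" | while read -r cmd; do $cmd; done ;;
    *)     netbios_ns_reply_rules "$LAN_CIDR"; netbios_debug_rule ;;
esac
```

The accept rule goes into the UDP chain because that is where NEW UDP packets land in the posted ruleset; appending it to INPUT after the REJECT lines would never be reached. Remember that rules added this way are lost on the next iptables restart unless they are also written into the file the iptables service loads.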

Powered by FluxBB