I'm trying to mount SMB directories. As long as iptables is off, it works fine, but as soon as iptables is on, it fails (connection times out). I set up iptables based on this wiki: http://wiki.archlinux.org/index.php/Sim … wall_HOWTO. Here is my iptables.rules file:
# Generated by iptables-save v1.3.5 on Tue May 23 12:46:04 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [274558:186772128]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A interfaces -i lo -j ACCEPT
-A open -p tcp -m tcp --dport 22 -j ACCEPT
-A open -p tcp -m tcp --dport 80 -j ACCEPT
-A open -p tcp -m tcp --dport 443 -j ACCEPT
-A open -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A open -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
COMMIT
# Completed on Tue May 23 12:46:04 2006
And an excerpt from fstab:
//apollo2/Officer /mnt/Officer_on_Apollo2 smbfs credentials=/root/SMB_credentials_Apollo2,uid=officer,gid=users,workgroup=GleeNet
I've been able to figure out that 137:139 are for a Samba server (which I'm actually not running--I'll close them once I'm sure they don't do anything for the client side). What are the ports that I should leave open? I'm not very experienced with the whole firewall thing.
This may be related to these posts: http://bbs.archlinux.org/viewtopic.php?t=21705 and http://bbs.archlinux.org/viewtopic.php?t=21607.
Thanks,
John
Probably want TCP port 445, TCP port 139, and UDP ports 137 and 138.
Those are the Windows (SMB/CIFS) file-sharing ports.
I'm not sure where the problem is, but I can tell you that I do not have any open ports in my system and I can connect to the local network and access my samba shares.
If you initiate the connection then this rule (-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT) should allow you to start the connection.
I noticed that when I start the connection port 445 is used to contact the samba server and then the shares are mounted. Again, I do not have port 445 open by default, it only happens when a new connection is initiated by my system.
Can you post your ifconfig output here, please?
I recommend using Arno's iptables firewall scripts. Outstanding and easy to use. Logging, NATs, DMZ, multiple interfaces, etc... Never needed to tweak iptables manually after this.
http://rocky.eld.leidenuniv.nl/
So it was a combination of things. Port 445 is necessary, and I also had unnecessary -m options that were screwing things up. Here's the working iptables.rules:
# Generated by iptables-save v1.3.5 on Wed May 24 17:59:38 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [27:3084]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A interfaces -i lo -j ACCEPT
-A open -p tcp -m tcp --dport 22 -j ACCEPT
-A open -p tcp -m tcp --dport 80 -j ACCEPT
-A open -i eth0 -p udp --dport 137:139 -j ACCEPT
-A open -i eth0 -p tcp --dport 137:139 -j ACCEPT
-A open -p tcp --dport 445 -j ACCEPT
COMMIT
# Completed on Wed May 24 17:59:38 2006
I might go back and see if I can get rid of some of the 13x ports.
Thanks,
John
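The question left open at the end of the thread is which of the ACCEPT lines a mount-only SMB client actually needs. The following is an added example, not code from any of the posts: a small auditor that parses iptables-save text, follows the jumps from INPUT into the user-defined chains, lists every port accepted inbound (and whether the rule is limited to an interface or a source host), and checks for the RELATED,ESTABLISHED rule the second reply relies on. The embedded ruleset is a copy of the working one posted above; the function names and the SMB_SERVER_PORTS set are my own, and the parser only understands -p, -i, -s, --dport/--destination-port and -j (no negation, --sport or multiport), which is enough for rulesets of this shape.

```python
"""Audit which inbound ports an iptables-save ruleset exposes (added example,
not from the thread). Understands -p/-i/-s/--dport/-j and user-chain jumps
only; negation, --sport and multiport are out of scope by assumption."""
import shlex
from collections import defaultdict

# Constructed sample: the working ruleset from the last post in the thread.
WORKING_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [27:3084]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A interfaces -i lo -j ACCEPT
-A open -p tcp -m tcp --dport 22 -j ACCEPT
-A open -p tcp -m tcp --dport 80 -j ACCEPT
-A open -i eth0 -p udp --dport 137:139 -j ACCEPT
-A open -i eth0 -p tcp --dport 137:139 -j ACCEPT
-A open -p tcp --dport 445 -j ACCEPT
COMMIT
"""

# NetBIOS/SMB ports: only a host *serving* shares needs to accept these inbound.
SMB_SERVER_PORTS = {(proto, port) for proto in ("tcp", "udp")
                    for port in (137, 138, 139, 445)}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


def parse_rules(text):
    """Map chain name -> list of rule argv (everything after '-A <chain>')."""
    chains = defaultdict(list)
    for line in text.splitlines():
        argv = shlex.split(line.strip())
        if len(argv) >= 2 and argv[0] == "-A":
            chains[argv[1]].append(argv[2:])
    return chains


def _opt(argv, *names):
    """Value following the first option in *names, or None if absent."""
    for i in range(len(argv) - 1):
        if argv[i] in names:
            return argv[i + 1]
    return None


def _expand_ports(spec):
    """'137:139' -> {137, 138, 139}; '445' -> {445}."""
    lo, _, hi = spec.partition(":")
    return set(range(int(lo), int(hi or lo) + 1))


def _walk(chains, chain, seen, found):
    if chain in seen:                     # guard against chain loops
        return
    seen.add(chain)
    for argv in chains.get(chain, []):
        target = _opt(argv, "-j")
        if target == "ACCEPT":
            proto = _opt(argv, "-p")
            dport = _opt(argv, "--dport", "--destination-port")
            if proto in ("tcp", "udp") and dport:
                for port in _expand_ports(dport):
                    # first matching rule wins, as in iptables itself
                    found.setdefault((proto, port), {
                        "iface": _opt(argv, "-i"), "source": _opt(argv, "-s")})
        elif target and target not in BUILTIN_TARGETS:
            _walk(chains, target, seen, found)   # user-defined chain


def exposed_ports(text):
    """{(proto, port): {'iface': ..., 'source': ...}} accepted on INPUT.
    None for iface/source means the rule matches any interface/any host."""
    found = {}
    _walk(parse_rules(text), "INPUT", set(), found)
    return found


def allows_established(text):
    """True if INPUT has an ACCEPT for ESTABLISHED (state or conntrack match).
    Presence only: it must also precede any REJECT/DROP, as it does above."""
    for argv in parse_rules(text).get("INPUT", []):
        states = _opt(argv, "--state", "--ctstate") or ""
        if "ESTABLISHED" in states.split(",") and _opt(argv, "-j") == "ACCEPT":
            return True
    return False


def unneeded_for_smb_client(text):
    """NetBIOS/SMB ports accepted inbound that a mount-only client can close:
    with ESTABLISHED allowed, replies to the client's own connection to the
    server's 445 (or 139) come back without any inbound port being open."""
    if not allows_established(text):
        return set()
    return set(exposed_ports(text)) & SMB_SERVER_PORTS


if __name__ == "__main__":
    for (proto, port), m in sorted(exposed_ports(WORKING_RULES).items()):
        print(f"{proto}/{port:<4} iface={m['iface'] or 'any'} src={m['source'] or 'any'}")
    print("closeable on a client:", sorted(unneeded_for_smb_client(WORKING_RULES)))
```

Run against the posted ruleset it reports 22, 80 and 445 accepted from anywhere, 137-139 (TCP and UDP) accepted on eth0, and flags all seven NetBIOS/SMB entries as closeable on a client-only box, which matches the second reply: the RELATED,ESTABLISHED rule is what lets the mount work, and the 137:139 and 445 ACCEPT lines only matter if this host is itself serving shares.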