#1 2021-11-14 04:05:32

mwigzell
Member
Registered: 2016-01-29
Posts: 14

[SOLVED] samba from mac to ARCH linux fails: ICMP host unreachable

When trying to connect from my mac to my linux box with "connect server" in the finder, I put in "smb://<ip address of confucius>", where "confucius" is my linux box.
I have no firewall.
My kernel is: 5.14.16-arch1-1
My samba:

(base) mark@confucius:samba$ sudo pacman -Q samba
samba 4.15.1-1

My iptables:

(base) mark@confucius:android-sdk$ sudo iptables -L
[sudo] password for root: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
(base) mark@confucius:android-sdk$

My iMac sends (tcpdump)

19:05:44.785408 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    marks-imac.lan.50141 > confucius.microsoft-ds: Flags [S], cksum 0xfe62 (correct), seq 659133528, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 365917103 ecr 0,sackOK,eol], length 0
19:05:45.007315 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    marks-imac.lan.50142 > confucius.netbios-ssn: Flags [S], cksum 0x0bf5 (correct), seq 288857387, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 365917325 ecr 0,sackOK,eol], length 0
19:05:50.142304 ARP, Ethernet (len 6), IPv4 (len 4), Reply marks-imac.lan is-at b4:18:d1:eb:ce:87 (oui Unknown), length 46

and my linux box sends:

19:05:44.785471 IP confucius > marks-imac.lan: ICMP host confucius unreachable - admin prohibited filter, length 72
19:05:44.790895 IP confucius.49435 > _gateway.domain: 42048+ PTR? 98.86.168.192.in-addr.arpa. (44)
19:05:44.813237 IP confucius.55796 > _gateway.domain: 10493+ PTR? 98.86.168.192.in-addr.arpa. (44)
19:05:45.007362 IP confucius > marks-imac.lan: ICMP host confucius unreachable - admin prohibited filter, length 72

So it appears like the firewall is blocking an ICMP packet?  I do not understand why ICMP is even involved here. But it's the only clue I have where something seems to be wrong.
As you see above, IPTABLES is empty. But if I run "nft list ruleset" I see:

(base) mark@confucius:android-sdk$ sudo nft list ruleset
[sudo] password for root: 
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid drop comment "early drop of invalid connections"
		ct state { established, related } accept comment "allow tracked connections"
		iifname "lo" accept comment "allow from loopback"
		ip protocol icmp accept comment "allow icmp"
		meta l4proto ipv6-icmp accept comment "allow icmp v6"
		tcp dport 22 accept comment "allow sshd"
		meta pkttype host limit rate 5/second counter packets 92 bytes 28768 reject with icmpx admin-prohibited
		counter packets 322 bytes 85846
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
(base) mark@confucius:android-sdk$

So I flushed the nftables and now it works:

(base) mark@confucius:etc$ sudo nft flush ruleset
[sudo] password for root: 
(base) mark@confucius:etc$ sudo nft list ruleset
(base) mark@confucius:etc$ 

PS. Now that it's working, the reply from confucius:

19:46:18.761850 IP confucius.microsoft-ds > marks-imac.lan.50165: Flags [S.E], seq 1779813245, ack 1828883573, win 65160, options [mss 1460,sackOK,TS val 3864410218 ecr 366590234,nop,wscale 7], length 0
19:46:18.970102 IP confucius.netbios-ssn > marks-imac.lan.50166: Flags [S.E], seq 1502681061, ack 1456576725, win 65160, options [mss 1460,sackOK,TS val 3864410427 ecr 366590441,nop,wscale 7], length 0

With the empty ruleset I am able to connect via samba from my mac, login through samba and access my cifs share. It remains to fix this default ruleset, which I found is in a file called "/etc/nftables.conf".
I'm glad I finally found out how to remove the offending default firewalling from the kernel. Yay! Now what? I haven't the foggiest what is wrong with that default ruleset. Can anyone help me?
Hmm, I just discovered "nftables" was brought in by "firewalld", so I guess I don't need it at all?
The confusing thing has been that on reboot the file "/etc/nftables.conf" is reloaded into nf_tables! I have no firewall enabled, I disabled "firewalld". I'm thinking, maybe this is a bug? Surely nftables shouldn't reload the default on a reboot? Where is the command that does that?

Last edited by mwigzell (2021-11-14 16:13:41)

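An added example, not part of the original post: the Arch default "inet filter" ruleset listed above, with a rule that admits SMB from the LAN inserted before the rejection rule, as an alternative to flushing the ruleset (which leaves the host with no firewall at all). This also answers the "why is ICMP involved" question from the diagnosis: the rule `meta pkttype host limit rate 5/second counter ... reject with icmpx admin-prohibited` is what generated the "ICMP host confucius unreachable - admin prohibited filter" packets in the tcpdump. The Mac's SYNs to ports 445 (microsoft-ds) and 139 (netbios-ssn) matched no accept rule, so instead of being silently dropped by the chain policy they were answered with that ICMP rejection (the counter on that rule, 92 packets, confirms it fired). The LAN prefix 192.168.86.0/24 is an assumption taken from the PTR lookup for 192.168.86.98 in the capture; the UDP 137/138 rule is also an assumption, only needed if nmbd is used for NetBIOS browsing or name resolution, which connecting by IP address as in the post does not require.

```nft
#!/usr/bin/nft -f
# Added example based on the Arch default "inet filter" ruleset quoted in
# the post above; it is not the original /etc/nftables.conf.
# Assumptions (not from the original post): the LAN is 192.168.86.0/24
# (derived from the 192.168.86.98 PTR lookup in the capture) and Samba
# listens on the standard ports.

table inet filter
delete table inet filter
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		ct state invalid drop comment "early drop of invalid connections"
		ct state { established, related } accept comment "allow tracked connections"
		iifname "lo" accept comment "allow from loopback"
		ip protocol icmp accept comment "allow icmp"
		meta l4proto ipv6-icmp accept comment "allow icmp v6"
		tcp dport 22 accept comment "allow sshd"

		# SMB from the LAN only. 445 (microsoft-ds) and 139 (netbios-ssn)
		# are exactly the two ports the Mac tried in the capture above.
		ip saddr 192.168.86.0/24 tcp dport { 139, 445 } accept comment "allow samba from LAN"
		# NetBIOS name/datagram service (nmbd). Only needed for browsing and
		# NetBIOS name resolution, not for connecting by IP address.
		ip saddr 192.168.86.0/24 udp dport { 137, 138 } accept comment "allow nmbd from LAN"

		# Anything else addressed to this host gets an explicit, rate-limited
		# ICMP rejection; this is the "admin prohibited filter" seen in tcpdump.
		meta pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
		counter
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
```

Validate the file without touching the kernel with `nft -c -f /etc/nftables.conf`, then load it with `nft -f /etc/nftables.conf` and confirm with `nft list ruleset` that the new accept rules sit above the reject rule; while the Mac connects, the reject rule's packet counter should stay flat and tcpdump should show SYN-ACKs instead of ICMP. The reload on reboot is not a bug: the nftables package's nftables.service runs `nft -f /etc/nftables.conf` at start (and `nft flush ruleset` at stop), so the ruleset comes back whenever that unit is enabled. Keeping the unit and adding the rule above is the better fix than `systemctl disable --now nftables`, which removes the firewall entirely.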

#2 2021-11-14 09:13:16

seth
Member
Registered: 2012-09-03
Posts: 25,086

Re: [SOLVED] samba from mac to ARCH linux fails: ICMP host unreachable

tl;dr

Hmm, I just discovered "nftables" was brought in by "firewalld", so I guess I don't need it at all?

https://unix.stackexchange.com/question … g-rejected

