So in my week-long quest/search I have seen that many have issues with letting the correct ports through iptables. I am having trouble with roaming profiles: when iptables is off they work great, but when it is on it can't load my roaming profile.
sh# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:0
DROP udp -- anywhere anywhere udp dpt:0
DROP tcp -- anywhere anywhere tcp spt:0
DROP udp -- anywhere anywhere udp spt:0
DROP 0 -- anywhere 255.255.255.255
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 66.249.64.0/19 anywhere tcp dpt:ssh
ACCEPT tcp -- 192.168.187.0/24 anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
ACCEPT 0 -- anywhere anywhere state NEW
LOG 0 -- anywhere anywhere LOG level warning prefix `FW_INPUT '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere multiport dports 445,135,136,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT udp -- anywhere anywhere multiport dports 445,135,136,netbios-ns,netbios-dgm,netbios-ssn
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports 445,135,136,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT udp -- anywhere anywhere multiport dports 445,135,136,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
LOG 0 -- anywhere anywhere LOG level warning prefix `FW_OUTPUT '
Chain ILLEGAL (0 references)
target prot opt source destination
sh# tail /var/log/iptables.log
Jan 21 23:55:29 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=42166 PROTO=UDP SPT=137 DPT=137 LEN=76
Jan 21 23:55:30 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=42168 PROTO=UDP SPT=137 DPT=137 LEN=76
Jan 21 23:55:31 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=42169 PROTO=UDP SPT=137 DPT=137 LEN=76
Jan 21 23:55:31 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=205 TOS=0x00 PREC=0x00 TTL=128 ID=42170 PROTO=UDP SPT=138 DPT=138 LEN=185
Jan 21 23:55:31 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=205 TOS=0x00 PREC=0x00 TTL=128 ID=42171 PROTO=UDP SPT=138 DPT=138 LEN=185
Jan 21 23:55:31 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=42172 PROTO=UDP SPT=138 DPT=138 LEN=209
Jan 21 23:55:31 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=42173 PROTO=UDP SPT=138 DPT=138 LEN=215
Jan 21 23:55:31 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=42174 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 21 23:55:32 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=42175 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 21 23:55:33 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=42177 PROTO=UDP SPT=137 DPT=137 LEN=58
Any help on this is much appreciated; I have been tearing my hair out.
Thanks.
Last edited by jd1p3k (2007-02-09 13:32:13)
So to me it seems like this could be the issue:
DST=192.168.187.255
I am just not sure how to fix it.
I do not think that that is the problem because you have set up a rule that says:
ACCEPT tcp -- 192.168.187.0/24 anywhere tcp dpt:ssh and the address 192.168.187.255 is within the accepted scope.
Have you seen this? It may be of help:
http://gentoo-wiki.com/HOWTO_Implement_ … s_your_PDC
edit: on second inspection 192.168.187.255 is the broadcast address and that may be just an indicator that one of the computers is trying to talk to the firewall.
Your rules look a bit odd.
Can you paste the iptables save file perhaps?
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
Here is my iptables.rules
# Generated by iptables-save v1.3.7 on Fri Jan 26 19:34:43 2007
*raw
:PREROUTING ACCEPT [274509:87101722]
:OUTPUT ACCEPT [3177:549494]
COMMIT
# Completed on Fri Jan 26 19:34:43 2007
# Generated by iptables-save v1.3.7 on Fri Jan 26 19:34:43 2007
*mangle
:PREROUTING ACCEPT [274509:87101722]
:INPUT ACCEPT [4005:748522]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3177:549494]
:POSTROUTING ACCEPT [4323:827362]
COMMIT
# Completed on Fri Jan 26 19:34:43 2007
# Generated by iptables-save v1.3.7 on Fri Jan 26 19:34:43 2007
*nat
:PREROUTING ACCEPT [271104:86424381]
:POSTROUTING ACCEPT [713:144698]
:OUTPUT ACCEPT [588:140026]
COMMIT
# Completed on Fri Jan 26 19:34:43 2007
# Generated by iptables-save v1.3.7 on Fri Jan 26 19:34:43 2007
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [10:728]
:ILLEGAL - [0:0]
-A INPUT -p tcp -m tcp --dport 0 -j DROP
-A INPUT -p udp -m udp --dport 0 -j DROP
-A INPUT -p tcp -m tcp --sport 0 -j DROP
-A INPUT -p udp -m udp --sport 0 -j DROP
-A INPUT -d 255.255.255.255 -i eth0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 66.249.64.0/255.255.224.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.187.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "FW_INPUT "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 445,135,136,137,138,139 -j ACCEPT
-A INPUT -p udp -m multiport --dports 445,135,136,137,138,139 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 445,135,136,137,138,139 -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 445,135,136,137,138,139 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FW_OUTPUT "
COMMIT
# Completed on Fri Jan 26 19:34:44 2007
First off, I would drop this filter.
-A INPUT -d 255.255.255.255 -i eth0 -j DROP
You also shouldn't put any restrictions on the loopback, and you should put that rule at the top of your chain.
-A INPUT -i lo -j ACCEPT
And you should move these two to the bottom of the input chain.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
Your multiport Samba rules shouldn't even be hit with the hierarchy you have now. Moving the above two to the bottom should fix that.
As for output: again, it is always recommended to move loopback rules to the top.
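The reply above is about first-match order: iptables walks a chain top to bottom, LOG does not end the walk, and the first terminating target wins, so a catch-all REJECT placed ahead of the multiport ACCEPTs means those ACCEPTs are dead rules. The block below is an added example, not code from the thread: a small Python model of that walk, fed the two FW_INPUT lines posted above plus one constructed TCP line (the server address 192.168.187.1 and client source port 1035 are assumptions, not values from the thread). It parses the netfilter LOG fields, evaluates each packet against the INPUT chain in the order of the posted iptables-save dump and again after the reply's reordering, and shows that the same packets go from REJECT to ACCEPT. The conntrack state is assumed NEW for every logged packet, since a LOG line carries no state and anything that reached the LOG rule already failed the RELATED,ESTABLISHED match.

```python
import re
from ipaddress import ip_address, ip_network

# Two FW_INPUT lines copied from the thread, plus one constructed TCP line
# (server address 192.168.187.1, source port 1035 and the MAC pair are assumptions).
SAMPLE_LOG = """\
Jan 21 23:55:29 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=42166 PROTO=UDP SPT=137 DPT=137 LEN=76
Jan 21 23:55:31 slowass_serv FW_INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.255 LEN=205 TOS=0x00 PREC=0x00 TTL=128 ID=42170 PROTO=UDP SPT=138 DPT=138 LEN=185
Jan 21 23:55:34 slowass_serv FW_INPUT IN=eth0 OUT= MAC=00:00:00:00:00:01:00:0f:3d:66:97:3a:08:00 SRC=192.168.187.105 DST=192.168.187.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=42180 PROTO=TCP SPT=1035 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn one netfilter LOG line into a packet dict the rule model can match on."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)  # LEN appears twice (IP and UDP header); keep the first
    return {
        "iface": fields["IN"],
        "src": ip_address(fields["SRC"]),
        "dst": ip_address(fields["DST"]),
        "proto": fields["PROTO"].lower(),
        "spt": int(fields["SPT"]),
        "dpt": int(fields["DPT"]),
        # Assumption: a LOG line carries no conntrack state, and a packet that got
        # this far already failed the RELATED,ESTABLISHED rule, so treat it as NEW.
        "state": "NEW",
    }


SMB = {135, 136, 137, 138, 139, 445}
LAN = ip_network("192.168.187.0/24")

PORT_ZERO = [
    {"proto": "tcp", "dports": {0}, "target": "DROP"},
    {"proto": "udp", "dports": {0}, "target": "DROP"},
    {"proto": "tcp", "sports": {0}, "target": "DROP"},
    {"proto": "udp", "sports": {0}, "target": "DROP"},
]
BCAST_DROP = {"iface": "eth0", "dst": ip_address("255.255.255.255"), "target": "DROP"}
ESTABLISHED = {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}
SERVICES = [
    {"iface": "eth0", "proto": "tcp", "src": ip_network("66.249.64.0/19"), "dports": {22}, "target": "ACCEPT"},
    {"iface": "eth0", "proto": "tcp", "src": LAN, "dports": {22}, "target": "ACCEPT"},
    {"iface": "eth0", "proto": "tcp", "dports": {80}, "target": "ACCEPT"},
    {"iface": "eth0", "proto": "udp", "dports": {80}, "target": "ACCEPT"},
]
LO_NEW = {"iface": "lo", "state": {"NEW"}, "target": "ACCEPT"}
LO_ANY = {"iface": "lo", "target": "ACCEPT"}
LOG_THEN_REJECT = [
    {"target": "LOG"},
    {"proto": "tcp", "target": "REJECT"},
    {"proto": "udp", "target": "REJECT"},
]
SMB_ACCEPT = [
    {"proto": "tcp", "dports": SMB, "target": "ACCEPT"},
    {"proto": "udp", "dports": SMB, "target": "ACCEPT"},
]

# INPUT chain in the order of the posted iptables-save dump.
ORIGINAL_INPUT = PORT_ZERO + [BCAST_DROP, ESTABLISHED] + SERVICES + [LO_NEW] + LOG_THEN_REJECT + SMB_ACCEPT
# INPUT chain after the reply's advice: loopback first, broadcast DROP removed,
# Samba ACCEPTs ahead of the catch-all LOG/REJECT tail.
FIXED_INPUT = [LO_ANY] + PORT_ZERO + [ESTABLISHED] + SERVICES + SMB_ACCEPT + LOG_THEN_REJECT


def rule_matches(rule, pkt):
    """Every selector present in the rule must match; absent selectors match anything."""
    return (
        rule.get("iface", pkt["iface"]) == pkt["iface"]
        and rule.get("proto", pkt["proto"]) == pkt["proto"]
        and pkt["src"] in rule.get("src", ip_network("0.0.0.0/0"))
        and rule.get("dst", pkt["dst"]) == pkt["dst"]
        and pkt["dpt"] in rule.get("dports", {pkt["dpt"]})
        and pkt["spt"] in rule.get("sports", {pkt["spt"]})
        and pkt["state"] in rule.get("state", {pkt["state"]})
    )


def evaluate(chain, policy, pkt):
    """First-match walk: LOG is non-terminating, every other target ends the walk.
    Returns (verdict, index of the deciding rule) with index None when the policy decided."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            if rule["target"] == "LOG":
                continue
            return rule["target"], i
    return policy, None


def verdicts(chain, log_text):
    """Map each logged packet ('proto/spt->dpt') to the verdict the chain gives it."""
    out = {}
    for line in log_text.splitlines():
        if "FW_INPUT" in line:
            pkt = parse_log_line(line)
            out[f"{pkt['proto']}/{pkt['spt']}->{pkt['dpt']}"] = evaluate(chain, "DROP", pkt)[0]
    return out


if __name__ == "__main__":
    for name, chain in (("posted order", ORIGINAL_INPUT), ("reordered", FIXED_INPUT)):
        print(name, verdicts(chain, SAMPLE_LOG))
```

In the posted order every NetBIOS broadcast and the SMB SYN are logged and then hit the REJECT rule at index 13 before the multiport rules at 14 and 15 are ever consulted, which is exactly why FW_INPUT lines for ports 137 and 138 fill the log while the roaming profile never loads. After the reorder the same packets match the Samba ACCEPTs at indices 10 and 11 and never reach LOG or REJECT; the model deliberately keeps LOG just ahead of the REJECTs so that only traffic about to be rejected is logged.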
Thanks, this worked