#1 2017-01-28 14:35:35

dviktor
Member
From: Moscow
Registered: 2015-10-18
Posts: 162

[SOLVED] Can't resolve LAN NetBIOS names with iptables enabled

Hi all! I have a server machine with Samba 4.5.4 installed.

The NetBIOS name for my Samba server is server1:

[root ~]# cat /etc/samba/smb.conf | grep netbios
netbios name = server1

smbd.service, nmbd.service and winbindd.service are enabled and running successfully.

[root ~]# cat /etc/nsswitch.conf | grep wins
hosts: files wins mymachines resolve [!UNAVAIL=return] dns myhostname

When I disable iptables I can ping any machine on my LAN by its NetBIOS name:

[root ~]# ping -4 freesky-laptop
PING freesky-laptop (192.168.10.101) 56(84) bytes of data.
64 bytes from 192.168.10.101 (192.168.10.101): icmp_seq=1 ttl=64 time=0.409 ms
64 bytes from 192.168.10.101 (192.168.10.101): icmp_seq=2 ttl=64 time=0.452 ms
64 bytes from 192.168.10.101 (192.168.10.101): icmp_seq=3 ttl=64 time=0.422 ms
^C
--- freesky-laptop ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.409/0.427/0.452/0.029 ms

But when I enable my iptables rule set I can no longer ping hosts by their NetBIOS names (ping: name or service not known). Here are my iptables settings:

[root ~]# cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Sat Jan  9 02:13:57 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m multiport --dports 20,21,65000:65535 -j ACCEPT
-A TCP -p tcp -m tcp --dport 8022 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -s 192.168.10.0/24 -p tcp -m multiport --dports 135,139,445 -j ACCEPT
-A UDP -s 192.168.10.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
COMMIT
# Completed on Sat Jan  9 02:13:57 2016

Here are some stats after doing the ping with iptables enabled:

[root ~]# iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   29  2020 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
    6   438 UDP        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 TCP        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 ctstate NEW
    5   360 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 23 packets, 2950 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,65000:65535
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8022
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       192.168.10.0/24      0.0.0.0/0            multiport dports 135,139,445

Chain UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    78 ACCEPT     udp  --  *      *       192.168.10.0/24      0.0.0.0/0            multiport dports 137,138

It seems like UDP datagrams enter the UDP chain, but only one is accepted by the specified rule while the others are not, and they are rejected in the later steps (1 accepted + 5 rejected = 6 total received).
However, I can successfully ping my Samba server from the freesky-laptop client when iptables is up on the Samba server.

Have I missed something in my config? Any help is greatly appreciated!

EDIT
It seems I found a solution. According to the wiki article, one must add an extra rule to the iptables ruleset to handle UDP packet tracking. In my case:

iptables -t raw -A OUTPUT -d 192.168.10.0/24 -p udp -m udp --dport 137 -j CT --helper netbios-ns

Now my iptables ruleset looks like this:

[root ~]# cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.6.0 on Sat Jan 28 22:48:36 2017
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.168.10.0/24 -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT
# Completed on Sat Jan 28 22:48:36 2017
# Generated by iptables-save v1.6.0 on Sat Jan 28 22:48:36 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m multiport --dports 20,21,65000:65535 -j ACCEPT
-A TCP -p tcp -m tcp --dport 8022 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -s 192.168.10.0/24 -p tcp -m multiport --dports 135,139,445 -j ACCEPT
-A UDP -s 192.168.10.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
COMMIT
# Completed on Sat Jan 28 22:48:36 2017

Last edited by dviktor (2017-01-28 20:06:29)
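As an added illustration (not the poster's code; the hosts, ports and the simplified conntrack logic are constructed for this example), a small Python model of conntrack's reply-tuple matching. It shows why the unicast reply to a broadcast NetBIOS name query (sent to x.x.x.255:137) is classified NEW without the netbios-ns helper and therefore falls through the UDP chain to REJECT, while the helper's expectation makes it RELATED so the first INPUT rule accepts it:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One UDP packet as a (src, sport, dst, dport) tuple."""
    src: str
    sport: int
    dst: str
    dport: int


def reverse(f: Flow) -> Flow:
    """conntrack's reply tuple: the original tuple with endpoints swapped."""
    return Flow(f.dst, f.dport, f.src, f.sport)


class Conntrack:
    """Simplified model: exact reply-tuple matching plus an optional
    netbios-ns helper expectation (any LAN host, sport 137 -> our sport)."""

    def __init__(self, netbios_helper: bool, lan_prefix: str = "192.168.10."):
        self.replies = set()        # reply tuples of flows we have seen
        self.expect = set()         # (our_ip, our_sport) the helper expects
        self.helper = netbios_helper
        self.lan = lan_prefix

    def outbound(self, f: Flow) -> None:
        self.replies.add(reverse(f))
        # Mirrors: -t raw -A OUTPUT -d LAN -p udp --dport 137 -j CT --helper netbios-ns
        if self.helper and f.dport == 137 and f.dst.endswith(".255"):
            self.expect.add((f.src, f.sport))

    def classify(self, f: Flow) -> str:
        if f in self.replies:                  # src=broadcast never matches a unicast reply
            return "ESTABLISHED"
        if (f.src.startswith(self.lan) and f.sport == 137
                and (f.dst, f.dport) in self.expect):
            return "RELATED"
        return "NEW"


def input_verdict(state: str, f: Flow, lan_prefix: str = "192.168.10.") -> str:
    """The INPUT/UDP chain logic from the post, reduced to the UDP case."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if f.src.startswith(lan_prefix) and f.dport in (137, 138):
        return "ACCEPT"                        # -A UDP -s LAN --dports 137,138
    return "REJECT"                            # -A INPUT -p udp -j REJECT


def simulate(helper: bool) -> str:
    """Server1 broadcasts a name query; freesky-laptop answers by unicast."""
    ct = Conntrack(helper)
    ct.outbound(Flow("192.168.10.1", 40000, "192.168.10.255", 137))
    reply = Flow("192.168.10.101", 137, "192.168.10.1", 40000)
    return input_verdict(ct.classify(reply), reply)
```

Without the helper `simulate(False)` returns "REJECT", which is what the five rejected datagrams in the counters above correspond to; with it `simulate(True)` returns "ACCEPT".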