* Samba blocked?
From: Dan Egli @ 2002-11-26 21:05 UTC (permalink / raw)
To: netfilter
Ok. I'm a fair bit confused here. I'm trying to set up an iptables filter set
that will block certain ports and allow others. It seems to work perfectly
for anything other than Samba. If I try:
smbclient //myserver/shared1, it fails to connect. But using the IP in place
of it:
smbclient //192.168.0.2/shared1 works just fine. I am specifically allowing
NetBIOS-ns, NetBIOS-ssn, and NetBIOS-dgm. Still no go. What's wrong?
Thanks!
-- Dan
tables:
#!/bin/bash
IPT=/sbin/iptables
# step 1 - ensure iptables are loaded
modprobe ip_conntrack_ftp
# that should pull in all dependent modules
# step 2 SET DEFAULT POLICY
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# step 3 FLUSH THE TABLES
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -t nat -F OUTPUT
# step 4 - setup rules
$IPT -A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 -m multiport --dports \
    telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
$IPT -A INPUT -p udp -i eth0 -m multiport --dports \
    domain,ntp,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -j LOG
$IPT -A FORWARD -i eth0 -j ACCEPT
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -j LOG
# step 5 - enable NAT
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38
# step 6 - setup the proc files for a proper firewall
echo 1 > /proc/sys/net/ipv4/ip_forward
P.S. With these rules, it should only log packets that are failing, and I
see the packets on port 137 in the log, so I don't know what's wrong.
* RE: Samba blocked?
From: Robert Wideman @ 2002-11-27 0:00 UTC (permalink / raw)
To: 'Dan Egli', netfilter
Check your DNS settings. You're using the DNS name or hosts in the first one
and in the second you use the IP address...
Robert Wideman
* Re: Samba blocked?
From: Michael @ 2002-11-27 1:14 UTC (permalink / raw)
To: Dan Egli, netfilter
Dan Egli wrote:
>Ok. I'm a fair bit confused here. I'm trying to setup a IPtables filter set
>that will block certain ports and allow others. It seems to work perfectly
>for anything other than Samba. If I try:
>
>smbclient //myserver/shared1, it fails to connect. But using the IP in place
>of it:
>smbclient //192.168.0.2/shared1 works just fine. I am specifically allowing
>NetBIOS-ns, NetBIOS-ssn, and NetBIOS-dgm. Still no go. What's wrong?
Probably nothing wrong with the iptables rules. Might be something wrong
with the name lookups for smbclient though.
Have a look at man pages for smbclient, in particular the name resolve
order (-R) command switch. Also have a look at man page for smb.conf,
as the method for name look ups is defined there (The order too)
The default order is lmhosts, host, wins, bcast for name look ups.
I believe that for bcast name lookups to work you need to allow bcast
traffic too, i.e. you need to allow 192.168.0.255 port 137.
If you don't want that, a quick fix is to try adding the 'myserver'
name and IP to /etc/hosts ..
Cheers,
Michael
* Re: Samba blocked?
From: Dan Egli @ 2002-11-27 2:31 UTC (permalink / raw)
To: Michael; +Cc: netfilter
Traffic to 192.168.0.255? I don't recall seeing anything that would block
that. Here's what the table list shows:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports smtp,ftp,telnet,ssh,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT tcp -- anywhere anywhere multiport dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT udp -- anywhere anywhere multiport dports domain,ntp,router,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm,netbios-ssn
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm,netbios-ssn
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
* Re: Samba blocked?
From: Dan Egli @ 2002-11-27 2:41 UTC (permalink / raw)
To: Michael, netfilter
Ok. I found the lookup order as:
wins lmhosts bcast
Which is how a windows client would connect. (except it would read lmhosts
first). This needs to work not only for
smbclient but also for any windows machines in the 192.168.0.x network. And
adding a lmhosts to each machine is not really an option except as an
absolute last resort.
I need the system to be able to resolve netbios names via broadcast if at
all possible. I still don't see why a request to 192.168.0.255 would fail.
Here are the log fragments when I run smbclient //myserver/shared1 -U myuser:
(resolve order = wins lmhosts bcast)
Nov 26 20:33:22 mail last message repeated 2 times
Nov 26 20:34:03 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32814 DPT=137 LEN=58
Nov 26 20:34:07 mail last message repeated 2 times
Nov 26 20:34:09 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70
Nov 26 20:34:10 mail last message repeated 2 times
Nov 26 20:34:10 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70
Any ideas, anyone?
-- Dan
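Added example, not part of the thread: a small triage helper that folds kernel LOG lines in the syslog format Dan pasted into one count per ingress interface, protocol and destination port, which makes the "every drop is IN=lo" pattern visible at a glance. The sample log in the test is constructed; treating a DST ending in .255 as a broadcast assumes a /24 LAN like 192.168.0.0/24.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG lines by
# ingress interface, protocol and destination port. Syslog's
# "last message repeated N times" lines are added to the count of the
# entry that precedes them. A DST ending in .255 is counted as a
# broadcast, which assumes a /24 LAN such as 192.168.0.0/24.
# usage: summarize_log_drops < /var/log/messages
summarize_log_drops() {
    awk '
    /kernel: IN=/ {
        iface = proto = dport = dst = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # tokens like "DF" carry no value
            if (kv[1] == "IN")    iface = (kv[2] == "" ? "-" : kv[2])
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dport = kv[2]
            if (kv[1] == "DST")   dst = kv[2]
        }
        key = iface " " proto " " dport
        count[key]++
        if (dst ~ /\.255$/) bcast[key]++
        last = key
        next
    }
    /last message repeated [0-9]+ times/ {
        if (last != "") count[last] += $(NF - 1)
    }
    END {
        for (k in count)
            printf "%s count=%d broadcast=%d\n", k, count[k], bcast[k] + 0
    }' | LC_ALL=C sort
}
```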
* Re: Samba blocked?
From: Michael @ 2002-11-27 3:12 UTC (permalink / raw)
To: netfilter
Dan Egli wrote:
>Traffic to 192.168.0.255? I don't recall seeing anything that would block
>that. Here's what the table list shows:
><snip>
>
Yes, ok. That's why I said "Probably nothing wrong with the iptables
rules". I went on to elaborate that you do need to allow bcast for bcast
name lookups to work...
Like I said, have a look at the name lookups setup in smb.conf.
What message does smbclient give you ??
Here's a good bcast namelookup:
smbclient //mandingo/mandingo -U mandingo
added interface ip=192.168.0.241 bcast=192.168.0.255 nmask=255.255.255.0
Got a positive name query response from 192.168.0.250 ( 192.168.0.250 )
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 2.0.6]
smb: \> exit
This is without /etc/hosts entry for mandingo host.
What say ?:
nmblookup -B 192.168.0.255 shared1
Cheers, Michael
* Re: Samba blocked?
From: Michael @ 2002-11-27 3:22 UTC (permalink / raw)
To: netfilter
Dan Egli wrote:
>Ok. I found the lookup order as:
>wins lmhosts bcast
>
>Which is how a windows client would connect. (except it would read lmhosts
>first). This needs to work not only for
>smbclient but also for any windows machines in the 192.168.0.x network. And
>adding a lmhosts to each machine is not really an option except as an
>absolute last resort.
>
>I need the system to be able to resolve netbios names via broadcast if at
>all possible. I still don't see why a request to 192.168.0.255 would fail.
>
>Here's the log fragments when I run smbclient //myserver/shared1 -U myuser:
>(resolve order = wins lmhosts bcast)
>
>Nov 26 20:33:22 mail last message repeated 2 times
>Nov 26 20:34:03 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32814 DPT=137 LEN=58
>Nov 26 20:34:07 mail last message repeated 2 times
>Nov 26 20:34:09 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70
>Nov 26 20:34:10 mail last message repeated 2 times
>Nov 26 20:34:10 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70
>
>Any ideas, anyone?
>
The logs are IN=lo. You have no rules to match interface lo. Are you
running smbclient from local? You need iptables rules to allow from lo
too....
Sorry I didn't think of this before...
Cheers,
Michael
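Added example, not from the thread: the INPUT chain Michael's diagnosis calls for (loopback accepted, broadcast name queries to 192.168.0.255 port 137 and the NetBIOS ports accepted from the LAN only), written as iptables-restore text, plus an audit that reads `iptables-save` output and reports whether those accepts are present. LAN_IF, LAN_NET and LAN_BCAST are assumed values for Dan's 192.168.0.x network; the "Dan-like" ruleset in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values for Dan's LAN.
# Note: plain `iptables -L` hides the -i/-o interface columns (use -v or
# iptables-save), which is why the listing in the thread could not show
# whether anything was accepted on lo.
LAN_IF=eth0
LAN_NET=192.168.0.0/24
LAN_BCAST=192.168.0.255

# Loopback first (smbclient run on the server talks to nmbd/smbd over lo),
# then conntrack, then the broadcast name query and the NetBIOS ports from
# LAN hosts only, then a logged drop. iptables-restore replaces the whole
# filter table, so add FORWARD/OUTPUT lines before loading with it.
fixed_input_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -d $LAN_BCAST -p udp --dport 137 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 139 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Read iptables-save text on stdin, print one line per missing rule and
# return 0 only if both the lo accept and a UDP 137 accept are present.
# usage: iptables-save | audit_input_rules
audit_input_rules() {
    rules=$(cat)
    missing=0
    if ! printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT'; then
        echo "missing: INPUT accept on interface lo"
        missing=1
    fi
    if ! printf '%s\n' "$rules" | grep -- '^-A INPUT .*-p udp ' |
            grep -Eq -- '(--dport|--dports) ([0-9]+,)*137(,| |$)'; then
        echo "missing: INPUT accept for UDP 137 (NetBIOS name service)"
        missing=1
    fi
    return $missing
}
```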
* Re: Samba blocked?
From: Dan Egli @ 2002-11-27 3:53 UTC (permalink / raw)
To: Michael, netfilter
I didn't realize that. I'll look into that. I can not access the machine at
current so I'll print this out and use it when I CAN access it. Any other
ideas so if that fails I can try them?
-- Dan