* Samba blocked?
From: Dan Egli @ 2002-11-26 21:05 UTC
To: netfilter

Ok. I'm a fair bit confused here. I'm trying to set up an iptables filter set that will block certain ports and allow others. It seems to work perfectly for anything other than Samba. If I try:

smbclient //myserver/shared1, it fails to connect. But using the IP in place of it:
smbclient //192.168.0.2/shared1 works just fine. I am specifically allowing NetBIOS-ns, NetBIOS-ssn, and NetBIOS-dgm. Still no go. What's wrong?

Thanks!

-- Dan

tables:

#!/bin/bash
IPT=/sbin/iptables

# step 1 - ensure iptables are loaded
modprobe ip_conntrack_ftp # that should pull in all dependent modules

# step 2 SET DEFAULT POLICY
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# step 3 FLUSH THE TABLES
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -t nat -F OUTPUT

# step 4 - setup rules
$IPT -A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 -m multiport --dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
$IPT -A INPUT -p udp -i eth0 -m multiport --dports domain,ntp,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -j LOG
$IPT -A FORWARD -i eth0 -j ACCEPT
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -j LOG

# step 5 - enable NAT
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38

# step 6 - setup the proc files for a proper firewall
echo 1 > /proc/sys/net/ipv4/ip_forward

P.S. With these rules, it should only log packets that are failing, and I see the packets on port 137 in the log, so I don't know what's wrong.
* RE: Samba blocked?
From: Robert Wideman @ 2002-11-27 0:00 UTC
To: 'Dan Egli', netfilter

Check your DNS settings. You're using the DNS name or hosts in the first one, and in the second you use the IP address.

Robert Wideman
* Re: Samba blocked?
From: Michael @ 2002-11-27 1:14 UTC
To: Dan Egli, netfilter

Dan Egli wrote:
> Ok. I'm a fair bit confused here. I'm trying to set up an iptables filter set
> that will block certain ports and allow others. It seems to work perfectly
> for anything other than Samba. If I try:
>
> smbclient //myserver/shared1, it fails to connect. But using the IP in place
> of it:
> smbclient //192.168.0.2/shared1 works just fine. I am specifically allowing
> NetBIOS-ns, NetBIOS-ssn, and NetBIOS-dgm. Still no go. What's wrong?

Probably nothing wrong with the iptables rules. Might be something wrong with the name lookups for smbclient though.

Have a look at the man page for smbclient, in particular the name resolve order (-R) command switch. Also have a look at the man page for smb.conf, as the method for name lookups is defined there (the order too).

The default order is lmhosts, host, wins, bcast for name lookups. I believe that for bcast name lookups to work you need to allow bcast traffic too, i.e. you need to allow 192.168.0.255 port 137.

If you don't want that, a quick fix is to try adding the 'myserver' name and IP to /etc/hosts.

Cheers,
Michael
* Re: Samba blocked?
From: Dan Egli @ 2002-11-27 2:31 UTC
To: Michael; +Cc: netfilter

Traffic to 192.168.0.255? I don't recall seeing anything that would block that. Here's what the table list shows:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            multiport dports smtp,ftp,telnet,ssh,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            multiport dports telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            multiport dports domain,ntp,router,netbios-ns,netbios-dgm,netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            multiport dports netbios-ns,netbios-dgm,netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            multiport dports netbios-ns,netbios-dgm,netbios-ssn
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            LOG level warning

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
* Re: Samba blocked?
From: Michael @ 2002-11-27 3:12 UTC
To: netfilter

Dan Egli wrote:
> Traffic to 192.168.0.255? I don't recall seeing anything that would block
> that. Here's what the table list shows:
> <snip>

Yes, ok. That's why I said "Probably nothing wrong with the iptables rules". I went on to elaborate that you do need to allow bcast for bcast name lookups to work...

Like I said, have a look at the name lookups setup in smb.conf. What message does smbclient give you?

Here's a good bcast name lookup:

smbclient //mandingo/mandingo -U mandingo
added interface ip=192.168.0.241 bcast=192.168.0.255 nmask=255.255.255.0
Got a positive name query response from 192.168.0.250 ( 192.168.0.250 )
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 2.0.6]
smb: \> exit

This is without an /etc/hosts entry for the mandingo host.

What say?:

nmblookup -B 192.168.0.255 shared1

Cheers,
Michael
* Re: Samba blocked?
From: Dan Egli @ 2002-11-27 2:41 UTC
To: Michael, netfilter

Ok. I found the lookup order as:

wins lmhosts bcast

Which is how a Windows client would connect (except it would read lmhosts first). This needs to work not only for smbclient but also for any Windows machines in the 192.168.0.x network. And adding an lmhosts to each machine is not really an option except as an absolute last resort.

I need the system to be able to resolve NetBIOS names via broadcast if at all possible. I still don't see why a request to 192.168.0.255 would fail.

Here's the log fragments when I run smbclient //myserver/shared1 -U myuser: (resolve order = wins lmhosts bcast)

Nov 26 20:33:22 mail last message repeated 2 times
Nov 26 20:34:03 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32814 DPT=137 LEN=58
Nov 26 20:34:07 mail last message repeated 2 times
Nov 26 20:34:09 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70
Nov 26 20:34:10 mail last message repeated 2 times
Nov 26 20:34:10 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70

Any ideas, anyone?

-- Dan
* Re: Samba blocked?
From: Michael @ 2002-11-27 3:22 UTC
To: netfilter

Dan Egli wrote:
> I need the system to be able to resolve NetBIOS names via broadcast if at
> all possible. I still don't see why a request to 192.168.0.255 would fail.
>
> Here's the log fragments when I run smbclient //myserver/shared1 -U myuser:
> (resolve order = wins lmhosts bcast)
>
> Nov 26 20:33:22 mail last message repeated 2 times
> Nov 26 20:34:03 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32814 DPT=137 LEN=58
> Nov 26 20:34:07 mail last message repeated 2 times
> Nov 26 20:34:09 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70
> Nov 26 20:34:10 mail last message repeated 2 times
> Nov 26 20:34:10 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70
>
> Any ideas, anyone?

The logs are IN=lo. You have no rules to match interface lo. Are you running smbclient from local? You need iptables rules to allow from lo too...

Sorry I didn't think of this before...

Cheers,
Michael
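The diagnosis above can be checked mechanically: replay the LOG lines against a model of the script's ACCEPT rules and see which packets fall through to the DROP policy. This is an added example, not code from the thread; the rule model is a hand-written approximation of the posted script (the RELATED,ESTABLISHED rule is deliberately left out, since a dropped query never becomes an established flow), the first three log lines are copied from the thread and the eth0 line is constructed.

```python
import re
from collections import Counter

# Standard /etc/services numbers for the port names the script uses.
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
            "http": 80, "pop3": 110, "nntp": 119, "ntp": 123, "netbios-ns": 137,
            "netbios-dgm": 138, "netbios-ssn": 139, "imap": 143, "https": 443,
            "printer": 515}

# Hand-written model of the script's static INPUT ACCEPT rules, in script order:
# (input interface or None for "any interface", protocol, accepted --dports names).
RULES = [
    (None, "TCP", {"smtp", "ftp", "telnet", "ssh"}),
    ("eth0", "TCP", {"telnet", "ssh", "domain", "nntp", "ntp", "printer", "pop3", "imap",
                     "http", "https", "netbios-ns", "netbios-dgm", "netbios-ssn"}),
    ("eth0", "UDP", {"domain", "ntp", "netbios-ns", "netbios-dgm", "netbios-ssn"}),
]

# First three lines copied from the thread; the eth0 line is constructed for contrast.
SAMPLE_LOG = [
    "Nov 26 20:34:03 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32814 DPT=137 LEN=58",
    "Nov 26 20:34:09 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.2 DST=192.168.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70",
    "Nov 26 20:34:10 mail kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=64.122.31.38 DST=64.122.31.38 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32814 LEN=70",
    "Nov 26 20:40:00 mail kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.10 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=137 DPT=137 LEN=58",
]

def parse_log(line):
    """Split one kernel LOG line into its KEY=VALUE fields; None if it is not a LOG line."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return fields if "PROTO" in fields else None

def matching_rule(pkt):
    """Index of the first modelled rule that accepts the packet, or None (policy DROP)."""
    for i, (iface, proto, names) in enumerate(RULES):
        if ((iface is None or pkt["IN"] == iface) and pkt["PROTO"] == proto
                and int(pkt["DPT"]) in {SERVICES[n] for n in names}):
            return i
    return None

def suggest_rule(pkt):
    """Narrowest rule that would accept the packet; loopback gets the usual blanket accept."""
    if pkt["IN"] == "lo":
        return "$IPT -A INPUT -i lo -j ACCEPT"
    return "$IPT -A INPUT -i %s -p %s --dport %s -j ACCEPT" % (
        pkt["IN"], pkt["PROTO"].lower(), pkt["DPT"])

def dropped_summary(lines):
    """Count logged packets that no modelled rule accepts, keyed by (IN, PROTO, DPT)."""
    dropped = Counter()
    for pkt in filter(None, map(parse_log, lines)):
        if matching_rule(pkt) is None:
            dropped[(pkt["IN"], pkt["PROTO"], int(pkt["DPT"]))] += 1
    return dropped

if __name__ == "__main__":
    for pkt in filter(None, map(parse_log, SAMPLE_LOG)):
        if matching_rule(pkt) is None:
            print("no ACCEPT rule for IN=%s %s dport %s; try: %s"
                  % (pkt["IN"], pkt["PROTO"], pkt["DPT"], suggest_rule(pkt)))
```

Run against the thread's lines, every dropped packet is on lo, which is exactly the missing "-i lo" rule; the constructed eth0 broadcast query is accepted by the UDP rule.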
* Re: Samba blocked?
From: Dan Egli @ 2002-11-27 3:53 UTC
To: Michael, netfilter

I didn't realize that. I'll look into that. I can not access the machine at current so I'll print this out and use it when I CAN access it. Any other ideas so if that fails I can try them?

-- Dan
Thread overview: 8 messages
2002-11-26 21:05 Samba blocked? (Dan Egli)
2002-11-27 0:00  ` RE: Samba blocked? (Robert Wideman)
2002-11-27 1:14  ` Re: Samba blocked? (Michael)
2002-11-27 2:31    ` Re: Samba blocked? (Dan Egli)
2002-11-27 3:12      ` Re: Samba blocked? (Michael)
2002-11-27 2:41    ` Re: Samba blocked? (Dan Egli)
2002-11-27 3:22      ` Re: Samba blocked? (Michael)
2002-11-27 3:53        ` Re: Samba blocked? (Dan Egli)