At 05:43 PM 9/15/2003, you wrote:
Hi Ian,
On Mon, 2003-09-15 at 20:32, Ian L wrote:
> Hey all,
>
> I'm trying to set up samba to work with a win2k3 server and a redhat 8
> server. I've got samba 2.x installed. It seems to be working, although I
> haven't finished setting up all the user permissions. When I turn iptables
> off, I get a password prompt in windows when I click on the server.
>
> When I turn iptables on, it just sits for 20 seconds and then tells me I
> don't have permission to access this network resource.
Hi Ian. Hopefully I can offer a suggestion that will not only solve your problem, but show *you* how to do it. You know, the old "give a man a fish" theory. ;-)
Install tcpdump, if you don't have it already. Determine what traffic (SSH, HTTP, DNS, etc.) you might see across the relevant network interface (eth1?) that Samba traffic should traverse. Now, run the following (with iptables enabled):
"tcpdump -ni eth1 not port 22 and not port 80 and not port 53" (etc, etc.) Include a "and not port XX" for each known service you *don't* want to see. This should (hopefully) reveal which ports/protocols that Samba is using. Those will be the ones you'll want to add to your iptables ruleset to allow SMB traffic through.
There's always a chance that you'll catch more traffic than you expect. It's a case of trial and error. You're generally looking for TCP/UDP traffic between ports 135-139 and possibly 445. Hope this helps!
Thanks,
I do appreciate the information. However, I think I have information overload from tcpdump right now. There is a LOT of info scrolling across the screen. Some of it I can figure out what it's trying to do, although I can't figure out ports or anything useful for iptables. Most of the traffic seems to be broadcast messages from other networked PCs and printers. It became a little more readable if I used -nnqi but it was still mostly Greek to me.
I did try allowing ports 135-139 and 445 in iptables for both tcp and udp. But I guess I did something wrong.
Hmm, looks like I got it working by playing with the config file a bit more.
-A RH-Lokkit-0-50-INPUT -i eth0 -p tcp -m multiport --dport 135,139,445 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m multiport --dport 135,137,138,139,445 -j ACCEPT
Those are the two lines I added, which seem to have it working now. One last question though ... what's the parameter to tell it to only accept this traffic from a specific IP? Is it -s ip-address?
Thanks for the help,
Ian
I was just having the same problem and here is what Ben told me to do. This is a quote from him:
Yep, if this box is your firewall, protecting your windows clients from the internet, you could be in some serious trouble right now...
If we assume that you are running a standard class C network, then I think the two rules should look like:
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
the -s option tells iptables what source IPs to match the packet against, so if your ip range is different, you'll need to put a different number there. Of course, there's always shorewall (http://www.shorewall.net) :)
Ben
HTH. It sure has helped me out.
Lee Perez
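Ben's point about the missing -s, and Ian's two earlier rules that accept SMB ports from any source, as an added audit check (example code written for this thread, not from anyone in it; the rule lines below are constructed from the ones quoted above and the trusted LAN range is an assumption):

```python
# Audit iptables ACCEPT rules for SMB/NetBIOS ports that are not restricted
# to a trusted source range (the "serious trouble" case Ben describes).
SMB_PORTS = {135, 137, 138, 139, 445}

def parse_ports(spec):
    """Expand a --dport spec ('445', '137:139', '135,139,445') into a set of ints."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports

def rule_options(rule):
    """Map each '-x'/'--long' option of an iptables rule to its value (True if bare)."""
    toks, opts, i = rule.split(), {}, 0
    while i < len(toks):
        if toks[i].startswith("-"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 2
                continue
            opts[toks[i]] = True
        i += 1
    return opts

def audit_smb_rules(rules, trusted_sources):
    """Return (rule, reason) for every ACCEPT on an SMB port lacking a trusted -s."""
    findings = []
    for rule in rules:
        o = rule_options(rule)
        spec = o.get("--dport") or o.get("--dports")  # multiport may use either
        if o.get("-j") != "ACCEPT" or not spec:
            continue
        hit = sorted(parse_ports(spec) & SMB_PORTS)
        if not hit:
            continue
        src = o.get("-s")
        if src is None:
            findings.append((rule, "accepts SMB ports %s from any source" % hit))
        elif src not in trusted_sources:
            findings.append((rule, "source %s is not a trusted LAN range" % src))
    return findings

# Constructed sample: Ian's unrestricted rules followed by Ben's restricted ones.
SAMPLE_RULES = [
    "-A RH-Lokkit-0-50-INPUT -i eth0 -p tcp -m multiport --dport 135,139,445 -j ACCEPT",
    "-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m multiport --dport 135,137,138,139,445 -j ACCEPT",
    "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT",
    "-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT",
]
TRUSTED = {"192.168.1.0/24"}  # assumed internal range, as in Ben's example
```

Running `audit_smb_rules(SAMPLE_RULES, TRUSTED)` flags only the first two rules, which is exactly the exposure Ben warns about when the box is also the Internet-facing firewall.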
-- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/redhat-list