[PLUG] samba, eth1 dhcp

Steven A. Adams stevea at nwtechops.com
Sat Jul 12 08:57:01 UTC 2003


I wouldn't look for this to work unless you're using TCP for netbios name
and netbios datagram services on your SMB server. Samba, as well as
other SMB servers, normally implements netbios name and datagram services
(ports 137 and 138) over UDP. You're opening ports 137 and 138 over TCP
here; this is the -p TCP option in the iptables commands that your
script is executing. From looking at your example, it would be possible
to duplicate some of the entries in order to split out ports 137:138 from
port 139 with a protocol (-p) of UDP and alter the existing -p TCP
entries to do only port 139.

It would look something like this:


if [ $SMB_CLIENT -gt 0 ]; then

    # netbios name (137) and datagram (138) services run over UDP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p UDP \
        --sport $UNPRIVPORTS --dport 137:138 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

    # netbios session service (139) runs over TCP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
        --sport $UNPRIVPORTS --dport 139 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

fi


Now further down in the script you are matching state with the -m state
option, and I don't think that this is going to be valid for UDP entries,
as UDP is a connectionless protocol. You can try, but if you get an error
then you'll have to remove the state match.



On Fri, 2003-07-11 at 23:24, Lynn Yuan wrote:
> Hi
> 
> Here is my samba config in the iptables file, is there
> anything need to be modified? 
> 
>         # samba (137) - Accessing remote web sites as a client
>         #
> 
>         if [ $SMB_CLIENT -gt 0 ]; then
> 
>             iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
>         --sport $UNPRIVPORTS --dport 137:139 -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT
> 
>             iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
>         --sport 137:139 --dport $UNPRIVPORTS -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT
> 
>             if [ $MASQUERADING -gt 0 ]; then
>                iptables -A FORWARD -p TCP -s $INTERNAL_NETWORK --sport $UNPRIVPORTS --dport 137:139 -j ACCEPT
>                iptables -A FORWARD -p TCP -d $INTERNAL_NETWORK --sport 137:139 --dport $UNPRIVPORTS -j ACCEPT
>             fi
>             if [ $VERBOSE -gt 0 ]; then
>                 echo "firewall: Clients may access remote SMB servers"
>             fi
> 
>         fi
> 
>         #
>         # SAMBA (137) - Allowing remote access to a local web server
>         #
> 
>         if [ $SMB_SERVER -gt 0 ]; then
> 
>             iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
>         --sport $UNPRIVPORTS --dport 137:139 -s $MY_SMB_CLIENTS -d $EXTERNAL_IP -j ACCEPT
> 
>             iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
>         --sport 137:139 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_SMB_CLIENTS -j ACCEPT
> 
>             iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
>         --sport $UNPRIVPORTS --dport 137:139 -s $MY_SMB_CLIENTS -d $EXTERNAL_IP -j ACCEPT
> 
>             iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
>         --sport 137:139 --dport $UNPRIVPORTS -s $EXTERNAL_IP -d $MY_SMB_CLIENTS -j ACCEPT
> 
>             if [ $VERBOSE -gt 0 ]; then
>                 echo "firewall: Remote clients may access local SMB server"
>             fi
> 
>         fi
> 
> m.y.
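The split described in the reply above, carried through into a complete SMB client rule set (an added example for this thread, not code from either post): NetBIOS name and datagram services over UDP, the session service over TCP, the matching INPUT reply rules, and a small check that no rule still carries 137/138 over TCP. It goes slightly beyond the reply in keeping the state match on the UDP reply rule, which netfilter accepts because its connection tracking follows UDP exchanges as well. Variable names follow the quoted script; IPT defaulting to a dry-run "echo iptables" and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# IPT defaults to a dry run so the generated rules can be reviewed first;
# set IPT=iptables (as root) to actually install them.
IPT="${IPT:-echo iptables}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth1}"
EXTERNAL_IP="${EXTERNAL_IP:-192.0.2.10}"      # constructed sample address (TEST-NET-1)
ANYWHERE="${ANYWHERE:-0/0}"
UNPRIVPORTS="${UNPRIVPORTS:-1024:65535}"

smb_client_rules() {
    # NetBIOS name (137) and datagram (138) services: UDP, not TCP
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p UDP \
        --sport "$UNPRIVPORTS" --dport 137:138 -s "$EXTERNAL_IP" -d "$ANYWHERE" -j ACCEPT
    # Replies: conntrack tracks UDP request/reply pairs, so the state match is valid here
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -p UDP -m state --state ESTABLISHED \
        --sport 137:138 --dport "$UNPRIVPORTS" -s "$ANYWHERE" -d "$EXTERNAL_IP" -j ACCEPT
    # NetBIOS session service (139): TCP
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p TCP \
        --sport "$UNPRIVPORTS" --dport 139 -s "$EXTERNAL_IP" -d "$ANYWHERE" -j ACCEPT
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -p TCP -m state --state ESTABLISHED,RELATED \
        --sport 139 --dport "$UNPRIVPORTS" -s "$ANYWHERE" -d "$EXTERNAL_IP" -j ACCEPT
}

# check_rules: fail if any TCP rule still refers to the name/datagram ports
check_rules() {
    if smb_client_rules | grep -- '-p TCP' | grep -qE -- '--[sd]port 13[78]'; then
        echo "check_rules: NetBIOS name/datagram ports still matched over TCP" >&2
        return 1
    fi
    return 0
}

smb_client_rules
```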
