Samba help
Rick Stevens
rstevens at vitalstream.com
Fri Jan 9 02:16:58 UTC 2004
dalen wrote:
>> Knowing less about iptables than smb.conf and based on what I found in
>> the existing /etc/sysconfig/iptables, I added these two lines:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137:139 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
>>
>> Are these the entries I _should_ add to iptables?
>>
>> Thanks!
>>
>> Andrew Robinson
>
>
> Andrew,
> Like you, I know little about iptables. I googled and found that
> smb needs port 137-139 (basic smb) and 445 (for win2k clients IIRC).
> Initially, I set up the firewall for ssh only and noticed the following
> line...
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>
> Using this as an example, I duplicated the above line for each
> port/protocol I needed as shown below.
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
>
> This may be opening more ports/protocols than necessary and I may try to
> research it and close unnecessary ports later. Another option is to use
> the redhat firewall script (I don't remember the name). It basically
> asks which ports or service name to open and updates the iptables config
> file.
>
> Dale
Those first 6 rules could be rewritten as two:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137:139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137:139 -j ACCEPT
Saves space and typing. ;-)
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- su -; find / -name someone -exec touch \{\} \; -
- - The UNIX way of touching someone -
----------------------------------------------------------------------