iptables rules to allow nautilus samba access [SOLVED]

Bill Tangren bjt at aa.usno.navy.mil
Fri Jul 29 15:13:12 UTC 2005


Will McDonald wrote:
> On 28/07/05, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
> 
>>Will McDonald wrote:
>>
>>>On 28/07/05, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
>>>
>>>
>>>
>>>>They are applied on the samba server. I can get to the samba server from
>>>>a Windoze box. That was never a problem. What IS a problem is getting to
>>>>the Windoze box from the samba box. That's what I am trying to get help
>>>>with.
>>>
>>>
>>>Ah, sorry, should've paid a little more attention. :)
>>>
>>>As we found, we needed the following incoming ports.
>>>
>>>137/udp
>>>138/udp
>>>139/tcp
>>>445/tcp
>>>
>>>I assume you'd need to allow traffic out from the SMB server to these
>>>destination ports on the windows box. How restrictive are you being on
>>>outbound traffic from the host? What do your OUTPUT or
>>>tcp_outbound/udp_outbound chains look like?
>>>
>>>Assuming you're not (statefully) allowing anything and everything out
>>>from the Samba server by default (a reasonable assumption given it
>>>works without the firewall in place and doesn't when it is) I imagine
>>>you'd want to see something like...
>>>
>>>Chain OUTPUT (policy DROP)
>>>ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:137 state NEW
>>>ACCEPT  udp  --  anywhere  $windowsbox  udp dpt:138 state NEW
>>>ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:139 state NEW
>>>ACCEPT  tcp  --  anywhere  $windowsbox  tcp dpt:445 state NEW
>>>
>>>Depending on exactly how you generate your rules something like...
>>>
>>>$IPTABLES -A OUTPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
>>>$IPTABLES -A OUTPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
>>>$IPTABLES -A OUTPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
>>>$IPTABLES -A OUTPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
>>>
>>>... might do it for you.
>>>
>>>Will.
>>>
>>
>>I'm not stopping anything outbound. I'm the only one with an account on
>>this box:
>>
>>Chain up_outbound (0 references)
>>target     prot opt source               destination
>>ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
>>
>>Chain tcp_outbound (0 references)
>>target     prot opt source               destination
>>ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
>>
>>My original post indicated that nautilus was using high level ports
>>(>32800) to talk to the Windows boxes. I think the problem is there, but
>>I don't know how to get it to specify a specific range or to not use
>>those ranges at all.
> 
> 
> Hmm, OK then, does this inward bound source port approach help...
> 
> https://lists.netfilter.org/pipermail/netfilter/2002-March/032383.html
> 
> Will.
> 
> (Or anything else enlightening from searches like...
> 
> http://www.google.co.uk/search?hl=en&safe=off&q=iptables+samba+high+ports&meta=
> )
> 

None of these links helped. The problem I was having is that findsmb 
uses ports 32820+ and 38960+. [findsmb is what nautilus uses to get a 
list of network neighborhood boxes on the LAN.] The only way around this 
that I could find is to open these port ranges in the firewall, but 
restrict them to local (LAN) boxes. This solved my problem, but I was 
hoping to find a way to get findsmb to not use high ports.

Oh well...

Thanks for the help.

Bill
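One way to express the rule set the thread ends up with (Will's outbound NetBIOS/SMB rules, plus Bill's fix of opening the findsmb high-port ranges to LAN hosts only), as an added example that is not from the thread. The LAN prefix 192.168.1.0/24 and the upper bounds of the two port ranges are assumptions, since the thread gives only the starting ports (32820 and 38960); it also assumes an INPUT chain with a DROP policy and no conntrack rule already covering these replies.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: LAN prefix and the
# upper bound of each findsmb port range (the thread only says 32820+ / 38960+).
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed LAN prefix
FINDSMB_RANGES="32820:32900 38960:39100"   # assumed upper bounds
IPTABLES="${IPTABLES:-iptables}"

# run either executes the command or, when DRY_RUN is set, prints it,
# so the rules can be reviewed before touching the live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

samba_client_rules() {
    # Outbound NetBIOS/SMB from this box, limited to Windows hosts on the LAN
    # (the four ports Will listed) rather than anywhere.
    run "$IPTABLES" -A OUTPUT -d "$LAN_NET" -p udp --dport 137 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A OUTPUT -d "$LAN_NET" -p udp --dport 138 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A OUTPUT -d "$LAN_NET" -p tcp --dport 139 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A OUTPUT -d "$LAN_NET" -p tcp --dport 445 -m state --state NEW -j ACCEPT
    # Inbound replies to the high UDP ports findsmb listens on: accepted only
    # from LAN sources, which is the restriction Bill's fix relies on.
    for range in $FINDSMB_RANGES; do
        run "$IPTABLES" -A INPUT -s "$LAN_NET" -p udp --dport "$range" -j ACCEPT
    done
}

# Dry-run helpers: print the rules, or count them, without applying anything.
print_rules() { ( DRY_RUN=1; samba_client_rules ); }
count_rules() { print_rules | wc -l | tr -d ' '; }
```

Source the file and call `print_rules` to review the generated rules, or `samba_client_rules` as root to apply them; the inbound rules can be tightened further by dropping the ranges once a run of findsmb shows which ports it actually uses.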