Samba, AFAIK, uses ports 137:139, not 135:139.

If this is on a gateway machine (i.e. one interface on the internet, the other in-house), you probably do not want Samba talking on the outside interface. Not only does it open the door to hacking, everyone can see your shares. Put a -i eth1 (assuming eth1 is your inside interface) in the rules to only open to the inside interface.

Neither of these changes should fix your firewall to work, just tightens up the hole. As said elsewhere, the -y is probably screwing things up a bit.

Raymond Norton said:
> I am having trouble accessing samba shares from my local network. If I
> stop ipchains it works fine. Can anyone tell me what changes I need to
> make to the following set up.
>
> -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 445 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
> -A input -s 0/0 135:139 -d 0/0 135:139 -p tcp -y -j ACCEPT
> -A input -s 0/0 135:139 -d 0/0 135:139 -p udp -j ACCEPT
>
> -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
> -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
> # -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
> -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
> -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
> -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
> -A input -s 66.103.175.185 -d 0/0 -i eth0 -j ACCEPT
> -A input -j ACCEPT -p all -l -s 66.103.174.0/24 -d 0.0.0.0/0
> -A output -p udp -s 0/0 -d 0/0 135:139 -j ACCEPT
> -A output -p tcp -s 0/0 -d 0/0 135:139 -y -j ACCEPT
>
>
> --
> Raymond Norton
> Little Crow Telemedia Network
> 320-234-0270
>
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
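
Added example (not part of the original post and not an ipchains tool): a small Python check that applies the reply's three points to a saved ruleset, flagging ACCEPT rules that open the NetBIOS ports with a range wider than 137:139, without a -i interface restriction, or with -y. The sample rules are constructed from the quoted ruleset; eth1 as the inside interface and numeric port specifications are assumptions.

```python
import shlex

NETBIOS = range(137, 140)  # ports 137-139, the range the reply names for Samba

# Constructed sample: three rules taken from the quoted ruleset plus one
# tightened variant (eth1 as the inside interface is an assumption).
SAMPLE = """\
-A input -s 0/0 135:139 -d 0/0 135:139 -p tcp -y -j ACCEPT
-A input -s 0/0 135:139 -d 0/0 135:139 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 137:139 -p udp -i eth1 -j ACCEPT
"""

def parse_ports(spec):
    """'139' or '135:139' -> (low, high). Numeric ports only (assumption)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def dest_ports(tokens):
    """Return the destination port range given after '-d addr', or None."""
    if "-d" not in tokens:
        return None
    i = tokens.index("-d") + 2          # token after the destination address
    if i < len(tokens) and not tokens[i].startswith("-"):
        return parse_ports(tokens[i])
    return None

def audit(ruleset):
    """Return (line_no, finding) pairs for ACCEPT rules opening NetBIOS ports."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        tokens = shlex.split(line, comments=True)   # commented-out rules vanish
        if "ACCEPT" not in tokens:
            continue
        ports = dest_ports(tokens)
        if ports is None or not any(ports[0] <= p <= ports[1] for p in NETBIOS):
            continue
        if ports[0] < NETBIOS.start or ports[1] >= NETBIOS.stop:
            findings.append((n, "range wider than 137:139"))
        if "-i" not in tokens:
            findings.append((n, "no -i inside-interface restriction"))
        if "-y" in tokens:
            findings.append((n, "-y limits the match to SYN packets"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE):
        print(f"rule {line_no}: {finding}")
```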