[SLUG] IPTables (was Linux Magazine)

Paul Teasdale pdt at rcsuk.fsnet.co.uk
Mon Jun 16 17:56:01 BST 2003


Phil,

Firstly please use these rules with caution as I have typed this posting
from my Windows box and the rules I am about to mention are from memory and
have not been tested; anyhow enough of the disclaimers.

SAMBA uses the ports 137, 138 and 139. It may also use port 901 if you use
the SAMBA Web Administration Tool (SWAT).

As Gavin said in his talk you can check out /etc/services to confirm all
these port numbers.

The rules you will need will look something like the following (and
obviously you will need to work them in around your existing rules probably
ensuring that they are in the correct place):-

# Accept incoming packets for new and established connections from your internal network to ports 137, 138, 139
iptables -A INPUT -i $INTERFACE -s $INTERNAL_NETWORK -p udp --dport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT

# Accept incoming packets for new and established connections from your internal network to port 901 (not needed if you don't use SWAT)
iptables -A INPUT -i $INTERFACE -s $INTERNAL_NETWORK -p udp --dport 901 -m state --state NEW,ESTABLISHED -j ACCEPT

You will also (probably) want to put a line in your rules something like the
following:

# Allow outgoing packets on your network for new and established connections on ports 137, 138, 139
# I think that new connections can probably go in both directions hence NEW,ESTABLISHED here too
# What I am saying is your Linux box can create a new connection to your Windows box and vice versa
# (-A appends to the OUTPUT chain; iptables has no -O option)
iptables -A OUTPUT -o $INTERFACE -d $INTERNAL_NETWORK -p udp --sport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT

You may also want to do something about the FORWARD chain if you have
enabled IP forwarding.

An example of INTERFACE could be eth0 but you may need to modify it to suit
your network interface.

An example of INTERNAL_NETWORK could be 192.168.1.0/24 (or
192.168.1.0/255.255.255.0) but you may need to modify it to suit your IP
range.

To get the -m state switch working you need to ensure that ip connection
tracking is active (which is usually a kernel module).

Try: modprobe ip_conntrack

Finally I can't remember if SAMBA uses tcp, udp or both. Look at the
/etc/services to determine this and modify and/or add rules according to
your findings.

Hope this helps.

Kind regards,

Paul.
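A fuller version of the ruleset described above, added here as an example and not code from Paul's post. It prints the iptables commands as text so they can be reviewed before being run as root, uses eth0 and 192.168.1.0/24 as placeholder values, and takes the port/protocol assignments (137/udp, 138/udp, 139/tcp, 901/tcp) from /etc/services rather than assuming udp throughout.

```shell
#!/bin/sh
# Added example (not from the original post): print the Samba ruleset as
# text so it can be reviewed and then applied as root (e.g. piped to sh).
# Port/protocol assignments as listed in /etc/services:
#   netbios-ns 137/udp, netbios-dgm 138/udp, netbios-ssn 139/tcp, swat 901/tcp
# The interface and network below are placeholders; set them for your LAN.

# samba_rules IFACE NETWORK [swat]  -> one iptables command per line
samba_rules() {
    iface="$1"; net="$2"; swat="${3:-}"
    st="-m state --state NEW,ESTABLISHED -j ACCEPT"   # needs ip_conntrack loaded

    # Inbound from the LAN to nmbd (137/138 udp) and smbd (139 tcp) on this box.
    echo "iptables -A INPUT -i $iface -s $net -p udp --dport 137:138 $st"
    echo "iptables -A INPUT -i $iface -s $net -p tcp --dport 139 $st"

    # Outbound to the LAN. nmbd sends name queries from source port 137, so
    # NEW is allowed on the udp rule. smbd's tcp replies leave from port 139
    # and are already ESTABLISHED; this box's own client connections
    # (smbclient) go to dport 139 and need NEW. Note -A, not -O.
    echo "iptables -A OUTPUT -o $iface -d $net -p udp --sport 137:138 $st"
    echo "iptables -A OUTPUT -o $iface -d $net -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -d $net -p tcp --dport 139 $st"

    # SWAT (901/tcp) only if requested; it is plain HTTP, so keep it LAN-only.
    if [ "$swat" = "swat" ]; then
        echo "iptables -A INPUT -i $iface -s $net -p tcp --dport 901 $st"
        echo "iptables -A OUTPUT -o $iface -d $net -p tcp --sport 901 -m state --state ESTABLISHED -j ACCEPT"
    fi
}

# count_rules IFACE NETWORK [swat] -> how many rules samba_rules would add
count_rules() { samba_rules "$@" | wc -l | tr -d ' '; }

# Stand-alone run: print the rules for the placeholder LAN (override via env).
samba_rules "${IFACE:-eth0}" "${INTERNAL_NETWORK:-192.168.1.0/24}" "${SWAT:-}"
```

Check the printed commands against your existing chains (and the FORWARD chain if forwarding is on) before piping them to sh as root.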

----- Original Message -----
From: "whsmith" <pkershaw at whsmithnet.co.uk>
To: <scarborough at mailman.lug.org.uk>
Sent: Thursday, June 12, 2003 8:16 PM
Subject: Re: [SLUG] Linux Magazine

<SNIP>

> Are there any particular rules for using samba with
> iptables.
>
> Thanks again Gav.
>
> Phil Kershaw
