[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Iptables



Le vendredi 27 juin 2014 à 14:13:48 +0200, Diogene Laerce a écrit:
> Hi,
Hello.
> 
> I try to authorize the 192.168.0.2 host to connect to samba  but the
> server host 192.168.0.1 won't let me with the following statement :
> 
> ************************************************************************
> 
> iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1
> --dport 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1
> --dport 138 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s
> 192.168.0.2/32 -d 192.168.0.1 --dport 139 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s
> 192.168.0.2/32 -d 192.168.0.1 --dport 445 -j ACCEPT
> 
> ************************************************************************
> 
> So I enabled the CIFS profile in UFW, which is more permissive and does
> work (yes the whole SAMBA configuration is.. :) ). But I'd like to make
> those iptables rules work as they are more efficient.
> 
> Any clue ?
I don't know Samba ports very well, but I would try to use the RELATED
state ; if, as I guess, connections on ports 139 and 445 are made after
others on ports 137 and 138, the RELATED state must be used instead of
the NEW state. In fact, using --state NEW-ESTABLISHED is useless,
because these cumulated states will match every connection on ports 139
and 445, as TCP packets are always in an ESTABLISHED connection, except
the first one which will be NEW.

That said, maybe this filter is too strict ; maybe you only need to get
these ports opened ; in addition, did you also opened ports for output
packets ? That can seem silly, but one can easily forget them without
noting.

Besides, /32 masks can be omitted in your rules ; without mask, /32
is assumed and I think this should make your commands more readable.

Regards.
-- 
David Guyot
Administrateur système, réseau et télécommunications / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
Tel: +33 (0)3 29 30 47 85
Fax : +33 (0)3 29 31 31 31

Attachment: signature.asc
Description: Digital signature


Reply to: