On Friday 27 June 2014 at 14:13:48 +0200, Diogene Laerce wrote:
> Hi,

Hello.

> I try to authorize the 192.168.0.2 host to connect to samba but the
> server host 192.168.0.1 won't let me with the following statement :
>
> ************************************************************************
>
> iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1 --dport 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1 --dport 138 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s 192.168.0.2/32 -d 192.168.0.1 --dport 139 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s 192.168.0.2/32 -d 192.168.0.1 --dport 445 -j ACCEPT
>
> ************************************************************************
>
> So I enabled the CIFS profile in UFW, which is more permissive and does
> work (yes the whole SAMBA configuration is.. :) ). But I'd like to make
> those iptables rules work as they are more efficient.
>
> Any clue ?

I don't know Samba ports very well, but I would try to use the RELATED state; if, as I guess, connections on ports 139 and 445 are made after others on ports 137 and 138, the RELATED state must be used instead of the NEW state. In fact, using --state NEW,ESTABLISHED is useless, because these cumulated states will match every connection on ports 139 and 445, as TCP packets are always in an ESTABLISHED connection, except the first one, which will be NEW.

That said, maybe this filter is too strict; maybe you only need to get these ports opened. In addition, did you also open ports for output packets? That can seem silly, but one can easily forget them without noticing.

Besides, /32 masks can be omitted in your rules; without a mask, /32 is assumed, and I think this should make your commands more readable.

Regards.
--
David Guyot
System, network and telecommunications administrator / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
Tel: +33 (0)3 29 30 47 85
Fax: +33 (0)3 29 31 31 31
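The stateful layout discussed in the reply (per-port rules matching only the first packet, plus one rule each way for return traffic), written out as an added example; this is not code from the thread. It assumes an iptables with the `conntrack` match (the modern equivalent of `-m state`), the client and server addresses from the question, and that the rule set is applied to a chain whose default policy drops what is not accepted.

```shell
#!/bin/sh
# Emit a stateful iptables rule set that lets one client host reach Samba on
# one server. Commands are printed, not executed, so the output can be reviewed
# before piping it to sh. Addresses 192.168.0.2 / 192.168.0.1 below are the
# thread's values; the interface defaults to eth0 as in the question.
samba_rules() {
    client="$1"
    server="$2"
    iface="${3:-eth0}"
    # One rule per direction accepts every packet of an already-tracked
    # connection (and RELATED ones), so the per-port rules below only need to
    # match the first packet (NEW). This also covers the "output" side the
    # reply asks about, without opening any extra port.
    echo "iptables -A INPUT  -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # NetBIOS name and datagram services (UDP). No /32 mask: a bare address
    # means a single host.
    for port in 137 138; do
        echo "iptables -A INPUT -i $iface -p udp -s $client -d $server --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # NetBIOS session service and direct SMB (TCP).
    for port in 139 445; do
        echo "iptables -A INPUT -i $iface -p tcp -s $client -d $server --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Count how many of the emitted rules still accept NEW connections: these are
# the only lines that widen what the firewall lets in, so they are the ones
# worth reviewing before applying.
count_new_rules() {
    samba_rules "$@" | grep -c -- '--ctstate NEW '
}

# Usage (prints the rules; append "| sh" to apply them):
samba_rules 192.168.0.2 192.168.0.1 eth0
```

Only the four NEW rules grant access to the client; the two ESTABLISHED,RELATED rules never admit a connection that one of them did not already accept.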