Iptables and SMB/CIFS share don't work well together [need some help]

  • I set up my OMV 3 pretty straightforwardly and everything seemed to work fine from the beginning.


    Smb shares worked fine from the start, then I decided to use iptables rules from the browser interface to make my server more secure.


    I followed @tekkb instructions for firewall settings to permit samba shares and other services I need.


    To be more specific for samba I added:


    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 137 UDP
    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 138 UDP
    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 139 TCP
    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 445 TCP


    and added a couple of my own to allow outbound traffic originated locally from the server.


    The equivalent to those two rules:



    ```bash
    iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
    iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    ```

    Everything seemed to work just fine, except that now every time the server reboots samba gets disconnected from the network and I cannot access it through my Windows machine.
    Every other service is working just fine with the firewall rules, so it's just samba acting weird.


    As a workaround I have to disable the iptables rules and then everything shows up again, then enable them again and everything works fine until the next reboot, and so on (that's really strange).


    I thought those 4 rules were enough for samba to work... am I missing some other ones?
    Did anybody ever have the same problem? I would like to solve this problem rather than have iptables disabled.

  • Sure! My bad...


    here is the full ruleset




    Can't see why it shouldn't work ?(

    • Official post

    Lines 22 to 25 are restricted to the destination IP of the server, but the netbios daemon traffic is broadcast, so the destination is 192.168.1.255. Delete the destination restriction.
    Next time, to debug this, use the packet counters in the first column and add a log entry before rejecting all traffic. You can do it right now and you'll see this in dmesg; this is the broadcast packet being logged before getting rejected:


    [118790.732521] IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:1e:51:4f:f8:6c:fb:08:00 SRC=10.10.7.2 DST=10.10.7.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 ID=21193 PROTO=UDP SPT=138 DPT=138 LEN=220


    Meanwhile the counters on lines 22 to 25 remain at zero while I press refresh in the Windows network view.


    No expert on this, but I'm pretty sure you could just find this using Google. Better is to understand how netbios works, which honestly I have no idea about, but there must be some explanation on the samba wiki.
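As an added example (not from the thread or from OMV), a small Python script that parses an iptables LOG line like the one above and checks whether an INPUT rule restricted to the server's own IP would ever match the NetBIOS datagram; the server IP 10.10.7.10, the LAN 10.10.7.0/24 and the sample log line are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: a NetBIOS datagram (UDP 138) as logged by an iptables LOG
# rule, modelled on the dmesg line in the thread (kernel timestamp stripped).
SAMPLE_LOG = (
    "IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:1e:51:4f:f8:6c:fb:08:00 "
    "SRC=10.10.7.2 DST=10.10.7.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=21193 PROTO=UDP SPT=138 DPT=138 LEN=220"
)

_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn the KEY=VALUE fields of an iptables LOG line into a dict.
    The second LEN= is the UDP payload length; the first value wins."""
    fields = {}
    for key, value in _KV.findall(line):
        fields.setdefault(key, value)
    return fields


def rule_matches(fields, proto, dport, src_net, dst_host=None):
    """Emulate the match part of an INPUT rule such as
    'ACCEPT <proto> from <src_net> [to <dst_host>] dport <dport>'."""
    if fields.get("PROTO") != proto or int(fields.get("DPT", -1)) != dport:
        return False
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if src not in ipaddress.ip_network(src_net):
        return False
    if dst_host is not None and dst != ipaddress.ip_address(dst_host):
        return False
    return True


def explain(line, server_ip, lan):
    """Report whether the logged packet is the LAN broadcast and which variant
    of the rule (with or without '-d <server_ip>') would have accepted it."""
    fields = parse_log_line(line)
    dst = ipaddress.ip_address(fields["DST"])
    net = ipaddress.ip_network(lan)
    return {
        "is_broadcast": dst == net.broadcast_address,
        "restricted_rule_matches": rule_matches(fields, "UDP", 138, lan, server_ip),
        "unrestricted_rule_matches": rule_matches(fields, "UDP", 138, lan),
    }
```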

  • :S never thought that samba was broadcast, I thought the destination would be just the server IP. Thank you for the tip on how to debug it, I love Linux ^^ there is every time something new to learn :D


    I will try it and see what changes



    Thank you very much @subzero79

  • That's really interesting. I'm wondering though, why didn't the samba share disconnect as soon as the rules were built instead of waiting for a reboot? I mean if I was blocking it with the destination IP, why did it keep working anyway until the next reboot?! Just out of curiosity.



    In the meantime, you were right: everything worked well after removing the destination IP, and now I'm playing around with iptables LOG rules to see the messages, which is fun to do :) despite the fact that sometimes iptables gives me headaches. By the way, thank you for the heads-up man :)
