Netfilter problem with higher SAMBA UDP ports
Yan Seiner
yan@cardinalengineering.com
Tue, 26 Mar 2002 05:43:10 -0500
Aelius Maximus wrote:
>
> Please help me !
>
> Samba/netbios do not work until I statically open UDP
> ports above 1024 for new connections!!!
>
> As far as I know SAMBA uses TCP/UDP 137:139 for
> initiating a new connection
>
> Correct me if I'm wrong, SAMBA/netbios never sends
> the first packet to a destination port higher than 1024.
> (in the default install)
>
> There are packets sent to a port higher than 1024
> but they should be only a reply to a request
> If I'm right first rule should let them get in.
>
> Default policy is DROP
>
> 1 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 2 iptables -A INPUT -p tcp --dport 137:139 -m state --state NEW -j ACCEPT
> 3 iptables -A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
>
> 4 iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> Is that correct? Is that enough?
> For me it works only if I statically open some UDP ports (for new
> connections) above 1024 like this:
>
> 5 iptables -A INPUT -p udp --dport 1024:10000 -m state --state NEW -j ACCEPT
Actually, you must also open the reverse connections with --sport
137:139. The reason is that windows clients apparently randomly connect
with either sport or dport in that range, sometimes sport == dport,
sometimes it's a high port, and it does not seem to be consistent. I
have win98 and winME on my network; some machines connect one way,
others connect some other way.
Once you open your firewall to connections with --sport=137:139, you can
eliminate rule 5.
--Yan
--
Future fighter pilots:
Me: Akari, WHAT are you DOING?
Akari, age 3: Pushing the envelope.
spam killer code kpwq1jkcsEzdx39gnkVvgycd15ayqq
(see http://www.paganini.net/ask)
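The rule sets from the exchange above, as an added example that is not code from either poster: a small Python model of the INPUT chain that shows which NetBIOS datagrams rules 1-3 drop, and how the --sport 137:139 rule Yan suggests accepts them while exposing far less than rule 5's 1024:10000 range. The packet tuples and the chain model are constructed for illustration only, not a real netfilter or conntrack implementation.

```python
# Toy model of the netfilter INPUT chain from the thread. Rules are checked in
# order, first match wins, and the chain's default policy is DROP. This is a
# constructed illustration, not a real conntrack/netfilter implementation.

ANY = (0, 65535)
NETBIOS = (137, 139)   # name service, datagram service, session service

def rule(target, proto=None, sport=ANY, dport=ANY, states=None):
    """One iptables rule: -p proto --sport/--dport range -m state --state ... -j target."""
    return {"target": target, "proto": proto, "sport": sport, "dport": dport, "states": states}

def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if not (r["sport"][0] <= pkt["sport"] <= r["sport"][1]):
        return False
    if not (r["dport"][0] <= pkt["dport"] <= r["dport"][1]):
        return False
    return r["states"] is None or pkt["state"] in r["states"]

def verdict(chain, pkt):
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return "DROP"   # chain policy

def packet(sport, dport, state="NEW", proto="udp"):
    """Constructed packet as conntrack would classify it on arrival."""
    return {"proto": proto, "sport": sport, "dport": dport, "state": state}

# Rules 1-3 as posted: stateful accept plus NEW connections to 137:139.
ORIGINAL = [
    rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", proto="tcp", dport=NETBIOS, states={"NEW"}),
    rule("ACCEPT", proto="udp", dport=NETBIOS, states={"NEW"}),
]
# Rule 5, the workaround the poster needed: every NEW UDP flow to 1024:10000.
WITH_RULE5 = ORIGINAL + [rule("ACCEPT", proto="udp", dport=(1024, 10000), states={"NEW"})]
# Yan's alternative: accept NEW UDP only when the *source* port is 137:139.
WITH_SPORT = ORIGINAL + [rule("ACCEPT", proto="udp", sport=NETBIOS, states={"NEW"})]

def compare(pkt):
    """Verdict of each chain for one packet: (original, with rule 5, with sport rule)."""
    return tuple(verdict(c, pkt) for c in (ORIGINAL, WITH_RULE5, WITH_SPORT))
```

A NEW datagram from source port 137 to a high port is dropped by rules 1-3 and accepted by both alternatives, but an unrelated NEW UDP flow to port 5000 is accepted only by rule 5, which is why the --sport rule is the narrower fix.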