4

When I try to connect to my CentOS 6.2 x86_64 server's samba shares using address \\REPO (NETBIOS name of REPO), it times out and shows an error; if I do so directly via IP, it works fine. Furthermore, my server does not work correctly as a WINS server despite my samba settings being correct for it (see below for details).

If I stop the iptables service, things work properly.

I'm using this page as a reference for which ports to use: http://www.samba.org/samba/docs/server_security.html

Specifically:

UDP/137    - used by nmbd
UDP/138    - used by nmbd
TCP/139    - used by smbd
TCP/445    - used by smbd


I really really really want to keep the secure iptables design I have below but just fix this particular problem.

SMB.CONF

[global]
netbios name = REPO
workgroup = AWESOME

security = user
encrypt passwords = yes

# Use the native linux password database
#passdb backend = tdbsam

# Be a WINS server
wins support = yes

# Make this server a master browser
local master = yes
preferred master = yes
os level = 65

# Disable print support
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Restrict who can access the shares
hosts allow = 127.0.0. 10.1.1.

[public]
path = /mnt/repo/public
create mode = 0640
directory mode = 0750
writable = yes
valid users = mangs repoman


IPTABLES CONFIGURE SCRIPT

# Remove all existing rules
iptables -F


# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


# Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22222 -m state --state ESTABLISHED -j ACCEPT


# Allow incoming HTTP
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT


# Allow incoming Samba (the four ports from the Samba server-security page above)
# UDP/137 (NetBIOS name service) and UDP/138 (NetBIOS datagrams) are served by nmbd;
# TCP/139 (SMB over NetBIOS sessions) and TCP/445 (SMB direct) are served by smbd.
# Each INPUT rule admits new and established traffic to the port; the matching
# OUTPUT rule lets only conntrack-ESTABLISHED replies leave from that source port.
iptables -A INPUT -i eth0 -p udp --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 137 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 138 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 445 -m state --state ESTABLISHED -j ACCEPT


# Make these rules permanent (on CentOS 6 this writes them to /etc/sysconfig/iptables)
service iptables save
service iptables restart
Eric

2 Answers

4

Your symptoms are consistent with NMB not being reachable. Your IPTables config looks good to me. It could be as simple as the nmbd service is not started. I've had that very problem when trying to figure out why a brand new Samba service isn't reachable by name.

sysadmin1138
  • I've restarted both the smb and nmb services a million times. The server runs CentOS 6.2 x86_64 if that helps. Here's the service output: eric # service --status-all | grep 'smb|nmb' 51:nmbd (pid 9736) is running... 59:smbd (pid 9752) is running... – Eric Jun 22 '12 at 02:16
1

Turns out I chose to ditch NETBIOS name resolution and use DNS instead (which works better). Thus I only need port 445 to function, which results in a smaller firewall config.

Eric