
[Samba] Samba4 on CentOS 6.3 - IPTABLES how-to???


Andreas Krupp

Nov 26, 2012, 8:50:02 AM
Hello,

I do apologize if this is something that was already discussed somewhere else... but for now I was not able to find the appropriate How-To.
Would anybody know what the IPTABLES entries are to have working Samba4 Domain Controller?
I tried the following:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

With the above I was not able to connect via remote Administration tools to the Active Directory Service.
Does anybody have a comprehensive list of ports/protocols one has to "open" in IPTABLES to get DNS, Samba, Fileshares, Active Directory, etc. working?

Cheers & thank you very much for your help!
Best,
Andreas

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Sven Tegethoff

Nov 26, 2012, 9:40:02 AM
On 26.11.2012 14:39, Andreas Krupp wrote:

> With the above I was not able to connect via remote Administration
> tools to the Active Directory Service. Does anybody have a
> comprehensive list of ports/protocols one has to "open" in IPTABLES to
> get DNS, Samba, Fileshares, Active Directory, etc. working? Cheers &
> thank you very much for your help! Best, Andreas

Here is the official list:

http://support.microsoft.com/kb/832017

Executive summary: It's hopeless. With so many RPC-based services that
use dynamically assigned port numbers, you can't effectively put a
packet filter between domain controller and the client.


--

Kind regards

Sven Tegethoff
IT Team

_________________________________________________________
UDO BÄR GmbH & Co. KG
Fürstenstraße 18
47051 Duisburg
Tel.: +49 (0) 203 28117-142
Fax: +49 (0) 203 28117-151
E-Mail: tege...@udobaer.de

VAT ID: DE119562189, HRA 6056, Registered office: Duisburg,
Place of jurisdiction: Duisburg. Managing directors: Bodo Badnowitz, Jürgen Dietz

A company of the BTI Group: www.bti-group.com


Stephen Jones

Nov 26, 2012, 12:50:02 PM
Hi,

Here is an extract from my post on installing Samba4 on CentOS6. I have
iptables working - I used netstat and Wireshark to monitor the packets.
-----
The ports needed are:
53, TCP & UDP (DNS)
88, TCP & UDP (Kerberos authentication)
135, TCP (MS RPC)
137, UDP (NetBIOS name service)
138, UDP (NetBIOS datagram service)
139, TCP (NetBIOS session service)
389, TCP & UDP (LDAP)
445, TCP (MS-DS AD)
464, TCP & UDP (Kerberos change/set password)
1024, TCP (this is a strange one but AD is using it)

Add these to iptables:
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -p tcp --dport 135 -j ACCEPT
# iptables -A INPUT -p tcp --dport 88 -j ACCEPT
# iptables -A INPUT -p udp --dport 88 -j ACCEPT
# iptables -A INPUT -p tcp --dport 464 -j ACCEPT
# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p udp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
-----
Looking at your rules, they are close to this. I believe it's the
missing RPC (135) that's blocking RSAT.

Cheers,

Stephen Jones
Lloyd Systems Engineering

Stephen Jones

Dec 2, 2012, 9:00:02 PM
I should update this list with another port I discovered:
3268, TCP (MSFT-GC)
Used by the global catalog - an LDAP service to browse the AD forest.
Found this with Wireshark when trying to add a new user from ADUC.

Stephen Jones
Lloyd Systems Engineering
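The two posts above give the port list piecemeal (the initial table plus the 3268/tcp global-catalog addition), and Sven's reply raises the dynamic RPC port problem. The script below is an added example, not code from the thread or from the Samba project: it turns that combined port list into a generated iptables INPUT rule set. Beyond what the posts show, it restricts the rules to an assumed client subnet `LAN_NET` (placeholder 192.168.1.0/24) and assumes a default-DROP INPUT chain fronted by a conntrack rule, so reply traffic is admitted without opening every high port. The "1024" entry is the dynamic RPC port observed in the thread with the Samba of that time; current Samba binds RPC services within the `rpc server dynamic port range` smb.conf setting (49152-65535 by default), so on newer versions set `RPC_DYN` to that range (e.g. `49152:65535`) or narrow the range in smb.conf first.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables INPUT rules for a
# Samba AD DC from the port list posted by Stephen Jones (plus 3268/tcp).
# Assumptions: AD clients live in LAN_NET (placeholder subnet) and the INPUT
# chain defaults to DROP, so a conntrack rule admits established replies.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed client subnet (placeholder)
RPC_DYN="${RPC_DYN:-1024}"             # dynamic RPC port seen in the thread;
                                       # use e.g. 49152:65535 on newer Samba

# Port table constructed from the two posts: "port protocols description".
samba_dc_ports() {
    cat <<'EOF'
53 tcp,udp DNS
88 tcp,udp Kerberos
135 tcp MS-RPC-endpoint-mapper
137 udp NetBIOS-name-service
138 udp NetBIOS-datagram-service
139 tcp NetBIOS-session-service
389 tcp,udp LDAP
445 tcp SMB/MS-DS
464 tcp,udp Kerberos-kpasswd
3268 tcp Global-Catalog-LDAP
EOF
}

# Emit one iptables command per port/protocol pair, limited to LAN_NET and
# to NEW connections; the first rule lets conntrack pass replies so the
# chain can default to DROP. A "# description" line precedes each command.
samba_dc_rules() {
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    samba_dc_ports | while read -r port protos desc; do
        for proto in $(echo "$protos" | tr ',' ' '); do
            echo "# $desc"
            echo "iptables -A INPUT -s $LAN_NET -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    echo "# dynamic RPC endpoint(s); see Sven's caveat about RPC port allocation"
    echo "iptables -A INPUT -s $LAN_NET -p tcp --dport $RPC_DYN -m conntrack --ctstate NEW -j ACCEPT"
}

# Stand-alone run: print the rule set for review. To apply as root after
# reviewing: samba_dc_rules | sh
samba_dc_rules
```

On CentOS 6 the `-m state --state` syntax used in the posts is equivalent to `-m conntrack --ctstate`; either works with that kernel. The ordering matters: the ESTABLISHED,RELATED rule must come first so that the DC's own outbound replication and DNS forwarding replies are accepted, and the `-s $LAN_NET` restriction is what keeps the Kerberos, LDAP and SMB listeners from being reachable from arbitrary networks even though the ports are open.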

