FedoraForum.org > Fedora 17/18 > Security and Privacy
Old 7th April 2004, 05:03 PM
svarreby Offline
Registered User
 
Join Date: Feb 2004
Location: Sundsvall, Sweden
Posts: 64
Firewall blocking Samba - any tips for a solution?

I have struggled with Samba for the last 24 hours and soon I'm getting nasty.

It turns out that Fedora's built-in firewall is blocking all communication with the Samba server. This is not an option for me: choosing between security with no network integration on the one hand, and no security with integration on the other.

I have seen a tip at www.justlinux.com about the same topic and one guy suggested that one should include these lines in the firewall script:
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT

# Smb connections allowed from 192.168.1.100/24 (iptables treats this as the whole 192.168.1.0/24 network)
# Inbound requests are matched on the *destination* port (--dport): a client's source port
# is ephemeral, so the original --sport 137:139 / --sport 445 would not match session requests.
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.100/24 --dport 137:139 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 192.168.1.100/24 --dport 137:139 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.100/24 --dport 445 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 192.168.1.100/24 --dport 445 -j ACCEPT

My problem is:
how do I "paste" these lines into the existing firewall script?

if that won't work ...
where do I go from here?
  #2  
Old 7th April 2004, 07:34 PM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 35
Posts: 1,019
You just write a script called firewall.sh, starting with:

#!/bin/bash

The best guide in the world for Bash Scripting

Scroll down to Advanced Bash Scripting.

Put those commands into your script and execute it.
__________________
http://blog.suretecsystems.com
  #3  
Old 9th April 2004, 11:15 AM
LordMorgul Offline
Registered User
 
Join Date: Mar 2004
Location: Sourthern California, USA
Posts: 503
This is basically the framework I have set up; I omitted the individual chains used, of course. This takes care of prepping the new config to work at boot even if the system does not shut down cleanly.

Code:
#!/bin/bash
##config script for iptables
# updated xx month xxxx
 
# stop iptables service
/etc/init.d/iptables stop
 
# store backup of old iptables config being replaced now
# this is moving the file from /etc/sysconfig and the new file is built here
mv /etc/sysconfig/iptables /root/admin-scripts/iptables-replaced
 
# start iptables service
/etc/init.d/iptables start
 
# force clearing of all chains and counters
iptables -F
iptables -Z
 
#  --  policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# put your main iptables chains here (iptables -A ... rules)

#  --  Store setup for system boot
iptables-save > /root/admin-scripts/iptables-inserted
iptables-save > /etc/sysconfig/iptables
 
# output completion
echo 'Iptables configuration script complete'
__________________
- Andrew <lordmorgul@gmail.com>

No one now has, and no one will ever again get, the big picture. - Daniel Geer
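Putting svarreby's question (how to get those lines into a script) and LordMorgul's framework (persisting the result with iptables-save) together, as an added example that is not code from any poster in this thread: a firewall.sh that loads a Samba-friendly default-deny ruleset with iptables-restore and writes it to /etc/sysconfig/iptables, where the stock init script reloads it at boot. The LAN range 192.168.1.0/24, the interface eth0 and the file locations are assumptions.

```shell
#!/bin/bash
# firewall.sh: default-deny INPUT, allow SSH and Samba from the LAN, and persist the
# ruleset to /etc/sysconfig/iptables so the stock iptables init script reloads it at boot.
# Assumptions (not from the thread): the LAN is 192.168.1.0/24 behind eth0; override with
# LAN=... IFACE=... in the environment. Run as root:  ./firewall.sh apply
LAN=${LAN:-192.168.1.0/24}
IFACE=${IFACE:-eth0}

# Emit the ruleset in iptables-restore format. Samba needs destination ports
# 137-138/udp (NetBIOS name and datagram), 139/tcp (NetBIOS session) and 445/tcp (SMB).
# --dport is the point: a client picks an ephemeral source port, so a rule written
# with --sport 137:139 never sees an inbound session request.
samba_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
-A INPUT -i $IFACE -s $LAN -p udp --dport 137:138 -j ACCEPT
-A INPUT -i $IFACE -s $LAN -p tcp --dport 139 -j ACCEPT
-A INPUT -i $IFACE -s $LAN -p tcp --dport 445 -j ACCEPT
COMMIT
EOF
}

# Number of Samba ACCEPT rules in the ruleset (3); a cheap sanity check before applying.
samba_rule_count() {
    samba_ruleset | grep -cE -- '--dport (137:138|139|445) '
}

# Load the ruleset atomically and save it where the init script's start() reads it.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: iptables programs the kernel's netfilter modules" >&2
        return 1
    fi
    samba_ruleset | iptables-restore || return 1
    samba_ruleset > /etc/sysconfig/iptables && chmod 600 /etc/sysconfig/iptables
    iptables -L INPUT -n    # show what the kernel actually holds now
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```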
  #4  
Old 9th April 2004, 11:28 AM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 35
Posts: 1,019
Looks good.

Have you tried to copy the previous commands into this and run the script?
__________________
http://blog.suretecsystems.com
  #5  
Old 10th April 2004, 05:57 PM
svarreby Offline
Registered User
 
Join Date: Feb 2004
Location: Sundsvall, Sweden
Posts: 64
It's OK to laugh if you feel like it.

The script above, could I save it as "firewall.sh"
and just run it as a regular user, or is it root that runs it?
  #6  
Old 10th April 2004, 06:24 PM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 35
Posts: 1,019
As root, as it's kernel-level stuff.
__________________
http://blog.suretecsystems.com
  #7  
Old 10th April 2004, 07:11 PM
svarreby Offline
Registered User
 
Join Date: Feb 2004
Location: Sundsvall, Sweden
Posts: 64
Eehh..., kernel level?!?! You sure got me on that one.

What level is that?
  #8  
Old 10th April 2004, 07:34 PM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 35
Posts: 1,019
IPTables are kernel-level modules. The kernel TCP stack handles all the internet stuff, and the iptables stuff interacts with that. Type lsmod as root to see all the iptables modules that are loaded.
__________________
http://blog.suretecsystems.com
  #9  
Old 10th April 2004, 07:53 PM
svarreby Offline
Registered User
 
Join Date: Feb 2004
Location: Sundsvall, Sweden
Posts: 64
When I ran lsmod, this was the result:

Code:
Module Size Used by
snd_mixer_oss 13952 2
snd_emu10k1 88068 3
snd_rawmidi 21408 1 snd_emu10k1
snd_pcm 82568 1 snd_emu10k1
snd_timer 25092 1 snd_pcm
snd_seq_device 6280 2 snd_emu10k1,snd_rawmidi
snd_ac97_codec 54404 1 snd_emu10k1
snd_page_alloc 8068 2 snd_emu10k1,snd_pcm
snd_util_mem 3328 1 snd_emu10k1
snd_hwdep 6532 1 snd_emu10k1
snd 43748 11 snd_mixer_oss,snd_emu10k1,snd_rawmidi,snd_pcm,snd_timer,snd_seq_device,snd_ac97_codec,snd_util_mem,snd_hwdep
soundcore 7520 3 snd
parport_pc 20800 1
lp 9068 0
parport 35784 2 parport_pc,lp
autofs4 16896 0
sunrpc 129480 1
3c59x 32936 0
ipt_state 1536 1
ip_conntrack 24368 1 ipt_state
iptable_filter 2176 1
ip_tables 13568 2 ipt_state,iptable_filter
floppy 53808 0
uhci_hcd 35228 0
ehci_hcd 26120 0
microcode 5408 0
button 4632 0
battery 7052 0
asus_acpi 8600 0
ac 3596 0
ipv6 208928 6
ext3 93480 1
jbd 66328 1 ext3
ata_piix 5892 0
libata 31232 1 ata_piix,[permanent]
sd_mod 16896 0
scsi_mod 103504 2 libata,sd_mod
  #10  
Old 10th April 2004, 10:37 PM
ghenry Offline
Retired Community Manager
 
Join Date: Mar 2004
Location: Scotland
Age: 35
Posts: 1,019
These are them:

Code:
ipt_state 1536 1
ip_conntrack 24368 1 ipt_state
iptable_filter 2176 1
ip_tables 13568 2 ipt_state,iptable_filter
__________________
http://blog.suretecsystems.com
  #11  
Old 11th April 2004, 12:02 PM
svarreby Offline
Registered User
 
Join Date: Feb 2004
Location: Sundsvall, Sweden
Posts: 64
This is how my /etc/init.d/iptables looks after I've executed the firewall.sh script:

Code:
#!/bin/sh
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config

# Source function library.
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
    exit 0
fi

if lsmod 2>/dev/null | grep -q ipchains ; then
    echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
    exit 0
fi

# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
    && NEW_MODUTILS=1 \
    || NEW_MODUTILS=0

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="no"

# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
    local mod=$1
    local ret=0
    local ref=

    # Get referring modules.
    # New modutils have another output format.
    [ $NEW_MODUTILS = 1 ] \
        && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
        || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`

    # recursive call for all referring modules
    for i in $ref; do
        rmmod_r $i
        let ret+=$?;
    done

    # Unload module.
    # The extra test is for 2.6: The module might have autocleaned,
    # after all referring modules are unloaded.
    if grep -q "^${mod}" /proc/modules ; then
        modprobe -r $mod > /dev/null 2>&1
        let ret+=$?;
    fi

    return $ret
}

flush_n_delete() {
    # Flush firewall rules and delete chains.
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1

    # Check if firewall is configured (has tables)
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Flushing firewall rules: "
    ret=0
    # For all tables
    for i in $tables; do
        # Flush firewall rules.
        $IPTABLES -t $i -F;
        let ret+=$?;

        # Delete firewall chains.
        $IPTABLES -t $i -X;
        let ret+=$?;

        # Set counter to zero.
        $IPTABLES -t $i -Z;
        let ret+=$?;
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

set_policy() {
    # Set policy for configured tables.
    policy=$1

    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables)
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Setting chains to policy $policy: "
    ret=0
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            filter)
                $IPTABLES -t filter -P INPUT $policy \
                    && $IPTABLES -t filter -P OUTPUT $policy \
                    && $IPTABLES -t filter -P FORWARD $policy \
                    || let ret+=1
                ;;
            nat)
                $IPTABLES -t nat -P PREROUTING $policy \
                    && $IPTABLES -t nat -P POSTROUTING $policy \
                    && $IPTABLES -t nat -P OUTPUT $policy \
                    || let ret+=1
                ;;
            mangle)
                $IPTABLES -t mangle -P PREROUTING $policy \
                    && $IPTABLES -t mangle -P POSTROUTING $policy \
                    && $IPTABLES -t mangle -P INPUT $policy \
                    && $IPTABLES -t mangle -P OUTPUT $policy \
                    && $IPTABLES -t mangle -P FORWARD $policy \
                    || let ret+=1
                ;;
            *)
                let ret+=1
                ;;
        esac
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

start() {
    # Do not start if there is no config file.
    [ -f "$IPTABLES_DATA" ] || return 1

    echo -n $"Applying $IPTABLES firewall rules: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    $IPTABLES-restore $OPT $IPTABLES_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo; return 1
    fi

    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"Loading additional $IPTABLES modules: "
        ret=0
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    touch $VAR_SUBSYS_IPTABLES
    return $ret
}

stop() {
    # Do not stop if iptables module is not loaded.
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1

    flush_n_delete
    set_policy ACCEPT

    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"Unloading $IPTABLES modules: "
        ret=0
        rmmod_r ${IPV}_tables
        let ret+=$?;
        rmmod_r ${IPV}_conntrack
        let ret+=$?;
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    rm -f $VAR_SUBSYS_IPTABLES
    return $ret
}

save() {
    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables)
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Saving firewall rules to $IPTABLES_DATA: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    ret=0
    TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
        && chmod 600 "$TMP_FILE" \
        && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
        && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
        || ret=1
    if [ $ret -eq 0 ]; then
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
                && chmod 600 $IPTABLES_DATA.save \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            cp -f $TMP_FILE $IPTABLES_DATA \
                && chmod 600 $IPTABLES_DATA \
                || ret=1
        fi
    fi
    [ $ret -eq 0 ] && success || failure
    echo
    rm -f $TMP_FILE
    return $ret
}

status() {
    # Do not print status if lockfile is missing and iptables modules are not
    # loaded.
    # Check if iptable module is loaded
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
        echo $"Firewall is stopped."
        return 1
    fi

    # Check if firewall is configured (has tables)
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"Firewall is not configured. "
        return 1
    fi
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    if [ -z "$tables" ]; then
        echo $"Firewall is not configured. "
        return 1
    fi

    NUM=
    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"

    for table in $tables; do
        echo $"Table: $table"
        $IPTABLES -t $table --list $NUM && echo
    done

    return 0
}

restart() {
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

case "$1" in
    start)
        stop
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart)
        restart
        RETVAL=$?
        ;;
    condrestart)
        [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        flush_n_delete
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save} "
        exit 1
        ;;
esac

exit $RETVAL


There are still problems accessing my shares. If iptables runs, there's no way to get through.
  #12  
Old 12th April 2004, 06:40 PM
LordMorgul Offline
Registered User
 
Join Date: Mar 2004
Location: Sourthern California, USA
Posts: 503
The init.d script should not be changed

This script, which you posted, should not be changed to configure the firewall; it will stay just as it was installed.

The changes you make will show up in /etc/sysconfig/iptables

The output of the current iptables filters you are running would be more helpful for us to determine why your samba traffic is stopped. You can get this output by listing the iptables rules:
Code:
iptables -L -n
__________________
- Andrew <lordmorgul@gmail.com>

No one now has, and no one will ever again get, the big picture. - Daniel Geer
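As an added example (not LordMorgul's own code) of what to look for in that listing: a script that reads `iptables -L -n` output and reports which Samba ports the INPUT chain does not accept, run here against a constructed listing of the --sport rules from the first post. The port list and the sample listing are assumptions.

```shell
#!/bin/bash
# check_samba_rules.sh: read an `iptables -L -n` listing and report which Samba ports the
# INPUT chain does not ACCEPT. Added example, not from the thread. On a live host:
#   iptables -L INPUT -n | ./check_samba_rules.sh

# What Samba listens on: NetBIOS name/datagram over udp, NetBIOS session and SMB over tcp.
SAMBA_PORTS="udp:137 udp:138 tcp:139 tcp:445"

# Constructed sample: the --sport rules from the first post, as iptables -L -n prints them.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp spts:137:139
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp spts:137:139
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp spt:445'

# port_accepted PROTO PORT: succeed if the listing on stdin has an ACCEPT line for that
# protocol whose destination port matches, as dpt:PORT or inside a dpts:LOW:HIGH range.
# Source-port matches (spt:/spts:) deliberately do not count.
port_accepted() {
    awk -v proto="$1" -v port="$2" '
        $1 == "ACCEPT" && $2 == proto {
            for (i = 3; i <= NF; i++) {
                if ($i == ("dpt:" port)) found = 1
                else if (substr($i, 1, 5) == "dpts:") {
                    split(substr($i, 6), r, ":")
                    if (r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# missing_samba_ports: print each proto:port from SAMBA_PORTS that the listing on stdin
# does not accept, one per line; no output means the firewall is not what blocks Samba.
missing_samba_ports() {
    local listing pp
    listing=$(cat)
    for pp in $SAMBA_PORTS; do
        printf '%s\n' "$listing" | port_accepted "${pp%%:*}" "${pp##*:}" || echo "$pp"
    done
}

# Stand-alone run on the constructed sample (all four ports are reported as missing).
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | missing_samba_ports
fi
```

With a live listing piped in instead of the sample, an empty result means the INPUT chain is not what stops the shares and the cause is elsewhere (Samba config, SELinux).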