[tclug-list] Ubuntu Firewall

Thu Feb 4 23:23:23 CST 2010

On Thu, Feb 04, 2010 at 07:17:20PM -0600, Larry McMains wrote:
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

> <html>
> <head>
>   <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
>   <title></title>
> </head>
> <body bgcolor="#ffffff" text="#000000">
> <small>With the rules:<br>
> <tt>Allow connections from host<br>
> 192.168.1.101</tt><br>
> and<br>
> <tt>Allow Service&nbsp; Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; For<br>
> Samba(SMB) &nbsp;&nbsp;&nbsp; 137-139 445&nbsp;&nbsp; 192.168.1.101</tt><br>
> </small><br>
> <small>On the system attempting access, Network Tools, Devices,
> Ethernet Interface (eth0), shows it's ipV4 address as 192.168.1.101.<br>
> Places &gt; Network&nbsp; usually shows the target system, but double
> clicking its icon results in the message "Failed to windows share".<br>

Oh, my eyes!

What I find puzzling is this:

> -A INBOUND -s 192.168.1.101/32 -j ACCEPT 
> -A INBOUND -s 192.168.1.101/32 -p tcp -m tcp --dport 137:139 -j ACCEPT 
> -A INBOUND -s 192.168.1.101/32 -p udp -m udp --dport 137:139 -j ACCEPT 
> -A INBOUND -s 192.168.1.101/32 -p tcp -m tcp --dport 445 -j ACCEPT 
> -A INBOUND -s 192.168.1.101/32 -p udp -m udp --dport 445 -j ACCEPT

It seems to match that you have both 'allow connections from 192.168.1.101'
and 'allow certain ports from 192.168.1.101' enabled in your firewall tool.

The first rule says that traffic from 192.168.1.101 should be accepted, so
the next four rules seem superfluous.  But I'm a bit rusty here, I gave up on
raw iptables a few years ago and I'm using Shorewall now.

My Shorewall setup says that for Samba you need the following ports:

   inbound udp     135,445
   inbound udp     137:139
   inbound udp     1024:   source = 137
   inbound tcp     135,139,445

If you check your logs, you should find the dropped packets.

florin

-- 
Bruce Schneier expects the Spanish Inquisition.
      http://geekz.co.uk/schneierfacts/fact/163
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.mn-linux.org/pipermail/tclug-list/attachments/20100204/fa80ddc0/attachment.pgp 