# iptables and samba

## Alex26

I have 2 computers: 1 - PC, 2 - notebook.

The notebook (Windows Vista) is connected to the PC (Gentoo 2008 ~amd64) via WiFi. The PC has an Ethernet card and a WiFi USB adapter and is connected to the Internet via Ethernet.

I set up the network as described in http://www.gentoo.org/doc/en/home-router-howto.xml

The Internet works on the PC and the notebook.

Samba doesn't work.

rc-status:

```
...
samba [crashed]
...
```

I think this is the result of an incomplete iptables setup.

nmap localhost shows only 3 ports open: 111/tcp, 631/tcp, 901/tcp.

Please help me set up iptables for Samba.

----------

## erik258

Are you sure iptables has anything to do with this problem?  There's no rule in the Gentoo home router guide that denies Samba, so if you followed that guide, you shouldn't have any problems.  I am more concerned about your Samba configuration files - a typo there could stop Samba from starting, whereas a misconfigured iptables would merely prevent anyone from connecting to it.  

In any case, the community is likely to need a little more information.  For starters, `iptables -L -v` will list all iptables rules and matched packet counts - both very useful information.   That will give us the data we need to definitively say whether iptables is involved in the problem (it probably isn't).  

As for samba, I highly suggest using SWAT to configure it.  I am not usually a big fan of front-ends to what could be a simple flat configuration file to edit, but for Samba and CUPS I recommend their usage.  SWAT is a little tricky to set up in gentoo but let us know if you have problems, we'll figure it out together.  I got it workin' on my box.

----------

## Alex26

`iptables -L -v`

```
Chain INPUT (policy ACCEPT 5468K packets, 7584M bytes)
 pkts bytes target     prot opt in     out     source               destination
58828  630M ACCEPT     all  --  lo     any     anywhere             anywhere
  794  102K ACCEPT     all  --  wlan0  any     anywhere             anywhere
    0     0 REJECT     udp  --  !wlan0 any     anywhere             anywhere        udp dpt:bootps reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  !wlan0 any     anywhere             anywhere        udp dpt:domain reject-with icmp-port-unreachable
    0     0 ACCEPT     udp  --  wlan0  any     anywhere             anywhere        udp dpts:netbios-ns:netbios-dgm
    0     0 ACCEPT     udp  --  wlan0  any     anywhere             anywhere        udp spts:netbios-ns:netbios-dgm
    0     0 ACCEPT     tcp  --  wlan0  any     anywhere             anywhere        tcp dpt:netbios-ssn
    0     0 ACCEPT     tcp  --  wlan0  any     anywhere             anywhere        tcp dpt:microsoft-ds
    0     0 DROP       tcp  --  !wlan0 any     anywhere             anywhere        tcp dpts:0:1023
 4539  523K DROP       udp  --  !wlan0 any     anywhere             anywhere        udp dpts:0:1023

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  wlan0  any     anywhere             192.168.0.0/16
18177  971K ACCEPT     all  --  wlan0  any     192.168.0.0/16       anywhere
33344   49M ACCEPT     all  --  eth0   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 4841K packets, 1123M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

For Samba I use SWAT.

On the page http://localhost:901/status I see:

```
Server Status
Refresh Interval:
version:	3.0.32
smbd:	not running
nmbd:	running
```

When I try to run smbd by hand it does not run.

----------

## nurachi

Before setting up iptables, you'd better have samba up and running. Flush your iptables rules, try to launch samba and post an abstract of your samba logs (smbd and nmbd) with a decent log level if it fails again.

You need ports 137 to 139 and 445 to let samba go through.

If you need more help, please provide your iptables script.

----------

## Alex26

I ran these commands:

```
First we flush our current rules
# iptables -F
# iptables -t nat -F

Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP

Copy and paste these examples ...
# export LAN=wlan0
# export WAN=eth0

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is so when we boot we don't have to run the rules by hand
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf

Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
```

What must I add to open ports for Samba?

----------

## tgR10

If Samba doesn't work, opening ports won't help anything here ...

And # means that it's commented out; that command won't work ... because for the system it doesn't exist as a command, it exists as a comment.

----------

## erik258

 *Quote:*   

> And # means that it's commented out; that command won't work ... because for the system it doesn't exist as a command, it exists as a comment.

Often the # will denote a command to be run with root access (the # sign is the prompt in bash for root).

 *Quote:*   

> What must I add to open ports for Samba?

The following rule allows all traffic coming from ${LAN}.  That includes the Samba ports, so as long as you're trying to access Samba on ${LAN} and not through ${WAN}, the firewall's not going to prevent it.  

 *Quote:*   

> # iptables -I INPUT 1 -i ${LAN} -j ACCEPT 

Your problem is almost certainly your configuration.  But we really need more information about why SMBd and NMBd are failing.  Like nurachi said, we need those verbose logs posted to help you troubleshoot further.

----------
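The point made above about the `-i ${LAN} -j ACCEPT` rule, and nurachi's list of Samba ports, can be checked against the posted listing rather than by eye. This is an added example, not code from the thread or from Gentoo: it walks the `iptables -L -v` INPUT chain first-match, the way the kernel does, and reports the verdict for the four Samba ports arriving on the LAN and WAN interfaces. It assumes the service names in the listing resolve as in the `SERVICES` table (iptables prints names when run without `-n`).

```python
# Added example, not from the thread: walk an `iptables -L -v` INPUT listing
# first-match, the way the kernel does, and report what reaches the Samba ports
# from the LAN and WAN interfaces.  SAMPLE is the INPUT chain posted above.
SERVICES = {"bootps": 67, "domain": 53, "ssh": 22, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445}
SAMPLE = """\
Chain INPUT (policy ACCEPT 5468K packets, 7584M bytes)
 pkts bytes target     prot opt in     out     source               destination
58828  630M ACCEPT     all  --  lo     any     anywhere             anywhere
  794  102K ACCEPT     all  --  wlan0  any     anywhere             anywhere
    0     0 REJECT     udp  --  !wlan0 any     anywhere             anywhere        udp dpt:bootps reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  !wlan0 any     anywhere             anywhere        udp dpt:domain reject-with icmp-port-unreachable
    0     0 ACCEPT     udp  --  wlan0  any     anywhere             anywhere        udp dpts:netbios-ns:netbios-dgm
    0     0 ACCEPT     udp  --  wlan0  any     anywhere             anywhere        udp spts:netbios-ns:netbios-dgm
    0     0 ACCEPT     tcp  --  wlan0  any     anywhere             anywhere        tcp dpt:netbios-ssn
    0     0 ACCEPT     tcp  --  wlan0  any     anywhere             anywhere        tcp dpt:microsoft-ds
    0     0 DROP       tcp  --  !wlan0 any     anywhere             anywhere        tcp dpts:0:1023
 4539  523K DROP       udp  --  !wlan0 any     anywhere             anywhere        udp dpts:0:1023
"""
SAMBA = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]  # ports nurachi lists

def port_range(spec):
    """'bootps' -> (67, 67); '0:1023' -> (0, 1023); None -> None (rule has no port match)."""
    ends = [int(p) if p.isdigit() else SERVICES[p] for p in (spec or "").split(":") if p]
    return (ends[0], ends[-1]) if ends else None

def parse_input_chain(listing):
    """Return (policy, rules) for the INPUT chain; each rule keeps only the fields used."""
    policy, rules = "ACCEPT", []
    for f in (line.split() for line in listing.splitlines()):
        if f and f[0] == "Chain":
            policy = f[3]                       # "(policy ACCEPT ..." -> ACCEPT
        elif f and f[0] != "pkts":              # skip the column header line
            opts = dict(t.split(":", 1) for t in f[9:] if t.startswith(("dpt", "spt")))
            rules.append({"target": f[2], "proto": f[3], "iface": f[5],
                          "dport": port_range(opts.get("dpt") or opts.get("dpts")),
                          "sport": port_range(opts.get("spt") or opts.get("spts"))})
    return policy, rules

def verdict(policy, rules, iface, proto, dport, sport=None):
    """First matching rule wins; an unmatched packet falls through to the chain policy."""
    def in_range(rng, port):
        return rng is None or (port is not None and rng[0] <= port <= rng[1])
    for r in rules:
        want = r["iface"]                       # 'any', 'wlan0', or negated '!wlan0'
        iface_ok = want == "any" or (iface == want.lstrip("!")) != want.startswith("!")
        if r["proto"] in ("all", proto) and iface_ok and in_range(r["dport"], dport) and in_range(r["sport"], sport):
            return r["target"]
    return policy

def samba_exposure(listing, lan="wlan0", wan="eth0"):
    policy, rules = parse_input_chain(listing)
    return {(i, p, d): verdict(policy, rules, i, p, d) for i in (lan, wan) for p, d in SAMBA}
```

On the posted chain every Samba port from wlan0 hits the second rule and is accepted, while from eth0 they all fall to the two privileged-port DROP rules; note the policy is ACCEPT, so anything above port 1023 from the WAN is let in by default.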

## Alex26

How do I see the logs of SMBd and NMBd?

----------

## tgR10

 *erik258 wrote:*   

> Often the # will denote a command to be run with root access (the # sign is the prompt in bash for root).

True, but you can change the prompt easily; I just thought he copy-pasted some of the lines with #.

 *erik258 wrote:*   

> Your problem is almost certainly your configuration.  But we really need more information about why SMBd and NMBd are failing.  Like nurachi said, we need those verbose logs posted to help you troubleshoot further.

Exactly, and maybe smb.conf (/etc/samba/smb.conf)?

----------

## nurachi

 *Alex26 wrote:*   

> How do I see the logs of SMBd and NMBd?

They usually are in /var/log/samba. It depends on your smb.conf.

As others said, you should post it too.

1 - make Samba work (cut your connection if needed).

2 - set your firewall.

Otherwise, nothing will work for a long time.

Concerning your firewall, you just have to set a simple SNAT or MASQUERADE and no one will access your Samba.

----------

## Alex26

I looked at the log and found this error:

```
guest_user_info: Unable to locate guest account
```

After googling I added the group sambagroup and the user sambauser to this group, and wrote

guest account = smbuser

to the config.

After this the rc-status of samba is started!

----------

## nurachi

Alleluia! :Rolling Eyes:

----------

## erik258

congrats.

----------

