LRC
Title: Samba firewalled?  Posted: 09.09.2006, 19:51
Joined: 21 Apr 2006
Posts: 152
Location: Ice and Snow
I've installed firehol to help work my iptables. (A lot easier for a noobie than trying to fix them after you broke them trying to follow directions.) I have a few lines that say:
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "root root"
server cups accept
server samba accept
client all accept

Now they do the job that they are intended to do; the only prob I am having is with samba. I have 2 boxes, one M$ and one Linux. The M$ box has access to the Linux box, but the Linux box has no access to the M$. The prob is not with M$, for when I stop firehol samba works fine. Now I do need firehol, or try and configure iptables myself, because I am using dansguardian. Is there an iptables line that I could use to get samba working?
 
arlekin
Title: RE: Samba firewalled?  Posted: 09.09.2006, 20:16
Joined: 21 Jun 2006
Posts: 193
Location: Switzerland
Only guessing - but in my firewall, for SMB via TCP the destination port is (pre-) configured to 445 ...

HTH
Bernd

_________________
Arlekin's Dream Ltd. | http://www.arlekin.ch/
- Bernd Villiger et al. | http://www.penguin.ch/
 
LRC
Title: RE: Samba firewalled?  Posted: 09.09.2006, 20:34
Joined: 21 Apr 2006
Posts: 152
Location: Ice and Snow
In firehol, firehol sees the servers that you want controlled, in my case cups and samba, and accepts or denies (depending on your command) all ports that server calls for. Because the M$ box has access to the Linux box, I believe samba is fine. I think the problem is that since the iptables are calling for everything to be routed through 127.0.0.1 to be filtered by dansguardian, I need to have samba going through 127.0.0.1, rather than my IP address of 192.168.7.151, but I do not know how to do that.
 
kenyee
Title: RE: Samba firewalled?  Posted: 09.09.2006, 23:37
Joined: 21 Jan 2006
Posts: 185

Dan's Guardian is a web filtering tool. Why would you want SMB traffic filtered by it?
I'm not sure what that iptables command does. Looks like it only affects port 3128 though.
I also have firehol and samba and don't have problems, but I don't run Dan's Guardian...
 
LRC
Title: RE: Samba firewalled?  Posted: 10.09.2006, 03:01
Joined: 21 Apr 2006
Posts: 152
Location: Ice and Snow
I ran firehol without dansguardian fine too. But dansguardian is a web filter (which I really want) and the way it works is that everything going into and out of your box gets filtered, unless of course there is someone who knows how to set up samba to bypass it.
 
kenyee
Title: RE: Samba firewalled?  Posted: 10.09.2006, 03:32
Joined: 21 Jan 2006
Posts: 185

but that's the point...SMB traffic is windows file sharing...it's not web traffic. I don't know why you'd want this filtered through dansguardian at all....
 
LRC
Title: RE: Samba firewalled?  Posted: 10.09.2006, 20:08
Joined: 21 Apr 2006
Posts: 152
Location: Ice and Snow
May I say that I am a TOTAL noobie to iptables. I have no idea how to set them up, I have no idea how they work. All I did was cut and paste. What I am saying is that based on the fact that when the proxy system that is put in place to make dansguardian work samba does not work and when I don't have the proxy system running it does. Therefore the ONLY conclusion you can come to is that something about how the proxy system is running samba is getting intercepted on the output. Why I don't know. The whole reason for this post, in case it is not clear enough, is I want samba working, and I do not know how. I don't care whether or not it is filtered, I just want it to work. What little I do know is that it is how the iptables are set up is the prob.
 
stryder
Title:   Posted: 11.09.2006, 01:36
Joined: 26 Jun 2005
Posts: 389

LRC, did a little googling and found that the command you have:
Code:
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP

is for setting up DG on a SINGLE PC. It is a simple way of forcing all traffic to dansguardian using the IP for localhost, 127.0.0.1. In other words it assumes no network traffic. This is to ensure that clever people cannot configure their browsers to use other ports to bypass DG.

Personally I'd use Shorewall to configure iptables - it is very flexible and I'm sure it is able to allow all network traffic and yet open only 1 port for internet. But it also means that you need to spend time to read the documentation. And from what I can see, setting up DG is not so straightforward either.

Anyway, good luck.
 
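What the rule quoted above matches, as an added example that is not part of any post in the thread: a small evaluator for the subset of iptables syntax the rule uses, run over constructed packets. The account name alice and the address 192.168.7.10 for the Windows box are assumptions.

```python
import shlex
from collections import namedtuple

# The rule as quoted in the thread.
RULE = ("iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 "
        "-m owner ! --uid-owner dansguardian -j DROP")

# A locally generated packet as the OUTPUT chain sees it; owner is the sending account.
Packet = namedtuple("Packet", "dst proto dport owner")

def parse_rule(text):
    """Parse the subset of iptables syntax used in RULE into (matches, target)."""
    tokens = shlex.split(text)[1:]  # drop the leading "iptables"
    matches, target, negate = {}, None, False
    while tokens:
        opt = tokens.pop(0)
        if opt == "!":  # negates the next match option
            negate = True
            continue
        value = tokens.pop(0)
        if opt == "-j":
            target = value
        elif opt not in ("-t", "-I", "-m"):  # table/chain/module select no packets
            matches[opt] = (value, negate)
            negate = False
    return matches, target

def verdict(pkt, matches, target):
    """Return the target if every match holds, else None (rule not hit)."""
    fields = {"-d": pkt.dst, "-p": pkt.proto, "--dport": str(pkt.dport), "--uid-owner": pkt.owner}
    for opt, (value, negated) in matches.items():
        if (fields[opt] == value) == negated:
            return None
    return target

# Constructed sample traffic; 192.168.7.10 is an assumed address for the Windows box.
SAMPLES = {
    "browser straight to squid": Packet("127.0.0.1", "tcp", 3128, "alice"),
    "dansguardian to squid": Packet("127.0.0.1", "tcp", 3128, "dansguardian"),
    "SMB to Windows box": Packet("192.168.7.10", "tcp", 445, "alice"),
    "NetBIOS name query": Packet("192.168.7.255", "udp", 137, "alice"),
}

def evaluate_samples():
    matches, target = parse_rule(RULE)
    return {name: verdict(p, matches, target) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate_samples())
```

Only a direct connection to squid from an account other than dansguardian reaches DROP; the SMB and NetBIOS packets never match, so this rule on its own does not block them.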
LRC
Title:   Posted: 13.09.2006, 05:01
Joined: 21 Apr 2006
Posts: 152
Location: Ice and Snow
I found this:
One of the common causes of difficulty when installing Samba and SWAT is the existence of some type of firewall or port filtering software on the Samba server. Make sure that the appropriate ports outlined in this man page are available on the server and are not currently being blocked by some type of security software such as iptables or "port sentry". For more troubleshooting information, refer to the additional documentation included in the Samba distribution.
I now know that the prob I am having is "being blocked by some type of security software such as iptables or "port sentry"". The only thing is I didn't get samba through a box so I have no manual for troubleshooting. Would anyone know where I could get the info I need to unblock samba? I am beginning to see that where one of Linux's greatest strengths is its iptables, but at the same time its greatest weakness, because it is so hard to understand and therefore get good easily understood instructions as to how to manage them.
 
arlekin
Title:   Posted: 13.09.2006, 06:10
Joined: 21 Jun 2006
Posts: 193
Location: Switzerland
LRC,

as already mentioned by others, there are graphical interfaces to help you through the burden of setting up a firewall - I prefer and use Guarddog.

_________________
Arlekin's Dream Ltd. | http://www.arlekin.ch/
- Bernd Villiger et al. | http://www.penguin.ch/
 
LRC
Title:   Posted: 13.09.2006, 12:49
Joined: 21 Apr 2006
Posts: 152
Location: Ice and Snow
arlekin, I think you are failing to realize my prob. In almost every standard setup you have 1 port for internet and 1 port for LAN. I have seen a lot of examples to work that solution or also server setups which do not apply to me. My prob is that both internet and LAN go out of my box through eth0, which means that since I am using a port sentry for the internet on port eth0, I have to give some kind of special instructions so that samba knows that the normal IP address and ports that it listens to have to be changed. I am sure it is a simple solution, but I have not seen it. I am using firehol that has very simple instructions to solve your iptables probs, but again I do not have a standard setup.
 
arlekin
Title:   Posted: 13.09.2006, 13:26
Joined: 21 Jun 2006
Posts: 193
Location: Switzerland
LRC,

sorry for being boring ... maybe this one might prove (more) helpful.

_________________
Arlekin's Dream Ltd. | http://www.arlekin.ch/
- Bernd Villiger et al. | http://www.penguin.ch/
 
LRC
Title:   Posted: 14.09.2006, 01:49
Joined: 21 Apr 2006
Posts: 152
Location: Ice and Snow
By the way, finally found a Howto that worked. http://hr.uoregon.edu/davidrl/samba.html. The weird thing is that it couldn't find the url via computer name, but had no probs with finding it via IP address, that is after I made the small changes in Firehol and Samba. YAHUUUU!!! Even my cups is working, after changing from name to IP. But hey, it's working.
 
All times are GMT + 1 hour
Logos and trademarks are the property of their respective owners, comments are property of their posters, the rest is © 2004 - 2006 by Jörg Schirottke (Kano).
Consult Impressum and Legal Terms for details. Kanotix is Free Software released under the GNU/GPL license.