Samba only works when the firewall is disabled


I can't seem to get Samba working unless I disable iptables. Once iptables is disabled everything works, although I don't like running without a firewall. I'm hoping someone can tell me what I'm doing wrong; I guess a rule is missing in iptables, but I have searched everywhere and I believe I have all the rules I need.

I have the following iptables rules set:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
COMMIT

The IP addresses I am connecting from are 192.168.168.62 and 192.168.168.84, so they should not be rejected.

When I run netstat -tulpn | egrep "samba|smbd|nmbd|winbind" I get the following:

tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      2972/smbd
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      2972/smbd
udp        0      0 192.168.168.88:137          0.0.0.0:*                               2953/nmbd
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               2953/nmbd
udp        0      0 192.168.168.88:138          0.0.0.0:*                               2953/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               2953/nmbd

The global section of my smb.conf is:

        lanman auth = no
        obey pam restrictions = yes
        client ntlmv2 auth = yes
        client signing = yes
        ntlm auth = no
        map to guest = bad user
        passwd program = /usr/bin/passwd %u
        passdb backend = tdbsam
        dns proxy = no
        unix password sync = yes
        security = user
        usershare allow guests = yes
        workgroup = WORKGROUP
        server string = %h server
        netbios name = QUICKBOOKS
        interfaces = lo eth0 192.168.168.88
        hosts allow = 192.168.168.0/24

The share section of smb.conf is:

[quickbooks]
path = /home/quickbooks
public = no
browseable = yes
guest ok = yes
writeable = yes
guest only = yes
read only = no
follow symlinks = yes
wide links = no
create mask = 0777
force user = quickbooks

Answer 1

Ports 137 and 138 should be opened for UDP traffic, not TCP:

-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Source:

Answer 2

Before the reject rule in the RH-Firewall-1-INPUT chain, add a rule that logs all traffic. It helps identify which packets are being blocked: -A RH-Firewall-1-INPUT -j LOG
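Both answers point at the rule set itself, so here is a small lint script, added here and not from the question or either answer, that reads iptables-save output and reports the tcp-instead-of-udp rules for 137/138 from answer 1, and also flags Samba ACCEPT rules appended after the chain's catch-all REJECT, which is where the question's rules sit and why logging before the REJECT (answer 2) would show them being dropped. The rule text in sample_rules is a constructed copy of the relevant lines from the question; the chain name RH-Firewall-1-INPUT comes from the page.

```shell
#!/bin/sh
# Added example, not from the question or either answer: lint an iptables-save
# dump for the two reasons the question's Samba rules never match. For live
# rules use `iptables-save | lint_samba_rules`; sample_rules is a constructed
# copy of the relevant lines from the question.
CHAIN=RH-Firewall-1-INPUT

sample_rules() {
cat <<'EOF'
*filter
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints one line per finding:
#   WRONG_PROTO  137/138 accepted for tcp, but NetBIOS name/datagram use udp
#   UNREACHABLE  a Samba ACCEPT appended after a catch-all REJECT/DROP in the
#                same chain, so the chain never evaluates it
lint_samba_rules() {
    awk -v chain="$CHAIN" '
    $1 == "-A" && $2 == chain {
        n++; proto = ""; port = ""; src = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "-s")      src    = $(i + 1)
            if ($i == "--dport") port   = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        # remember the first catch-all terminal rule (no proto/src/port match)
        if ((target == "REJECT" || target == "DROP") && proto == "" && src == "" && port == "" && !term)
            term = n
        if (target != "ACCEPT") next
        if ((port == "137" || port == "138") && proto == "tcp")
            print "WRONG_PROTO port " port " accepted for tcp; NetBIOS uses udp"
        if ((port == "137" || port == "138" || port == "139" || port == "445") && term)
            print "UNREACHABLE port " port " ACCEPT is rule " n ", after catch-all rule " term
    }'
}

sample_rules | lint_samba_rules
```

Run against the question's rules it reports six findings: two WRONG_PROTO lines for 137/138 and four UNREACHABLE lines, one per Samba port, because all four ACCEPTs come after the catch-all REJECT.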
