I am currently trying to open up the iptables firewall for Samba, but the configurations I found on various portals do not work. Without the firewall, everything works. With the firewall enabled, I see no errors in the logs apart from nmbd.log:
[2017/07/24 15:07:47.107717, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.0.46(137) ERRNO=Operation not permitted
[2017/07/24 15:07:47.107808, 0] ../source3/nmbd/nmbd_packets.c:1026(reply_netbios_packet)
reply_netbios_packet: send_packet to IP 192.168.0.46 port 137 failed
[2017/07/24 15:10:30.841301, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
[2017/07/24 15:10:30.841395, 0] ../source3/nmbd/nmbd_packets.c:179(send_netbios_packet)
send_netbios_packet: send_packet() to IP 192.168.0.255 port 137 failed
[2017/07/24 15:10:30.841421, 0] ../source3/nmbd/nmbd_namequery.c:245(query_name)
query_name: Failed to send packet trying to query name WORKGROUP<1d>
[2017/07/24 15:12:34.203550, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.0.255(138) ERRNO=Operation not permitted
[2017/07/24 15:12:34.203669, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.0.255(138) ERRNO=Operation not permitted
All ports Samba needs are listening:
xyz@nuc:~# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 517/smbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 517/smbd
tcp6 0 0 :::139 :::* LISTEN 517/smbd
tcp6 0 0 :::445 :::* LISTEN 517/smbd
udp 0 0 192.168.0.255:137 0.0.0.0:* 576/nmbd
udp 0 0 192.168.0.2:137 0.0.0.0:* 576/nmbd
udp 0 0 192.168.0.255:137 0.0.0.0:* 576/nmbd
udp 0 0 192.168.0.249:137 0.0.0.0:* 576/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 576/nmbd
udp 0 0 192.168.0.255:138 0.0.0.0:* 576/nmbd
udp 0 0 192.168.0.2:138 0.0.0.0:* 576/nmbd
udp 0 0 192.168.0.255:138 0.0.0.0:* 576/nmbd
udp 0 0 192.168.0.249:138 0.0.0.0:* 576/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 576/nmbd
The current iptables configuration looks like this:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#dhcp
iptables -I INPUT -i enp0s25 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
#Incoming ssh connection (server)
iptables -A INPUT -i enp0s25 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp0s25 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT
#Outgoing ssh connection (client)
iptables -A OUTPUT -o enp0s25 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i enp0s25 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT
##PING INCOMING ICMP
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
##SMTP##
#iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
##SMB
iptables -A INPUT -i enp0s25 -p udp --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp0s25 -p udp --sport 137:138 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i enp0s25 -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp0s25 -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp0s25 -p udp --sport 445 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -m state --state NEW,ESTABLISHED -p udp --dport 137 -j ACCEPT
#iptables -A OUTPUT -m state --state NEW,ESTABLISHED -p udp --dport 138 -j ACCEPT
#iptables -A OUTPUT -m state --state NEW,ESTABLISHED -p tcp --dport 139 -j ACCEPT
#iptables -A OUTPUT -m state --state NEW,ESTABLISHED -p tcp --dport 445 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 137 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 138 -j ACCEPT
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
#iptables -A INPUT -p tcp -m multiport --dport 139,445 -j ACCEPT
#iptables -A INPUT -p udp -m multiport --dport 137,138 -j ACCEPT
#iptables -A OUTPUT -p tcp -m multiport --dport 139,445 -j ACCEPT
#iptables -A OUTPUT -p udp -m multiport --dport 137,138 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 137 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 138 -j ACCEPT
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
#Allow apt-get requests (HTTP)
iptables -A OUTPUT -p tcp --dport 80 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Can someone give me a hint on how to set up iptables correctly for SMTP and Samba?
Regards
卡菲
Answer 1
The following lines in the error log show that the machine cannot send UDP packets destined for port 137 (they are dropped by the firewall). You therefore need to add an ACCEPT rule for UDP to allow this port.
[2017/07/24 15:07:47.107717, 0] ../source3/libsmb/nmblib.c:873(send_udp)
Packet send failed to 192.168.0.46(137) ERRNO=Operation not permitted
The same error occurs for UDP port 138. These are the NetBIOS ports. Add rules like the following:
iptables -A OUTPUT -p udp --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp --dport 138 -j ACCEPT
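To make the answer's reasoning checkable without touching a live host, here is an added example (not part of the question or the answer) that feeds the OUTPUT rules copied from the question's script through a minimal first-match evaluator and shows why the three packets from nmbd.log hit the `OUTPUT DROP` policy, and why the answer's two rules let them through. The evaluator models only the matches those rules actually use; conntrack is not simulated, so each sample packet carries the state that iptables would assign it, and that classification (the unicast reply to a broadcast query cannot match the reverse tuple of the entry the broadcast created, so it is NEW) is an assumption of the example. The client port 50000 in the last packet is constructed. As a caveat the page's own script supports, the port-445 OUTPUT rule says `-p udp` while netstat shows smbd listening on tcp/445, so the example also shows a TCP reply from port 445 still being dropped after the answer's rules are added.

```python
"""Added example: a minimal first-match evaluator for the OUTPUT rules quoted in
the question.  Only the matches those rules use are modelled (-o, -p,
--sport/--dport with lo:hi ranges, --icmp-type, -m state --state) plus the chain
policy.  Conntrack is not simulated: each sample packet carries the state that
iptables would assign it (an assumption of this example)."""

import shlex
from dataclasses import dataclass
from typing import Optional

# OUTPUT rules copied from the question's script, in the order they were appended.
QUESTION_OUTPUT_RULES = [
    "iptables -A OUTPUT -o lo -j ACCEPT",
    "iptables -A OUTPUT -o enp0s25 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o enp0s25 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A OUTPUT -o enp0s25 -p udp --sport 137:138 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o enp0s25 -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o enp0s25 -p udp --sport 445 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -p tcp --dport 80 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -p udp --dport 53 --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT",
]
OUTPUT_POLICY = "DROP"  # from "iptables -P OUTPUT DROP" in the question

# The two rules the answer proposes.
ANSWER_RULES = [
    "iptables -A OUTPUT -p udp --dport 137 -j ACCEPT",
    "iptables -A OUTPUT -p udp --dport 138 -j ACCEPT",
]


@dataclass
class Packet:
    iface: str
    proto: str
    state: str  # NEW / ESTABLISHED / RELATED, as conntrack would label the packet
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _port_range(spec: str):
    """'137' -> (137, 137); '137:138' -> (137, 138)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(cmd: str) -> dict:
    """Turn one 'iptables -A <chain> ...' command line into a dict of match criteria."""
    argv = shlex.split(cmd)
    if argv[:2] != ["iptables", "-A"]:
        raise ValueError(f"only 'iptables -A <chain> ...' is modelled: {cmd}")
    rule = {"chain": argv[2]}
    i = 3
    while i < len(argv):
        opt, val = argv[i], argv[i + 1]  # every option used on this page takes one value
        if opt in ("-i", "-o"):
            rule["iface"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt in ("--sport", "--dport"):
            rule[opt[2:]] = _port_range(val)
        elif opt == "--icmp-type":
            rule["icmp_type"] = int(val)
        elif opt == "-m":
            pass  # match-module name; its own option (--state) follows
        elif opt == "--state":
            rule["state"] = set(val.split(","))
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"unsupported option {opt!r} in: {cmd}")
        i += 2
    return rule


def matches(rule: dict, pkt: Packet) -> bool:
    """True when every criterion present in the rule holds for the packet."""
    if rule.get("iface", pkt.iface) != pkt.iface:
        return False
    if rule.get("proto", pkt.proto) != pkt.proto:
        return False
    for key in ("sport", "dport"):
        if key in rule:
            port = getattr(pkt, key)
            lo, hi = rule[key]
            if port is None or not lo <= port <= hi:
                return False
    if "icmp_type" in rule and rule["icmp_type"] != pkt.icmp_type:
        return False
    if "state" in rule and pkt.state not in rule["state"]:
        return False
    return True


def verdict(rule_cmds, policy: str, pkt: Packet) -> str:
    """First matching rule wins (all targets here are terminating); otherwise the policy."""
    for rule in map(parse_rule, rule_cmds):
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Packets reconstructed from the nmbd.log lines in the question.  Assumption of this
# example: nmbd answers a broadcast name query from its unicast address, so the reply
# does not match the reverse tuple of the conntrack entry the broadcast created and is
# NEW; the outgoing broadcast query and datagram have no prior entry and are NEW too.
NMBD_PACKETS = {
    "reply to 192.168.0.46:137": Packet("enp0s25", "udp", "NEW", sport=137, dport=137),
    "query to 192.168.0.255:137": Packet("enp0s25", "udp", "NEW", sport=137, dport=137),
    "datagram to 192.168.0.255:138": Packet("enp0s25", "udp", "NEW", sport=138, dport=138),
}


def verdicts(rule_cmds) -> dict:
    return {name: verdict(rule_cmds, OUTPUT_POLICY, p) for name, p in NMBD_PACKETS.items()}


# Caveat visible in the question's own script: its port-445 OUTPUT rule says "-p udp",
# while netstat shows smbd listening on tcp/445.  Client port 50000 is constructed.
SMB445_REPLY = Packet("enp0s25", "tcp", "ESTABLISHED", sport=445, dport=50000)

if __name__ == "__main__":
    print("before:", verdicts(QUESTION_OUTPUT_RULES))
    print("after: ", verdicts(QUESTION_OUTPUT_RULES + ANSWER_RULES))
    print("tcp/445 reply after:", verdict(QUESTION_OUTPUT_RULES + ANSWER_RULES, OUTPUT_POLICY, SMB445_REPLY))
```

Running the script prints DROP for all three nmbd packets against the question's rules and ACCEPT once the answer's two rules are appended; the `-m state --state ESTABLISHED` match on the existing `--sport 137:138` rule never fires for these packets, which is the point the answer makes. The TCP 445 reply stays at DROP in both cases, so a practitioner applying the answer would also want to correct that `-p udp` to `-p tcp` (and add a matching INPUT rule for tcp/445, which the question's script lacks) before expecting SMB file sharing itself to work.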