Samba only works when the firewall is disabled

I can't seem to get Samba working properly without disabling iptables. As soon as I disable iptables everything works, although I don't like being without a firewall. I'm hoping someone can tell me what I'm doing wrong; my guess is that there is a missing rule in iptables, but I've searched everywhere and I believe I have all the rules I need.

I have the following rules set in iptables:

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
    COMMIT

The IP addresses I am connecting from are 192.168.168.62 and 192.168.168.84, so they should not be rejected.

When I run the command netstat -tulpn | egrep "samba|smbd|nmbd|winbind" I get back:

    tcp   0  0 0.0.0.0:139            0.0.0.0:*   LISTEN   2972/smbd
    tcp   0  0 0.0.0.0:445            0.0.0.0:*   LISTEN   2972/smbd
    udp   0  0 192.168.168.88:137     0.0.0.0:*            2953/nmbd
    udp   0  0 0.0.0.0:137            0.0.0.0:*            2953/nmbd
    udp   0  0 192.168.168.88:138     0.0.0.0:*            2953/nmbd
    udp   0  0 0.0.0.0:138            0.0.0.0:*            2953/nmbd

The global section of my smb.conf file is:

    lanman auth = no
    obey pam restrictions = yes
    client ntlmv2 auth = yes
    client signing = yes
    ntlm auth = no
    map to guest = bad user
    passwd program = /usr/bin/passwd %u
    passdb backend = tdbsam
    dns proxy = no
    unix password sync = yes
    security = user
    usershare allow guests = yes
    workgroup = WORKGROUP
    server string = %h server
    netbios name = QUICKBOOKS
    interfaces = lo eth0 192.168.168.88
    hosts allow = 192.168.168.0/24

The share section of smb.conf is:

    [quickbooks]
    path = /home/quickbooks
    public = no
    browseable = yes
    guest ok = yes
    writeable = yes
    guest only = yes
    read only = no
    follow symlinks = yes
    wide links = no
    create mask = 0777
    force user = quickbooks

Open ports 137 and 138 for UDP traffic rather than TCP:

    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
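An added example (not from the question or the answers above) that audits an iptables-save dump for the two things that keep Samba clients out here: NetBIOS name/datagram service on 137/138 must be opened for UDP, and any ACCEPT appended after the chain's catch-all REJECT is never evaluated, because iptables walks a chain top to bottom. The chain name and the sample rules below are constructed to mirror the question.

```python
import re

# Samba/CIFS ports and the transport each service listens on (matches the netstat output above).
SAMBA_PORTS = {137: "udp", 138: "udp", 139: "tcp", 445: "tcp"}

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")

def parse_rules(dump):
    """Yield (chain, proto, dport, target) for each -A line, in file order."""
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, body = m.groups()
        proto = re.search(r"(?:^|\s)-p\s+(\S+)", body)
        dport = re.search(r"--dport\s+(\d+)", body)
        target = re.search(r"(?:^|\s)-j\s+(\S+)", body)
        yield (chain, proto.group(1) if proto else None,
               int(dport.group(1)) if dport else None,
               target.group(1) if target else None)

def audit_samba(dump, chain="RH-Firewall-1-INPUT"):
    """Return a sorted list of problems that would keep Samba clients out."""
    problems, reachable, seen_reject = [], set(), False
    for rule_chain, proto, dport, target in parse_rules(dump):
        if rule_chain != chain:
            continue
        if target == "REJECT" and dport is None:
            seen_reject = True   # catch-all REJECT: every later rule in this chain is dead
        elif target == "ACCEPT" and dport in SAMBA_PORTS:
            if seen_reject:
                problems.append(f"{proto}/{dport} ACCEPT sits after the catch-all REJECT")
            else:
                reachable.add((proto, dport))
    for port, proto in SAMBA_PORTS.items():
        if (proto, port) not in reachable:
            problems.append(f"no reachable ACCEPT for {proto}/{port}")
    return sorted(problems)

# Constructed sample in the same order as the question: TCP used for 137/138, and all
# four Samba rules appended after the chain's REJECT, so none of them is ever reached.
BROKEN = """
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.168.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
"""

if __name__ == "__main__":
    for problem in audit_samba(BROKEN):
        print(problem)
```

Run it against `iptables-save` output on the host; an empty result means every Samba port has a reachable ACCEPT with the right transport.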

Resources:

Add a rule that logs all traffic before the reject rule in the RH-Firewall-1-INPUT chain. It can help identify which packets are being blocked:

    -A RH-Firewall-1-INPUT -j LOG