[Firehol-support] samba problems

Costa Tsaousis costa at tsaousis.gr
Mon Nov 3 20:32:49 GMT 2003


Hi Goetz,

This is the output of:

firehol explain

for the command:

server samba accept src pc1

--- snip ---

#
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 3
# Command  : server samba accept src pc1

# Preparing for service 'samba' of type 'server' under interface 'internet'

# Creating chain 'in_internet_samba_s2' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_samba_s2
/sbin/iptables -t filter -A in_internet -j in_internet_samba_s2

# Creating chain 'out_internet_samba_s2' under 'out_internet' in table
'filter'
/sbin/iptables -t filter -N out_internet_samba_s2
/sbin/iptables -t filter -A out_internet -j out_internet_samba_s2

# Running complex rules function rules_samba() for server 'samba'

# Setting up rules for SAMBA/NETBIOS-NS (server)
/sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport
netbios-ns --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport
1024:65535 --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport
netbios-ns -d pc1 --dport netbios-ns -m state --state ESTABLISHED -j
ACCEPT
/sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport
netbios-ns -d pc1 --dport 1024:65535 -m state --state ESTABLISHED -j
ACCEPT

# Setting up rules for SAMBA/NETBIOS-DGM (server)
/sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport
netbios-dgm --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j
ACCEPT
/sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport
1024:65535 --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport
netbios-dgm -d pc1 --dport netbios-dgm -m state --state ESTABLISHED -j
ACCEPT
/sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport
netbios-dgm -d pc1 --dport 1024:65535 -m state --state ESTABLISHED -j
ACCEPT

# Setting up rules for SAMBA/NETBIOS-SSN (server)
/sbin/iptables -t filter -A in_internet_samba_s2 -p tcp -s pc1 --sport
1024:65535 --dport netbios-ssn -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_internet_samba_s2 -p tcp --sport
netbios-ssn -d pc1 --dport 1024:65535 -m state --state ESTABLISHED -j
ACCEPT

# > OK <

--- snip ---

As you can see above, FireHOL explicitly allows this connection
(netbios-ns is port 137):

/sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport
netbios-ns -d pc1 --dport 1024:65535 -m state --state ESTABLISHED -j
ACCEPT

The problem with your setup is that the iptables connection tracker does
not see the reply packet as part of an ESTABLISHED connection. There are
two possible causes for this:

a. The iptables connection tracker has a timeout for ESTABLISHing
connections for UDP. This is about 20 seconds. If the server cannot reply
within this time limit, then iptables considers this is a NEW connection.

b. Another reason is given in the iptables mailing lists:

--- snip ---

> /proc/net/ip_conntrack lists both connections (answer&reply) as unreplied.
> Can someone explain to me why the reply is seen as a new connection?

this sounds like the connection is not symmetrically.  The conntrack
core assumes that connections are always symmetrically:

request:
(srcip x, scrport a)  -> (dstip y, dstport b)

reply:
(srcip y, srcport b) -> (dstip x, dstport a)

If this is not the case, you are in serious trouble.

--- snip ---

This is another case where the connection tracker gets confused.

Do you believe that either of the two apply to you?

-- 
Costa


> I've a problem with samba:
>
> I've two PC's: pc1 (a.b.c.24/27) and pc2 (a.b.c.17/27).
> pc2 is running fireHOL (1.161) with
>
> ineterface eth0 world
>     server  samba   accept  src $pc1
>     ...
>     client  samba   accept  dst $pc1 # it's not needed for this setup
>     ...
>
> when I now try:
>
> user at pc1 ~ > smbclient \\\\pc2\\user -U user -W domain
> added interface ip=a.b.c.24 bcast=a.b.c.31 nmask=255.255.255.224
> Connection to files failed
> user at pc1 ~ >
>
> that's not good, on pc2 the log tells me (dmesg):
>
> OUT-world:IN= OUT=eth0 SRC=a.b.c.17 DST=a.b.c.24 LEN=90 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32771 LEN=70
> OUT-world:IN= OUT=eth0 SRC=a.b.c.17 DST=a.b.c.24 LEN=90 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32771 LEN=70
>
>
> cat /proc/net/ip_conntrack
>
> udp      17 16 src=a.b.c.24 dst=a.b.c.17 sport=137 dport=137 [UNREPLIED]
> src=a.b.c.17 dst=a.b.c.24 sport=137 dport=137 use=1
> udp      17 16 src=a.b.c.17 dst=a.b.c.31 sport=138 dport=138 [UNREPLIED]
> src=a.b.c.31 dst=a.b.c.17 sport=138 dport=138 use=1
> udp      17 16 src=a.b.c.17 dst=a.b.c.31 sport=137 dport=137 [UNREPLIED]
> src=a.b.c.31 dst=a.b.c.17 sport=137 dport=137 use=1
> udp      17 24 src=a.b.c.24 dst=a.b.c.31 sport=32771 dport=137 [UNREPLIED]
> src=a.b.c.31 dst=a.b.c.24 sport=137 dport=32771 use=1
>
>
> If I disablel the firewall everything works fine.
> (pc1 and pc2 are UMLs with non modular kernel, but all conntrack and nat
>  modules compiled in)
> --
> /"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
> \ /                     (c) 2003 as GNU FDL 1.1
>  X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
> / \  [ 3. Reply to the list - 4. Read the archive *before* you post ]





More information about the Firehol-support mailing list