machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 4:24 am Post subject: Samba over nat issues (iptables) [solved]
I've got Samba working on an internal network; I can connect my Windows laptop to a switch (call this Switch A) via a wire and browse the Samba shares on another machine on that same switch. However, the external interface of that switch is connected as a client to a wireless network. I would like to be able to allow machines on the wireless network to also access the Samba shares. I've already figured out how to do this for other services on that machine (e.g., ssh, apache) by editing the iptables on Switch A (it's a Linksys running OpenWrt) but I can't figure out how to do it for Samba.
I don't know much about iptables so I'm assuming that I'm just doing it wrong.
Here are the iptables rules I have at the moment (from what I've read online, Windows file sharing seems to use ports 137 and 138 (via UDP) and 139 and 445 (via TCP)):
Code:
### Samba
iptables -t nat -A prerouting_wan -p udp --dport 137 -j DNAT --to 192.168.1.101:137
iptables -A forwarding_wan -p udp --dport 137 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 138 -j DNAT --to 192.168.1.101:138
iptables -A forwarding_wan -p udp --dport 138 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 139 -j DNAT --to 192.168.1.101:139
iptables -A forwarding_wan -p tcp --dport 139 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 445 -j DNAT --to 192.168.1.101:445
iptables -A forwarding_wan -p tcp --dport 445 -d 192.168.1.101 -j ACCEPT
And just for comparison, here are the rules I use for some other services that work:
Code:
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.1.101:22
iptables -A forwarding_wan -p tcp --dport 22 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.1.101:80
iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 88 -j DNAT --to 192.168.1.101:88
iptables -A forwarding_wan -p tcp --dport 88 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 89 -j DNAT --to 192.168.1.102:443
iptables -A forwarding_wan -p tcp --dport 443 -d 192.168.1.102 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j DNAT --to 192.168.1.101:443
iptables -A forwarding_wan -p tcp --dport 443 -d 192.168.1.101 -j ACCEPT
Last edited by machinelou on Wed Jan 02, 2008 11:17 pm; edited 1 time in total
gentoo_dude l33t
Joined: 08 May 2004 Posts: 645 Location: Washington, DC
Posted: Wed Jan 02, 2008 6:26 am
Try allowing TCP 137 through 139.
EDIT: I just rechecked my firewall rules; it should be only TCP 139 and 445 and UDP 137 and 138, so the ports open are correct.
Do you have a firewall enabled on the server, or just the router's firewall?
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 12:56 pm
gentoo_dude wrote: "Do you have firewall enabled on the server, or just the router's firewall?"
Just the router...
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 5:48 pm
Can someone at least tell me if there are any obvious mistakes?
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Wed Jan 02, 2008 6:08 pm
Quote: "Can someone at least tell me if there are any obvious mistakes?"
Not sure about obvious, but UDP is a stateless protocol; you need to open it both ways.
Below is an excerpt (just the Samba part) from the iptables I have running on my server... hope it gives you an idea of what to do.
Code:
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --dport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --sport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 139 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 445 -j ACCEPT
cheers
V.
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 6:24 pm
Veldrin wrote: "Not sure about obvious, but UDP is a stateless protocol, you need to open it both ways."
Thanks for the hint. Can you tell me a little about what these lines do?
Code:
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --dport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --sport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 139 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 445 -j ACCEPT
Like, what does -s 192.168.180.112/28 do?
--dport?
--sport?
Would these lines (or something like them) go above the lines I already have? Thanks, sorry I have so many questions...
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 7:02 pm
OK, I added those lines. My config now looks like this:
Code:
### Samba
iptables -A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 137 -j DNAT --to 192.168.1.101:137
iptables -A forwarding_wan -p udp --dport 137 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 138 -j DNAT --to 192.168.1.101:138
iptables -A forwarding_wan -p udp --dport 138 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 139 -j DNAT --to 192.168.1.101:139
iptables -A forwarding_wan -p tcp --dport 139 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 445 -j DNAT --to 192.168.1.101:445
iptables -A forwarding_wan -p tcp --dport 445 -d 192.168.1.101 -j ACCEPT
It still doesn't work.
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 9:31 pm
Okay, I found some more clues...
I increased the log level in /etc/samba/smb.conf to 3. I also turned on WINS support. When I set my Windows client's WINS server IP to the Samba server, I got this in the logs:
Code:
[2008/01/02 16:19:32, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name FENGHU<00> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name __MSBROWSE__<01> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name MEDIA<1d> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(854)
wins_process_name_refresh_request: Name refresh for name MEDIA<1d> and the name does not exist. Treating as registration.
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_registration_request(1138)
wins_process_name_registration_request: Unique name registration for name MEDIA<1d> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_registration_request(1205)
wins_process_name_registration_request: Ignoring request to register name MEDIA<1d> from IP 192.168.0.109.
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name MEDIA<1e> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name FENGHU<20> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name MEDIA<00> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name FENGHU<00> IP 192.168.0.109
[2008/01/02 16:21:18, 3] nmbd/nmbd_winsserver.c:wins_process_name_query_request(1892)
wins_process_name_query: name query for name SATURN<00> from IP 192.168.0.109
[2008/01/02 16:21:18, 3] nmbd/nmbd_winsserver.c:wins_process_name_query_request(1944)
wins_process_name_query: name query for name SATURN<00> returning first IP 192.168.1.101.
[2008/01/02 16:21:21, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name __MSBROWSE__<01> IP 192.168.0.109
[2008/01/02 16:21:21, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
wins_process_name_refresh_request: Name refresh for name MEDIA<1d> IP 192.168.0.109
I don't really know what any of that nonsense means, except that the Windows client (with IP 192.168.0.109) is able to talk to the WINS server.
I then tried to ping the Samba server using its name, "SATURN". Instead of resolving to the router's IP address (192.168.0.10) it resolved to the address behind the NAT (192.168.1.101). So, it didn't connect...
Now what?
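The nmbd log in the post above shows the mechanism behind the failed ping: the client at 192.168.0.109 asks the WINS server for SATURN<00> and is handed 192.168.1.101, the server's own address on the NATed subnet, which nothing on the wireless side can route to. The following is an added example (not code from the thread, from Samba or from OpenWrt): a small NetBIOS Name Service (UDP/137, RFC 1001/1002) codec in Python that builds that name query, constructs the positive reply a WINS server would return, parses it, and checks whether the answer lies on the client's own subnet. The host name and the three addresses are taken from the log; the transaction ID, TTL and the packet bytes are constructed here, since nmbd's actual wire reply is not in the thread.

```python
"""NetBIOS Name Service (NBNS) query/response codec, RFC 1001/1002.

Added example reproducing the SATURN<00> lookup seen in the nmbd log.
Packets are constructed locally; nothing is sent on the network.
"""
import ipaddress
import struct

NB_RR_TYPE = 0x0020               # NB resource record (RFC 1002 4.2.1.2)
CLASS_IN = 0x0001
FLAGS_QUERY_UNICAST = 0x0100      # opcode QUERY, RD set: directed WINS lookup
FLAGS_QUERY_BROADCAST = 0x0110    # same plus B bit: subnet broadcast lookup
FLAGS_POSITIVE_RESPONSE = 0x8580  # R, AA, RD, RA set, RCODE 0

# Values taken from the log above (constructed exchange, not captured traffic)
CLIENT_IP = "192.168.0.109"       # Windows client on the wireless side
ROUTER_WAN_IP = "192.168.0.10"    # OpenWrt box holding the DNAT rules
SAMBA_LAN_IP = "192.168.1.101"    # SATURN, behind the NAT


def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001 14.1): 15-char space-padded name plus the
    one-byte suffix (<00> workstation, <20> file server, ...), each nibble
    mapped to 'A'..'P', wrapped as a single 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_netbios_name(label):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) != 34 or label[0] != 0x20 or label[33] != 0x00:
        raise ValueError("malformed NetBIOS label")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(tid, name, suffix, broadcast=False):
    """NAME QUERY REQUEST: 12-byte header, one question (label + type + class)."""
    flags = FLAGS_QUERY_BROADCAST if broadcast else FLAGS_QUERY_UNICAST
    header = struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0)
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", NB_RR_TYPE, CLASS_IN)
    return header + question


def build_positive_response(tid, name, suffix, addresses, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE: one NB record whose RDATA holds 6 bytes per
    address (NB_FLAGS: bit 15 = group name, bits 14-13 = owner node type; IPv4)."""
    rdata = b"".join(struct.pack("!H4s", 0x0000, ipaddress.IPv4Address(a).packed)
                     for a in addresses)
    header = struct.pack("!HHHHHH", tid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr = (encode_netbios_name(name, suffix)
          + struct.pack("!HHIH", NB_RR_TYPE, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + rr


def parse_name_response(pkt):
    """Return {'tid', 'rcode', 'name', 'suffix', 'addresses': [(ip, is_group)]}."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    result = {"tid": tid, "rcode": flags & 0x000F, "name": None,
              "suffix": None, "addresses": []}
    if result["rcode"] or an == 0:
        return result                      # negative response or empty answer
    off = 12 + qd * 38                     # skip echoed questions (34-byte label + 4)
    label, off = pkt[off:off + 34], off + 34
    rr_type, rr_class, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if (rr_type, rr_class) != (NB_RR_TYPE, CLASS_IN):
        raise ValueError("unexpected RR type/class")
    result["name"], result["suffix"] = decode_netbios_name(label)
    rdata = pkt[off:off + rdlen]
    for i in range(0, rdlen - rdlen % 6, 6):
        nb_flags, ip = struct.unpack("!H4s", rdata[i:i + 6])
        result["addresses"].append((str(ipaddress.IPv4Address(ip)), bool(nb_flags & 0x8000)))
    return result


def on_client_subnet(client_ip, prefix_len, resolved_ip):
    """True if the resolved address is directly reachable from the client's subnet.
    192.168.1.101 seen from 192.168.0.0/24 is not, and the NAT box in this
    thread does not route it, so the client must use the router's address."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(resolved_ip) in net


def demo(tid=0x1234):
    """Run the constructed SATURN<00> exchange and report what the client learns."""
    query = build_name_query(tid, "SATURN", 0x00)
    reply = build_positive_response(tid, "SATURN", 0x00, [SAMBA_LAN_IP])
    parsed = parse_name_response(reply)
    parsed["tid_matches"] = parsed["tid"] == struct.unpack("!H", query[:2])[0]
    parsed["reachable"] = [on_client_subnet(CLIENT_IP, 24, ip) for ip, _g in parsed["addresses"]]
    return parsed


if __name__ == "__main__":
    r = demo()
    for (ip, _grp), ok in zip(r["addresses"], r["reachable"]):
        where = "reachable" if ok else "behind NAT; connect to " + ROUTER_WAN_IP + " instead"
        print(f"{r['name']}<{r['suffix']:02x}> -> {ip}: {where}")
```

Running it reports SATURN<00> resolving to 192.168.1.101 and flags it as behind the NAT; that is the same answer nmbd logged, and why connecting by the router's address works where the name does not. A WINS server registers whatever address the registering host reports, so port-forwarding alone never fixes name resolution across a NAT.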
gentoo_dude l33t
Joined: 08 May 2004 Posts: 645 Location: Washington, DC
Posted: Wed Jan 02, 2008 9:36 pm
This is my samba rule on my server
[6649:336946] -A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp -m multiport --dports 139,445 -j ACCEPT
[99632:23528029] -A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p udp -m udp -m multiport --sports 137,138 -j ACCEPT
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 11:09 pm
More progress... A kind soul on #openwrt pointed out to me that one could access Samba shares on a Windows client using just an IP address. You type \\ip.address into the Run dialog and voilà! It works!
I can now see the shares on my Samba server. The only problem is now I can't log in. It says it is not accessible. It's unusual because I could log in fine when attached to the same router as the server.
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Jan 02, 2008 11:17 pm
Solved!
I turned on some options in smb.conf during this whole debacle (preferred master, domain master, local master, and os level). Turning them off allowed me to log in. Yahooo!