本文档介绍如何配置iptables防火墙,以便让Windows客户端能够访问Linux主机上的Samba服务器。文中提供了针对Red Hat Fedora Core 3的具体示例,并解释了Samba服务使用的端口及其对应的守护进程。
This document explains how to configure an IPTables firewall to allow Windows networking clients to access the Samba server on your Linux host. The examples assume Red Hat Fedora Core 3, but others should work without much modification.
I have run Samba servers for a number of years now, always on private networks behind firewalls, and have usually turned off the firewall on the internal host so as not to complicate setup or troubleshooting. Having grown more security conscious over the years, I am now more likely to want to have a firewall up and only allow the minimum necessary holes through it. This short reference should explain the basics of allowing Samba traffic through an IPTables firewall, but nothing of configuring Samba itself.
Ports, Protocols, and Daemons
In the
/etc/services file you will find a few lines that refer to Samba services:
netbios-ns 137/tcp # NetBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NetBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NetBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp # Microsoft Directory Service
microsoft-ds 445/udp
The picture this provides is somewhat deceiving, since the half of those lines could be removed and condensed to:
netbios-ns 137/udp
netbios-dgm 138/tcp # NetBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NetBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp # Microsoft Directory Service
microsoft-ds 445/udp
netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
because these are the ports the Samba server daemons listen on. The first three lines represent ports used by windows networking since TCP/IP networking came standard on the Windows 95 operating system. The remaining port came to be used when Microsoft introduced it's directory service with Windows 2000. It may be useful to note for troubleshooting or configuration purposes that the UDP protocols (ports 137 and 138) are serviced by the
nmbd daemon, while the TCP protocols (ports 139 and 445) are serviced by
smbd
[1].
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
You can demonstrate what ports are being used by Samba by using these commands as root (in
/tmp or someplace safe to make temporary files)
[2]:
# service smb stop
# netstat -ln > netstat-ln-smb.before
# service smb start
# netstat -ln > netstat-ln-smb.after
# diff netstat-ln-smb.*
and you will see the ports listed above appear in the output, along with the protocol (TCP or UDP) they use to communicate. Please take a look at the
man pages for
netstat and
diff if you find the output confusing.
# netstat -ln > netstat-ln-smb.before
# service smb start
# netstat -ln > netstat-ln-smb.after
# diff netstat-ln-smb.*
Configuring IPTables
In it's simplest form, on a
Red Hat-ish system like Fedora Core 3, you can add four lines to
/etc/sysconfig/iptables just before the line with "-j REJECT" in it:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
and then restart the
iptables service:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# service iptables restart
On many networks, there are hosts that don't need and should not have access to the Samba server on a Linux host. You may wish to limit the range of IP addresses that can successfully connect to the Samba server. Here is an example set that would replace the lines above:
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
This example would allow only hosts with IP addresses between 192.168.0.1 and 192.168.0.254 to contact the Samba server running on this host. Alternatively, if wanted limit access to a single host, use these lines as a replacement:
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 445 -j ACCEPT
This example would allow only the host with the IP address of 192.168.0.10 to contact the Samba server.
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 445 -j ACCEPT
If you want multiple single hosts, or multiple subnets, to be able to connect to the Samba server, you will have to use multiple sets of the four configuration lines to express those rules before the "-j REJECT" line. IPTables has great power and flexibility, and more information concerning it is available from other
sources.
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
