Firewall / Samba Problem

My Ubuntu box has Samba running so that my Vista PC can monitor its folding using FahMon. All was working well until I decided to configure some firewall rules using Firestarter. I went through the wizard then allowed access through the Samba ports and...lost my network share.

It reappears when I disable the Firewall.

Any ideas why this should be happening? I'm letting the Firewall determine which ports to open by picking Samba by name from the 'Allow Service' dropdown. It seems to be opening 137-139 and 445.

I'm a complete noob with Linux firewalls, so any help would be appreciated.
 
Your port range seems fine for samba, network discovery, Netbios etc.

How have you mapped the drive? With the hostname or the IP? Try the IP directly.

Also do sudo iptables -L and list the rules here.
 
I believe I mapped using a hostname. Edit: nope, if you mean in the firewall rules "allow connections from host" it's by IP.

sudo iptables -L produced this:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- . anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- . anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 192.168.2.255
DROP all -- base-address.mcast.net/8 anywhere
DROP all -- anywhere base-address.mcast.net/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.26 . tcp dpt:domain
ACCEPT udp -- 192.168.2.26 . udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- base-address.mcast.net/8 anywhere
DROP all -- anywhere base-address.mcast.net/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.2.25 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
ACCEPT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:microsoft-ds
LSI all -- anywhere anywhere

Chain LOG_FILTER (5 references)
target prot opt source destination

Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere

Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
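
An added example, not part of the original posts: a first-match walk over an excerpt of the INPUT chain listed above, with hypothetical helper names. It assumes the bare `ACCEPT all -- anywhere anywhere` rule is bound to an interface that `iptables -L` does not print without `-v`; under that assumption a broadcast to 192.168.2.255 (such as a NetBIOS name query) is dropped before the INBOUND chain holding the Samba port rules is consulted, while unicast to 192.168.2.26 reaches INBOUND.

```python
import ipaddress

# Excerpt of the INPUT chain as posted above. Left out: the two rules whose
# source prints only as "." and the rules that name addresses by hostname.
INPUT_CHAIN = """\
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 192.168.2.255
DROP all -- anywhere anywhere state INVALID
INBOUND all -- anywhere anywhere
"""

def parse(listing):
    """Split `iptables -L` rule lines into their columns."""
    rules = []
    for line in listing.splitlines():
        target, prot, _opt, src, dst, *extra = line.split()
        rules.append({"target": target, "prot": prot, "src": src, "dst": dst,
                      "extra": " ".join(extra), "text": line})
    return rules

def addr_ok(spec, addr):
    """True if addr falls inside the listed source/destination spec."""
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def verdict(rules, prot, src, dst, bare_rule_is_iface_bound):
    """First rule deciding a valid new packet (rate limits treated as matching)."""
    for r in rules:
        bare = (r["prot"], r["src"], r["dst"], r["extra"]) == ("all", "anywhere", "anywhere", "")
        if bare and r["target"] in ("ACCEPT", "DROP") and bare_rule_is_iface_bound:
            continue  # assumption: matches only an interface (e.g. lo) hidden by -L
        if "state INVALID" in r["extra"]:
            continue  # the modelled packet is valid, so this rule cannot match
        if r["prot"] not in ("all", prot):
            continue
        if addr_ok(r["src"], src) and addr_ok(r["dst"], dst):
            return r["target"], r["text"]
    return "POLICY", "chain policy"

if __name__ == "__main__":
    rules = parse(INPUT_CHAIN)
    # Addresses are the ones that appear in the listing: .25 allowed host, .26 this box.
    print(verdict(rules, "udp", "192.168.2.25", "192.168.2.255", True))
    print(verdict(rules, "tcp", "192.168.2.25", "192.168.2.26", True))
    # Read literally, the bare ACCEPT would admit everything, so the listing is incomplete.
    print(verdict(rules, "udp", "192.168.2.25", "192.168.2.255", False))
```

Running `sudo iptables -L -n -v` prints the interface columns and per-rule packet counters that the listing above omits.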
 
I'm beginning to wish I'd never started down this road! :)

I've now noticed that the shared folder on my Ubuntu machine only 'appears' (for want of a better word) to be shared when I look at it as root (i.e. by running sudo nautilus or net share). When I examine the folder's properties as a regular user (who is a member of the sambashare group, should that be relevant) it doesn't appear to be shared and returns an error message if I try to share it.

I really don't remember folder sharing to have been quite such a pain with Fedora or Gentoo when I dabbled with them as it is under Ubuntu 8.04.
 
Bump.

Still in need of assistance with this, if anyone can help. :)

Also noticed that I can't connect to my Samba share without using Firestarter to start and then stop the firewall...i.e. when I boot up by default my Windows box can't connect.
 
That would suggest that you have something incorrect with your firewall rules.

Perhaps start your firewall config from a very basic level and build it up.
 
That's what I was hoping that using Lokkit/Firestarter would achieve, but unfortunately not.

Any pointers as to where I should be looking and perhaps what I should be looking for? Is there a configuration file I should perhaps delete to start again from a clean sheet?

I'm very unfamiliar with Linux firewalls, as is probably apparent. :)
 