Andrew Robinson wrote:
Knowing less about iptables than smb.conf and based on what I found in the existing /etc/sysconfig/iptables, I added these two lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137:139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
Are these the entries I _should_ add to iptables?
I ended up with the following on my samba PDC:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --sport 137:138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 139 -j ACCEPT
Note that 137 and 138 use UDP rather than TCP.
The following were necessary for making samba a WINS server:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1512 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1512 -j ACCEPT
(Well, I probably only need one of the tcp/udp, but opening both shouldn't cause any security meltdowns at this stage... and it was easier than figuring out which are actually necessary.)
445 doesn't seem to have been necessary for my purposes, YMMV.
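Added example, not from either poster: a small sh script that generates the same kind of RH-Firewall-1-INPUT rules for Samba, but restricted to one LAN subnet with -s instead of accepting from any source, plus an audit helper that flags Samba-port ACCEPT rules carrying no -s restriction (the rules posted above would be flagged). The subnet 192.168.1.0/24 and the APPLY variable are assumptions; the 1512 rules only mirror what the thread used for WINS. Nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Generate iptables rules for a Samba server, limited to a LAN subnet.
# Chain name RH-Firewall-1-INPUT matches the thread; LAN_NET is an assumption.

samba_rules() {
    lan="$1"                          # e.g. 192.168.1.0/24 (assumed subnet)
    chain="${2:-RH-Firewall-1-INPUT}"
    # NetBIOS name service (137) and datagram service (138) are UDP
    echo "-A $chain -s $lan -p udp -m udp --dport 137:138 -j ACCEPT"
    # NetBIOS session service (139) and SMB over TCP (445) are TCP
    echo "-A $chain -s $lan -p tcp -m tcp --dport 139 -j ACCEPT"
    echo "-A $chain -s $lan -p tcp -m tcp --dport 445 -j ACCEPT"
}

wins_rules() {
    lan="$1"
    chain="${2:-RH-Firewall-1-INPUT}"
    # Port 1512 on both protocols, as the thread opened it for WINS
    echo "-A $chain -s $lan -p udp -m udp --dport 1512 -j ACCEPT"
    echo "-A $chain -s $lan -p tcp -m tcp --dport 1512 -j ACCEPT"
}

# Read rules on stdin and print any ACCEPT for a Samba/WINS port that has
# no -s restriction, i.e. is open to every source address.
audit_open_rules() {
    grep -E -- '--dport (137|138|139|445|1512|137:138|137:139)( |$)' \
        | grep -- '-j ACCEPT' | grep -v -- ' -s '
}

# Count the lines produced by a command, trimmed for portability.
count_lines() { wc -l | tr -d ' '; }

apply_rules() {
    # Apply each generated rule with iptables; only used when APPLY=1.
    while read -r rule; do
        # shellcheck disable=SC2086 (word splitting is intended here)
        iptables $rule
    done
}

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet
if [ "${APPLY:-0}" = 1 ]; then
    { samba_rules "$LAN_NET"; wins_rules "$LAN_NET"; } | apply_rules
else
    { samba_rules "$LAN_NET"; wins_rules "$LAN_NET"; }
fi
```

Run without APPLY to see the rules it would add; pipe an existing `iptables-save` dump through `audit_open_rules` to list Samba ACCEPT rules that are not scoped to a subnet.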