#1 | 03-12-2004 | Just Joined! | Join Date: Mar 2004 | Posts: 3
Iptables
Hi
I have a problem with my Redhat firewall using iptables. This is the first Linux firewall I have built so forgive me if I sound a bit of an eejit.
I have created a small test network on our domain; the firewall sits between the two. The networks use different subnets. I have managed to configure rules to allow FTP, Telnet, and Web use, etc. both ways, but when I try to login to our domain from behind the firewall, I am told the domain cannot be found. Is this because of the different subnets and therefore different broadcast addresses?
Any help would be most appreciated.
Douglas.
#2 | 03-12-2004 | Linux Engineer | Join Date: Nov 2002 | Location: Queens, NY | Posts: 1,319
Can you be more descriptive of how your network is setup? Which network does the firewall lie in?
The best things in life are free.
#3 | 03-12-2004 | Just Joined! | Join Date: Mar 2004 | Posts: 3
iptables
The firewall is sitting between two nets, 192.168.9.0/29 & 192.168.10.0/24. There are a small number of Windows 2000 clients on the 9. network trying to authenticate on a Windows NT DC on the 10. network. I don't seem to be able to get the broadcast packets through the firewall.
#4 | 03-12-2004 | Linux Newbie | Join Date: Dec 2003 | Location: Netherlands | Posts: 193
Look at your logs for iptables. Maybe you've blocked port 135:139
Computers Are Like Air Conditioners... They're both useless with Windows open!
#5 | 03-16-2004 | Just Joined! | Join Date: Mar 2004 | Posts: 3
Those ports on the firewall are open for both UDP & TCP. The packets are only hitting the INPUT side of the firewall; I think they need to go through FORWARD, I just don't know how to get them to do this?
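The FORWARD rules post #5 is asking about, as an added example (not code from the thread): the eth0/eth1 interface names and the /29 client mask are assumptions taken from post #3.

```shell
#!/bin/sh
# Added example, not from the thread: FORWARD rules for the two subnets in post #3.
# Assumptions: eth0 faces the Windows 2000 clients, eth1 faces the NT DC.
LAN_IF=eth0; LAN_NET=192.168.9.0/29
DC_IF=eth1;  DC_NET=192.168.10.0/24

# Print each command instead of running it unless APPLY=1, so the rules can be reviewed first.
run() { if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi; }

nt_logon_rules() {
    # Routed packets are judged in FORWARD; INPUT only sees traffic addressed to the firewall itself.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NT4 logon: 135 (RPC endpoint mapper) and 137-139 (NetBIOS name, datagram, session), TCP and UDP.
    for proto in tcp udp; do
        run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$DC_IF" -d "$DC_NET" \
            -p "$proto" --dport 135:139 -m state --state NEW -j ACCEPT
    done
    # Log what FORWARD still drops, so "look at your logs" shows the blocked flow instead of nothing.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Note: NetBIOS name queries and browser elections are broadcasts and never cross a router;
# the clients still need WINS (or an LMHOSTS entry) pointing at the DC to find the domain by name.
nt_logon_rules
```

Run it as is to print the commands; run it with APPLY=1 as root to install them.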
#6 | 03-16-2004 | Linux Newbie | Join Date: Dec 2003 | Location: Netherlands | Posts: 193
Something else you could maybe use: if you're using Linux as the PDC, then you can add multiple Ethernet adapters to your domain.
Here's an idea of a configuration file; check the last rule for it:
# Sample configuration file for the Samba suite for Debian GNU/Linux
#
#
# This is the main Samba Configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# 'testparm' to check that you have not made any basic syntactic
# errors.
#
#====================== Global Settings ============================
[Global]
# workgroup = NT-Domain-Name or Workgroup-Name. You use this option
# to specify if you have a domain or workgroup. You will specify later
# on if it's a domain or workgroup.
workgroup = TESTDOMAIN
# Server string is the equivalent of the NT description field. I used
# DOMAIN-PDC. PDC means Primary Domain Controller
Server String = DOMAIN-PDC
# WINS Server - Tells the NMBD components of Samba to be a Wins Client
# Note: Samba can be either A WINS Server, or a WINS Client, but not both.
# We have disabled this option.
; wins server = w.x.y.z
# Windows Internet Name Serving Support Section:
# WINS support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = yes
# WINS Proxy - Tells Samba to answer name resolution queries on behalf
# of a non WINS capable client, for this to work there must be at least
# one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - Tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO
# Because we use this machine as a Windows Domain Controller we set this option
# to yes
dns proxy = yes
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 100
#========================== Security Settings =================================
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
security = user
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
passdb backend = smbpasswd
# These are the main security options. Other options follow.
#========================== Printer Settings ==================================
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
#================================= Misc =======================================
# Using the following line enables you to customise your configuration
# on a per machine basis. The %I gets replaced with the IP address
# of the machine that is connecting (%m would give its netbios name).
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /etc/samba/smb.conf.%I
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes
# OS Level determines the precedence of this server in master browser
# elections.
os level = 65
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %I.bat
# run a specific logon batch file per username
logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
logon path = \\%L\Profiles\%U
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
# If you want your domain controller to set the time on your client machines,
# put this in your Samba config file.
time server = yes
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
interfaces = 192.168.9.0/24 192.168.10.0/24
Computers Are Like Air Conditioners... They're both useless with Windows open!