Pablo Allietti
asked on
Iptables block Windows Neigb.
Hi all, I don't understand Windows very well, and I have a problem.
In a 192.168.x.x network I installed a firewall to block access and other stuff. But my problem is that when I start the firewall, the 60 Windows clients can't see each other with "see computers in Workgroup".
But if I use Internet Explorer and type \\machinename, the machine appears..
In fact I have blocked network browsing, but I don't know how, and I need to open it again.
I opened UDP/TCP ports 137 / 138 / 139,
but nothing. Any ideas??? Thanks.
ASKER CERTIFIED SOLUTION
You only posted rules for tcp/137,138,139,
but we need to understand why this server blocks your neighborhood. Is it the gateway between two different subnets?
Are you doing something with PREROUTING rules?
ASKER
Here it all is. I changed the real IP numbers, not for you, but for other kidding guys :)
and to protect my poor customer jejejejeje
[root@omega root]# iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20866 2693K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
26063 3547K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
494 29664 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
187 11040 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
251 16125 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
64 3084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x16/0x02
201 9648 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
10 600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:953
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1099
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1098
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1097
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1096
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
3097 244K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
2174 462K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
34 1676 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
5 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222
3 210 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5223
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269
2 96 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5347
55 6663 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
2675 286K dropwall all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 73391 packets, 27M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0
3496 2799K ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 18905 packets, 2545K bytes)
pkts bytes target prot opt in out source destination
30165 5132K ACCEPT all -- * * 200.1.1.1/28 0.0.0.0/0
4867 1218K ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
Chain dropwall (1 references)
pkts bytes target prot opt in out source destination
2675 286K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@omega root]# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 6522 packets, 531K bytes)
pkts bytes target prot opt in out source destination
301 16100 DNAT all -- * * 0.0.0.0/0 200.29.10.11 to:192.168.1.79
207 11759 DNAT all -- * * 0.0.0.0/0 200.10.10.10 to:192.168.1.89
Chain POSTROUTING (policy ACCEPT 7493 packets, 506K bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.1.79 0.0.0.0/0 to:200.29.10.11
2745 188K SNAT all -- * * 192.168.1.0/24 0.0.0.0/0 to:200.10.10.10
Chain OUTPUT (policy ACCEPT 7516 packets, 560K bytes)
pkts bytes target prot opt in out source destination
ASKER
OK.. I solved part of the problem.
My problem is the Samba server: when I shut that server down I can view all machines...
And now how do I solve this problem, because I need both: the Samba service running and seeing my Windows neighborhood..
ASKER
What happens if I close ports 137/138/139 on the Samba server???
Can the clients still copy their files to the server??? Or by blocking these ports do I block Samba?
If you block the port, you block Samba...
What is pretty strange is why, if you turn on the firewall, the other servers lose communication.
For the Samba server, you can set it up not to be master browser of the net, and also not to be PDC of the domain. That should address most of the problem.
As I see your firewall, that computer is just sharing internet access... using a static IP you see from an ethernet interface to a router or something like that.
It should be your default gateway also, and your default DNS, maybe via DHCP.
Do you have some setup on the DHCP that can redirect Windows clients to a different WINS or the like?
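An added audit script, not from this thread, for the ruleset posted above: it parses `iptables -L -vn` output and flags NetBIOS/SMB ACCEPT rules in INPUT that are not limited to the LAN interface or subnet, which matters because, as noted, this same box carries the static internet-facing address. It assumes eth1 is the LAN interface and 192.168.1.0/24 the LAN network; the listing is a constructed, shortened copy of the posted INPUT chain.

```python
"""Find NetBIOS/SMB ACCEPT rules that are open to any interface and any source."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

NETBIOS_PORTS = {137, 138, 139, 445}  # NBNS, NetBIOS datagram, NetBIOS session, SMB/TCP
LAN_IFACE = "eth1"                    # assumption: eth1 faces the 192.168.1.0/24 LAN
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample: shortened copy of the INPUT chain posted above, plus one
# already LAN-scoped rule (tcp/445 on eth1) to show what a good rule looks like.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
20866 2693K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
26063 3547K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  494 29664 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
 3097 244K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
 2174 462K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
   34 1676 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
    0 0 ACCEPT tcp -- eth1 * 192.168.1.0/24 0.0.0.0/0 tcp dpt:445
 2675 286K dropwall all -- * * 0.0.0.0/0 0.0.0.0/0
"""

@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    in_if: str
    source: str
    dport: Optional[int]

# Columns of `iptables -L -vn`: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")

def parse_listing(text: str) -> List[Rule]:
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m or chain is None:
            continue  # header row or blank line
        target, proto, in_if, _out, src, _dst, extra = m.groups()
        dm = re.search(r"dpt:(\d+)", extra)
        rules.append(Rule(chain, target, proto, in_if, src, int(dm.group(1)) if dm else None))
    return rules

def exposed_netbios_rules(rules: List[Rule]) -> List[Rule]:
    """ACCEPTs for NetBIOS/SMB ports bound neither to the LAN interface nor to a LAN source."""
    return [r for r in rules
            if r.chain == "INPUT" and r.target == "ACCEPT" and r.dport in NETBIOS_PORTS
            and r.in_if != LAN_IFACE
            and not ipaddress.ip_network(r.source).subnet_of(LAN_NET)]

def scoped_rule(rule: Rule) -> str:
    """Equivalent ACCEPT restricted to the LAN interface and subnet."""
    return (f"iptables -A INPUT -i {LAN_IFACE} -s {LAN_NET} "
            f"-p {rule.proto} --dport {rule.dport} -j ACCEPT")

if __name__ == "__main__":
    for r in exposed_netbios_rules(parse_listing(SAMPLE_LISTING)):
        print(f"{r.proto}/{r.dport} accepted from {r.source} on in={r.in_if}; use: {scoped_rule(r)}")
```

Windows browsing only needs these ports from the LAN side, so scoping them this way keeps the Workgroup view working while removing the internet exposure.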
ASKER
No, nothing about WINS in dhcpd.conf.. It is really, really strange.
Did you run tcpdump?
Maybe check the debug and messages logs on both machines?
Especially the output log on the Samba one.... the root cause could be there.
BTW: Thanks for the points
ASKER
I modified this setting like you told me and now everything works. :)
When I discover the iptables bug, I will tell you here.
Thank you for your help.
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
domain master = no
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = no
Good!
ASKER
When I start the iptables rules.
> b) If it is the machine, and it is something like Red Hat or the like, maybe you are starting Samba as well. A Samba server configured to be the network browser can cause some problems. Just disable Samba with, say, service samba stop
Samba is running, but on another server in the same network. Maybe this is the problem????
If the answer is yes, is there any solution for that???? Because the Samba server is only for backup files, but it is necessary.