[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 533
  • Last Modified:

Iptables block Windows Neigb.

hi all, i cant understand too much windows. and i have a problem
in a network 192.168.x.x i install a firewall to block access and other stuffs. but my problem is when i start the firewall the 60 Windows client cant see between us with see computers in Workgroup

but if use a internet explorer and type \\machinename the machine appears..

in fact i block network browser but i dont know how. and i need to open again .

i open udp/tcp  ports 137 / 138 / 139

but nothing any ideas??? tanks
0
pablouruguay
Asked:
pablouruguay
  • 6
  • 5
1 Solution
 
Gabriel OrozcoSolution ArchitectCommented:
please give more feed

a) when you start firewall it means you start the linux machine, or the firewall iptables rules?
b) if it is the machine, and it is somethink like redhat or the like, maybe you are starting samba as well. a samba server configured to be the network browser can make some problem. just disable samba, with, say, service samba stop
c) if it is iptables rules, could you please post here the output of

iptables -L -vn

and

iptables -L -vn -t nat

and

iptables -L -vn -t mangle  ?

Regards
0
 
pablouruguayAuthor Commented:
> when you start firewall it means you start the linux machine, or the firewall iptables rules?

when i start iptables rules.

>b) if it is the machine, and it is somethink like redhat or the like, maybe you are starting samba as well. a samba server >configured to be the network browser can make some problem. just disable samba, with, say, service samba stop

samba is running but in other server in the same network but in other server. maybe this is the problem????
if the answer is yes. any solution for that???? becasuse the samba server is only for backup files. but is neccesary


 3097  244K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:138
 2174  462K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
   34  1676 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:139
0
 
Gabriel OrozcoSolution ArchitectCommented:
you only posted rules for tcp/137,138,139

but we need to understand why this server blocks your neighborhood. it is the gateway between two different subnets?

are you doing something with PREROUTING rules?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
pablouruguayAuthor Commented:
here its all. i change the realip numbers not for you, for other kidding guys :)  

and for protect my poor customer jejejejeje



[root@omega root]# iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
20866 2693K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
26063 3547K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 flags:0x16/0x02
  494 29664 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  187 11040 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 flags:0x16/0x02
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
  251 16125 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
   64  3084 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 flags:0x16/0x02
  201  9648 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:953
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1099
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1098
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1097
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1096
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:137
 3097  244K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:138
 2174  462K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
   34  1676 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
    5   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5222
    3   210 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5223
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5269
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5347
   55  6663 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
 2675  286K dropwall   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 73391 packets, 27M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0
 3496 2799K ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18905 packets, 2545K bytes)
 pkts bytes target     prot opt in     out     source               destination
30165 5132K ACCEPT     all  --  *      *       200.1.1.1/28     0.0.0.0/0
 4867 1218K ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain dropwall (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2675  286K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
[root@omega root]# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 6522 packets, 531K bytes)
 pkts bytes target     prot opt in     out     source               destination
  301 16100 DNAT       all  --  *      *       0.0.0.0/0           200.29.10.11       to:192.168.1.79
  207 11759 DNAT       all  --  *      *       0.0.0.0/0            200.10.10.10       to:192.168.1.89

Chain POSTROUTING (policy ACCEPT 7493 packets, 506K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.1.79         0.0.0.0/0           to:200.29.10.11
 2745  188K SNAT       all  --  *      *       192.168.1.0/24       0.0.0.0/0           to:200.10.10.10

Chain OUTPUT (policy ACCEPT 7516 packets, 560K bytes)
 pkts bytes target     prot opt in     out     source               destination




0
 
pablouruguayAuthor Commented:
ok.. i solve part of the problem


my problem is the samba server when i down the server i can view all machines...

and now how to solve this problem because i need both services running  samba and see my my windows neigb..
0
 
pablouruguayAuthor Commented:
what happend if i close ports 137/138/139 in the samba server???

the clients can copy your files to server ??? or blocking this ports i block samba?
0
 
Gabriel OrozcoSolution ArchitectCommented:
if you block the port, you block samba...

what is pretty extrange is why if you turn on the firewall, the other servers lost communication.

for the samba server, you can set it up to not be master browser of the net, and also not to be PDC of the domain. that should address most of the problem.

As I see your firewall, such computer is just sharing internet access... using a static ip you see from an ethernet interfase to a router or something like that.

it should be your default gateway also, and your default dns, maybe via DHCP.

do you have some setup on the dhcp that can redirect windows clients to different WINS or the like?
0
 
pablouruguayAuthor Commented:
no nothing about wins in dhcpd.conf.. is really really extrange.
0
 
Gabriel OrozcoSolution ArchitectCommented:
did you ran tcpdump?

maybe check debug and messages log in both machines?

specially the output log on the samba one.... there could be the root cause

BTW: Thanks for the points
0
 
pablouruguayAuthor Commented:
i modify this setting like you tell me and now all work. :)    
when i discover the iptables bug. in here i tell you

thnks you for your help


# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = no

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
  preferred master = no
0
 
Gabriel OrozcoSolution ArchitectCommented:
Good!
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now