<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<small>With the rules:<br>
<tt>Allow connections from host<br>
192.168.1.101</tt><br>
and<br>
<tt>Allow Service Port For<br>
Samba(SMB) 137-139 445 192.168.1.101</tt><br>
</small><br>
<small>On the system attempting access, Network Tools, Devices,
Ethernet Interface (eth0), shows its IPv4 address as 192.168.1.101.<br>
Places > Network usually shows the target system, but double
clicking its icon results in the message "Failed to windows share".<br>
<br>
</small><small>The output of iptables-save is:<tt><br>
# Generated by iptables-save v1.4.4 on Thu Feb 4 19:01:58 2010<br>
*nat<br>
:PREROUTING ACCEPT [25:2894]<br>
:POSTROUTING ACCEPT [8:1115]<br>
:OUTPUT ACCEPT [9:1183]<br>
COMMIT<br>
# Completed on Thu Feb 4 19:01:58 2010<br>
# Generated by iptables-save v1.4.4 on Thu Feb 4 19:01:58 2010<br>
*mangle<br>
:PREROUTING ACCEPT [36:4264]<br>
:INPUT ACCEPT [36:4264]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [16:3488]<br>
:POSTROUTING ACCEPT [18:3839]<br>
COMMIT<br>
# Completed on Thu Feb 4 19:01:58 2010<br>
# Generated by iptables-save v1.4.4 on Thu Feb 4 19:01:58 2010<br>
*filter<br>
:INPUT DROP [0:0]<br>
:FORWARD DROP [0:0]<br>
:OUTPUT DROP [0:0]<br>
:INBOUND - [0:0]<br>
:LOG_FILTER - [0:0]<br>
:LSI - [0:0]<br>
:LSO - [0:0]<br>
:OUTBOUND - [0:0]<br>
-A INPUT -s 68.87.77.134/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT <br>
-A INPUT -s 68.87.77.134/32 -p udp -j ACCEPT <br>
-A INPUT -s 68.87.72.134/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT <br>
-A INPUT -s 68.87.72.134/32 -p udp -j ACCEPT <br>
-A INPUT -i lo -j ACCEPT <br>
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT <br>
-A INPUT -d 255.255.255.255/32 -i eth0 -j DROP <br>
-A INPUT -d 192.168.1.255/32 -j DROP <br>
-A INPUT -s 224.0.0.0/8 -j DROP <br>
-A INPUT -d 224.0.0.0/8 -j DROP <br>
-A INPUT -s 255.255.255.255/32 -j DROP <br>
-A INPUT -d 0.0.0.0/32 -j DROP <br>
-A INPUT -m state --state INVALID -j DROP <br>
-A INPUT -f -m limit --limit 10/min -j LSI <br>
-A INPUT -i eth0 -j INBOUND <br>
-A INPUT -j LOG_FILTER <br>
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6 <br>
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT <br>
-A FORWARD -j LOG_FILTER <br>
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6 <br>
-A OUTPUT -s 192.168.1.100/32 -d 68.87.77.134/32 -p tcp -m tcp --dport 53 -j ACCEPT <br>
-A OUTPUT -s 192.168.1.100/32 -d 68.87.77.134/32 -p udp -m udp --dport 53 -j ACCEPT <br>
-A OUTPUT -s 192.168.1.100/32 -d 68.87.72.134/32 -p tcp -m tcp --dport 53 -j ACCEPT <br>
-A OUTPUT -s 192.168.1.100/32 -d 68.87.72.134/32 -p udp -m udp --dport 53 -j ACCEPT <br>
-A OUTPUT -o lo -j ACCEPT <br>
-A OUTPUT -s 224.0.0.0/8 -j DROP <br>
-A OUTPUT -d 224.0.0.0/8 -j DROP <br>
-A OUTPUT -s 255.255.255.255/32 -j DROP <br>
-A OUTPUT -d 0.0.0.0/32 -j DROP <br>
-A OUTPUT -m state --state INVALID -j DROP <br>
-A OUTPUT -o eth0 -j OUTBOUND <br>
-A OUTPUT -j LOG_FILTER <br>
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6 <br>
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
-A INBOUND -s 192.168.1.101/32 -j ACCEPT <br>
-A INBOUND -s 192.168.1.101/32 -p tcp -m tcp --dport 137:139 -j ACCEPT <br>
-A INBOUND -s 192.168.1.101/32 -p udp -m udp --dport 137:139 -j ACCEPT <br>
-A INBOUND -s 192.168.1.101/32 -p tcp -m tcp --dport 445 -j ACCEPT <br>
-A INBOUND -s 192.168.1.101/32 -p udp -m udp --dport 445 -j ACCEPT <br>
-A INBOUND -j LSI <br>
-A LSI -j LOG_FILTER <br>
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 <br>
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP <br>
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 <br>
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP <br>
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6 <br>
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP <br>
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6 <br>
-A LSI -j DROP <br>
-A LSO -j LOG_FILTER <br>
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6 <br>
-A LSO -j REJECT --reject-with icmp-port-unreachable <br>
-A OUTBOUND -p icmp -j ACCEPT <br>
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
-A OUTBOUND -j ACCEPT <br>
COMMIT<br>
# Completed on Thu Feb 4 19:01:58 2010</tt><br>
<br>
<br>
<br>
</small>Florin Iucha wrote:
<blockquote cite="mid:20100204223411.GF2519@iris.iucha.org" type="cite">
<pre wrap="">On Thu, Feb 04, 2010 at 04:16:12PM -0600, Larry McMains wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I have two Ubuntu 9.10 systems on a local network provided by a Linksys
router. I installed Firestarter on one of them and found that, as
expected, it blocked access for file sharing by the other system.
However, I tried adding rules to allow connections from the other
system, and to allow specific service (SMB) requests from the other
system, both by specific network address and by host name, each rule
alone and both of them together. All combinations of neither, either, or
both rules result in the other computer being blocked (if I turn off the
firewall, access works fine, so the sharing part is set up correctly).
I'm obviously missing something, any suggestions?
</pre>
</blockquote>
<pre wrap=""><!---->
Show us the rules, together with the output of '/sbin/iptables-save' .
Cheers,
florin
</pre>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
<a class="moz-txt-link-abbreviated" href="mailto:tclug-list@mn-linux.org">tclug-list@mn-linux.org</a>
<a class="moz-txt-link-freetext" href="http://mailman.mn-linux.org/mailman/listinfo/tclug-list">http://mailman.mn-linux.org/mailman/listinfo/tclug-list</a>
</pre>
</blockquote>
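<p><small>The chain walk below is an added example and not code from this thread. It is a simplified model of how a packet traverses the filter table posted above, covering only the match options that appear in it (-s, -d, -p, -i, --dport, -m state), with user-defined chains entered and left the way iptables does it, LOG treated as non-terminating, and the built-in chain's policy applied on fall-through. RULESET is an excerpt of that iptables-save output; the packets are constructed, and the interface name wlan0 is hypothetical. Against that excerpt it shows three things that can be read straight off the rules: a connection to port 445 from 192.168.1.101 arriving on eth0 is accepted by the INBOUND host rule; the same packet on any interface other than eth0 never enters INBOUND and ends at the INPUT policy (DROP) after the "Unknown Input" log rule; and a NetBIOS name-service query sent to the broadcast address 192.168.1.255 is dropped by an INPUT rule that comes before the jump to INBOUND.</small></p>

```python
"""Trace a packet through an iptables-save filter table (simplified model).
Added example, not code from the thread: RULESET is an excerpt of the posted
iptables-save output, the packets are constructed, and "wlan0" is hypothetical."""
import shlex
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

RULESET = """\
:INPUT DROP [0:0]
:INBOUND - [0:0]
:LSI - [0:0]
-A INPUT -d 192.168.1.255/32 -j DROP
-A INPUT -i eth0 -j INBOUND
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 192.168.1.101/32 -j ACCEPT
-A INBOUND -s 192.168.1.101/32 -p tcp -m tcp --dport 445 -j ACCEPT
-A INBOUND -j LSI
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ONE_ARG = {"-s", "-d", "-p", "-i", "-m", "-j", "--dport", "--state", "--limit",
           "--log-prefix", "--log-level"}       # every option here takes one argument
MATCHERS = {                                    # option -> (value, packet) -> bool
    "-s": lambda v, p: ip_address(p.src) in ip_network(v, strict=False),
    "-d": lambda v, p: ip_address(p.dst) in ip_network(v, strict=False),
    "-p": lambda v, p: p.proto == v,
    "-i": lambda v, p: p.iface == v,
    "--dport": lambda v, p: int(v.split(":")[0]) <= p.dport <= int(v.split(":")[-1]),
    "--state": lambda v, p: p.state in v.split(","),
}   # -m, -j, --limit and --log-* impose no packet condition (limits assumed not exceeded)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    iface: str          # interface the packet arrived on
    dport: int = 0
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

def parse_ruleset(text):
    """Return (policies, chains); each rule is a dict mapping option -> value."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks, rule, i = shlex.split(line), {}, 2
            while i < len(toks):
                if toks[i] not in ONE_ARG:
                    raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
                rule[toks[i]], i = toks[i + 1], i + 2
            chains[toks[1]].append(rule)
    return policies, chains

def rule_matches(rule, pkt):
    """True if every packet condition in the rule holds."""
    return all(MATCHERS[k](v, pkt) for k, v in rule.items() if k in MATCHERS)

def trace(chains, policies, chain, pkt, path):
    """Walk `chain`, appending consulted rules to `path`; return the verdict or None on fall-through."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["-j"]
        path.append(f"{chain}: -j {target}" + (f' "{rule["--log-prefix"]}"' if target == "LOG" else ""))
        if target in TERMINAL:
            return target
        if target in chains:                    # user-defined chain: descend into it
            verdict = trace(chains, policies, target, pkt, path)
            if verdict is not None:
                return verdict
        # LOG, or a user chain that fell through, does not end traversal
    policy = policies[chain]                    # "-" for user-defined chains
    if policy in TERMINAL:                      # built-in chain: its policy decides
        path.append(f"{chain}: policy {policy}")
        return policy
    return None

def verdict_for(pkt, ruleset=RULESET):
    """(verdict, path) for a packet entering the INPUT chain of `ruleset`."""
    policies, chains = parse_ruleset(ruleset)
    path = []
    return trace(chains, policies, "INPUT", pkt, path), path

if __name__ == "__main__":
    smb = Packet("192.168.1.101", "192.168.1.100", "tcp", "eth0", dport=445)
    nbns = Packet("192.168.1.101", "192.168.1.255", "udp", "eth0", dport=137)
    for label, pkt in [("SMB connect from .101 on eth0", smb), ("same packet on wlan0", replace(smb, iface="wlan0")),
                       ("NetBIOS name query to broadcast", nbns), ("SMB connect from .102", replace(smb, src="192.168.1.102"))]:
        verdict, path = verdict_for(pkt)
        print(f"{label}: {verdict}  [{' -> '.join(path)}]")
```

<p><small>On the firewall host itself the same question is answered by the packet counters of <tt>iptables -L INPUT -v -n</tt> and <tt>iptables -L INBOUND -v -n</tt>, read while the other machine retries the share, and by the "Unknown Input" and "Inbound " prefixes in the kernel log, which this ruleset writes (rate-limited) for every packet that reaches one of its LOG rules instead of an ACCEPT.</small></p>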
</body>
</html>