How to configure IPTables in suse linux

Super Advisor
senthil_kumar_1
Posts: 901
Registered: 03-02-2009
Message 1 of 9

How to configure IPTables in suse linux

Hi All,

There is one SUSE Linux 9 (SLES 9) server running the Samba service.

Sometimes I am not able to write or copy files under the Samba shares; it happens continuously.

Therefore I checked the log and found the following.

# grep -i "getpeername failed" messages
Jun 23 04:35:05 emdlagas71 smbd[30186]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:05 emdlagas71 smbd[30187]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:05 emdlagas71 smbd[30197]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:07 emdlagas71 smbd[30213]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:45 emdlagas71 smbd[30516]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:45 emdlagas71 smbd[30518]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:46 emdlagas71 smbd[30519]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:50 emdlagas71 smbd[30527]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:58 emdlagas71 smbd[32657]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:58 emdlagas71 smbd[32660]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:59 emdlagas71 smbd[32661]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:59 emdlagas71 smbd[32665]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32667]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32673]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32676]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:01 emdlagas71 smbd[32679]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:35:05 emdlagas71 smbd[1492]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:35:06 emdlagas71 smbd[1493]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:40:46 emdlagas71 smbd[1817]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:40:47 emdlagas71 smbd[1819]: getpeername failed. Error was Transport endpoint is not connected


I searched for a solution on Google and found the following.

http://lists.samba.org/archive/samba/2004-April/084048.html


Therefore, as per the above solution, I tried to add the following entry to iptables.


I have done the following steps:

Step 1: Added that rule

#iptables -I INPUT 1 -p tcp --dport 445 -j DROP

Step 2: Saved iptables

# iptables-save

Step 3: Started the firewall

# /sbin/SuSEfirewall2 start


After that I was not able to connect to my server through SSH.


So I connected to the server through the console and checked.

# iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable


My Questions:

1) I have added only one single rule; how were those rules added?

2) I want to block port 445 only and allow all other traffic; how do I do that?

3) Are my steps of adding the rule, saving iptables and starting iptables (the firewall) correct?


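The listing in the post above is the ruleset SuSEfirewall2 generates (the input_ext chain and the SFW2- log prefixes are its fingerprints), and the dport 445 DROP rule the poster inserted is not in it. The script below is an added example, not from the thread: it audits an iptables-save dump for both facts. The two dumps are constructed to mirror the listing; the temporary directory and the eth0 interface name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an iptables-save dump to
# answer "is my port-445 rule actually loaded?" and "who owns this ruleset?".
# The two dumps below are constructed to mirror the listing in the post.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/fwaudit.XXXXXX")

# Constructed: roughly what iptables-save prints for the SuSEfirewall2 ruleset
# shown in the post. Note: there is no rule for dport 445 anywhere in it.
SFW2_DUMP=$WORK/sfw2.rules
cat > "$SFW2_DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
COMMIT
EOF

# Constructed: a plain ruleset where `iptables -I INPUT 1 -p tcp --dport 445 -j DROP`
# has actually taken effect (iptables-save spells it out with an explicit -m tcp).
PLAIN_DUMP=$WORK/plain.rules
cat > "$PLAIN_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 445 -j DROP
COMMIT
EOF

# sfw2_managed DUMP: succeed if SuSEfirewall2 built this ruleset (its input_ext
# chain or its SFW2- log prefixes are present).
sfw2_managed() {
    grep -Eq '^:input_ext |SFW2-' "$1"
}

# port_rule_present DUMP CHAIN PORT TARGET: succeed if CHAIN holds a tcp rule
# for destination PORT that jumps to TARGET.
port_rule_present() {
    grep -Eq -- "^-A $2 .*-p tcp .*--dport $3( |$).*-j $4( |$)" "$1"
}

# audit_port_rule DUMP PORT TARGET: 0 = rule loaded, 1 = missing on a plain
# ruleset, 2 = missing because SuSEfirewall2 owns the tables (on start it
# rebuilds the whole ruleset from /etc/sysconfig/SuSEfirewall2, discarding
# anything added by hand with iptables, which is what happened in the post).
audit_port_rule() {
    if port_rule_present "$1" INPUT "$2" "$3"; then
        echo "rule tcp/$2 -> $3 is loaded in INPUT"
        return 0
    fi
    if sfw2_managed "$1"; then
        echo "tcp/$2 -> $3 missing; SuSEfirewall2 owns this ruleset, hand-added rules do not survive its start"
        return 2
    fi
    echo "tcp/$2 -> $3 missing from INPUT"
    return 1
}

# Live use (as root): iptables-save > /tmp/live.rules; audit_port_rule /tmp/live.rules 445 DROP
audit_port_rule "$SFW2_DUMP" 445 DROP || true
audit_port_rule "$PLAIN_DUMP" 445 DROP
```

Note that `iptables-save` on its own only prints the live ruleset to the terminal; it persists nothing, and on SUSE the persistent configuration is /etc/sysconfig/SuSEfirewall2, not a saved dump.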

Honored Contributor
Michal Kapalka (mikap)
Posts: 2,683
Registered: 08-19-2007
Message 2 of 9

Re: How to configure IPTables in suse linux

Honored Contributor
P Muralidhar Kini
Posts: 897
Registered: 03-14-2010
Message 3 of 9

Re: How to configure IPTables in suse linux

Hi Senthil,

Some more links-
http://www.topology.org/linux/fwsuse.html
http://www.linux.com/archive/feed/44818

Hope this helps.

Regards,
Murali
Let There Be Rock - AC/DC
Honored Contributor
Ivan Ferreira
Posts: 6,957
Registered: 05-07-2004
Message 4 of 9

Re: How to configure IPTables in suse linux

SUSE firewall configuration is done in a different way; you must use /etc/sysconfig/SuSEfirewall2.

Doing DROP is not good; you probably want to do REJECT, or your connections will hang for a while.

You can just add the following option to your configuration file instead of using a firewall:

smb ports = 139

And disable your firewall.

I had a similar problem and was solved by using:

server signing = mandatory

Cheers.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
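The reply above names two files, /etc/sysconfig/SuSEfirewall2 and smb.conf. The script below is an added example, not from the thread: it stages both changes in a scratch directory instead of touching the live files, so they can be inspected before rollout. The interface name eth0, the staging directory and the sample smb.conf are assumptions; the FW_* variable names are the standard ones in /etc/sysconfig/SuSEfirewall2.

```shell
#!/bin/sh
# Added example (not from the original thread): stage the two files the reply
# points at without touching the live ones. eth0 and the sample smb.conf are
# assumptions/constructed.

STAGE=$(mktemp -d "${TMPDIR:-/tmp}/sfw2stage.XXXXXX")

# SuSEfirewall2 is allow-list based: anything not named in FW_SERVICES_EXT_*
# is dropped on the external zone, so "block 445" is simply "do not list 445".
cat > "$STAGE/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth0"
# ssh so you can still log in, 139 for NetBIOS-session SMB; 445 deliberately absent.
FW_SERVICES_EXT_TCP="ssh 139"
FW_SERVICES_EXT_UDP="137 138"
# "allow everything except 445" is written the same way, as two port ranges:
# FW_SERVICES_EXT_TCP="1:444 446:65535"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
EOF

# set_smb_global FILE KEY VALUE: set KEY in the [global] section of a Samba
# config, replacing an existing line or inserting one, so running it twice
# does not leave two "smb ports" lines behind.
set_smb_global() {
    awk -v k="$2" -v v="$3" '
        /^[[:space:]]*\[/ {
            if (inglobal && !done) { print "   " k " = " v; done = 1 }
            inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/)
            print; next
        }
        inglobal && tolower($0) ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            if (!done) { print "   " k " = " v; done = 1 }
            next
        }
        { print }
        END { if (inglobal && !done) print "   " k " = " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_smb_global FILE KEY: print the value of KEY from [global] (empty if unset).
get_smb_global() {
    awk -v k="$2" '
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        inglobal && tolower($0) ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# Constructed sample smb.conf; smbd's default is to listen on both 445 and 139.
cat > "$STAGE/smb.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   smb ports = 445 139

[homes]
   browseable = no
   writable = yes
EOF

# With smb ports = 139 smbd no longer listens on 445 at all, which takes the
# port out of the firewall question; server signing = mandatory is the other
# setting from the reply.
set_smb_global "$STAGE/smb.conf" "smb ports" "139"
set_smb_global "$STAGE/smb.conf" "server signing" "mandatory"

# Real rollout: copy the staged files into place, then
#   testparm -s && rcsmb restart && rcSuSEfirewall2 restart
echo "staged files in $STAGE"
```

Sourcing the staged sysconfig file is a cheap sanity check before restarting the firewall: it is plain shell syntax, so a stray quote or an accidental 445 in FW_SERVICES_EXT_TCP shows up without locking yourself out of SSH.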
Super Advisor
senthil_kumar_1
Posts: 901
Registered: 03-02-2009
Message 5 of 9

Re: How to configure IPTables in suse linux

Hi All,

Still I am not clear.

Please explain to me how to do this.

1) I want to block port 445 only and allow all other traffic; how do I do that?
Super Advisor
senthil_kumar_1
Posts: 901
Registered: 03-02-2009
Message 6 of 9

Re: How to configure IPTables in suse linux

Hi Ivan Ferreira,

Do you want me to add the following lines to /etc/samba/smb.conf and restart Samba?

smb ports = 139
server signing = mandatory


My Questions:

1) After doing the above, will I no longer get the error message "getpeername failed. Error was Transport endpoint is not connected" in /var/log/messages?

2) Will it really resolve the file copy and write issue on Samba shares from the XP Samba client?
Honored Contributor
Ivan Ferreira
Posts: 6,957
Registered: 05-07-2004
Message 7 of 9

Re: How to configure IPTables in suse linux

1) After doing the above, will I no longer get the error message "getpeername failed. Error was Transport endpoint is not connected" in /var/log/messages?

It should, as it won't be listening on that port, but anyway, the port used nowadays is 445.

2) Will it really resolve the file copy and write issue on Samba shares from the XP Samba client?

Not sure.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Honored Contributor
P Muralidhar Kini
Posts: 897
Registered: 03-14-2010
Message 8 of 9

Re: How to configure IPTables in suse linux

Hi Senthil,

>> 1) I want to block port 445 only and allow all other traffic; how do I do that?
To block a particular TCP port in Linux, use an iptables rule as follows:
#iptables -A INPUT -p tcp --destination-port PORT-NUMBER -j DROP

For example, to block port 22 for everyone:
#iptables -A INPUT -p tcp --destination-port 22 -j DROP

Now let us say you want to block port 22 for everyone except IP 202.65.11.10:
#iptables -A INPUT -p tcp --destination-port 22 -s \! 202.65.11.10 -j DROP

To block UDP ports, use the -p udp option:
#iptables -A INPUT -p udp --destination-port PORT-NUMBER -j DROP

Link-
http://nixcraft.com/linux-software/479-blocking-ports-linux.html

Hope this helps.

Regards,
Murali
Let There Be Rock - AC/DC
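The rules in the reply above use DROP and, for the exception, the old intrapositioned negation (`-s ! ADDR`, deprecated in later iptables in favour of `! -s ADDR`). The script below is an added example, not from the thread: it packages the same idea as a block/unblock pair using REJECT with a TCP reset (so clients fail immediately instead of retrying until a timeout, the hang the earlier reply warns about) and an allow-list of sources placed above the reject, which sidesteps the negation syntax entirely. `IPTABLES` can be pointed at `echo` for a dry run; the trusted address 203.0.113.10 is a made-up documentation address, and the SuSEfirewall2 hook name in the comments is assumed from its custom-script template.

```shell
#!/bin/sh
# Added example (not from the original thread): block a TCP port for everyone
# except an allow-list, with REJECT/tcp-reset instead of DROP. Set IPTABLES=echo
# for a dry run. 203.0.113.10 below is a documentation address, not a real host.

IPTABLES=${IPTABLES:-iptables}

# block_tcp_port PORT [TRUSTED_SRC ...]
# Order matters: every -I INPUT 1 lands at the top of the chain, so the reject
# is inserted first and each exception inserted afterwards ends up above it.
block_tcp_port() {
    port=$1; shift
    # tcp-reset: the client gets a RST and gives up at once; DROP would leave
    # it retransmitting SYNs for a long time.
    "$IPTABLES" -I INPUT 1 -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    for src in "$@"; do
        "$IPTABLES" -I INPUT 1 -p tcp -s "$src" --dport "$port" -j ACCEPT
    done
}

# unblock_tcp_port PORT [TRUSTED_SRC ...]: delete exactly the rules added above
# (same argument list), leaving the rest of the chain untouched.
unblock_tcp_port() {
    port=$1; shift
    for src in "$@"; do
        "$IPTABLES" -D INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT
    done
    "$IPTABLES" -D INPUT -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
}

# Persistence:
#  - plain iptables host: run block_tcp_port from a boot script, or
#    iptables-save > /some/file and iptables-restore < /some/file at boot.
#  - SuSEfirewall2 host: its start flushes hand-added rules, so call
#    block_tcp_port from the custom hook script named by FW_CUSTOMRULES in
#    /etc/sysconfig/SuSEfirewall2 (hook function names such as
#    fw_custom_before_port_handling are assumed; check your version's template).

# Dry run: print the commands instead of executing them (subshell keeps the
# IPTABLES override local).
( IPTABLES=echo; block_tcp_port 445 203.0.113.10 )
```

Run as root with `IPTABLES` unset to apply for real; `iptables -L INPUT -n --line-numbers` afterwards should show the ACCEPT exception on line 1 and the REJECT on line 2.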
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: 08-15-2002
Message 9 of 9

Re: How to configure IPTables in suse linux

Shalom,

Samba needs ports 445 and 139 minimally. See /etc/services for more.

You might try a firewall GUI if your version of SUSE has it, or take a look at Firestarter for basic configuration. Firestarter is orphaned, but is very helpful.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com