
    Tuesday, September 24, 2013

    iptables rules for Samba 4 in Red Hat Linux

    In my earlier articles I explained step by step how to configure Samba 4 and Samba 4.1 as an Active Directory domain controller on Red Hat Linux; the links are at the bottom of this page.

    In those guides I had disabled the firewall, which cannot be considered acceptable in any production environment where security matters. So let me show you the iptables rules you should apply on your domain controller instead.

    The ports a Samba 4 domain controller needs are listed below (collected from Microsoft's port requirements page for Active Directory domain controllers):

    Protocol and port    | Usage                                                                          | Type of traffic
    ---------------------|--------------------------------------------------------------------------------|------------------------------------------
    TCP and UDP 389      | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP
    TCP and UDP 88       | User and computer authentication, forest level trusts                          | Kerberos
    TCP and UDP 53       | User and computer authentication, name resolution, trusts                      | DNS
    TCP and UDP 445      | Replication, user and computer authentication, Group Policy, trusts            | SMB, CIFS, SMB2
    TCP 135              | Replication                                                                    | RPC
    TCP 5722             | File replication                                                               | RPC, DFSR (SYSVOL)
    UDP 123              | Windows Time, trusts                                                           | Windows Time
    TCP and UDP 464      | Replication, user and computer authentication, trusts                          | Kerberos change/set password
    UDP dynamic          | Group Policy                                                                   | DCOM, RPC, EPM
    UDP 138              | DFS, Group Policy                                                              | DFSN, NetLogon, NetBIOS Datagram Service
    TCP 9389             | AD DS Web Services                                                             | SOAP
    UDP 67 and UDP 2535  | DHCP                                                                           | DHCP
    UDP 137              | User and computer authentication                                               | NetLogon, NetBIOS Name Resolution
    TCP 139              | User and computer authentication, replication                                  | DFSN, NetBIOS Session Service, NetLogon

    This is Microsoft's list for a Windows domain controller, so two corrections apply when you use it for Samba. TCP 5722 (DFS-R replication of SYSVOL) and TCP 9389 (AD DS Web Services) are not implemented by Samba 4, and UDP 67/2535 belong to a DHCP server, which is a separate daemon; none of these needs to be open on a Samba DC. In the other direction the list omits ports a Samba DC does listen on: TCP 636 (LDAPS), TCP 3268 and 3269 (Global Catalog), and the dynamic TCP port range that the endpoint mapper on port 135 hands out for RPC replication between domain controllers (TCP 1024-1300 in Samba 4.0 to 4.6; from Samba 4.7 the "rpc server dynamic port range" setting, default 49152-65535). Only the first DC in a domain can do without the dynamic range.
    There are two ways to write the rules:
    1. one rule per port
    2. one rule covering all the ports
    The first way is lengthy and boring, but the per-port counters and log prefixes make it much easier to troubleshoot and debug problems later; for a test box the second, shorter method is fine.

    Creating individual rules for all the required ports


    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 389 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 88 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 135 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 5722 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 464 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 9389 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT

    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 389 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 88 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 445 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 464 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 138 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 67 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 2535 -j ACCEPT
    # iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 137 -j ACCEPT

    So as you can see, the rules are in two sections: the first accepts TCP connections from 192.168.0.0/24 on the listed ports and the second does the same for UDP. Two things to keep in mind: `-I` inserts each rule at the top of the INPUT chain, so they land ahead of the REJECT rule that the default Red Hat firewall keeps at the end of the chain, and without such a terminating DROP or REJECT after them the ACCEPT rules change nothing. Also, these commands only change the rules in the running kernel; save them to /etc/sysconfig/iptables afterwards or they are gone at the next reboot.

    The rules are in place, but how do you verify that they work, and how do you debug problems with them?
    It is always advisable to give iptables a separate log file.

    You can follow the link below for more help on configuring a log file for iptables, as I will be brief here.


    Here we keep the log rules in a chain of their own and have the INPUT chain hand packets to it:

    # iptables -N LOGGER
    # iptables -I INPUT 1 -s 192.168.0.0/24 -j LOGGER

    The first command creates the LOGGER chain and the second, inserted at position 1 so that it runs before the ACCEPT rules, sends every packet from 192.168.0.0/24 through it. LOG is a non-terminating target: a packet that matches a LOG rule is written to the kernel log and then continues down the LOGGER chain and, once that chain is exhausted, returns to INPUT, where the ACCEPT rules decide its fate. The kernel emits these messages through syslog, so they only end up in /var/log/firewall.log (the file used in this article) if rsyslog has been configured to route messages carrying these prefixes there, which is what the iptables log file article covers.

    # iptables -I LOGGER -p tcp --dport 389 -j LOG --log-prefix="LDAP:  "
    # iptables -I LOGGER -p tcp --dport 88 -j LOG --log-prefix="Kerberos:  "
    # iptables -I LOGGER -p tcp --dport 53 -j LOG --log-prefix="DNS:  "
    # iptables -I LOGGER -p tcp --dport 445 -j LOG --log-prefix="SMB:  "
    # iptables -I LOGGER -p tcp --dport 135 -j LOG --log-prefix="RPC:  "
    # iptables -I LOGGER -p tcp --dport 5722 -j LOG --log-prefix="SYSVOL:  "
    # iptables -I LOGGER -p tcp --dport 464 -j LOG --log-prefix="Kerberos pswd:  "
    # iptables -I LOGGER -p tcp --dport 9389 -j LOG --log-prefix="SOAP:  "
    # iptables -I LOGGER -p tcp --dport 139 -j LOG --log-prefix="NetLogon:  "

    # iptables -I LOGGER -p udp --dport 389 -j LOG --log-prefix="LDAP:  "
    # iptables -I LOGGER -p udp --dport 88 -j LOG --log-prefix="Kerberos:  "
    # iptables -I LOGGER -p udp --dport 53 -j LOG --log-prefix="DNS:  "
    # iptables -I LOGGER -p udp --dport 445 -j LOG --log-prefix="SMB:  "
    # iptables -I LOGGER -p udp --dport 464 -j LOG --log-prefix="Kerberos pswd:  "
    # iptables -I LOGGER -p udp --dport 138 -j LOG --log-prefix="Group Policy:  "
    # iptables -I LOGGER -p udp --dport 67 -j LOG --log-prefix="DHCP:  "
    # iptables -I LOGGER -p udp --dport 2535 -j LOG --log-prefix="DHCP:  "
    # iptables -I LOGGER -p udp --dport 137 -j LOG --log-prefix="NetBIOS:  "

    In case you want to deny all traffic to your domain controller except from 192.168.0.0/24:

    NOTE: This rule is dangerous in a production environment. Inserted at the top of INPUT it matches before everything else, so besides blocking every other network range it also drops loopback traffic (127.0.0.1 is not in 192.168.0.0/24), which breaks local clients of the DC's own DNS and LDAP, and it drops the replies to connections the server itself opens to hosts outside the subnet (package updates, NTP, DNS forwarders). If you use it, first insert rules above it that accept the loopback interface and established or related connections.
    # iptables -I INPUT ! -s 192.168.0.0/24 -j DROP

    Creating a single rule for multiple ports


    # iptables -I INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 389,88,53,445,135,5722,464,9389,139 -j ACCEPT

    # iptables -I INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 389,88,53,445,464,138,67,2535,137 -j ACCEPT


    So as you can see, one rule per protocol now covers all the ports, with TCP and UDP kept separate.

    For logging you can either use the per-port LOGGER rules from the previous section (advised, because each prefix tells you which service was hit) or the two rules below, which tag every packet only as TCP or UDP:
    # iptables -I INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 389,88,53,445,135,5722,464,9389,139 -j LOG --log-prefix="TCP_LOG:  "

    # iptables -I INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 389,88,53,445,464,138,67,2535,137 -j LOG --log-prefix="UDP_LOG:  "
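    The following script is an added example and not part of the original article or of Samba: it emits the complete ruleset this article builds up (loopback and reply traffic, the multiport ACCEPT rules, a LOGGER chain with one prefix per service, and a final drop) as a single iptables-restore file, so that it can be loaded atomically and saved as /etc/sysconfig/iptables instead of being typed as a series of `iptables -I` commands. It goes beyond the article's rules in three ways that the caveats above call for: the loopback and ESTABLISHED,RELATED accepts come first, only the first packet of a connection is logged and every LOG rule is rate limited, and the port list is the Samba one (TCP 5722, 9389 and the DHCP ports dropped; 636, 3268 and 3269 added). Assumed, not from the page: the LAN 192.168.0.0/24 (overridable through `$LAN`), the `FW_DROP:` prefix, and that the DC serves DNS itself.

```shell
#!/bin/sh
# Added example, not from the original article: emit the whole ruleset as one
# iptables-restore file.  Assumptions (mine, not the page's): the trusted LAN
# is 192.168.0.0/24 unless $LAN says otherwise, and the DC runs Samba's own
# DNS, so port 53 is served by the DC itself.

LAN="${LAN:-192.168.0.0/24}"

# Ports from the article's table, restricted to what a Samba AD DC serves:
# TCP 5722 (DFS-R) and 9389 (AD Web Services) are Windows-only and UDP
# 67/2535 belong to a DHCP server.  TCP 636 and 3268/3269 (LDAPS, Global
# Catalog) are added because Samba listens on them although the list omits them.
TCP_PORTS="53,88,135,139,389,445,464,636,3268,3269"
UDP_PORTS="53,88,123,137,138,389,464"

# samba_dc_rules LAN  -> iptables-restore text on stdout
samba_dc_rules() {
    lan="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGER - [0:0]
# Loopback and reply traffic first: a bare "! -s LAN -j DROP" rule would cut
# off 127.0.0.1 and the replies to the DC's own outbound connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Only the first packet of a connection from the LAN is logged (one prefix per
# service in LOGGER); the multiport rules then decide.
-A INPUT -s $lan -m state --state NEW -j LOGGER
-A INPUT -s $lan -p tcp -m multiport --dports $TCP_PORTS -j ACCEPT
-A INPUT -s $lan -p udp -m multiport --dports $UDP_PORTS -j ACCEPT
-A INPUT -s $lan -p icmp --icmp-type echo-request -j ACCEPT
# Everything else, from any subnet, is logged (rate limited) and then falls
# through to the DROP policy of the chain.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW_DROP: " --log-level 4
EOF
    # LOGGER chain: rate limited so that a port scan cannot fill /var/log.
    for spec in \
        "tcp 389 LDAP" "udp 389 CLDAP" "tcp 636 LDAPS" \
        "tcp 3268 GC" "tcp 3269 GC-SSL" \
        "tcp 88 Kerberos" "udp 88 Kerberos" \
        "tcp 464 kpasswd" "udp 464 kpasswd" \
        "tcp 53 DNS" "udp 53 DNS" "udp 123 NTP" \
        "tcp 445 SMB" "tcp 135 RPC-EPM" "tcp 139 NetBIOS-session" \
        "udp 137 NetBIOS-name" "udp 138 NetBIOS-datagram"
    do
        set -- $spec
        printf '%s -p %s --dport %s -m limit --limit 30/min --limit-burst 50 -j LOG --log-prefix "%s: "\n' \
            "-A LOGGER" "$1" "$2" "$3"
    done
    printf '%s\n' "-A LOGGER -j RETURN" "COMMIT"
}

# Usage: sh samba-dc-rules.sh --print > /tmp/samba-dc.rules
if [ "${1:-}" = "--print" ]; then
    samba_dc_rules "$LAN"
fi
```

    Review the generated file, load it with `iptables-restore` while you still have console access, confirm that a client can join and log on, and only then copy it to /etc/sysconfig/iptables so the iptables service restores it at boot. If you run a second domain controller, add the dynamic RPC port range mentioned in the port table to `TCP_PORTS`, otherwise replication between the DCs will fail.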


    For testing I applied the multiport rules and the multiport log rules on my machine; the resulting entries in the log file are shown below. Note that these log rules carry no state match, so every packet is logged, including the ACK and FIN packets of sessions that were already established, and the NetBIOS name service broadcast from 192.168.0.148 to 192.168.0.255 is logged as well.
    # cat /var/log/firewall.log
    Sep 24 15:07:31 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3224 DF PROTO=TCP SPT=1181 DPT=389 WINDOW=64912 RES=0x00 ACK FIN URGP=0

    Sep 24 15:07:32 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3262 DF PROTO=TCP SPT=65107 DPT=53 WINDOW=65460 RES=0x00 ACK FIN URGP=0

    Sep 24 15:07:32 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3248 DF PROTO=TCP SPT=1173 DPT=445 WINDOW=64343 RES=0x00 ACK URGP=0

    Sep 24 15:07:32 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=342 TOS=0x00 PREC=0x00 TTL=128 ID=3249 PROTO=UDP SPT=1191 DPT=88 LEN=322

    Sep 24 15:07:39 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=3276 DF PROTO=TCP SPT=1187 DPT=135 WINDOW=65311 RES=0x00 ACK URGP=0

    Sep 24 15:07:39 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:8a:13:1c:08:00 SRC=192.168.0.148 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15968 PROTO=UDP SPT=137 DPT=137 LEN=58

    Sep 24 15:07:39 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=318 TOS=0x00 PREC=0x00 TTL=128 ID=3278 PROTO=UDP SPT=138 DPT=138 LEN=298
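    Reading a log like the one above by eye stops working after the first day, so here is an added example (not from the original article) of turning the LOG lines into the two answers a firewall log should give: which services are actually being hit from the LAN, and which sources outside the trusted range are knocking on the domain controller. It assumes that rsyslog already routes the prefixed kernel messages to /var/log/firewall.log, that dropped packets are logged with a prefix of their own (`FW_DROP:` is an assumed name), and it checks the trusted range by dotted prefix (`192.168.0.`), which is good enough for a /24 but not for other mask lengths. The sample lines are constructed in the article's log format; they are not a real capture.

```shell
#!/bin/sh
# Added example, not from the original article: summarise iptables LOG lines.
# The sample lines below are constructed in the article's log format (two
# accepted LDAP connections, one Kerberos, one SMB, one NetBIOS broadcast and
# two dropped probes from an assumed outside host); they are not a capture.

SAMPLE_LOG='Sep 24 15:07:31 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3224 DF PROTO=TCP SPT=1181 DPT=389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 24 15:07:31 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3230 DF PROTO=TCP SPT=1185 DPT=389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 24 15:07:32 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=342 TOS=0x00 PREC=0x00 TTL=128 ID=3249 PROTO=UDP SPT=1191 DPT=88 LEN=322
Sep 24 15:07:32 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3248 DF PROTO=TCP SPT=1173 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 24 15:07:39 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:8a:13:1c:08:00 SRC=192.168.0.148 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15968 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 24 15:09:02 test kernel: FW_DROP: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:0c:29:aa:bb:cc:08:00 SRC=10.20.30.40 DST=192.168.0.61 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 24 15:09:02 test kernel: FW_DROP: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:0c:29:aa:bb:cc:08:00 SRC=10.20.30.40 DST=192.168.0.61 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=54322 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0'

# fw_log_summary [file...]   -> "hits prefix proto dport", most hits first.
# Reads stdin when no file is given.
fw_log_summary() {
    awk '
    /kernel: / {
        prefix = $0
        sub(/.*kernel: +/, "", prefix)     # drop the syslog header
        sub(/ +IN=.*/, "", prefix)         # keep only the --log-prefix text
        proto = "-"; dport = "-"
        for (i = 1; i <= NF; i++) {        # pick the key=value fields we need
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dport = substr($i, 5)
        }
        hits[prefix " " proto " " dport]++
    }
    END { for (k in hits) print hits[k], k }' "$@" | sort -rn
}

# fw_log_outside LAN_PREFIX [file...] -> "hits source" for every SRC whose
# address does not start with LAN_PREFIX, e.g. fw_log_outside 192.168.0.
fw_log_outside() {
    lan="$1"; shift
    awk -v lan="$lan" '
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) {
                src = substr($i, 5)
                if (index(src, lan) != 1) hits[src]++
            }
    }
    END { for (s in hits) print hits[s], s }' "$@" | sort -rn
}

# Usage on a real box:
#   fw_log_summary /var/log/firewall.log
#   fw_log_outside 192.168.0. /var/log/firewall.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
    printf '%s\n' "$SAMPLE_LOG" | fw_log_outside 192.168.0.
fi
```

    The prefix is whatever sits between `kernel:` and `IN=`, so the per-service prefixes from the LOGGER chain (`LDAP:`, `Kerberos pswd:`, and so on) and the coarse `TCP_LOG:`/`UDP_LOG:` ones both work; with the per-service prefixes the summary directly tells you which service a client used, which is why the article advises them.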



    Related Articles
    Samba 4.1 as Active Directory configuration guide

