iptables rules for Samba 4 in Red Hat Linux

In my earlier articles I explained step by step the configuration of Samba 4 and Samba 4.1 on Red Hat Linux; the links can be found at the bottom of this page.
In those guides I had disabled the firewall, which obviously cannot be considered secure in any production environment where security is the main concern. So let me show you some iptables rules which you should apply on your domain controller.

The ports required by a Samba 4 domain controller are listed below (collected from Microsoft's Active Directory port requirements page, so this is the Windows DC list).

Protocols and Ports    Usage                                                                           Type of Traffic
TCP and UDP 389        Directory, Replication, User and Computer Authentication, Group Policy, Trusts   LDAP
TCP and UDP 88         User and Computer Authentication, Forest Level Trusts                            Kerberos
TCP and UDP 53         User and Computer Authentication, Name Resolution, Trusts                        DNS
TCP and UDP 445        Replication, User and Computer Authentication, Group Policy, Trusts              SMB, CIFS, SMB2
TCP 135                Replication                                                                      RPC
TCP 5722               File Replication                                                                 RPC, DFSR (SYSVOL)
UDP 123                Windows Time, Trusts                                                             Windows Time
TCP and UDP 464        Replication, User and Computer Authentication, Trusts                            Kerberos change/set password
UDP Dynamic            Group Policy                                                                     DCOM, RPC, EPM
UDP 138                DFS, Group Policy                                                                DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389               AD DS Web Services                                                               SOAP
UDP 67 and UDP 2535    DHCP                                                                             DHCP
UDP 137                User and Computer Authentication                                                 NetLogon, NetBIOS Name Resolution
TCP 139                User and Computer Authentication, Replication                                    DFSN, NetBIOS Session Service, NetLogon

A few caveats before turning this into rules. The Microsoft table also has a "TCP Dynamic" row (RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR) that this excerpt omits; the endpoint mapper on TCP 135 hands clients a port from that range, and Samba's own port list for the AD DC gives it as TCP 49152-65535, so domain joins and replication fail if only 135 is open. Samba's list additionally includes TCP 636 (LDAPS) and TCP 3268/3269 (Global Catalog). In the other direction, Samba does not implement DFS-R, so TCP 5722 is unused; UDP 67 and 2535 only matter if the DC also runs a DHCP server; and UDP 123 is only needed if clients take their time from the DC.

There are two ways to configure the rules:

  1. Create an individual rule for each port
  2. Create a single rule covering all the ports

The first way is lengthy and tedious, but I believe it is more helpful in the long run for troubleshooting and debugging; just for test purposes you can use the second, easier method.

Creating individual rules for all the required ports

# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 88 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 135 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 5722 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 464 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 9389 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT

# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 389 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 88 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 445 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 464 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 138 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 67 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 2535 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 137 -j ACCEPT

The rules are in two groups: the first accepts the TCP ports from 192.168.0.0/24, the second the UDP ports. Because -I inserts each rule at the top of the chain, iptables -L INPUT -n --line-numbers lists them in reverse order of entry; that is harmless here because every rule is an ACCEPT. Note that on their own these rules change nothing while the INPUT policy is ACCEPT; they only take effect once unmatched traffic is dropped (see the DROP rule further down). Note also that UDP 123 from the table is not opened here, and that rules added with the iptables command are lost at reboot unless you run service iptables save, which writes them to /etc/sysconfig/iptables.

The rules are in place, but how do you verify that they are working, and how will you debug problems with them?
It is always advisable to send firewall hits to a separate log file. The LOG target writes through the kernel log (syslog facility kern), so its entries land in /var/log/messages or dmesg unless rsyslog is configured to route them to a dedicated file; the examples below assume such a file at /var/log/firewall.log.
You can follow the below link for more help on configuring a log file for iptables, as I will be very brief here.

Here we split the rules into sub-chains, with a separate chain holding all the log rules:
# iptables -N LOGGER
# iptables -I INPUT 1 -s 192.168.0.0/24 -j LOGGER

The first command creates a new user-defined chain; the second inserts a jump to it at position 1 of INPUT, so every packet from 192.168.0.0/24 is evaluated against LOGGER before any ACCEPT rule. LOG is a non-terminating target: a matching packet is written to the log (for us /var/log/firewall.log), continues through the rest of LOGGER, and then returns to INPUT where the ACCEPT rules apply. Without a rate limit (the limit match) a chatty client can flood the log, so add one in production.
# iptables -I LOGGER -p tcp --dport 389 -j LOG --log-prefix "LDAP:  "
# iptables -I LOGGER -p tcp --dport 88 -j LOG --log-prefix "Kerberos:  "
# iptables -I LOGGER -p tcp --dport 53 -j LOG --log-prefix "DNS:  "
# iptables -I LOGGER -p tcp --dport 445 -j LOG --log-prefix "SMB:  "
# iptables -I LOGGER -p tcp --dport 135 -j LOG --log-prefix "RPC:  "
# iptables -I LOGGER -p tcp --dport 5722 -j LOG --log-prefix "SYSVOL:  "
# iptables -I LOGGER -p tcp --dport 464 -j LOG --log-prefix "Kerberos pswd:  "
# iptables -I LOGGER -p tcp --dport 9389 -j LOG --log-prefix "SOAP:  "
# iptables -I LOGGER -p tcp --dport 139 -j LOG --log-prefix "NetLogon:  "

# iptables -I LOGGER -p udp --dport 389 -j LOG --log-prefix "LDAP:  "
# iptables -I LOGGER -p udp --dport 88 -j LOG --log-prefix "Kerberos:  "
# iptables -I LOGGER -p udp --dport 53 -j LOG --log-prefix "DNS:  "
# iptables -I LOGGER -p udp --dport 445 -j LOG --log-prefix "SMB:  "
# iptables -I LOGGER -p udp --dport 464 -j LOG --log-prefix "Kerberos pswd:  "
# iptables -I LOGGER -p udp --dport 138 -j LOG --log-prefix "Group Policy:  "
# iptables -I LOGGER -p udp --dport 67 -j LOG --log-prefix "DHCP:  "
# iptables -I LOGGER -p udp --dport 2535 -j LOG --log-prefix "DHCP:  "
# iptables -I LOGGER -p udp --dport 137 -j LOG --log-prefix "NetBIOS:  "

If you want to deny all other traffic to your domain controller except from 192.168.0.0/24:

NOTE: This rule can be dangerous in a production environment. Inserted at the top of INPUT it drops everything from any other range, including replies to connections the DC itself opened (for example to a DNS forwarder or a replication partner on another subnet) and your own SSH session if you administer from elsewhere. It also matches loopback traffic, since 127.0.0.1 is not in 192.168.0.0/24, so anything on the DC that talks to itself via localhost (a resolv.conf pointing at 127.0.0.1, for instance) breaks. Accept traffic on the lo interface and ESTABLISHED,RELATED connections before this rule, or use a DROP policy on INPUT instead.
# iptables -I INPUT ! -s 192.168.0.0/24 -j DROP

Creating a single rule for multiple ports

# iptables -I INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 389,88,53,445,135,5722,464,9389,139 -j ACCEPT

# iptables -I INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 389,88,53,445,464,138,67,2535,137 -j ACCEPT

As you can see, one multiport rule per protocol (one for TCP, one for UDP) replaces the eighteen individual rules. The trade-off is that iptables -L INPUT -v then shows a single packet counter per protocol instead of one per port, which is why the per-port rules are easier to debug.
For logging you can either use the per-port rules above (advised) or the two multiport rules below:

# iptables -I INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 389,88,53,445,135,5722,464,9389,139 -j LOG --log-prefix="TCP_LOG:  "

# iptables -I INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 389,88,53,445,464,138,67,2535,137 -j LOG --log-prefix="UDP_LOG:  "
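As an added example, not code from the original article, the shell function below turns the port table and the rules from both methods into one complete ruleset in iptables-restore format, the file that service iptables save writes to /etc/sysconfig/iptables. It adds the pieces the individual rules leave out: ACCEPT for loopback and for established connections before anything is dropped, a DROP policy on INPUT instead of the inverted-source DROP rule, rate-limited LOG rules in the LOGGER chain, and the dynamic TCP RPC range. The trusted subnet is passed as an argument; the SSH rule, the limit of 10 log lines per minute and the RPC range 49152:65535 (the default quoted on the Samba wiki) are assumptions of this example, not from the original page.

```shell
#!/bin/sh
# Added example: emit a complete iptables-restore ruleset for a Samba AD DC.
# Assumptions (not from the original article): the trusted LAN is $1, SSH
# is administered from that LAN, LOG rules are limited to 10/min, and the
# dynamic RPC range is 49152:65535 (Samba wiki default).

# Ports from the article's table, split by protocol (UDP 123 omitted like the article).
DC_TCP_PORTS="53,88,135,139,389,445,464,5722,9389"
DC_UDP_PORTS="53,67,88,137,138,389,445,464,2535"
RPC_DYNAMIC="49152:65535"   # assumption: TCP range handed out by the endpoint mapper on 135

# Print the ruleset for one trusted subnet given in CIDR notation.
samba_dc_ruleset() {
    lan="$1"
    case "$lan" in
        */*) ;;
        *) echo "usage: samba_dc_ruleset <cidr>" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGER - [0:0]
# 1. loopback first: the DC talks to itself (resolver, samba-tool)
-A INPUT -i lo -j ACCEPT
# 2. replies to connections the DC opened (DNS forwarder, replication partners)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. keep remote administration working (assumption: SSH from the LAN)
-A INPUT -s $lan -p tcp --dport 22 -j ACCEPT
# 4. log, then accept, the DC ports from the trusted LAN
-A INPUT -s $lan -j LOGGER
-A INPUT -s $lan -p tcp -m multiport --dports $DC_TCP_PORTS -j ACCEPT
-A INPUT -s $lan -p udp -m multiport --dports $DC_UDP_PORTS -j ACCEPT
-A INPUT -s $lan -p tcp --dport $RPC_DYNAMIC -j ACCEPT
# 5. anything else falls through to the DROP policy on INPUT
# LOG is non-terminating; the limit match stops a chatty client flooding the log
-A LOGGER -p tcp -m multiport --dports $DC_TCP_PORTS -m limit --limit 10/min -j LOG --log-prefix "TCP_LOG:  "
-A LOGGER -p udp -m multiport --dports $DC_UDP_PORTS -m limit --limit 10/min -j LOG --log-prefix "UDP_LOG:  "
-A LOGGER -p tcp --dport $RPC_DYNAMIC -m limit --limit 10/min -j LOG --log-prefix "RPC_DYN:  "
COMMIT
EOF
}
```

To apply it, write the output to /etc/sysconfig/iptables, load it with iptables-restore from that file, and check the result with iptables -L INPUT -n -v --line-numbers; because the policy is DROP, test from a client on the LAN (a domain join or a kinit) and from one outside it before leaving the console session.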

For testing purposes I applied these rules on my machine, and you can verify the logs below:
# cat /var/log/firewall.log
Sep 24 15:07:31 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3224 DF PROTO=TCP SPT=1181 DPT=389 WINDOW=64912 RES=0x00 ACK FIN URGP=0

Sep 24 15:07:32 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3262 DF PROTO=TCP SPT=65107 DPT=53 WINDOW=65460 RES=0x00 ACK FIN URGP=0

Sep 24 15:07:32 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3248 DF PROTO=TCP SPT=1173 DPT=445 WINDOW=64343 RES=0x00 ACK URGP=0

Sep 24 15:07:32 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=342 TOS=0x00 PREC=0x00 TTL=128 ID=3249 PROTO=UDP SPT=1191 DPT=88 LEN=322

Sep 24 15:07:39 test kernel: TCP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=3276 DF PROTO=TCP SPT=1187 DPT=135 WINDOW=65311 RES=0x00 ACK URGP=0

Sep 24 15:07:39 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:8a:13:1c:08:00 SRC=192.168.0.148 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15968 PROTO=UDP SPT=137 DPT=137 LEN=58

Sep 24 15:07:39 test kernel: UDP_LOG:  IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=318 TOS=0x00 PREC=0x00 TTL=128 ID=3278 PROTO=UDP SPT=138 DPT=138 LEN=298
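Reading the log by eye works for a handful of lines but not for a busy domain. As an added example, not part of the original article, the shell functions below summarise LOG entries by prefix, protocol and destination port, and list source addresses outside the trusted range, which is the quickest way to spot a client on the wrong subnet or a port nothing should be hitting. The log lines are constructed for the example (trimmed of the MAC and TOS fields the kernel prints) and the trusted prefix 192.168.0. is an assumption matching the article's LAN.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines and flag foreign sources.
# The SRC=, PROTO= and DPT= fields are what the LOG target writes; the
# lines below are constructed for this example, not taken from a real host.
export LC_ALL=C

SAMPLE_LOG='Sep 24 15:07:31 test kernel: TCP_LOG:  IN=eth0 OUT= SRC=192.168.0.30 DST=192.168.0.61 LEN=40 PROTO=TCP SPT=1181 DPT=389 ACK FIN URGP=0
Sep 24 15:07:31 test kernel: TCP_LOG:  IN=eth0 OUT= SRC=192.168.0.31 DST=192.168.0.61 LEN=40 PROTO=TCP SPT=1190 DPT=389 ACK FIN URGP=0
Sep 24 15:07:32 test kernel: TCP_LOG:  IN=eth0 OUT= SRC=192.168.0.30 DST=192.168.0.61 LEN=40 PROTO=TCP SPT=65107 DPT=53 ACK FIN URGP=0
Sep 24 15:07:32 test kernel: UDP_LOG:  IN=eth0 OUT= SRC=192.168.0.30 DST=192.168.0.61 LEN=342 PROTO=UDP SPT=1191 DPT=88 LEN=322
Sep 24 15:07:39 test kernel: UDP_LOG:  IN=eth0 OUT= SRC=192.168.0.148 DST=192.168.0.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 24 15:07:40 test kernel: TCP_LOG:  IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.0.61 LEN=60 PROTO=TCP SPT=44122 DPT=445 SYN URGP=0'

# Read LOG lines on stdin; print "count PREFIX PROTO DPT", busiest first.
# The prefix is the first upper-case token ending in ':' (e.g. TCP_LOG:),
# which skips the hostname and the "kernel:" tag.
fw_log_summary() {
    awk '{
        prefix = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if (prefix == "" && $i ~ /^[A-Z_]+:$/) prefix = substr($i, 1, length($i) - 1);
            else if ($i ~ /^PROTO=/) proto = substr($i, 7);
            else if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (proto != "" && dpt != "") count[prefix " " proto " " dpt]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Read LOG lines on stdin; print "SRC count" for sources whose address does not
# start with the trusted prefix (a /24 string match, assumption: 192.168.0.).
fw_log_foreign_sources() {
    trusted="${1:-192.168.0.}"
    awk -v t="$trusted" '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { src = substr($i, 5); if (index(src, t) != 1) seen[src]++ }
    }
    END { for (s in seen) print s, seen[s] }' | sort
}

# Run both over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | fw_log_foreign_sources 192.168.0.
```

On the DC itself, feed the real file instead: fw_log_summary < /var/log/firewall.log. With per-port prefixes such as "Kerberos pswd:" the prefix column shows the service name directly; with the multiport TCP_LOG/UDP_LOG prefixes the DPT column tells you which service a packet hit.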

Related Articles
Samba 4.1 as Active Directory configuration guide

