topic Re: How to configure IPTables in suse linux in Operating System - Linux

How to configure IPTables in suse linux

senthil_kumar_1 — Wed, 23 Jun 2010 11:42:34 GMT

Hi All,

There is one suse linux 9 (SLES 9) server running samba service.

I am not able to write or copy the files under samba shares for some times, it happens continuously.

Therefore I checked the log and found following.

# grep -i "getpeername failed" messages
Jun 23 04:35:05 emdlagas71 smbd[30186]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:05 emdlagas71 smbd[30187]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:05 emdlagas71 smbd[30197]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:07 emdlagas71 smbd[30213]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:45 emdlagas71 smbd[30516]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:45 emdlagas71 smbd[30518]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:46 emdlagas71 smbd[30519]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:50 emdlagas71 smbd[30527]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:58 emdlagas71 smbd[32657]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:58 emdlagas71 smbd[32660]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:59 emdlagas71 smbd[32661]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:59 emdlagas71 smbd[32665]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32667]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32673]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32676]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:01 emdlagas71 smbd[32679]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:35:05 emdlagas71 smbd[1492]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:35:06 emdlagas71 smbd[1493]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:40:46 emdlagas71 smbd[1817]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:40:47 emdlagas71 smbd[1819]: getpeername failed. Error was Transport endpoint is not connected

I searched for solution in google and I found following solution.

http://lists.samba.org/archive/samba/2004-April/084048.html

Therefore, as per above solution I tried to add the following entry in iptables.

I have done following steps:

Step 1: Have added that rule

#iptables -I INPUT 1 -p tcp --dport 445 -j DROP

Step 2: Saved iptables

# iptables-save

Step 3: Started firewall

#sbin/SuSEfirewall2 start

After that I am not able to connect my server through SSH.

So I connected the server through console and checked.

# iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options pref
ix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options pref
ix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options pref
ix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-opt
ions ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warni
ng tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options pref
ix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options pref
ix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options i
p-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable

My Questions:

1)I have added one single rule only , how those rules are being added?

2)I want to block port 445 only and allow all other traffics, how to do that?

3)Are my steps of adding rules, saving iptables and starting iptables (firewall) correct?

Re: How to configure IPTables in suse linux

Michal Kapalka (mikap) — Wed, 23 Jun 2010 11:53:25 GMT

hi,

follow this article from INET :

http://wendt.wisc.edu/site/public/?title=liniptables

iptables example startup script :

http://wendt.wisc.edu/site/public/files/liniptablesfiles/iptables.txt

link related to your problem :

http://www.pelennorfields.com/matt/2005/04/13/samba-error-getpeername-failed/

http://forums.opensuse.org/get-help-here/network-internet/413860-errors-log-smbd.html

hope it will help

mikap

Re: How to configure IPTables in suse linux

P Muralidhar Kini — Wed, 23 Jun 2010 14:41:18 GMT

Hi Senthil,

Some more links-
http://www.topology.org/linux/fwsuse.html
http://www.linux.com/archive/feed/44818

Hope this helps.

Regards,
Murali

Re: How to configure IPTables in suse linux

Ivan Ferreira — Wed, 23 Jun 2010 15:03:17 GMT

SUSE firewall configuration is done in a different way, you must use /etc/sysconfig/SuSEfirewall2.

Doing DROP is not good, probably you may wat to do REJECT or your connections will be "hang" for a while.

You can just add the following option to your configuration file instead of using a firewall:

smb ports = 139

And disable your firewall.

I had a similar problem and was solved by using:

server signing = mandatory

Cheers.

Re: How to configure IPTables in suse linux

senthil_kumar_1 — Wed, 23 Jun 2010 16:00:51 GMT

Hi All,

Still I am not clear.

Please explain me how to do this.

1)I want to block port 445 only and allow all other traffics, how to do that?

Re: How to configure IPTables in suse linux

senthil_kumar_1 — Wed, 23 Jun 2010 16:20:57 GMT

Hi Ivan Ferreira,

Do you want to add following lines in /etc/samba/smb.conf and restart samba.

smb ports = 139
server signing = mandatory

My Questions:

1)After doing above things, will not get the error message "getpeername failed. Error was Transport endpoint is not connected" in /var/log/messages?

2)Will it really resolve the file copy and write in issue on samba shares from XP samba client?

Re: How to configure IPTables in suse linux

Ivan Ferreira — Wed, 23 Jun 2010 17:32:15 GMT

1)After doing above things, will not get the error message "getpeername failed. Error was Transport endpoint is not connected" in /var/log/messages?

It should as it won't be listening on that port, but anyway, the port used nowdays is 445.

2)Will it really resolve the file copy and write in issue on samba shares from XP samba client?

Not sure.

Re: How to configure IPTables in suse linux

P Muralidhar Kini — Thu, 24 Jun 2010 05:32:19 GMT

Hi Senthil,

>> 1)I want to block port 445 only and allow all other traffics, how to do that?
To block particular TCP port in Linux is to use iptables rule as follows:
#iptables -A INPUT -p tcp --destination-port PORT-NUBMER -j DROP

For example block port 22 for everyone:
#iptables -A INPUT -p tcp --destination-port 22 -j DROP

Now let us say you want block port 22 for everyone except for IP 202.65.11.10
#iptables -A INPUT -p tcp --destination-port 22 -s \! 202.65.11.10 -j DROP

To block UDP ports use --tcp udp option:
#iptables -A INPUT -p udp --destination-port PORT-NUBMER -j DROP

Link-
http://nixcraft.com/linux-software/479-blocking-ports-linux.html

Hope this helps.

Regards,
Murali

Re: How to configure IPTables in suse linux

Steven E. Protter — Thu, 24 Jun 2010 19:24:04 GMT

Shalom,

Samba needs port 445 and 139 minimally. See /etc/services for more there.

You might try a firewall gui if your version of SUSE has it, or take a look at firestarter for basic configuration. Firestarter is orphaned, but is very helpful.

SEP