How to configure IPTables in suse linux
06-23-2010 04:42 AM
There is one SUSE Linux 9 (SLES 9) server running the Samba service.
I am not able to write or copy files under the Samba shares at times; it happens continuously.
Therefore I checked the log and found the following.
# grep -i "getpeername failed" messages
Jun 23 04:35:05 emdlagas71 smbd[30186]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:05 emdlagas71 smbd[30187]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:05 emdlagas71 smbd[30197]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:35:07 emdlagas71 smbd[30213]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:45 emdlagas71 smbd[30516]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:45 emdlagas71 smbd[30518]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:46 emdlagas71 smbd[30519]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 04:40:50 emdlagas71 smbd[30527]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:58 emdlagas71 smbd[32657]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:58 emdlagas71 smbd[32660]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:59 emdlagas71 smbd[32661]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:12:59 emdlagas71 smbd[32665]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32667]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32673]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:00 emdlagas71 smbd[32676]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:13:01 emdlagas71 smbd[32679]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:35:05 emdlagas71 smbd[1492]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:35:06 emdlagas71 smbd[1493]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:40:46 emdlagas71 smbd[1817]: getpeername failed. Error was Transport endpoint is not connected
Jun 23 05:40:47 emdlagas71 smbd[1819]: getpeername failed. Error was Transport endpoint is not connected
I searched for a solution on Google and found the following:
http://lists.samba.org/archive/samba/2004-April/084048.html
Therefore, as per the above solution, I tried to add the following entry in iptables.
I have done the following steps:
Step 1: Added the rule
# iptables -I INPUT 1 -p tcp --dport 445 -j DROP
Step 2: Saved iptables
# iptables-save
Step 3: Started the firewall
# /sbin/SuSEfirewall2 start
After that I was not able to connect to my server through SSH.
So I connected to the server through the console and checked.
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (0 references)
target prot opt source destination
Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
My Questions:
1) I have added one single rule only; how are those rules being added?
2) I want to block port 445 only and allow all other traffic; how to do that?
3) Are my steps of adding rules, saving iptables and starting iptables (firewall) correct?
06-23-2010 04:53 AM
Solution
Follow this article from INET:
http://wendt.wisc.edu/site/public/?title=liniptables
iptables example startup script :
http://wendt.wisc.edu/site/public/files/liniptablesfiles/iptables.txt
link related to your problem :
http://www.pelennorfields.com/matt/2005/04/13/samba-error-getpeername-failed/
http://forums.opensuse.org/get-help-here/network-internet/413860-errors-log-smbd.html
Hope it will help.
mikap
06-23-2010 07:41 AM
Re: How to configure IPTables in suse linux
Some more links-
http://www.topology.org/linux/fwsuse.html
http://www.linux.com/archive/feed/44818
Hope this helps.
Regards,
Murali
06-23-2010 08:03 AM
Re: How to configure IPTables in suse linux
Doing DROP is not good; you may probably want to do REJECT, or your connections will "hang" for a while.
You can just add the following option to your configuration file instead of using a firewall:
smb ports = 139
And disable your firewall.
I had a similar problem and it was solved by using:
server signing = mandatory
Cheers.
06-23-2010 09:00 AM
Re: How to configure IPTables in suse linux
I am still not clear.
Please explain to me how to do this.
1) I want to block port 445 only and allow all other traffic; how to do that?
06-23-2010 09:20 AM
Re: How to configure IPTables in suse linux
Do you want to add the following lines in /etc/samba/smb.conf and restart samba?
smb ports = 139
server signing = mandatory
My Questions:
1) After doing the above things, will I not get the error message "getpeername failed. Error was Transport endpoint is not connected" in /var/log/messages?
2) Will it really resolve the file copy and write issue on samba shares from the XP samba client?
06-23-2010 10:32 AM
Re: How to configure IPTables in suse linux
It should, as it won't be listening on that port, but anyway, the port used nowadays is 445.
2) Will it really resolve the file copy and write issue on samba shares from the XP samba client?
Not sure.
06-23-2010 10:32 PM
Re: How to configure IPTables in suse linux
>> 1) I want to block port 445 only and allow all other traffic; how to do that?
To block a particular TCP port in Linux, use an iptables rule as follows:
# iptables -A INPUT -p tcp --destination-port PORT-NUMBER -j DROP
For example, block port 22 for everyone:
# iptables -A INPUT -p tcp --destination-port 22 -j DROP
Now let us say you want to block port 22 for everyone except for IP 202.65.11.10:
# iptables -A INPUT -p tcp --destination-port 22 -s \! 202.65.11.10 -j DROP
To block UDP ports, use the --tcp udp option:
# iptables -A INPUT -p udp --destination-port PORT-NUMBER -j DROP
Link-
http://nixcraft.com/linux-software/479-blocking-ports-linux.html
Hope this helps.
Regards,
Murali
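An added example, not part of any post in this thread: rules in a chain are evaluated first-match, so whether a port is blocked depends on rule order and on the chain policy, not only on the rule you add. The sketch below works out the verdict for a new inbound packet over iptables-save text. The function name `verdict` and the three rulesets are constructed for illustration; the first one flattens the INPUT chain from the listing in the opening post (the jump to `input_ext` is omitted, and the first ACCEPT is assumed to be the loopback rule).

```shell
#!/bin/sh
# Added example: first-match verdict for a NEW inbound packet on the INPUT chain,
# evaluated over iptables-save text. Subset only: -i, -p, --dport, --state, -j.

# Constructed: INPUT chain from the first post's listing, flattened.
FIREWALL_ON=':INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix SFW2-IN-ILL-TARGET
-A INPUT -j DROP'

# Constructed: "block 445 only, allow all other traffic", using REJECT.
BLOCK_445_ONLY=':INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 445 -j REJECT --reject-with tcp-reset'

# Constructed: a DROP appended (-A) behind a broader ACCEPT is never reached.
SHADOWED=':INPUT ACCEPT [0:0]
-A INPUT -p tcp -j ACCEPT
-A INPUT -p tcp --destination-port 445 -j DROP'

# verdict RULES IFACE PROTO DPORT -> prints ACCEPT, DROP or REJECT
verdict() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v proto="$3" -v dport="$4" '
        /^:INPUT / { policy = $2; next }        # chain policy is the fallback
        $1 != "-A" || $2 != "INPUT" { next }    # other chains are not followed
        {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" && $(i+1) != ifc) ok = 0
                if ($i == "-p" && $(i+1) != proto) ok = 0
                if (($i == "--dport" || $i == "--destination-port") && $(i+1) != dport) ok = 0
                if ($i == "--state" && $(i+1) !~ /(^|,)NEW(,|$)/) ok = 0
                if ($i == "-j") target = $(i+1)
            }
            # LOG and other non-terminating targets fall through to the next rule
            if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; hit = 1; exit }
        }
        END { if (!hit) print policy }
    '
}

for port in 22 139 445; do
    echo "port $port: firewall_on=$(verdict "$FIREWALL_ON" eth0 tcp "$port")" \
         "block_445_only=$(verdict "$BLOCK_445_ONLY" eth0 tcp "$port")" \
         "shadowed=$(verdict "$SHADOWED" eth0 tcp "$port")"
done
```

With the first ruleset, a new SSH connection on eth0 ends in DROP, which matches the lockout described in the opening post; the third shows why an appended DROP can have no effect when a broader ACCEPT precedes it.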
06-24-2010 12:24 PM
Re: How to configure IPTables in suse linux
Samba needs ports 445 and 139 minimally. See /etc/services for more there.
You might try a firewall gui if your version of SUSE has it, or take a look at firestarter for basic configuration. Firestarter is orphaned, but is very helpful.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com