samba & firewall problem on fedora20

I was having some serious difficulty with getting Samba to work through the installed firewall on Fedora20. But, I did manage to finally figure out what the problem is.

Now I need some help on the proper solution/fix.

I configured Samba and then added it to the list of services for my firewall zone. Yet, I was having problems getting Samba through the firewall.

Here is what my firewall zone looks like.

    [root@localhost bwalker]# firewall-cmd --zone=home --list-services
    dhcpv6-client mdns samba samba-client ssh
    [root@localhost bwalker]# firewall-cmd --get-active-zones
    home
      interfaces: enp1s0
    [root@localhost bwalker]#

So far so good. But I still wasn't able to access the Samba share from my Windows box. So I took a look at the iptables and discovered that it looks like I was getting ICMP host prohibited (this agrees with what I was seeing in Wireshark).

So my iptables looks like this.

    [root@localhost bwalker]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
    INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
    INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
    FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
    FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
    FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
    FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD_IN_ZONES (1 references)
    target     prot opt source               destination
    FWDI_home  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
    FWDI_home  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

    Chain FORWARD_IN_ZONES_SOURCE (1 references)
    target     prot opt source               destination

    Chain FORWARD_OUT_ZONES (1 references)
    target     prot opt source               destination
    FWDO_home  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
    FWDO_home  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

    Chain FORWARD_OUT_ZONES_SOURCE (1 references)
    target     prot opt source               destination

    Chain FORWARD_direct (1 references)
    target     prot opt source               destination

    Chain FWDI_home (2 references)
    target     prot opt source               destination
    FWDI_home_log  all  --  0.0.0.0/0            0.0.0.0/0
    FWDI_home_deny  all  --  0.0.0.0/0            0.0.0.0/0
    FWDI_home_allow  all  --  0.0.0.0/0            0.0.0.0/0

    Chain FWDI_home_allow (1 references)
    target     prot opt source               destination

    Chain FWDI_home_deny (1 references)
    target     prot opt source               destination

    Chain FWDI_home_log (1 references)
    target     prot opt source               destination

    Chain FWDO_home (2 references)
    target     prot opt source               destination
    FWDO_home_log  all  --  0.0.0.0/0            0.0.0.0/0
    FWDO_home_deny  all  --  0.0.0.0/0            0.0.0.0/0
    FWDO_home_allow  all  --  0.0.0.0/0            0.0.0.0/0

    Chain FWDO_home_allow (1 references)
    target     prot opt source               destination

    Chain FWDO_home_deny (1 references)
    target     prot opt source               destination

    Chain FWDO_home_log (1 references)
    target     prot opt source               destination

    Chain INPUT_ZONES (1 references)
    target     prot opt source               destination
    IN_home    all  --  0.0.0.0/0            0.0.0.0/0           [goto]
    IN_home    all  --  0.0.0.0/0            0.0.0.0/0           [goto]

    Chain INPUT_ZONES_SOURCE (1 references)
    target     prot opt source               destination

    Chain INPUT_direct (1 references)
    target     prot opt source               destination

    Chain IN_home (2 references)
    target     prot opt source               destination
    IN_home_log  all  --  0.0.0.0/0            0.0.0.0/0
    IN_home_deny  all  --  0.0.0.0/0            0.0.0.0/0
    IN_home_allow  all  --  0.0.0.0/0            0.0.0.0/0

    Chain IN_home_allow (1 references)
    target     prot opt source               destination
    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

    Chain IN_home_deny (1 references)
    target     prot opt source               destination

    Chain IN_home_log (1 references)
    target     prot opt source               destination

    Chain OUTPUT_direct (1 references)
    target     prot opt source               destination
    [root@localhost bwalker]#

Once I deleted rule #8 from the INPUT chain, everything started working perfectly.

So I have 2 questions.

  1. Should firewall-cmd update (or not) the iptables when I add the service to my zone?
  2. What is the proper way to "fix" this so my iptables will leave everything intact yet allow the Samba protocol through?

Thanks for any insight/help.

-brad walker
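An added example (not part of the original post or of firewalld) that turns the diagnosis above into a repeatable check: it parses the `IN_home_allow` chain exactly as shown in the post and reports which ports a zone service needs that have no ACCEPT rule, so you can see what the zone is actually passing before deleting the catch-all REJECT. It assumes the samba service needs udp/137, udp/138, tcp/139 and tcp/445 (the port set in firewalld's samba service definition); the sample chain is constructed from the output in the post.

```shell
#!/bin/sh
# Added example: compare the ports a firewalld service needs against the
# ACCEPT rules present in a zone's IN_<zone>_allow chain (`iptables -L -n`).
# Assumption: firewalld's samba service = udp/137 udp/138 tcp/139 tcp/445.

# Constructed sample: the IN_home_allow chain copied from the post.
SAMPLE='Chain IN_home_allow (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_home_deny (1 references)
target     prot opt source               destination'

# allowed_ports CHAIN  (reads iptables -L -n output on stdin)
# Prints one "proto/port" line per ACCEPT rule with a dpt: match in CHAIN.
allowed_ports() {
    awk -v chain="$1" '
        $1 == "Chain" { inchain = ($2 == chain); next }
        inchain && $1 == "ACCEPT" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $2 "/" $i }
        }'
}

# missing_ports CHAIN "proto/port ..."  (reads iptables -L -n output on stdin)
# Prints each required proto/port that has no ACCEPT rule in CHAIN.
missing_ports() {
    have=" $(allowed_ports "$1" | tr '\n' ' ') "
    for want in $2; do
        case "$have" in
            *" $want "*) ;;                 # rule present, nothing to report
            *) printf '%s\n' "$want" ;;     # no ACCEPT rule for this port
        esac
    done
}

SAMBA_PORTS="udp/137 udp/138 tcp/139 tcp/445"

# Run the check against the sample chain; on a live box replace the sample
# with:  iptables -L -n | missing_ports IN_home_allow "$SAMBA_PORTS"
check_samba() {
    printf '%s\n' "$SAMPLE" | missing_ports IN_home_allow "$SAMBA_PORTS"
}
check_samba
```

On the chain from the post this reports tcp/139 and tcp/445 as missing, which is consistent with a Windows client (SMB over TCP 445) hitting the final `icmp-host-prohibited` REJECT even though the UDP NetBIOS ports are open.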