[Fedora-users-br] Problema com firewall e samba

Diego slipkorn85 em gmail.com
Sexta Setembro 29 12:25:57 UTC 2006


Ola,

Tenho um servidor samba rodando como PDC da rede, estou utilizando o Fedora
5.
Tem algumas mensagens que estao se repetindo no log...

Sep 29 09:09:25 linuxserver smbd[28045]: [2006/09/29 09:09:25, 0] lib/util_sock.c:read_data(534)
Sep 29 09:09:25 linuxserver smbd[28045]:   read_data: read failure for 4
bytes to client 192.168.254.235. Error = Conexão fechada pela outra ponta

Nas estacoes eu consegui conectar com o servidor, o que nao funcionou foi a
configuracao para usuario administrador! Segui esse tutorial para a
configuracao:

http://www.dicas-l.com.br/dicas-l/20050202.php


#####Arquivo configuracao firewall######

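#!/bin/sh
# Firewall for the Samba PDC / gateway host.
# Interface roles assumed by the rules below: eth0 = LAN (192.168.254.0/24),
# eth1 = Internet (masqueraded). Every chain defaults to DROP, so each
# permitted flow needs an explicit rule.
#
# Fixes applied to the original script:
#  - INPUT state rule: "ESTABLISHED, RELATED" (with a space) is rejected by
#    iptables as a bad argument, so the rule was never installed.
#  - Two lines that the mail client had wrapped (a comment in the NAT
#    section and the REDIRECT --to-port option) are re-joined; as wrapped,
#    the fragments were executed as separate, failing commands.

echo "Iniciando FIREWALL em modo Cliente com politica DROP"

# Start from a clean slate in every table.
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Default policy: drop whatever no rule explicitly accepts.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## TODO: the rules in this file still need review ##

##### Protection against IP spoofing (reverse-path filter) #####
echo "Ativando protecao contra IP Spoofing..."
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
done

##### Enable packet forwarding (required for NAT) #####
echo "Ativando o redirecionamento de pacotes..."
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

###############################################################
#                      filter table                           #
###############################################################

# Accept packets belonging to a connection conntrack already knows about.
# BUGFIX: the INPUT rule previously read "ESTABLISHED, RELATED" and failed
# to load, leaving replies to this host's own connections dependent on the
# source-port rules further down.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback.
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

##### Client role: traffic this host originates #####
# NOTE(review): the INPUT rules below match only on --sport, without any
# connection-state check, so they accept traffic that merely claims to
# come from port 53/80/443/... Now that the ESTABLISHED,RELATED rule above
# is active they are redundant for legitimate replies (active-mode FTP
# data from port 20 is the one case that may still need its own rule or
# the ip_conntrack_ftp helper). Consider removing them once the state
# rule is confirmed to work.

# DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -j ACCEPT

# HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT  -p tcp --sport 80 -j ACCEPT

# Proxy
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT  -p tcp --sport 3128 -j ACCEPT

# FTP (control and active-mode data ports)
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT  -p tcp --sport 21 -j ACCEPT

iptables -A OUTPUT -p udp --dport 21 -j ACCEPT
iptables -A INPUT  -p udp --sport 21 -j ACCEPT

iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT  -p tcp --sport 20 -j ACCEPT

iptables -A OUTPUT -p udp --dport 20 -j ACCEPT
iptables -A INPUT  -p udp --sport 20 -j ACCEPT

# SSH
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT  -p tcp --sport 22 -j ACCEPT

# HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT  -p tcp --sport 443 -j ACCEPT

# MSN Messenger
iptables -A OUTPUT -p tcp --dport 1863 -j ACCEPT
iptables -A INPUT  -p tcp --sport 1863 -j ACCEPT

##### Server role: services this host offers #####

# Accept everything from the local network on the LAN interface
# (this is what lets Samba clients reach the PDC).
iptables -A INPUT  -s 192.168.254.0/24 -i eth0 -j ACCEPT
iptables -A OUTPUT -d 192.168.254.0/24 -o eth0 -j ACCEPT

# FTP server on 2121 plus its passive-mode data range.
# NOTE(review): no -i restriction, so these ports are reachable from
# eth1 (Internet) as well as the LAN; add "-i eth0" if that is not wanted.
iptables -A INPUT  -p tcp --dport 2121 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2121 -j ACCEPT

iptables -A INPUT  -p tcp --dport 8800:8900 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8800:8900 -j ACCEPT

# New SSH connections to this host
iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# New HTTP connections to this host
iptables -A INPUT  -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

# OpenVPN
iptables -A INPUT  -p tcp --dport 5000:5001 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5000:5001 -j ACCEPT

# ICMP: rate-limited from the Internet side, unrestricted outbound
iptables -A INPUT -i eth1 -p icmp -m limit --limit 2/s -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT


##### FORWARD chain #####
echo "Definindo regras da Chain FORWARD..."

# Return traffic for forwarded connections
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward everything.
# NOTE(review): this makes the DROP policy on FORWARD ineffective - any
# packet routed through this host, in either direction, is passed. The
# original comment ("enable later" / "open everything!") suggests this is
# temporary. Tightening it to LAN-originated traffic (e.g. "-i eth0
# -o eth1") would be the usual fix, but check the OpenVPN tunnel interface
# is also covered before doing so.
iptables -A FORWARD -j ACCEPT

#######################################################
#                   nat table                         #
#######################################################
echo "Definindo regras da tabela NAT..."

##### POSTROUTING chain #####
# Pass anything leaving via lo or going to the local network via eth0 untouched.
iptables -t nat -A POSTROUTING -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j ACCEPT

# Everything else from the internal network leaving through eth1 is masqueraded.
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth1 -j MASQUERADE

##### PREROUTING chain #####
# Transparent proxy: redirect LAN web traffic to squid on port 3128.
# BUGFIX: "--to-port 3128" had been wrapped onto its own line, so the
# REDIRECT ran without a target port and the option line failed on its own.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#=============== END ===================
# Explicit catch-all drops (the chain policies already drop; these make
# it visible in the counters).
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP

echo "FIREWALL OK..."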


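#======================= Global Settings =====================================
# Samba PDC configuration.
# Two values that the mail client had wrapped onto a second line
# ('passwd chat' and 'add machine script') are re-joined here: smb.conf
# only continues a value when the line ends in a backslash, so the wrapped
# fragments were read as malformed parameter lines.

[global]
# Domain/workgroup name, NetBIOS name and server description
workgroup = JSINFO
netbios name = SERVER
server string = Servidor de Arquivos

# WINS support
wins support = yes

# One log file per client machine (%m = client NetBIOS name)
log file = /var/log/samba/%m.log
# Maximum log size, in KB
max log size = 50
# Log verbosity
debug level = 2

# Changed from 'security = SHARE' to the value below
security = USER

# Required for Windows >= 98
encrypt passwords = yes

# Keep the UNIX password in step with the SMB password
unix password sync = yes
smb passwd file = /etc/samba/smbpasswd
username map = /etc/samba/smbusers
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Server performance tuning
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Creates the machine trust account when a Windows 2000/XP station joins the domain
add machine script = /usr/sbin/adduser -n -r -g machines -c "Samba machine" -d /dev/null -s /bin/false %u
passdb backend = smbpasswd

# LAN interface only
# NOTE(review): with 'bind interfaces only = yes' Samba does not listen on
# loopback unless lo is also listed; local tools (smbpasswd, smbclient to
# localhost) may fail - confirm, and add 'lo' to 'interfaces' if needed.
interfaces = eth0
bind interfaces only = yes

# pt_BR accented characters
unix charset = iso8859-1
display charset = cp850

# PDC options
domain logons = yes
os level = 150
preferred master = yes
domain master = yes

# Batch file run at logon (served from the [netlogon] share)
logon script = %U.bat

# To stop roaming profiles being stored on the server, 'logon path' must be
# set to an EMPTY value. While the line below stays commented out Samba
# uses its default profile path and profiles ARE created on the server.
#logon path =

#idmap uid = 16777216-33554431
#idmap gid = 16777216-33554431
#template shell = /bin/false
#winbind use default domain = no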



#------------------------- shares -----------------------------------------
# Per-user home directories: each authenticated user sees their own home
# under their username.
[homes]
   comment = Home Directories
   # users may write to their own home
   writable = yes
   # keep the generic [homes] entry itself out of the browse list
   browseable = no


# Technical-support area: restricted to four named users.
[assistencia]
   comment = Area da Assistencia
   path = /home/jsinfo/assistencia
   browseable = yes
   # only these users may connect, and the same users get write access
   # ('read only' keeps its default of yes for anyone else)
   valid users = diego,sergio,rogerio,hidalgo
   write list = diego,sergio,rogerio,hidalgo
   # file operations by this user on the share run with root privileges
   admin users = diego
   # new files/directories get group-writable permissions
   force create mode = 0775
   force directory mode = 0775
   # earlier settings, kept disabled: the share is not guest-accessible
   #  writeable = yes
   #   guest ok = yes

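# Shop area: open read/write share.
[loja]
   comment = Area Loja JS
   path = /home/jsinfo/loja
   browseable = yes
   # 'public' is a synonym of 'guest ok'.
   # NOTE(review): together with the read/write setting below, any session
   # that reaches this share anonymously (subject to the [global] guest
   # mapping) can modify its contents; confirm this is intended - the
   # per-user lists were deliberately disabled.
   public = yes
   # 'writeable = yes' and 'read only = no' are the same parameter written
   # two ways; the duplicate has been dropped.
   read only = no
   #   valid users = diego,sergio,rogerio,karina
   #   write list = diego,sergio,rogerio,karina
   # new files/directories get group-writable permissions
   force create mode = 0775
   force directory mode = 0775
   # file operations by this user on the share run with root privileges
   admin users = diego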

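# Clients' data share
[copias]
   comment = Dados dos Clientes
   path = /copias
   browseable = yes
   # 'public' (= 'guest ok') lets anonymous sessions read this share if the
   # [global] guest mapping permits it - worth reviewing for client data.
   public = yes
   # FIX: was 'read only = no', which gave write access to everyone and
   # made the write list below a no-op. Read-only by default so that only
   # the listed users can write; restore 'read only = no' if every user
   # (including guests) really must be able to write here.
   read only = yes
   write list = diego,sergio,rogerio,hidalgo
   # new files/directories get group-writable permissions
   force create mode = 0775
   force directory mode = 0775
   # file operations by this user on the share run with root privileges
   admin users = diego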

# Development area: read/write for the listed users only.
[programacao]
   comment = Desenvolvimento de Programas
   path = /home/jsinfo/programacao
   browseable = yes
   # only these users may connect; the share is writable for them
   valid users = diego,sergio,rogerio,desteu
   read only = no
   # file operations by this user on the share run with root privileges
   admin users = diego
   # new files/directories get group-writable permissions
   force create mode = 0775
   force directory mode = 0775
   # guest access kept disabled
   #  public = yes

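# Netlogon share for domain logons: the per-user logon scripts named by
# 'logon script = %U.bat' in [global] are served from here. The netlogon
# directory must exist on disk.
[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   # readable by guests so stations can fetch the logon script; never writable
   guest ok = yes
   writable = no
   share modes = no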