Thread: Samba and Firewalld

  1. #1

    Samba and Firewalld

    Good afternoon everyone,

    I sincerely hope that this is not a duplicate. I used the forum search with "samba firewall" but I wasn't able to solve my problem.
    I have a Windows 7 virtual machine configured using libvirt (through virt-manager). I intend to share files using Samba between host and guest OS through an isolated virtual network (device is virbr1 at 192.168.100.1). I have followed the instructions from swerdna to set up the firewall but I am not able to connect to my Samba server from within the guest with an active firewall. If I turn the firewall off, everything works fine. I think I have tried almost every possible configuration, but I can't get it to work. If anyone has an idea, please let me know.
    These settings actually worked before using gnome-boxes but now with virt-manager it's kinda messed up.

    firewall-cmd --list-all
    Code:
    public
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: dhcpv6-client samba ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    smb.conf:
    Code:
    [global]
        workgroup = SAMBA
        dns proxy = no
        lanman auth = yes
        ntlm auth = yes
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        server role = standalone server
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
    
    [Downloads]
        comment = Download Folder
        read only = no
        locking = no
        path = /home/sascha/Downloads
        guest ok = no
    
    [printers]
        comment = All Printers
        browseable = no
        path = /var/spool/samba
        printable = yes
        guest ok = no
        read only = yes
        create mask = 0700
    
    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        browseable = yes
        read only = yes
        guest ok = no
    
    [Öffentlich]
        comment = 
        inherit acls = Yes
        path = /home/sascha/Öffentlich
        read only = No
        vfs objects =
    If you need more information please let me know!
    I am selling these fine leather jackets...

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,382
    Blog Entries
    1

    Re: Samba and Firewalld

    You have no interfaces listed in the public zone.
    openSUSE Leap 15.0; KDE Plasma 5

  3. #3

    Re: Samba and Firewalld

    Quote Originally Posted by deano_ferrari View Post
    You have no interfaces listed in the public zone.
    Thank you. You are absolutely right. Since I try to use the virtual adapter "virbr1" I assume that this needs to be listed in the public zone. Therefore I added it to the public zone using

    Code:
    sudo firewall-cmd --zone=public --change-interface=virbr1
    Leading to

    Code:
    user@machine:~>  firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: virbr1
      sources: 
      services: dhcpv6-client samba ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    But still neither \\192.168.122.1 nor \\10.0.2.2 results in a connection in the Windows guest system.

    Edit: When checking the firewalld logs I found the following.

    Code:
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr1 --out-interface virbr1 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virbr1 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr1 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virbr1 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    
    2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    Sounds like it isn't able to add rules libvirt tries to introduce for virbr1. But I have basically no experience with firewalld so far.
    Last edited by ArthurDent; 07-Aug-2019 at 05:19. Reason: Inserted additional logs
    I am selling these fine leather jackets...

  4. #4

    Re: Samba and Firewalld

    Quote Originally Posted by ArthurDent View Post
    Thank you. You are absolutely right. Since I try to use the virtual adapter "virbr1" I assume that this needs to be listed in the public zone. Therefore I added it to the public zone using

    Code:
    sudo firewall-cmd --zone=public --change-interface=virbr1
    Leading to

    Code:
    user@machine:~>  firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: virbr1
      sources: 
      services: dhcpv6-client samba ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    But still neither \\192.168.122.1 nor \\10.0.2.2 results in a connection in the Windows guest system.
    Can you ping the guest IP address from the host OS successfully? If not, please show us the complete IP details on the guest
    Code:
    ip a
    Code:
    ip r
    and on the host OS....
    Code:
    route print -4
    Sounds like it isn't able to add rules libvirt tries to introduce for virbr1. But I have basically no experience with firewalld so far.
    From reading a similar report in a Red Hat thread, I note that an RH employee mentioned that they can be ignored, with the following explanation given:
    Ignore these, these are not errors. Firewalld's design makes it impossible
    for it to distinguish real errors from failures that the caller expects
    to happen. Libvirt is running these commands to ensure the rules in
    question do not exist, and it expects them to give errors most of the
    time. There is no way for libvirt to stop these errors getting into
    firewalld's logs.
    openSUSE Leap 15.0; KDE Plasma 5
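
When a firewalld log is full of these libvirt probe failures, other warnings are easy to miss. The following is an added example, not part of any post in this thread: it separates failed `--delete` probes in `LIBVIRT_*` chains from everything else. Treating only those as expected is an assumption of the example, so the failed `--insert` from the quoted log stays visible; the third sample line and the function names are constructed.

```shell
#!/bin/sh
# Split firewalld COMMAND_FAILED warnings into libvirt's "make sure this rule
# is gone" probes and everything else that still deserves a look.

# Reads log lines on stdin; prints "<class> <chain> <action>" per warning.
classify_warnings() {
    awk '
    /WARNING: COMMAND_FAILED:/ {
        action = ""; chain = ""
        for (n = 1; n < NF; n++)
            if ($n == "--delete" || $n == "--insert" || $n == "--append") {
                action = substr($n, 3); chain = $(n + 1)
            }
        # Assumption of this example: only a failed delete in a LIBVIRT_*
        # chain reporting "Bad rule" counts as the expected probe.
        if (action == "delete" && chain ~ /^LIBVIRT_/ && /Bad rule/)
            print "expected", chain, action
        else
            print "review", chain, action
    }'
}

# Number of warnings on stdin that were not recognised as expected probes.
count_review() { classify_warnings | grep -c '^review' || true; }

# Lines 1-2 are copied from the log quoted in the thread; line 3 is constructed.
SAMPLE="2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.
2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr1 --out-interface virbr1 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2019-08-07 13:50:49 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --append IN_public_allow --protocol tcp --destination-port 445 --jump ACCEPT' failed: iptables: No chain/target/match by that name."

printf '%s\n' "$SAMPLE" | classify_warnings
```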

  5. #5

    Re: Samba and Firewalld

    Quote Originally Posted by deano_ferrari View Post
    Can you ping the guest IP address from the host OS successfully? If not, please show us the complete IP details on the guest
    Code:
    ip a
    Code:
    ip r
    and on the host OS....
    Code:
    route print -4

    From reading a similar report in a Red Hat thread, I note that an RH employee mentioned that they can be ignored, with the following explanation given:
    I am not able to ping the guest. See the following output:

    Code:
    user@machine:~> ping 169.254.215.250
    PING 169.254.215.250 (169.254.215.250) 56(84) bytes of data.
    From 188.1.245.13 icmp_seq=15 Packet filtered
    From 188.1.245.13 icmp_seq=28 Packet filtered
    From 188.1.245.13 icmp_seq=47 Packet filtered
    ^C
    --- 169.254.215.250 ping statistics ---
    47 packets transmitted, 0 received, +3 errors, 100% packet loss, time 47017ms
    I am not able to execute "ip a" or "ip r" on the guest, since it is a Windows machine. All I can give you is the following (I hope you are ok with German, if not I will translate it):

    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
    
    C:\Users\User>ipconfig
    
    Windows-IP-Konfiguration
    
    
    Ethernet-Adapter LAN-Verbindung 2:
    
       Verbindungsspezifisches DNS-Suffix:
       Verbindungslokale IPv6-Adresse  . : fe80::6874:7102:fb27:d7fa%13
       IPv4-Adresse (Auto. Konfiguration): 169.254.215.250
       Subnetzmaske  . . . . . . . . . . : 255.255.0.0
       Standardgateway . . . . . . . . . :
    
    Tunneladapter isatap.{80E053E9-5822-4B8A-A96C-01832D8AF7F1}:
    
       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
    Actually it appears that the guest isn't able to connect to the virtual network, since virbr1's DHCP range is 192.168.100.128 - 192.168.100.254. And I cannot run "route print -4", even after installing "net-tools-deprecated", because it doesn't know the argument "print":

    Code:
    user@machine:~> route print -4
    Benutzung: route [-nNvee] [-FC] [<AF>]           Kernelroutentabelle anzeigen
           route [-v] [-FC] {add|del|flush} ...  Routentabelle für AF ändern.
    
           route {-h|--help} [<AF>]              Genaue Syntax für AF anzeigen.
           route {-V|--version}                  Version/Autor anzeigen und Ende.
    
            -v, --verbose            Ausführliche Ausgaben
            -n, --numeric            don't resolve names
            -e, --extend             display other/more information
            -F, --fib                display Forwarding Information Base (default)
            -C, --cache              Routencache statt FIB anzeigen
    
      <AF>=Use -4, -6, '-A <af>' or '--<af>'; default: inet
      Liste möglicher Adressfamilien, die Routen unterstützen:
        inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) 
        netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) 
        x25 (CCITT X.25)
    I am selling these fine leather jackets...

  6. #6

    Re: Samba and Firewalld

    Ok, it appears that I got it running.
    After the guest didn't seem to be able to connect to the network device I rechecked
    Code:
    ip a
    on my host and discovered that virbr1 was DOWN (although I could swear I checked this before and at that time it was UP). But this does of course explain why the guest isn't able to connect to it. So I ran
    Code:
    ifconfig virbr1 up
    and rebooted and now I can reach the SAMBA server with \\192.168.100.1.

    I will try to reproduce this on another machine to see if it really just was the deactivated module or the combination with adding it to the public zone of the firewall.
    But so far, thank you both very much for your help and pointing me in the right direction. I appreciated it very much.
    I am selling these fine leather jackets...
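
The layers this thread worked through (firewalld zone, guest addressing, bridge link state), checked lowest first, as an added example that is not part of any post. It parses captured `ip -br link` and `firewall-cmd --list-all` output so it runs offline; the function names and sample values are constructed, modelled on the outputs quoted above.

```shell
#!/bin/sh
# Triage for "guest cannot reach Samba on the host bridge", run over captured
# command output so that each check can be read and tested offline.

# State column of `ip -br link` for one interface; "MISSING" if not listed.
iface_state() {  # $1 = `ip -br link` output, $2 = interface name
    printf '%s\n' "$1" | awk -v i="$2" '$1 == i { print $2; f = 1 } END { if (!f) print "MISSING" }'
}

# Does the "<key>:" line of `firewall-cmd --list-all` contain the word $3?
zone_lists() {  # $1 = list-all output, $2 = interfaces|services, $3 = word
    printf '%s\n' "$1" | awk -v k="$2:" -v w="$3" '
        $1 == k { for (n = 2; n <= NF; n++) if ($n == w) ok = 1 }
        END { exit !ok }'
}

# 169.254.0.0/16 means the guest gave up on DHCP and self-assigned an address.
is_link_local() { case "$1" in 169.254.*.*) return 0 ;; *) return 1 ;; esac; }

# Print the first failing layer, lowest first: link, addressing, firewall zone.
triage() {  # $1 = ip -br link, $2 = list-all, $3 = guest IPv4, $4 = interface
    state=$(iface_state "$1" "$4")
    if [ "$state" != "UP" ]; then echo "link: $4 is $state"; return; fi
    if is_link_local "$3"; then echo "dhcp: guest has no lease ($3)"; return; fi
    if ! zone_lists "$2" interfaces "$4"; then echo "zone: $4 not bound to this zone"; return; fi
    if ! zone_lists "$2" services samba; then echo "zone: samba service not allowed"; return; fi
    echo "ok: link, lease and zone all look right"
}

# Constructed sample input, modelled on the outputs quoted in the thread.
LINKS_DOWN='lo      UNKNOWN  00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
virbr1  DOWN     52:54:00:00:00:01 <BROADCAST,MULTICAST>'
LINKS_UP='virbr1  UP       52:54:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>'
ZONE_UNBOUND='public
  interfaces: 
  services: dhcpv6-client samba ssh'
ZONE_BOUND='public (active)
  interfaces: virbr1
  services: dhcpv6-client samba ssh'

triage "$LINKS_DOWN" "$ZONE_BOUND"   169.254.215.250 virbr1
triage "$LINKS_UP"   "$ZONE_UNBOUND" 192.168.100.130 virbr1
triage "$LINKS_UP"   "$ZONE_BOUND"   192.168.100.130 virbr1
```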

  7. #7

    Re: Samba and Firewalld

    Quote Originally Posted by ArthurDent View Post
    Ok, it appears that I got it running.
    After the guest didn't seem to be able to connect to the network device I rechecked
    Code:
    ip a
    on my host and discovered that virbr1 was DOWN (although I could swear I checked this before and at that time it was UP). But this does of course explain why the guest isn't able to connect to it. So I ran
    Code:
    ifconfig virbr1 up
    and rebooted and now I can reach the SAMBA server with \\192.168.100.1.

    I will try to reproduce this on another machine to see if it really just was the deactivated module or the combination with adding it to the public zone of the firewall.
    But so far, thank you both very much for your help and pointing me in the right direction. I appreciated it very much.
    Glad to have been of assistance - although there was only one of us.
    openSUSE Leap 15.0; KDE Plasma 5