Samba and Firewalld

Good afternoon everyone,

I sincerely hope that this is not a duplicate. I used the forum search with “samba firewall” but I wasn’t able to solve my problem.
I have a Windows 7 virtual machine configured using libvirt (through virt-manager). I intend to share files using Samba between host and guest OS through an isolated virtual network (device is virbr1 at 192.168.100.1). I have followed the instructions from swerdna to set up the firewall, but I am not able to connect to my samba server from within the guest with an active firewall. If I turn the firewall off, everything works fine. I think I have tried almost every possible configuration, but I can’t get it to work. If anyone has an idea, please let me know.
These settings actually worked before using gnome-boxes but now with virt-manager it’s kinda messed up.

firewall-cmd --list-all


public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client samba ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

smb.conf:


[global]
    workgroup = SAMBA
    dns proxy = no
    lanman auth = yes
    ntlm auth = yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    server role = standalone server
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n *Retype\snew\s*\spassword:* %n *password\supdated\ssuccessfully* .
    pam password change = yes

[Downloads]
    comment = Download Folder
    read only = no
    locking = no
    path = /home/sascha/Downloads
    guest ok = no

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no

[Öffentlich]
    comment = 
    inherit acls = Yes
    path = /home/sascha/Öffentlich
    read only = No
    vfs objects = 

If you need more information please let me know!

You have no interfaces listed in the public zone.

Thank you. You are absolutely right. Since I try to use the virtual adapter “virbr1” I assume that this needs to be listed in the public zone. Therefore I added it to the public zone using

sudo firewall-cmd --zone=public --change-interface=virbr1

Leading to

user@machine:~>  firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: virbr1
  sources: 
  services: dhcpv6-client samba ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


But still neither \\192.168.122.1 nor \\10.0.2.2 result in a connection in the Windows guest system.

Edit: When checking the firewalld logs I found the following.


2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr1 --out-interface virbr1 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virbr1 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr1 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virbr1 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-08-07 13:50:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

Sounds like it isn’t able to add rules libvirt tries to introduce for virbr1. But I have basically no experience with firewalld so far.

Can you ping the guest IP address from the host OS successfully? If not, please show us the complete IP details on the guest

ip a
ip r

and on the host OS…

route print -4

Sounds like it isn’t able to add rules libvirt tries to introduce for virbr1. But I have basically no experience with firewalld so far.

From reading a similar report in a Red Hat thread, I note that an RH employee mentioned that they can be ignored, with the following explanation given:

Ignore these, these are not errors. Firewalld's design makes it impossible for it to distinguish real errors from failures that the caller expects to happen. Libvirt is running these commands to ensure the rules in question do not exist, and it expects them to give errors most of the time. There is no way for libvirt to stop these errors getting into firewalld's logs.

I am not able to ping the guest. See the following output:

user@machine:~> ping 169.254.215.250
PING 169.254.215.250 (169.254.215.250) 56(84) bytes of data.
From 188.1.245.13 icmp_seq=15 Packet filtered
From 188.1.245.13 icmp_seq=28 Packet filtered
From 188.1.245.13 icmp_seq=47 Packet filtered
^C
--- 169.254.215.250 ping statistics ---
47 packets transmitted, 0 received, +3 errors, 100% packet loss, time 47017ms

I am not able to execute “ip a” or “ip r” on the guest, since it is a Windows machine. All I can give you is the following (I hope you are ok with German, if not I will translate it):

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\User>ipconfig

Windows-IP-Konfiguration


Ethernet-Adapter LAN-Verbindung 2:

   Verbindungsspezifisches DNS-Suffix:
   Verbindungslokale IPv6-Adresse  . : fe80::6874:7102:fb27:d7fa%13
   IPv4-Adresse (Auto. Konfiguration): 169.254.215.250
   Subnetzmaske  . . . . . . . . . . : 255.255.0.0
   Standardgateway . . . . . . . . . :

Tunneladapter isatap.{80E053E9-5822-4B8A-A96C-01832D8AF7F1}:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:

Actually, it appears that the guest isn’t able to connect to the virtual network, since virbr1’s DHCP range is 192.168.100.128 - 192.168.100.254. And I cannot run “route print -4”, even after installing “net-tools-deprecated”, because it doesn’t know the argument “print”:

user@machine:~> route print -4
Benutzung: route [-nNvee] [-FC] [<AF>]           Kernelroutentabelle anzeigen
       route [-v] [-FC] {add|del|flush} ...  Routentabelle für AF ändern.

       route {-h|--help} [<AF>]              Genaue Syntax für AF anzeigen.
       route {-V|--version}                  Version/Autor anzeigen und Ende.

        -v, --verbose            Ausführliche Ausgaben
        -n, --numeric            don't resolve names
        -e, --extend             display other/more information
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              Routencache statt FIB anzeigen

  <AF>=Use -4, -6, '-A <af>' or '--<af>'; default: inet
  Liste möglicher Adressfamilien, die Routen unterstützen:
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) 
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) 
    x25 (CCITT X.25) 


Ok, it appears that I got it running.
After the guest didn’t seem to be able to connect to the network device I rechecked

ip a

on my host and discovered that virbr1 was DOWN (although I could swear I checked this before and at that time it was UP). But this does of course explain why the guest isn’t able to connect to it. So I ran

ifconfig virbr1 up

and rebooted, and now I can reach the SAMBA server with \\192.168.100.1.

I will try to reproduce this on another machine to see if it really just was the deactivated module or the combination with adding it to the public zone of the firewall.
But so far, thank you both very much for your help and for pointing me in the right direction. I appreciated it very much.

Glad to have been of assistance. :slight_smile:

Glad to have been of assistance - although there was only one of us. :slight_smile: