[oclug]samba iptables rules

[daniel quinn]

hello all
i'm trying to set up my iptables firewall to allow my smb server on that box 
to server shares to one windows box on my network and i've run into a little 
snag.  copying the following ruleset off of the samba.org site works just 
fine, but after looking at it a bit, i thought that i'd be able to refine and 
secure it a little more with the second version.  but the second version 
doesn't work.  can someone here tell me why?

# samba version 1
iptables -A INPUT  -p udp -s $LAN_ADDRESSES --sport 137 -d $LAN_ADDRESSES 
--dport 137 -j ACCEPT
iptables -A INPUT  -p udp -s $LAN_ADDRESSES --sport 138 -d $LAN_ADDRESSES 
--dport 138 -j ACCEPT
iptables -A INPUT  -p tcp -s $LAN_ADDRESSES --sport $UNPRIVPORTS -d 
$LAN_ADDRESSES --dport 139 -j ACCEPT

iptables -A OUTPUT -p udp -s $LAN_ADDRESSES --sport 137 -d $LAN_ADDRESSES 
--dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s $LAN_ADDRESSES --sport 138 -d $LAN_ADDRESSES 
--dport 138 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_ADDRESSES --sport 139 -d 
$LAN_ADDRESSES --dport $UNPRIVPORTS -j ACCEPT


# samba: version 2 (why doesn't this one work?)
iptables -A INPUT  -p udp -s $LAN_ADDRESSES --sport 137 -d $IPADDR --dport 137 
-j ACCEPT"
iptables -A INPUT  -p udp -s $LAN_ADDRESSES --sport 138 -d $IPADDR --dport 138 
-j ACCEPT"
iptables -A INPUT  -p tcp -s $LAN_ADDRESSES --sport $UNPRIVPORTS -d $IPADDR 
--dport 139 -j ACCEPT"

iptables -A OUTPUT -p udp -s $IPADDR --sport 137 -d $LAN_ADDRESSES --dport 137 
-j ACCEPT"
iptables -A OUTPUT -p udp -s $IPADDR --sport 138 -d $LAN_ADDRESSES --dport 138 
-j ACCEPT"
iptables -A OUTPUT -p tcp ! --syn -s $IPADDR --sport 139 -d $LAN_ADDRESSES 
--dport $UNPRIVPORTS -j ACCEPT"


any helpin this area would really make my day ;-)

-- 
for every complex problem
there is a simple solution

and it's wrong.
  - unknown