I would love to get some help.
I have already read and checked these other posts:
- How to turn YunoHost into a NAS with Samba - #7 by ljf
- Best practice to add custom IPtables?
- [SOLVED] Yunohost firewall reload deletes custom rules
My goal is to put Samba behind a VPN. This should work with smb.conf and/or the firewall, for security reasons.
I am trying to get Samba to work only on a VPN/WireGuard subnetwork, but neither the firewall rules nor the smb.conf networking restriction rules such as `host allow`, `host deny` and `interfaces` apply.
```ini
[global]
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
idmap config * : backend = tdb
workgroup = WORKGROUP
interfaces = lo enp2s0 127.0.0.0/8 10.22.10.0/24
bind interfaces only = yes
host allow = 127.0.0.1 10.22.10.0/24
host deny = 0.0.0.0/0

[sambashared]
comment = SAMBASHAREFOLDER
read only = no
path = /home/shared/server
browsable = yes
valid users = <UNICUSERNAME>
force create mode = 0775
force directory mode = 0775
guest ok = no
guest only = no
```
If I open the port with `yunohost firewall allow TCP 445`, I get Samba working, but on all IP ranges. It is not applying `host deny = 0.0.0.0/0`.
I can see the rules applied by running `iptables -nvL`:
```text
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   836 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8096
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
After doing `yunohost firewall disallow Both 445` and uncommenting the custom rules that are written in `/etc/yunohost/hooks.d/post_iptable_rules/99-samba_custom`:

```bash
#!/bin/bash
iptables -A INPUT -s 10.22.10.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 10.22.10.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 10.22.10.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 10.22.10.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
```
Applying the new filters either with `yunohost firewall reload` or `systemctl restart yunohost-firewall.service`, and checking the changes with `iptables -nvL`:
```text
Chain INPUT (policy DROP 12 packets, 522 bytes)
 pkts bytes target     prot opt in     out     source               destination
  286 37978 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    6   445 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8096
    8   480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.22.10.0/24        0.0.0.0/0            udp dpt:137
    0     0 ACCEPT     udp  --  *      *       10.22.10.0/24        0.0.0.0/0            udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       10.22.10.0/24        0.0.0.0/0            tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       10.22.10.0/24        0.0.0.0/0            tcp dpt:445

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
And Samba will not connect, with this error:

```text
do_connect: Connection to oficina.biciclot.coop failed (Error NT_STATUS_IO_TIMEOUT)
```
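An added example (not from the post or from YunoHost/Samba) that parses the restriction lines of the `[global]` section above and evaluates sample client addresses the way smbd's hosts allow/deny check does. Samba's parameter names are `hosts allow` and `hosts deny` (plural), so the singular keys in the posted config are unknown parameters that smbd logs and ignores; the checker reports them and shows that no host restriction is in force until they are renamed. `SAMPLE_CONF`, the client addresses and the helper names are constructed for this example.

```python
import configparser
import ipaddress

# smbd only knows "hosts allow"/"hosts deny" (and synonyms); the singular forms are
# unknown parameters that it logs as "Unknown parameter encountered" and ignores.
MISSPELLED = {"host allow": "hosts allow", "host deny": "hosts deny"}
ALLOW_KEYS, DENY_KEYS = ("hosts allow", "allow hosts"), ("hosts deny", "deny hosts")
# Constructed sample: the restriction lines from the post's [global] section.
SAMPLE_CONF = """[global]
host allow = 127.0.0.1 10.22.10.0/24
host deny = 0.0.0.0/0
"""

def parse_smb_conf(text):
    # smb.conf is INI-like; '%m'-style macros must not be interpolated by configparser
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lint_restrictions(global_sec):
    """Keys smbd would ignore, paired with the spelling it expects."""
    return [(k, MISSPELLED[k]) for k in global_sec if k in MISSPELLED]

def effective_lists(global_sec):
    """Only correctly spelled keys contribute; None means 'no list set'."""
    allow = next((v.split() for k, v in global_sec.items() if k in ALLOW_KEYS), None)
    deny = next((v.split() for k, v in global_sec.items() if k in DENY_KEYS), None)
    return allow, deny

def _matches(addr, patterns):
    ip = ipaddress.ip_address(addr)
    for p in patterns:
        try:  # CIDR or dotted-netmask forms; Samba's "10.22.10." shorthand is skipped
            if ip in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:
            continue
    return False

def host_permitted(addr, allow, deny):
    """Samba's allow_access() order: allow match wins, then deny match, then default."""
    if allow is not None and _matches(addr, allow):
        return True
    if deny is not None and _matches(addr, deny):
        return False
    return allow is None or deny is not None  # only an allow list alone denies the rest

def check(conf_text, clients):
    allow, deny = effective_lists(parse_smb_conf(conf_text)["global"])
    return {c: host_permitted(c, allow, deny) for c in clients}
```

Run `lint_restrictions` on the parsed `[global]` section to see the ignored keys, and `check` on the same text before and after renaming them to compare which clients smbd would accept.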