4.1 on Red Hat Linux OS. Links to those articles are at the bottom of this page.
The ports a Samba 4 Active Directory domain controller needs are listed below (collected from Microsoft's Active Directory port requirements page):
Protocols and Ports | Usage | Type of Traffic
--------------------|-------|----------------
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2
TCP 135 | Replication | RPC
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, Trusts | Windows Time
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 67 and UDP 2535 | DHCP | DHCP
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
There are two ways to write the rules:
- one rule per port
- a single rule covering all the ports (using the multiport match)
Both variants below restrict the ports to the 192.168.0.0/24 subnet. They do not open UDP 123 (NTP) or the dynamic RPC ports listed in the table; add those if the domain controller also serves time to its clients or if Group Policy/DCOM clients need the ports handed out by the RPC endpoint mapper.
Creating individual rules for each required port. The LOGGER chain has to exist before INPUT can jump to it, and LDAP needs TCP 389 as well as UDP 389:
# iptables -N LOGGER
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 88 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 135 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 5722 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 464 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 9389 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 389 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 88 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 445 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 464 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 138 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 67 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 2535 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp --dport 137 -j ACCEPT
# iptables -I INPUT 1 -s 192.168.0.0/24 -j LOGGER
# iptables -I LOGGER -p tcp --dport 389 -j LOG --log-prefix="LDAP: "
# iptables -I LOGGER -p tcp --dport 88 -j LOG --log-prefix="Kerberos: "
# iptables -I LOGGER -p tcp --dport 53 -j LOG --log-prefix="DNS: "
# iptables -I LOGGER -p tcp --dport 445 -j LOG --log-prefix="SMB: "
# iptables -I LOGGER -p tcp --dport 135 -j LOG --log-prefix="RPC: "
# iptables -I LOGGER -p tcp --dport 5722 -j LOG --log-prefix="SYSVOL: "
# iptables -I LOGGER -p tcp --dport 464 -j LOG --log-prefix="Kerberos pswd: "
# iptables -I LOGGER -p tcp --dport 9389 -j LOG --log-prefix="SOAP: "
# iptables -I LOGGER -p tcp --dport 139 -j LOG --log-prefix="NetLogon: "
# iptables -I LOGGER -p udp --dport 389 -j LOG --log-prefix="LDAP: "
# iptables -I LOGGER -p udp --dport 88 -j LOG --log-prefix="Kerberos: "
# iptables -I LOGGER -p udp --dport 53 -j LOG --log-prefix="DNS: "
# iptables -I LOGGER -p udp --dport 445 -j LOG --log-prefix="SMB: "
# iptables -I LOGGER -p udp --dport 464 -j LOG --log-prefix="Kerberos pswd: "
# iptables -I LOGGER -p udp --dport 138 -j LOG --log-prefix="Group Policy: "
# iptables -I LOGGER -p udp --dport 67 -j LOG --log-prefix="DHCP: "
# iptables -I LOGGER -p udp --dport 2535 -j LOG --log-prefix="DHCP: "
# iptables -I LOGGER -p udp --dport 137 -j LOG --log-prefix="NetBIOS: "
The LOGGER chain only logs and has no terminating rule, so a packet returns to INPUT afterwards and is then matched by the ACCEPT rules.
In case you want to deny all other traffic to the domain controller except from 192.168.0.0/24:
NOTE: This rule is dangerous in a production environment, as it blocks traffic from every network range other than the one mentioned. Because -I puts it at the top of INPUT, it also drops replies to connections the domain controller opens itself to hosts outside the subnet (NTP, package updates) unless an ESTABLISHED,RELATED accept rule is inserted above it. Loopback is exempted with ! -i lo, since 127.0.0.1 is not in 192.168.0.0/24 and local DNS lookups and samba-tool would otherwise break.
# iptables -I INPUT ! -i lo ! -s 192.168.0.0/24 -j DROP
Creating a single rule for multiple ports. Since each -I inserts at the top of the chain, the LOG rules added last end up above the ACCEPT rules, which is what makes them fire; if you use -A instead, add the LOG rules before the ACCEPT rules:
# iptables -I INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 389,88,53,445,135,5722,464,9389,139 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 389,88,53,445,464,138,67,2535,137 -j ACCEPT
# iptables -I INPUT -s 192.168.0.0/24 -p tcp -m multiport --dport 389,88,53,445,135,5722,464,9389,139 -j LOG --log-prefix="TCP_LOG: "
# iptables -I INPUT -s 192.168.0.0/24 -p udp -m multiport --dport 389,88,53,445,464,138,67,2535,137 -j LOG --log-prefix="UDP_LOG: "
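The following script is an added example and not code from the original article: it builds the multiport ruleset from a single port table, so the per-port and multiport variants cannot drift apart, and prints the rules for review before anything is applied. The LAN subnet, the chain name SAMBA_DC and the log rate limit are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the Samba 4
# AD DC ruleset from one port table so the per-port and multiport variants
# cannot drift apart, and print it for review before anything is applied.
# Assumptions (hypothetical, adjust for your site): the LAN is
# 192.168.0.0/24 and the custom chain is called SAMBA_DC.

LAN="${LAN:-192.168.0.0/24}"
CHAIN="SAMBA_DC"

# Port table from the article (Microsoft's AD port list). TCP 389 is
# included here; the article's per-port rule list left it out.
TCP_PORTS="389 88 53 445 135 5722 464 9389 139"
UDP_PORTS="389 88 53 445 464 138 67 2535 137"

# Emit the rules as text. Nothing is applied here, so this runs on a host
# without iptables or root, and the output can be compared with
# 'iptables-save' later.
samba_dc_rules() {
    tcp=$(printf '%s' "$TCP_PORTS" | tr ' ' ',')
    udp=$(printf '%s' "$UDP_PORTS" | tr ' ' ',')
    lim="-m limit --limit 10/min --limit-burst 20"

    # Rules are appended (-A), so the order printed is the order evaluated.
    echo "iptables -N $CHAIN"
    # Loopback and replies to connections the DC opened itself (NTP, yum)
    # must pass before any source-based DROP.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -s $LAN -j $CHAIN"
    # Log first, then accept; the limit match stops a port scan from
    # filling the log.
    echo "iptables -A $CHAIN -p tcp -m multiport --dports $tcp $lim -j LOG --log-prefix \"TCP_LOG: \""
    echo "iptables -A $CHAIN -p tcp -m multiport --dports $tcp -j ACCEPT"
    echo "iptables -A $CHAIN -p udp -m multiport --dports $udp $lim -j LOG --log-prefix \"UDP_LOG: \""
    echo "iptables -A $CHAIN -p udp -m multiport --dports $udp -j ACCEPT"
    echo "iptables -A $CHAIN -j RETURN"
    # Everything that is not from the LAN is dropped; LAN traffic to
    # unlisted ports falls through to the INPUT policy, as in the article.
    echo "iptables -A INPUT ! -s $LAN -j DROP"
}

# Apply by feeding the generated lines to a shell; stop at the first error.
# Run once on a fresh ruleset (-N fails if the chain already exists).
samba_dc_apply() {
    samba_dc_rules | sh -e
}

case "${1:-print}" in
    print) samba_dc_rules ;;
    apply) samba_dc_apply ;;
esac
```

Run it without arguments to review the rules, and with `apply` as root to load them. Generating the rules from one table is what keeps the LOG and ACCEPT port lists identical; with the hand-typed rules above, a port added to one list but not the other is easy to miss.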
For testing I applied these rules on my machine; the resulting entries are shown below. Kernel LOG messages land in /var/log/messages on RHEL unless rsyslog is configured to write them to a separate file such as /var/log/firewall.log.
# cat /var/log/firewall.log
Sep 24 15:07:31 test kernel: TCP_LOG: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3224 DF PROTO=TCP SPT=1181 DPT=389 WINDOW=64912 RES=0x00 ACK FIN URGP=0
Sep 24 15:07:32 test kernel: TCP_LOG: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3262 DF PROTO=TCP SPT=65107 DPT=53 WINDOW=65460 RES=0x00 ACK FIN URGP=0
Sep 24 15:07:32 test kernel: TCP_LOG: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3248 DF PROTO=TCP SPT=1173 DPT=445 WINDOW=64343 RES=0x00 ACK URGP=0
Sep 24 15:07:32 test kernel: UDP_LOG: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=342 TOS=0x00 PREC=0x00 TTL=128 ID=3249 PROTO=UDP SPT=1191 DPT=88 LEN=322
Sep 24 15:07:39 test kernel: TCP_LOG: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=3276 DF PROTO=TCP SPT=1187 DPT=135 WINDOW=65311 RES=0x00 ACK URGP=0
Sep 24 15:07:39 test kernel: UDP_LOG: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:8a:13:1c:08:00 SRC=192.168.0.148 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15968 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 24 15:07:39 test kernel: UDP_LOG: IN=eth0 OUT= MAC=00:50:56:9e:79:17:00:50:56:8a:71:2b:08:00 SRC=192.168.0.30 DST=192.168.0.61 LEN=318 TOS=0x00 PREC=0x00 TTL=128 ID=3278 PROTO=UDP SPT=138 DPT=138 LEN=298
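Reading raw LOG lines gets tedious quickly. The script below is an added example, not part of the original article: it summarises the TCP_LOG/UDP_LOG entries per protocol, destination port and source address, and counts broadcast datagrams separately. SAMPLE_LOG is constructed input: the seven entries shown above (MAC field shortened) plus two made-up lines, a second TCP 445 hit from 192.168.0.30 and an LDAP hit from a hypothetical client 192.168.0.77.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the kernel LOG
# lines produced by the TCP_LOG/UDP_LOG rules so you can see which client
# talks to which DC port and how often, instead of reading raw entries.
# SAMPLE_LOG is constructed input: the seven entries shown in the article
# (MAC field shortened) plus two made-up lines, one repeating a TCP 445
# hit from 192.168.0.30 and one LDAP hit from a hypothetical 192.168.0.77.

SAMPLE_LOG=$(cat <<'EOF'
Sep 24 15:07:31 test kernel: TCP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3224 DF PROTO=TCP SPT=1181 DPT=389 WINDOW=64912 RES=0x00 ACK FIN URGP=0
Sep 24 15:07:32 test kernel: TCP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3262 DF PROTO=TCP SPT=65107 DPT=53 WINDOW=65460 RES=0x00 ACK FIN URGP=0
Sep 24 15:07:32 test kernel: TCP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3248 DF PROTO=TCP SPT=1173 DPT=445 WINDOW=64343 RES=0x00 ACK URGP=0
Sep 24 15:07:32 test kernel: UDP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.30 DST=192.168.0.61 LEN=342 TOS=0x00 PREC=0x00 TTL=128 ID=3249 PROTO=UDP SPT=1191 DPT=88 LEN=322
Sep 24 15:07:39 test kernel: TCP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.30 DST=192.168.0.61 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=3276 DF PROTO=TCP SPT=1187 DPT=135 WINDOW=65311 RES=0x00 ACK URGP=0
Sep 24 15:07:39 test kernel: UDP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.148 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15968 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 24 15:07:39 test kernel: UDP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.30 DST=192.168.0.61 LEN=318 TOS=0x00 PREC=0x00 TTL=128 ID=3278 PROTO=UDP SPT=138 DPT=138 LEN=298
Sep 24 15:07:40 test kernel: TCP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.30 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=3301 DF PROTO=TCP SPT=1199 DPT=445 WINDOW=64343 RES=0x00 ACK URGP=0
Sep 24 15:07:41 test kernel: TCP_LOG: IN=eth0 OUT= MAC=xx SRC=192.168.0.77 DST=192.168.0.61 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4410 DF PROTO=TCP SPT=2011 DPT=389 WINDOW=64912 RES=0x00 ACK URGP=0
EOF
)

# Read log lines on stdin; print "PROTO DPT SRC COUNT" for every distinct
# protocol, destination port and source address, sorted.
firewall_summary() {
    awk '
        /kernel: (TCP|UDP)_LOG: / {
            proto = ""; dpt = ""; src = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
            }
            if (proto != "" && dpt != "" && src != "") count[proto " " dpt " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Broadcast datagrams to x.x.x.255 (NetBIOS name and datagram service on
# UDP 137/138) are logged by the rules although they are not addressed to
# the DC itself; count them separately so they do not inflate the
# per-client figures.
broadcast_hits() {
    grep -c 'DST=[0-9.]*\.255 '
}

# Run both reports over the constructed sample. On a real host use
# "firewall_summary < /var/log/firewall.log" instead.
firewall_summary_sample() {
    printf '%s\n' "$SAMPLE_LOG" | firewall_summary
}
broadcast_hits_sample() {
    printf '%s\n' "$SAMPLE_LOG" | broadcast_hits
}

firewall_summary_sample
echo "broadcast datagrams: $(broadcast_hits_sample)"
```

On the sample this reports eight distinct protocol/port/client combinations, with TCP 445 from 192.168.0.30 counted twice and one broadcast datagram. A source address that is not a known domain member, or a hit on TCP 464 (password changes) from a machine that has no business there, is the kind of line worth following up.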
Related Articles
Samba 4.1 as Active Directory configuration guide
Configure NTP server for Samba4
Samba4 related commands
Create Roaming Profiles in Samba4