November 15, 2019

Alfresco tips and tricks – #6 CIFS and FTP on non privileged ports using IPTABLES

The CIFS server (and the FTP server as well) listens on ports in the privileged range (137, 138, 139, 445, 21 and so on), so on a Unix machine you would have to run Alfresco from a privileged account. To avoid this you can make CIFS and FTP listen on non-privileged ports and use iptables (the administration tool for IPv4 packet filtering and NAT) to redirect the privileged ports to them, through the built-in PREROUTING chain of the nat table. Keep in mind that the redirect is applied before the filter table sees the packet, so the firewall rules must accept the redirected (high) ports, not the original ones.
Let's see how to configure iptables on a CentOS operating system.

Ensure you define non privileged ports in the alfresco-global.properties.

### CIFS/SMB
###
cifs.enabled=true
cifs.ipv6.enabled=false
cifs.tcpipSMB.port=1445
cifs.netBIOSSMB.namePort=1137
cifs.netBIOSSMB.datagramPort=1138
cifs.netBIOSSMB.sessionPort=1139

### FTP
###
ftp.enabled=true
ftp.port=2121

Update the iptables configuration file.

$ vi /etc/sysconfig/iptables
### Define the nat table
###
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
-A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
-A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
-A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
-A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
COMMIT

### Define the filter table to firewall the services
### (REDIRECT in nat PREROUTING rewrites the destination port before the
### packet reaches INPUT, so accept the high ports Alfresco listens on,
### not 137/138/139/445/21)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 1137 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 1138 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 1139 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 1445 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2121 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

$ /etc/init.d/iptables restart

A note about IPv4 forwarding: the REDIRECT to local ports works without it, but if the host must also route traffic through the FORWARD chain above, enable forwarding in sysctl.conf, reload it and restart iptables, then list the nat table to verify the redirect rules are loaded.

$ vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

$ sysctl -p /etc/sysctl.conf

$ /etc/init.d/iptables restart
$ iptables -t nat -L -nv
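The pitfall in this setup is that the filter table sees the port after the redirect, so an INPUT rule for 139 or 445 silently does nothing while the REJECT rule drops the redirected connection. The following script is an added example, not part of the original post or of Alfresco: it audits an iptables-save style dump, checks that each privileged CIFS/FTP port has a REDIRECT in nat PREROUTING, and checks that the filter table accepts the redirected port. The SAMPLE_RULES dump is constructed here in the CentOS layout used above, and its tcp/139 filter rule is a deliberate mistake (it accepts the pre-redirect port). On a real host you would feed it "$(iptables-save)" instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump to check
# that every privileged CIFS/FTP port is redirected in nat PREROUTING and that the
# filter table accepts the *redirected* port, which is the port INPUT actually sees.
# SAMPLE_RULES is a constructed dump; the tcp/139 ACCEPT is a deliberate mistake.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
-A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
-A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
-A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
-A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
COMMIT
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 1137 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 1138 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 1445 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2121 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# redirect_target RULES PROTO PORT: print the --to-ports value of the nat
# PREROUTING REDIRECT rule for PROTO/PORT, or nothing if there is no such rule.
redirect_target() {
    printf '%s\n' "$1" | sed -n '/^\*nat$/,/^COMMIT$/p' |
      awk -v p="$2" -v d="$3" '
        /^-A PREROUTING / && $0 ~ ("-p " p " ") && $0 ~ ("--dport " d " ") {
            for (i = 1; i <= NF; i++) if ($i == "--to-ports") print $(i + 1)
        }'
}

# filter_accepts RULES PROTO PORT: succeed if the filter table has an ACCEPT
# rule for PROTO/PORT (the trailing space in the dport match avoids 21 vs 2121).
filter_accepts() {
    printf '%s\n' "$1" | sed -n '/^\*filter$/,/^COMMIT$/p' |
      grep -q -- "-p $2 --dport $3 -j ACCEPT"
}

# check_service RULES PROTO PRIVPORT: report one service. Exit status 0 = ok,
# 1 = no redirect rule, 2 = redirect exists but the filter does not accept the
# redirected port (the REJECT rule will drop the connection).
check_service() {
    target=$(redirect_target "$1" "$2" "$3")
    if [ -z "$target" ]; then
        echo "$2/$3: MISSING_REDIRECT"
        return 1
    fi
    if filter_accepts "$1" "$2" "$target"; then
        echo "$2/$3 -> $target: ok"
        return 0
    fi
    echo "$2/$3 -> $target: FILTER_BLOCKS_REDIRECTED_PORT (accept --dport $target, not $3)"
    return 2
}

# audit_rules RULES: check every CIFS/FTP port; succeed only if all are ok.
audit_rules() {
    rules=$1
    rc=0
    for svc in "udp 137" "udp 138" "tcp 139" "tcp 445" "tcp 21"; do
        set -- $svc
        check_service "$rules" "$1" "$2" || rc=1
    done
    return $rc
}

audit_rules "$SAMPLE_RULES" || echo "ruleset needs fixing"
```

With the constructed dump the script flags tcp/139 (the filter accepts 139 instead of 1139) and reports the other four services as ok. The matching is deliberately literal (it only understands the `-p PROTO --dport PORT -j ACCEPT` form written above), so rules using multiport or a different option order would need the grep pattern extended.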


4 Comments

  1. Giuseppe Urso

    Thanks!
    My idea is to collect a series of quick useful tips for rapid settings and maintenance. When a client calls for support I need a practical vademecum… you know 😉
