Alfresco tips and tricks – #6 CIFS and FTP on non privileged ports using IPTABLES

The CIFS server (as well as FTP) uses ports in the privileged socket range (137, 138, 139, 21 etc.), so if you are in a unix machine you will be required to run Alfresco from a privileged account. To avoid this you can run CIFS on non privileged ports using iptables (administration tool for IPv4 packet filtering and NAT) and the built-ins PREROUTING chain in a nat table.
Let’s see how to configure iptable in a CentOS operative system.

Ensure you define non privileged ports in the alfresco-global.properties.

### CIFS/SMB
###
cifs.enabled=true
cifs.ipv6.enabled=false
cifs.tcpipSMB.port=1445
cifs.netBIOSSMB.namePort=1137
cifs.netBIOSSMB.datagramPort=1138
cifs.netBIOSSMB.sessionPort=1139

### FTP
###
ftp.enabled=true
ftp.port=2121

Update the iptables configuration file.

$ vi /etc/sysconfig/iptables

### Define the nat table
###
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
-A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
-A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
-A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
-A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
COMMIT

### Define the filter table to firewalling services
###
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

/etc/init.d/iptables restart

A note about the ipv4 forwarding

$ vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

$ sysctl -p /etc/sysctl.conf

$ /etc/init.d/iptables restart
$ iptables -t nat -L -nv

4 Comments

Richard Esplin
24 June 2014 at 15:42

It is nice to have a recipe for this common task.

Giuseppe Urso
24 June 2014 at 15:43

Thanks!
My idea is to collect a series of quick useful tips for rapid settings and maintenances. When I client call for support I need a practical vademecum…you now 😉

Max
23 February 2015 at 16:25

Hi, can you explain why it says :
cifs.enabled=false
Or is this just a mistake?

1. Giuseppe Urso
  23 February 2015 at 16:49
  
  Hi Max,
  
  thanks for you comments.
  Obviously the cifs service must be enabled. I updated it
  😉

share

Leave a Reply to Max Cancel Reply