Can not connect to CIFS, ports not allowed in iptables
Hi,
I'm trying to connect to a CIFS drive (Hetzner StorageBox) but didn't succeed. After some debugging it seems that the CIFS ports (139,445) are not allowed in the Cloudron iptables config.
I already ran
sudo systemctl restart cloudron-firewall
and rebooted the machine. I followed this Hetzner guide to mount from CLI: https://docs.hetzner.com/storage/storage-box/access/access-samba-cifs
$ sudo mount.cifs -o user=uxxxxx,pass=xxxxx,iocharset=utf8 //uxxxxxx.your-storagebox.de/backup /mnt/cifs-test
mount error(115): Operation now in progress
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target                    prot opt source               destination
CLOUDRON_RATELIMIT        all  --  anywhere             anywhere
CLOUDRON                  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target                    prot opt source               destination
CLOUDRON_RATELIMIT        all  --  anywhere             anywhere
DOCKER-USER               all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target                    prot opt source               destination

Chain CLOUDRON (1 references)
target                    prot opt source               destination
DROP                      all  --  anywhere             anywhere             match-set cloudron_blocklist src
ACCEPT                    all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT                    tcp  --  anywhere             anywhere             tcp multiport dports ssh,http,202,https
ACCEPT                    tcp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT                    udp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT                    udp  --  anywhere             anywhere             multiport dports 50000:51000
ACCEPT                    icmp --  anywhere             anywhere             icmp echo-request
ACCEPT                    icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT                    udp  --  anywhere             anywhere             udp spt:domain
ACCEPT                    tcp  --  172.18.0.0/16        p2-main-htz          multiport dports 3002,3003
ACCEPT                    udp  --  172.18.0.0/16        anywhere             udp dpt:domain
ACCEPT                    all  --  anywhere             anywhere
LOG                       all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "Packet dropped: "
DROP                      all  --  anywhere             anywhere

Chain CLOUDRON_RATELIMIT (2 references)
target                    prot opt source               destination
CLOUDRON_RATELIMIT_LOG    tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG    tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
                          tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: public-22 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 10 hit_count: 5 name: public-22 side: source mask: 255.255.255.255
                          tcp  --  anywhere             anywhere             tcp dpt:202 state NEW recent: SET name: public-202 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG    tcp  --  anywhere             anywhere             tcp dpt:202 state NEW recent: UPDATE seconds: 10 hit_count: 5 name: public-202 side: source mask: 255.255.255.255
                          tcp  --  anywhere             anywhere             tcp dpt:222 state NEW recent: SET name: public-222 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG    tcp  --  anywhere             anywhere             tcp dpt:222 state NEW recent: UPDATE seconds: 10 hit_count: 5 name: public-222 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG    tcp  --  anywhere             anywhere             tcp dpt:ldaps flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG    tcp  --  anywhere             anywhere             tcp dpt:3004 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG    tcp  -- !172.18.0.0/16        172.18.0.0/16        tcp dpt:2525 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 50
CLOUDRON_RATELIMIT_LOG    tcp  -- !172.18.0.0/16        172.18.0.0/16        tcp dpt:sieve flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 50
CLOUDRON_RATELIMIT_LOG    tcp  -- !172.18.0.0/16        172.18.0.0/16        tcp dpt:9993 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 50
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:2525 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:3002 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:sieve flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:9993 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:9995 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:mysql flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:postgresql flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:redis flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG    tcp  --  172.18.0.0/16        172.18.0.0/16        tcp dpt:27017 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000

Chain CLOUDRON_RATELIMIT_LOG (19 references)
target                    prot opt source               destination
LOG                       all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables RateLimit: "
DROP                      all  --  anywhere             anywhere

Chain DOCKER (3 references)
target                    prot opt source               destination
ACCEPT                    tcp  --  anywhere             172.17.0.2           tcp dpt:postgresql
ACCEPT                    tcp  --  anywhere             172.18.0.3           tcp dpt:2003
ACCEPT                    udp  --  anywhere             172.18.19.208        udp dpt:8443
ACCEPT                    tcp  --  anywhere             172.18.0.5           tcp dpt:ssh

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target                    prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN                    all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target                    prot opt source               destination
DROP                      all  --  anywhere             anywhere
DROP                      all  --  anywhere             anywhere
DROP                      all  --  anywhere             anywhere
RETURN                    all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target                    prot opt source               destination
DROP                      all  --  anywhere             anywhere             match-set cloudron_blocklist src
RETURN                    all  --  anywhere             anywhere
Any ideas what to do here? Thx!
@perelin said in Can not connect to CIFS, ports not allowed in iptables:
CIFS ports (139,445)
These are outbound ports and not blocked by firewall.
Are you able to ping your storage box? I can ping mine. If you are on Hetzner, this could also be an IPv6 routing issue (you have to open a support ticket with them to resolve this. I had to do this for my dedi).
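To make the point of the reply concrete: the CLOUDRON chain in the listing above hangs off INPUT and FORWARD only, the OUTPUT chain has policy ACCEPT and no rules, and the replies from the storage box come back through the `state RELATED,ESTABLISHED` rule. Error 115 (EINPROGRESS) from mount.cifs means the TCP connect to port 445 never completed, which is not what a local DROP would produce. The script below is an added triage helper, not Cloudron's or Hetzner's code: it parses `iptables -S OUTPUT` to prove whether the local firewall touches the port, then (in `--live` mode) resolves the hostname over A and AAAA separately and connect-tests each family, which is the quickest way to see the IPv6 routing problem the reply mentions. It assumes an OpenBSD-style `nc` that understands `-4`, `-6`, `-z` and `-w`; the hostname you pass and the embedded sample chain are constructed placeholders.

```shell
#!/bin/sh
# Added triage helper for an outbound CIFS mount failing with
# "mount error(115): Operation now in progress" (a connect that never completes).
# Not Cloudron's or Hetzner's code. Assumes iptables, getent and an
# OpenBSD-style nc (-4/-6/-z/-w) are installed. The constructed sample below
# mirrors the OUTPUT chain in the post: default policy ACCEPT, no rules.
SAMPLE_OUTPUT_CHAIN='-P OUTPUT ACCEPT'

# classify_chain PORT  <  "iptables -S CHAIN" text on stdin
# Prints "policy=<P> blocked=<no|yes|maybe>" for TCP destination PORT:
#   yes   - a DROP/REJECT rule names the port (--dport or multiport --dports)
#   maybe - a DROP/REJECT rule exists that is not port based (ipset, -d, ...)
#   no    - nothing in the chain rejects the port; the chain policy decides
classify_chain() {
  port="$1"; policy="unknown"; blocked="no"
  while IFS= read -r rule; do
    case "$rule" in
      "-P "*) policy="${rule##* }"; continue ;;   # "-P OUTPUT ACCEPT" -> ACCEPT
      *"-j DROP"*|*"-j REJECT"*) ;;                # only rejecting rules matter
      *) continue ;;
    esac
    case "$rule" in
      *"--dports "*) ports="${rule#*--dports }" ;;
      *"--dport "*)  ports="${rule#*--dport }" ;;
      *) [ "$blocked" = yes ] || blocked="maybe"; continue ;;
    esac
    ports="${ports%% *}"                   # keep only the port-list token
    case ",$ports," in
      *",$port,"*) blocked="yes" ;;        # ranges (a:b) are not expanded here
    esac
  done
  printf 'policy=%s blocked=%s\n' "$policy" "$blocked"
}

# advise FIREWALL_SUMMARY CONNECT_RESULT (ok|refused|failed) -> the next step
advise() {
  case "$1:$2" in
    *blocked=yes*:*)   echo "OUTPUT explicitly drops the port: fix that rule" ;;
    *policy=DROP*:*)   echo "OUTPUT default policy is DROP: add an outbound ACCEPT for the port" ;;
    *:ok)              echo "TCP reaches the server: look past the network (credentials, share path, dmesg)" ;;
    *:refused)         echo "a host answered but nothing listens: wrong address or wrong port" ;;
    *blocked=maybe*:*) echo "a non-port DROP/REJECT rule exists in OUTPUT: inspect it before looking upstream" ;;
    *)                 echo "local firewall is not involved: compare IPv4 vs IPv6 reachability and routing upstream" ;;
  esac
}

# demo: the situation in the post (empty ACCEPT chain, connect times out)
demo() {
  fw="$(printf '%s\n' "$SAMPLE_OUTPUT_CHAIN" | classify_chain 445)"
  advise "$fw" failed
}

# live_check HOSTNAME [PORT]: run the same logic against this machine
live_check() {
  host="$1"; port="${2:-445}"
  fw="$(sudo iptables -S OUTPUT | classify_chain "$port")"
  echo "OUTPUT chain: $fw"
  echo "A records:    $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u | tr '\n' ' ')"
  echo "AAAA records: $(getent ahostsv6 "$host" | awk '{print $1}' | sort -u | tr '\n' ' ')"
  res=failed
  for fam in 4 6; do
    if nc "-$fam" -z -w 5 "$host" "$port" 2>/dev/null; then r=ok; res=ok; else r=failed; fi
    echo "IPv$fam connect to $host:$port -> $r"
  done
  echo "Next step: $(advise "$fw" "$res")"
}

if [ "${1:-}" = "--live" ]; then
  live_check "$2" "${3:-445}"
fi
```

Run it as `sh cifs-triage.sh --live uXXXXXX.your-storagebox.de` (placeholder hostname); without arguments it only defines the functions, so `demo` can be called from another script. If the AAAA lookup succeeds but only the IPv6 connect fails, the kernel will have tried IPv6 first and the symptom is exactly the 115 timeout in the post, with nothing in the local firewall to fix.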