LinuxQuestions.org
Old 04-15-2014, 11:34 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 543

Rep: Reputation: Disabled
iptables and Samba


I have a shared file provided by Samba. I cannot access it from a Windows 7 PC located on my LAN. If I turn iptables off, I can then access it. Furthermore, if I later turn iptables back on, I can still access it. It appears that the ESTABLISHED rule allows the latter. I am thinking I must use a different protocol than tcp, most likely udp for potentially ports 137, 138, and 139. Before just willy-nilly proceeding, I would like to understand the implications. Do I really need ports 137, 138, 139, and 445? udp on each of them? Also tcp on each of them? Even though I have a hardware firewall between my LAN and the Internet and configured Samba to only allow hosts from 127. and 192.168.0., is it best to have iptables restrict these ports to 192.168.0.? Thank you

Code:
[root@devServer ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    9  1115 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere    
    1    57 ACCEPT     all  --  lo     any     anywhere             anywhere    
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:microsoft-ds state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:netbios-ssn state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:netbios-dgm state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:netbios-ns state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ndmp state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http state NEW
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 10 packets, 1348 bytes)
 pkts bytes target     prot opt in     out     source               destination 


[root@devServer ~]# cat /etc/samba/smb.conf
[global]
workgroup=WORKGROUP
server string = Samba Server Version %v

# interfaces = lo wlan0 192.168.0.1/24
hosts allow = 127. 192.168.0.

log file = /var/log/samba/log.%m
max log size = 50

security = user
passdb backend = tdbsam

[www]
        comment = Apache WWW Directory
        path = /var/www
        public = no
        # valid users = phped
        writable = yes
        browseable = yes
        create mask = 0775
        create mode = 0775
        directory mode = 0775
        share modes = yes
[root@devServer ~]#
 
Old 04-16-2014, 05:17 AM   #2
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 9,256

Rep: Reputation: 2686
2 of the ports are tcp and 2 are udp:

137 & 138 - udp
139 & 445 - tcp

Try changing the first 2, as you have all set for tcp, and you should be good to go
 
1 members found this post helpful.
Old 04-16-2014, 06:04 AM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 543

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by grail View Post
2 of the ports are tcp and 2 are udp:

137 & 138 - udp
139 & 445 - tcp

Try changing the first 2, as you have all set for tcp, and you should be good to go
Thanks Grail, works great!

Even though I have a hardware firewall between my LAN and the Internet and configured Samba to only allow hosts from 127. and 192.168.0., is it best to have iptables restrict these ports to 192.168.0.? Thank you
 
Old 04-16-2014, 12:40 PM   #4
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 9,256

Rep: Reputation: 2686
Hmmm ... it may be, unfortunately I am in the process of learning about iptables too :$ My thoughts are that the tighter you restrict things the safer you are, however it may also mean you need to perform a lot more settings to make other things available.

Hopefully one of the firewall gurus will jump on and advise further
 
Old 04-18-2014, 05:51 AM   #5
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,285

Rep: Reputation: 61
If you were having anyone from the internet accessing the Samba server for any other service, then yes, you would run a firewall. The hardware firewall will help to protect the server, but anything allowed through you can do a final filter with iptables.
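
The two points raised in this thread (137/138 are udp while 139/445 are tcp, and whether to limit the Samba ports to the LAN) can be checked against a rule listing. The script below is an added example, not part of any post above: it audits `iptables -L INPUT -v` output and prints, without running them, replacement rules restricted to one network. The function names are hypothetical, and 192.168.0.0/24 is assumed to be the CIDR form of the `192.168.0.` prefix in smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `iptables -L INPUT -v` output on stdin and report Samba port rules
# that use the wrong transport or accept traffic from any source address.
audit_samba_rules() {
    awk '
    BEGIN {
        # Transport per port, as given in post #2.
        want["137"] = "udp"; want["138"] = "udp"
        want["139"] = "tcp"; want["445"] = "tcp"
        # Service names iptables prints when -n is not used.
        num["netbios-ns"] = "137";  num["netbios-dgm"] = "138"
        num["netbios-ssn"] = "139"; num["microsoft-ds"] = "445"
    }
    $3 == "ACCEPT" {
        port = ""
        for (i = 10; i <= NF; i++)
            if ($i ~ /^dpt:/) port = substr($i, 5)
        if (port in num) port = num[port]
        if (!(port in want)) next
        if ($4 != want[port])
            printf "WRONG-PROTO port %s opened for %s, Samba uses %s\n", port, $4, want[port]
        if ($8 == "anywhere" || $8 == "0.0.0.0/0")
            printf "OPEN-SOURCE port %s/%s accepts any source address\n", port, $4
    }'
}

# Print replacement rules limited to one LAN (CIDR in $1). -I puts them at the
# top of INPUT; rules appended with -A would sit after the final REJECT.
samba_rules() {
    lan=$1
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        echo "iptables -I INPUT -s $lan -p ${spec%%:*} --dport ${spec##*:} -m state --state NEW -j ACCEPT"
    done
}

# The four Samba rows from the listing in post #1.
SAMPLE='    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:microsoft-ds state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:netbios-ssn state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:netbios-dgm state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:netbios-ns state NEW'

printf '%s\n' "$SAMPLE" | audit_samba_rules
samba_rules 192.168.0.0/24
```

The audit flags the tcp rules for 137 and 138 as wrong-protocol and all four rules as open to any source; the original unrestricted rules stay in the chain until they are deleted.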
 
  


All times are GMT -5.
