This is my iptables script:

#!/bin/sh

/sbin/modprobe ip_conntrack_ftp

/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle

/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate INVALID -j DROP
/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate RELATED -j ACCEPT

/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT

/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate NEW -p tcp --dport 139 -j ACCEPT
/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate NEW -p tcp --dport 445 -j ACCEPT

/sbin/iptables -t filter -A INPUT -m udp -p udp --dport 137 -j ACCEPT
/sbin/iptables -t filter -A INPUT -m udp -p udp --dport 138 -j ACCEPT

/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate NEW -p icmp -j ACCEPT


# --------> Without this line samba not resolving windows names: -------<<<<<<<
/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate NEW -p udp -j ACCEPT


/sbin/iptables -t filter -A INPUT --in-interface eth0 -m conntrack --ctstate NEW -j DROP

/bin/echo 1 >/proc/sys/net/ipv4/ip_forward

/sbin/iptables -t nat -A POSTROUTING -s 10.73.148.2 -o eth0 -j MASQUERADE

So I forced to open all incoming udp packets, otherwise netbios names resolving not working.

I don't know much about netbios name resolution but I see at least 2 ways you could tacke this:

1. Is eth0 your public (e.g. internet) device? If it is, then why are you even using netbios over internet? If it is a private network, you could as well enable UDP on it.

2. You can track your packets using tcpdump, try to have a look at what ports/protocols are necessary and make specific rules allowing just the necessary ports. I don't believe it would be all random ports.