restrict Samba access to only certain LAN IP addresses?
 

hello,

I apologize if this has been answered before, I'm a relatively new Samba user.
Is it possible to restrict access to Samba shares across a Windows network to only certain IP addresses in a list I would give it? My boss wants our new Linux server to only give share access to a /u/sting/ subdirectory on it to just a handful of computers on the office LAN, not the entire office and definitely not people outside of the office on the interent, since we have data on the sever that needs to stay very Secure.
Can anyone tell me the steps I would take to make this type of IP-address-based security happen?

thanks in advance,
david

Yes, you would use the Samba global variable "hosts allow".

This can be be used to list acceptable hosts, like:

Or give a range of IPs:

There is also "hosts deny", which is the exact opposite. There you name hosts or networks that are not allowed to access the server.

If your machine has two interfaces (one on the LAN, one on the Internet) then you may also want to look into binding Samba to only a single interface. For example, to bind Samba to localhost and eth0, you would add the following lines to smb.conf:

MS3FGX:
hello, thank you for the quick reply.

regarding the interfaces question, all LAN and internet traffic goes through one ethernet port.

regarding the hosts allow and hosts deny statements, where are those stored so I can edit those (in a text editor I assume?)? Is there a hosts deny syntax I could use to restrict all traffic that's not 192.168.1.###?

thanks,
david

You would change them in the Samba configuration file, which should be located at /etc/samba/smb.conf.

As for blocking different IPs/ranges, you simply need to enter in whatever IPs are appropriate for your network. I only used the 192.x addresses as an example.