www.jdmz.net troy.jdmz.net

Samba and IPTables
Allowing Windows Client Access
This document explains how to configure an IPTables firewall to allow Windows networking clients to access the Samba server on your Linux host. The examples assume Red Hat Fedora Core 3, but others should work without much modification.
I have run Samba servers for a number of years now, always on private networks behind firewalls, and have usually turned off the firewall on the internal host so as not to complicate setup or troubleshooting. Having grown more security conscious over the years, I am now more likely to want to have a firewall up and only allow the minimum necessary holes through it. This short reference should explain the basics of allowing Samba traffic through an IPTables firewall, but little of configuring Samba itself.
Ports, Protocols, and Daemons
In the /etc/services file you will find a few lines that refer to Samba services:
netbios-ns 137/tcp # NetBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NetBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NetBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp # Microsoft Directory Service
microsoft-ds 445/udp
The picture this provides is somewhat deceiving, since the half of those lines could be removed and condensed to:
netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
because these are the ports the Samba server daemons listen on. The first three lines represent ports used by windows networking since TCP/IP networking came standard on the Windows 95 operating system. The remaining port came to be used when Microsoft introduced it's directory service with Windows 2000. It may be useful to note for troubleshooting or configuration purposes that the UDP protocols (ports 137 and 138) are serviced by the nmbd daemon, while the TCP protocols (ports 139 and 445) are serviced by smbd [1].
You can demonstrate what ports are being used by Samba by using these commands as root (in /tmp or someplace safe to make temporary files) [2]:
# service smb stop
# netstat -ln > netstat-ln-smb.before
# service smb start
# netstat -ln > netstat-ln-smb.after
# diff netstat-ln-smb.*
and you will see the ports listed above appear in the output, along with the protocol (TCP or UDP) they use to communicate. Please take a look at the man pages for netstat and diff if you find the output confusing.
Configuring IPTables
In it's simplest form, on a Red Hat-ish system like Fedora Core 3, you can add four lines to /etc/sysconfig/iptables just before the line with "-j REJECT" in it:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
and then restart the iptables service:
# service iptables restart
On many networks, there are hosts that don't need and should not have access to the Samba server on a Linux host. You may wish to limit the range of IP addresses that can successfully connect to the Samba server. Here is an example set that would replace the lines above:
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
This example would allow only hosts with IP addresses between 192.168.0.1 and 192.168.0.254 to contact the Samba server running on this host. Alternatively, if wanted limit access to a single host, use these lines as a replacement:
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 445 -j ACCEPT
This example would allow only the host with the IP address of 192.168.0.10 to contact the Samba server.
If you want multiple single hosts, or multiple subnets, to be able to connect to the Samba server, you will have to use multiple sets of the four configuration lines to express those rules before the "-j REJECT" line. IPTables has great power and flexibility, and more information concerning it is available from other sources.
Configuring Samba
As a sort of backstop to the firewall, you can configure Samba to only interoperate with certain network interfaces and hosts. Before doing this, consider documenting that both Samba and IPTables are being used to limit access to Samba, and possibly put comments in both configuration files.
interfaces is a global smb.conf configuration option that can remove the possibility of Samba connections occuring on one or more interfaces in a multihomed system. On systems with a single network interface, this option can still be useful for only allowing Samba to operate on the loopback interface, or those created by software like VMware. Here is a typical example of this options usage:
interfaces = 172.16.1.1 127.0.0.1
hosts allow and hosts deny are global smb.conf configuration options that allow (or deny) designated hosts or networks to make connections to the Samba server. These options are well documented in the man page, so I will only give an example here:
hosts deny = 172.16.1.128/255.255.255.128
hosts allow = 172.16.1.0/255.255.255.128 172.16.1.254
and mention that items listed in hosts allow override those things mentioned in hosts deny, and that the IP addresses allowed still need to authenticate to access Samba server resources.
Notes:
[1] If you watch your Windows hosts with snort or iptraf you may notice some traffic on port 135. This port is used for DCE RPC (Distributed Computing Environment and Remote Procedure Call) mapping, or telling those connected where the actual service they wish to connect to resides (like the portmap service). It has been exploited by at least a couple of worms, and on many Windows hosts the service may be turned off withoutdefect. Samba-3 (and previous Samba versions) do not use port 135, and so it is not included in the firewall configuration.
[2] It should not make a difference, but the commands were executed using the bash shell.
© 2006 Troy Johnson
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license should be available here and here.
The current copy of this document should be available here.
www.jdmz.net troy.jdmz.net