www.jdmz.net troy.jdmz.net

I have run Samba servers for a number of years now, always on private networks behind firewalls, and have usually turned off the firewall on the internal host so as not to complicate setup or troubleshooting. Having grown more security conscious over the years, I am now more likely to want to have a firewall up and only allow the minimum necessary holes through it. This short reference should explain the basics of allowing Samba traffic through an IPTables firewall, but little of configuring Samba itself.

In the /etc/services file you will find a few lines that refer to Samba services: The picture this provides is somewhat deceiving, since the half of those lines could be removed and condensed to: because these are the ports the Samba server daemons listen on. The first three lines represent ports used by windows networking since TCP/IP networking came standard on the Windows 95 operating system. The remaining port came to be used when Microsoft introduced it's directory service with Windows 2000. It may be useful to note for troubleshooting or configuration purposes that the UDP protocols (ports 137 and 138) are serviced by the nmbd daemon, while the TCP protocols (ports 139 and 445) are serviced by smbd [1].

You can demonstrate what ports are being used by Samba by using these commands as root (in /tmp or someplace safe to make temporary files) [2]: and you will see the ports listed above appear in the output, along with the protocol (TCP or UDP) they use to communicate. Please take a look at the man pages for netstat and diff if you find the output confusing.

In it's simplest form, on a Red Hat-ish system like Fedora Core 3, you can add four lines to /etc/sysconfig/iptables just before the line with "-j REJECT" in it: and then restart the iptables service:

On many networks, there are hosts that don't need and should not have access to the Samba server on a Linux host. You may wish to limit the range of IP addresses that can successfully connect to the Samba server. Here is an example set that would replace the lines above: This example would allow only hosts with IP addresses between 192.168.0.1 and 192.168.0.254 to contact the Samba server running on this host. Alternatively, if wanted limit access to a single host, use these lines as a replacement: This example would allow only the host with the IP address of 192.168.0.10 to contact the Samba server.

If you want multiple single hosts, or multiple subnets, to be able to connect to the Samba server, you will have to use multiple sets of the four configuration lines to express those rules before the "-j REJECT" line. IPTables has great power and flexibility, and more information concerning it is available from other sources.

As a sort of backstop to the firewall, you can configure Samba to only interoperate with certain network interfaces and hosts. Before doing this, consider documenting that both Samba and IPTables are being used to limit access to Samba, and possibly put comments in both configuration files.

interfaces is a global smb.conf configuration option that can remove the possibility of Samba connections occuring on one or more interfaces in a multihomed system. On systems with a single network interface, this option can still be useful for only allowing Samba to operate on the loopback interface, or those created by software like VMware. Here is a typical example of this options usage:

hosts allow and hosts deny are global smb.conf configuration options that allow (or deny) designated hosts or networks to make connections to the Samba server. These options are well documented in the man page, so I will only give an example here: and mention that items listed in hosts allow override those things mentioned in hosts deny, and that the IP addresses allowed still need to authenticate to access Samba server resources.

www.jdmz.net troy.jdmz.net