Thread: Allow Samba on local network with linux iptable rules firewall csf / lfd

  1. #1
    Join Date
    May 2006
    Location
    UK
    Beans
    295

    Allow Samba on local network with linux iptable rules firewall csf / lfd

    Hi, any help would be really appreciated with the correct iptables rule set to allow Samba on my local network. Currently my firewall is blocking it...

    I've looked around and I realise you can look up the right ports with netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

    but I've no idea the correct syntax and the correct rules needed to do this right and still keep the firewall safely working etc.

    Can anyone please post the lines I would need to add to achieve this on my ubuntu server?

    Thanks again for any help!
    www.mgcarforum.co.uk - Free forum community for MG car enthusiasts.

  2. #2
    Join Date
    Aug 2009
    Location
    Makati City, Philippines
    Beans
    2,270
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    If you use ubuntu, better use the ufw utility instead. Samba runs on TCP ports 139 and 445 and UDP ports 137 and 138

    So I guess the simplest command to allow those:
    Code:
    sudo ufw allow 139
    sudo ufw allow 445
    sudo ufw allow 137
    sudo ufw allow 138

  3. #3
    Join Date
    May 2006
    Location
    UK
    Beans
    295

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    Hi, thanks for the help. Unfortunately this doesn't seem to work for me as I'm using CSF and LFD. I would use ufw but I also have webmin installed which offers a csf module. I'd rather use that as I'm used to the same on the other cPanel servers I have.

    Does anyone know how I can get local-only samba to work with CSF?

    Thanks again for any help.
    www.mgcarforum.co.uk - Free forum community for MG car enthusiasts.

  4. #4
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,849
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    Pardon my ignorance, but what's CSF and LFD? Type of firewall?

    Since you found out how to check relevant ports, you only need to open those ports for inbound traffic and that's it. Doesn't matter much what the firewall is if you do that right.

    For direct iptables, you would do something like:
    Code:
    sudo iptables -A INPUT -p tcp --dport 139 -j ACCEPT
    Do that for all needed tcp and udp ports and test if it worked. However, if you are using some firewall "frontend" that uses iptables at the end, such commands directly with iptables might not be supported.

    Those rules will be temporary unless you make them permanent, but only for testing it will do. After that, there are variations like if you want to allow it only for some source IPs/networks you should use the '-s x.x.x.x/xx' option added to the above command. That will allow the traffic only from those IPs and networks. But if you need worldwide access, you can't really limit by IP.

    PS. Webmin??? Try to learn what you need and not to use webmin. There is a reason it is not a recommended and supported tool.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit

  5. #5
    Join Date
    May 2006
    Location
    UK
    Beans
    295

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    Hi thanks for the reply.

    CSF is just an iptables firewall for linux servers: http://configserver.com/cp/csf.html

    Doing netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

    gives me:

    Code:
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23102/smbd      
    tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23102/smbd      
    tcp6       0      0 :::139                  :::*                    LISTEN      23102/smbd      
    tcp6       0      0 :::445                  :::*                    LISTEN      23102/smbd      
    udp        0      0 192.168.122.255:137     0.0.0.0:*                           1267/nmbd       
    udp        0      0 192.168.122.1:137       0.0.0.0:*                           1267/nmbd       
    udp        0      0 192.168.0.255:137       0.0.0.0:*                           1267/nmbd       
    udp        0      0 192.168.0.100:137       0.0.0.0:*                           1267/nmbd       
    udp        0      0 0.0.0.0:137             0.0.0.0:*                           1267/nmbd       
    udp        0      0 192.168.122.255:138     0.0.0.0:*                           1267/nmbd       
    udp        0      0 192.168.122.1:138       0.0.0.0:*                           1267/nmbd       
    udp        0      0 192.168.0.255:138       0.0.0.0:*                           1267/nmbd       
    udp        0      0 192.168.0.100:138       0.0.0.0:*                           1267/nmbd       
    udp        0      0 0.0.0.0:138             0.0.0.0:*                           1267/nmbd
    So that's my ports and such. But I'm not sure how I actually add them, in the right syntax and format, to the iptables so that my local network has access to Samba but no one else does?

    Thanks again for any help. I can paste my iptables as they are currently if that helps?
    www.mgcarforum.co.uk - Free forum community for MG car enthusiasts.

  6. #6
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,849
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    I am confused as to why you need a firewall on this server at all. The server is in the private network 192.168.x.x, right? This network is not routable for anyone outside, no one can reach it from the internet. Usually local networks already have a firewall on the gateway to the internet. You don't need more than that...

    I'm not familiar with that firewall, so you will have to do that part of the investigation by yourself. They probably have FAQ or support page with what you need.

    If you want the server open to the whole 192.168.122.x network you need to allow ports tcp/139, tcp/445, udp/137 and udp/138 for source 192.168.122.0/24. That covers the whole network.

    But again, if the machine is already behind a firewall/gateway, don't use any firewall on it and save yourself the trouble...
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit

  7. #7
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,481
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    Quote: Originally posted by darkod
    If you want the server open to the whole 192.168.122.x network you need to allow ports tcp/139, tcp/445, udp/137 and udp/138 for source 192.168.122.0/24. That covers the whole network.
    Does it? I also see 192.168.0.100, so we would need to know more about the local area network to know for sure. Maybe it's 192.168.0.0/16 or somehow two subnets, 192.168.122.0/24 and 192.168.0.0/24 or?

    I agree, why bother at all, if the computer is already internal.

    Quote: Originally posted by nerdtron
    If you use ubuntu, better use the ufw utility instead.
    That is an opinion. My opinion is that iptables is better.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  8. #8
    Join Date
    May 2006
    Location
    UK
    Beans
    295

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    Hi thanks for the reply.

    The server is actually mainly for hosting/storage externally. The samba part is just handy for my internal network as a way to access parts of it and stream content to other devices.

    So I would like to keep the firewall running for outside, but just have the samba shares for internal use and only have them blocked to the outside world if anyone did try to gain access. Currently the firewall just blocks samba completely!
    www.mgcarforum.co.uk - Free forum community for MG car enthusiasts.

  9. #9
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,849
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    FYI, if you want samba available only to one of the private networks, you can also attach it to only one of the interfaces. That way the other private network will not be able to use/open it.

    But if you insist on doing it with a firewall inside a private network, you know what to do. Allow the network you want to (the 192.168.0.x or 192.168.122.x) for inbound traffic on the four ports mentioned above, and that's it... Basically you allow inbound traffic to those ports from a specific source network.

    Depending on how the CSF interface is done, it should not be difficult.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit
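
Added example, not part of any post in this thread: a shell function that turns `netstat -tulpn` output like the listing in post #5 into the source-restricted iptables rules described in posts #4, #6 and #9. The function name `samba_rules`, the abridged sample listing and the choice of 192.168.0.0/24 as the allowed network are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build source-restricted iptables rules for the Samba
# daemons from `netstat -tulpn` output. Nothing is applied; rules are printed.

# Constructed sample input, abridged from the listing in post #5.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23102/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23102/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      23102/smbd
udp        0      0 192.168.0.255:137       0.0.0.0:*                           1267/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1267/nmbd
udp        0      0 192.168.0.100:138       0.0.0.0:*                           1267/nmbd'

# samba_rules CIDR
# Reads netstat lines on stdin and prints one iptables command per unique
# IPv4 protocol/port pair owned by smbd or nmbd, limited to source CIDR.
samba_rules() {
    cidr=$1
    # Accept only dotted-quad/prefix, so the argument cannot smuggle extra
    # options or shell syntax into the generated commands.
    if ! printf '%s\n' "$cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        echo "invalid CIDR: $cidr" >&2
        return 1
    fi
    awk -v cidr="$cidr" '
        # Last field is PID/program; tcp6/udp6 lines are skipped here.
        $NF ~ /\/(smbd|nmbd)$/ && ($1 == "tcp" || $1 == "udp") {
            n = split($4, a, ":")      # local address is addr:port
            port = a[n]
            key = $1 "/" port
            if (!(key in seen)) {      # several listeners share one port
                seen[key] = 1
                printf "iptables -A INPUT -p %s -s %s --dport %s -j ACCEPT\n",
                       $1, cidr, port
            }
        }'
}

# Print the rules for the sample listing and the 192.168.0.0/24 network.
printf '%s\n' "$SAMPLE_NETSTAT" | samba_rules 192.168.0.0/24
```

The generated commands use `-A`, so they are appended after any rules already in INPUT; if an earlier rule drops the traffic, the new ACCEPT is never reached. The tcp6 listeners are skipped because iptables only filters IPv4.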

  10. #10
    Join Date
    May 2006
    Location
    UK
    Beans
    295

    Re: Allow Samba on local network with linux iptable rules firewall csf / lfd

    I've tried adding the below to my /etc/csf/csf.allow file and restarted but for some reason it is still blocked:


    Code:
    # TCP connections inbound to port 139 and 445 from local network (192.168.0.0/24)
    tcp|in|d=139|s=192.168.0.0/24
    tcp|in|d=445|s=192.168.0.0/24
    
    # UDP connections inbound to port 137 and 138 from local network (192.168.0.0/24)
    udp|in|d=137|s=192.168.0.0/24
    udp|in|d=138|s=192.168.0.0/24
    The above seems to be the correct syntax I can find for CSF... Here is what it says at the top of the file:

    ###############################################################################
    # Copyright 2006-2016, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # The following IP addresses will be allowed through iptables.
    # One IP address per line.
    # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
    # Only list IP addresses, not domain names (they will be ignored)
    #
    # Advanced port+ip filtering allowed with the following format
    # tcp/udp|in/out|s/d=port|s/d=ip
    # See readme.txt for more information
    #
    # Note: IP addressess listed in this file will NOT be ignored by lfd, so they
    # can still be blocked. If you do not want lfd to block an IP address you must
    # add it to csf.ignore
    Thanks again for any help.
    www.mgcarforum.co.uk - Free forum community for MG car enthusiasts.
