Allow Samba on local network with linux iptable rules firewall csf / lfd

[jonah1980]

Hi any help would be really appreciated for the correct IPTABLE rules set to allow samba on my local network. Currently my firewall is blocking it...

I've looked around and I realise you can lookup the right ports with netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

but I've no idea the correct syntax and the correct rules needed to do this right and still keep the firewall safely working etc.

Can anyone please post the lines I would need to add to achieve this on my ubuntu server?

Thanks again for any help!

[nerdtron]

If you use ubuntu, better use the ufw utility instead. Samba runs on TCP ports 139 and 445 and UDP ports 137 and 138

So I guess the simplest command to allow those:

Code:

 sudo ufw allow 139
sudo ufw allow 445
sudo ufw allow 137
sudo ufw allow 138

[jonah1980]

hi thanks for the help. Unfortunately this doesn't seem to work for me as I'm using CSF and LFD. I would use ufw but I also have webmin installed which offers a csf module. I'd rather use that as I'm used to the same on the other cPanel servers I have.

Does anyone know how I can get local-only samba to work with CSF?

Thanks again for any help.

[darkod]

Pardon my ignorance, but what's CSF and LFD? Type of firewall?

Since you found out how to check relevant ports, you only need to open those ports for inbound traffic and that's it. Doesn't matter much what the firewall is if you do that right.

For direct iptables, you would do something like:

Code:

sudo iptables -A INPUT -p tcp --dport 139 -j ACCEPT

Do that for all needed tcp and udp ports and test if it worked. However, if you are using some firewall "frontend" that uses iptables at the end, such commands directly with iptables might not be supported.

Those rules will be temporary unless you make them permanent, but only for testing it will do. After that, there are variations like if you want to allow it only for some source IPs/networks you should use the '-s x.x.x.x/xx' option added to the above command. That will allow the traffic only from those IPs and networks. But if you need worldwide access, you can't really limit by IP.

PS. Webmin??? Try to learn what you need and not to use webmin. There is a reason it is not a recommended and supported tool.

[jonah1980]

Hi thanks for the reply.

CSF is just an iptables firewall for linux servers: http://configserver.com/cp/csf.html

Doing netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

gives me:

Code:

tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23102/smbd      
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23102/smbd      
tcp6       0      0 :::139                  :::*                    LISTEN      23102/smbd      
tcp6       0      0 :::445                  :::*                    LISTEN      23102/smbd      
udp        0      0 192.168.122.255:137     0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.122.1:137       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.255:137       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.100:137       0.0.0.0:*                           1267/nmbd       
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.122.255:138     0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.122.1:138       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.255:138       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.100:138       0.0.0.0:*                           1267/nmbd       
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1267/nmbd

so that's my ports and such. But I'm not sure how I actually add them correctly in the right syntax and format to the iptables so that my local network has access to samba but no one else does?

Thanks again for any help. I can paste my iptables as they are currently if that helps?

[darkod]

I am confused why do you need a firewall on this server at all. The server is in the private network 192.168.x.x right? This network is not routeable for anyone outside, no one can reach it from the internet. Usually local networks already have a firewall on the gateway to the internet. You don't need more than that...

I'm not familiar with that firewall, so you will have to do that part of the investigation by yourself. They probably have FAQ or support page with what you need.

If you want the server open to the whole 192.168.122.x network you need to allow ports tcp/139, tcp/445, udp/137 and udp/138 for source 192.168.122.0/24. That covers the whole network.

But again, if the machine is already behind a firewall/gateway, don't use any firewall on it and save yourself the trouble...

[Doug S]

If you want the server open to the whole 192.168.122.x network you need to allow ports tcp/139, tcp/445, udp/137 and udp/138 for source 192.168.122.0/24. That covers the whole network.

Does it? I see also 192.168.0.100 so we would need to know more about the local area network to know for sure. Maybe its 192.168.0.0/16 or somehow two subnets, 192.168.122.0/24 and 192.168.0.0/24 or?

I agree, why bother at all, if the computer in already internal.

If you use ubuntu, better use the ufw utility instead.

That is an opinion. My opinion is that iptables is better.

[jonah1980]

Hi thanks for the reply.

The server is actually mainly for hosting/storage externally. The samba part is just handy for my internal network as a way to access parts of it and stream content to other devices.

So I would like to keep the firewall running for outside, but just have the samba shares for internal use and only have them blocked to the outside world if anyone did try to gain access. Currently the firewall just blocks samba completely!

[darkod]

FYI, if you want samba available only to one of the private networks, you can also attach it to only one of the interfaces. That way the other private network will not be able to use/open it.

But if you insist doing it with a firewall inside a private network, you know what to do. Allow the network you want to (the 192.168.0.x or 192.168.122.x) for inbound traffic on the four ports mentioned above, and that's it... Basically you allow inbound traffic to those ports from specific source network.

Depends how the CFS interface is done, it should not be difficult.

[jonah1980]

I've tried adding the below to my /etc/csf/csf.allow file and restarted but for some reason it is still blocked:

Code:

# TCP connections inbound to port 139 and 445 from local network (192.168.0.0/24)
tcp|in|d=139|s=192.168.0.0/24
tcp|in|d=445|s=192.168.0.0/24

# UDP connections inbound to port 137 and 138 from local network (192.168.0.0/24)
udp|in|d=137|s=192.168.0.0/24
udp|in|d=138|s=192.168.0.0/24

The above seems to be the correct syntax I can find for CSF... Here is what it says at the top of the file:

################################################## #############################
# Copyright 2006-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
################################################## #############################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore

Thanks again for any help.