iptables: Enable Samba access

This document explains how to configure an IPTables firewall to allow Windows networking clients to access the Samba server on your Linux host. The examples assume Red Hat Fedora Core 3, but others should work without much modification.

I have run Samba servers for a number of years now, always on private networks behind firewalls, and have usually turned off the firewall on the internal host so as not to complicate setup or troubleshooting. Having grown more security conscious over the years, I am now more likely to want to have a firewall up and only allow the minimum necessary holes through it. This short reference should explain the basics of allowing Samba traffic through an IPTables firewall, but nothing of configuring Samba itself.

Ports, Protocols, and Daemons

In the /etc/services file you will find a few lines that refer to Samba services:

netbios-ns 137/tcp # NetBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NetBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NetBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp # Microsoft Directory Service
microsoft-ds 445/udp

The picture this provides is somewhat deceiving, since the half of those lines could be removed and condensed to:

netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service

because these are the ports the Samba server daemons listen on. The first three lines represent ports used by windows networking since TCP/IP networking came standard on the Windows 95 operating system. The remaining port came to be used when Microsoft introduced it's directory service with Windows 2000. It may be useful to note for troubleshooting or configuration purposes that the UDP protocols (ports 137 and 138) are serviced by the nmbd daemon, while the TCP protocols (ports 139 and 445) are serviced by smbd [1].

You can demonstrate what ports are being used by Samba by using these commands as root (in /tmp or someplace safe to make temporary files) [2]:

# service smb stop
# netstat -ln > netstat-ln-smb.before
# service smb start
# netstat -ln > netstat-ln-smb.after
# diff netstat-ln-smb.*

and you will see the ports listed above appear in the output, along with the protocol (TCP or UDP) they use to communicate. Please take a look at the man pages for netstat and diff if you find the output confusing.

Configuring IPTables

In it's simplest form, on a Red Hat-ish system like Fedora Core 3, you can add four lines to /etc/sysconfig/iptables just before the line with "-j REJECT" in it:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

and then restart the iptables service:

# service iptables restart

On many networks, there are hosts that don't need and should not have access to the Samba server on a Linux host. You may wish to limit the range of IP addresses that can successfully connect to the Samba server. Here is an example set that would replace the lines above:

-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT

This example would allow only hosts with IP addresses between 192.168.0.1 and 192.168.0.254 to contact the Samba server running on this host. Alternatively, if wanted limit access to a single host, use these lines as a replacement:

-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 445 -j ACCEPT

This example would allow only the host with the IP address of 192.168.0.10 to contact the Samba server.

If you want multiple single hosts, or multiple subnets, to be able to connect to the Samba server, you will have to use multiple sets of the four configuration lines to express those rules before the "-j REJECT" line. IPTables has great power and flexibility, and more information concerning it is available from other sources.

转载于:https://www.cnblogs.com/livepencil/archive/2010/06/10/1755618.html