iptables: Enable Samba access

This document describes how to configure the iptables firewall so that Windows clients can reach a Samba server on a Linux host. It gives concrete examples for Red Hat Fedora Core 3 and explains the ports used by the Samba service and the daemons that listen on them.

This document explains how to configure an IPTables firewall to allow Windows networking clients to access the Samba server on your Linux host. The examples assume Red Hat Fedora Core 3, but others should work without much modification.
I have run Samba servers for a number of years now, always on private networks behind firewalls, and have usually turned off the firewall on the internal host so as not to complicate setup or troubleshooting. Having grown more security conscious over the years, I am now more likely to want to have a firewall up and only allow the minimum necessary holes through it. This short reference should explain the basics of allowing Samba traffic through an IPTables firewall, but nothing of configuring Samba itself.
Ports, Protocols, and Daemons
In the /etc/services file you will find a few lines that refer to Samba services:
netbios-ns 137/tcp # NetBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NetBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NetBIOS Session Service
netbios-ssn 139/udp
microsoft-ds 445/tcp # Microsoft Directory Service
microsoft-ds 445/udp
The picture this provides is somewhat deceiving, since half of those lines could be removed, condensing the list to:
netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
because these are the ports the Samba server daemons listen on. The first three lines represent ports used by Windows networking since TCP/IP networking came standard on the Windows 95 operating system. The remaining port came to be used when Microsoft introduced its directory service with Windows 2000. It may be useful to note for troubleshooting or configuration purposes that the UDP protocols (ports 137 and 138) are serviced by the nmbd daemon, while the TCP protocols (ports 139 and 445) are serviced by smbd [1].
You can demonstrate what ports are being used by Samba by using these commands as root (in /tmp or someplace safe to make temporary files) [2]:
# service smb stop
# netstat -ln > netstat-ln-smb.before
# service smb start
# netstat -ln > netstat-ln-smb.after
# diff netstat-ln-smb.*
and you will see the ports listed above appear in the output, along with the protocol (TCP or UDP) they use to communicate. Please take a look at the man pages for netstat and diff if you find the output confusing.
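The before/after diff above shows which sockets Samba opens. As an added example (not part of the original article), the shell function below reads netstat -ln output and lists only the Samba listeners, printing the protocol, port and bound address. The netstat lines it runs against are constructed sample output, not captured from a real host; the function name is an assumption of this example. An address of 0.0.0.0 means the daemon is listening on every interface, which is why the firewall rules in the next section matter.

```shell
#!/bin/sh
# Added example: pick the Samba listeners out of "netstat -ln" output.
# SAMPLE_NETSTAT is constructed for this example (not real captured output).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 192.168.0.5:137         0.0.0.0:*
udp        0      0 192.168.0.5:138         0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# samba_listeners: reads netstat -ln output on stdin and prints
# "<proto> <port> <address>" for the four Samba ports only
# (137/udp and 138/udp for nmbd, 139/tcp and 445/tcp for smbd).
samba_listeners() {
    awk '$1 ~ /^(tcp|udp)$/ {
        # Local Address is "addr:port"; take the last colon-separated field as the port
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (($1 == "udp" && (port == 137 || port == 138)) ||
            ($1 == "tcp" && (port == 139 || port == 445)))
            print $1, port, addr
    }'
}

# Demo on the constructed sample; on a live host use: netstat -ln | samba_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | samba_listeners
```

Running the sample prints four lines, one per Samba port; the ssh and DHCP client sockets in the sample are filtered out.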
Configuring IPTables
In its simplest form, on a Red Hat-ish system like Fedora Core 3, you can add four lines to /etc/sysconfig/iptables just before the line with "-j REJECT" in it:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
and then restart the iptables service:
# service iptables restart
On many networks, there are hosts that don't need and should not have access to the Samba server on a Linux host. You may wish to limit the range of IP addresses that can successfully connect to the Samba server. Here is an example set that would replace the lines above:
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
This example would allow only hosts with IP addresses between 192.168.0.1 and 192.168.0.254 to contact the Samba server running on this host. Alternatively, if you want to limit access to a single host, use these lines as a replacement:
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.10/32 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.10/32 --dport 445 -j ACCEPT
This example would allow only the host with the IP address of 192.168.0.10 to contact the Samba server.
If you want multiple single hosts, or multiple subnets, to be able to connect to the Samba server, you will have to use multiple sets of the four configuration lines to express those rules before the "-j REJECT" line. IPTables has great power and flexibility, and more information concerning it is available from other sources.
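Writing one block of four rules per allowed host or subnet by hand is error-prone, and a rule that lands after the "-j REJECT" line never matches. The script below is an added example, not code from the original article: it generates the four ACCEPT rules for any number of sources, inserts them into a copy of an iptables rules file immediately before the first "-j REJECT" line, and checks that every Samba ACCEPT rule precedes that REJECT. The chain name RH-Firewall-1-INPUT and the rule syntax are those used above; the function names and the sample rules file are constructed for this example.

```shell
#!/bin/sh
# Added example: build Samba ACCEPT rules for several sources and place them
# before the REJECT line. SAMPLE_CONFIG is a constructed, minimal
# /etc/sysconfig/iptables in the Fedora Core 3 layout, not a real file.
SAMPLE_CONFIG='*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# samba_rules CHAIN SOURCE: print the four rules, restricted to SOURCE (host/32 or subnet)
samba_rules() {
    chain=$1
    src=$2
    printf '%s\n' \
      "-A $chain -p udp -m udp -s $src --dport 137 -j ACCEPT" \
      "-A $chain -p udp -m udp -s $src --dport 138 -j ACCEPT" \
      "-A $chain -m state --state NEW -m tcp -p tcp -s $src --dport 139 -j ACCEPT" \
      "-A $chain -m state --state NEW -m tcp -p tcp -s $src --dport 445 -j ACCEPT"
}

# samba_rules_for_all CHAIN SRC...: one set of four rules per source, in order
samba_rules_for_all() {
    chain=$1; shift
    for src in "$@"; do
        samba_rules "$chain" "$src"
    done
}

# insert_before_reject CONFIG_FILE NEWRULES_FILE: write CONFIG_FILE to stdout
# with the contents of NEWRULES_FILE inserted just before the first "-j REJECT" line
insert_before_reject() {
    awk -v newfile="$2" '
        /-j REJECT/ && !inserted {
            while ((getline line < newfile) > 0) print line
            close(newfile)
            inserted = 1
        }
        { print }
    ' "$1"
}

# samba_rules_before_reject: read a rules file on stdin; succeed only if at least
# one Samba ACCEPT rule exists and none of them comes after the first REJECT line
samba_rules_before_reject() {
    awk '
        /-j REJECT/ && !reject { reject = NR }
        /--dport (137|138|139|445) -j ACCEPT/ { seen = 1; if (reject && NR > reject) bad = 1 }
        END { if (seen && !bad) exit 0; else exit 1 }
    '
}

# Demo: allow one subnet and one extra host, merge into the sample config, verify order.
demo_merge() {
    tmpd=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmpd/iptables"
    samba_rules_for_all RH-Firewall-1-INPUT 192.168.0.0/24 10.0.0.10/32 > "$tmpd/new"
    insert_before_reject "$tmpd/iptables" "$tmpd/new" > "$tmpd/merged"
    cat "$tmpd/merged"
    if samba_rules_before_reject < "$tmpd/merged"; then
        echo "# ok: all Samba rules precede the REJECT line"
    else
        echo "# warning: a Samba rule sits after the REJECT line and will never match"
    fi
    rm -rf "$tmpd"
}
demo_merge
```

The merged output is what you would review before copying it over /etc/sysconfig/iptables and running "service iptables restart"; the order check is worth repeating after any later edit to the file.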

Reposted from: https://www.cnblogs.com/livepencil/archive/2010/06/10/1755618.html
