# Adding samba service to iptables

## ozric

Hello! I am trying to add samba to my iptables rules. I've done this on earlier installs using the same syntax, but for some reason it doesn't work now.

```
DEVIANT samba # iptables -A INPUT -p tcp --dport samba -j ACCEPT
iptables v1.4.21: invalid port/service `samba' specified
Try `iptables -h' or 'iptables --help' for more information.
```

Samba is installed and added to the default runlevel. What am I missing? Might add that I've successfully added ssh to the chain with the same syntax.

----------

## szatox

> iptables v1.4.21: invalid port/service `samba' specified

Here it is: iptables does not understand what you want. Why won't you just use a port number?

----------

## ozric

It is not like I am planning of using a different port than the default for smb, so I guess I could. But in the case of the ssh service - I change the listening port from time to time, and don't have to reconfigure my chain of rules in iptables when I do so. So for the convenience I would rather allow the samba service than a static port, if that makes any sense.

----------

## Anon-E-moose

You can't use a "name" it doesn't understand.

All a name is, is a shorthand for a port number.

> I change the listening port from time to time, and don't have to reconfigure my chain of rules in iptables when I do so.

You don't have to change iptables if it understands the new name, but I doubt very seriously that if you are changing the default port for ssh that iptables understands it, because it doesn't know that you want the ssh port to not refer to "22".

If you do "iptables -L -n" it will show everything it understands numberwise instead of by name.

Edit to add:

From /etc/services:

```
netbios-ssn   139/tcp            # NETBIOS Session Service
netbios-ssn   139/udp
microsoft-ds   445/tcp      Microsoft-DS
microsoft-ds   445/udp      Microsoft-DS
```

These are the default ports for smb and you may use the names on the left (iptables should understand them).

----------

## ozric

Ok, I'll add the ports instead. You're probably right Moose. I was under the impression that using the name of the service rather than a static port would somehow automagically use the information of what port to open from /etc/services. I've been away from this too long. But thanks anyway both of you!

----------

## The_Great_Sephiroth

I allow only SAMBA and SSH through my firewall. This works well for me. Note that I am on a laptop and have two interfaces, but here is my firewall.

```
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW -j ACCEPT
```

I also use VPN to connect to various client locations (I am an IT guy) so I added a simple script which runs whenever the VPN comes up which keeps my firewall on my LAN and WLAN, but allows everything on the VPN interface. I added a second script to remove that rule when the VPN disconnects. You can see how simple it is to do this HERE.

----------

## Hu

 *ozric wrote:*   

> I was under the impression that using the name of the service rather than a static port would somehow automagically use the information of what port to open from /etc/services.

It will use /etc/services. Moose's point was that if you change sshd_config to specify Port 522, then /etc/services still says ssh   22, so iptables still works on port 22.
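To make the name-lookup point from the last two posts concrete, here is an added example (not code from anyone in this thread) in POSIX shell: it resolves a service name the same way `--dport` does, but against a constructed /etc/services fragment embedded in the script rather than the reader's real file, so `ssh` still comes back as 22 no matter what sshd_config says, `samba` resolves to nothing, and the SMB rules are built from the names that do exist.

```bash
#!/bin/sh
# Constructed /etc/services fragment (not the reader's real file), in the
# real file's layout: name, port/proto, optional aliases, optional comment.
SERVICES_DB='ssh             22/tcp              # SSH Remote Login Protocol
ssh             22/udp
netbios-ns      137/udp             # NETBIOS Name Service
netbios-dgm     138/udp             # NETBIOS Datagram Service
netbios-ssn     139/tcp             # NETBIOS Session Service
netbios-ssn     139/udp
microsoft-ds    445/tcp             Microsoft-DS
microsoft-ds    445/udp             Microsoft-DS'

# resolve_port NAME PROTO: print the port for NAME/PROTO the way iptables
# resolves a --dport argument. A bare number passes through unchanged. An
# unknown name prints nothing and returns 1, which is the situation behind
# the "invalid port/service" error in the first post. Note that nothing here
# reads sshd_config: changing "Port 522" there does not change "ssh 22/tcp".
resolve_port() {
    name=$1; proto=$2
    case $name in
        ''|*[!0-9]*) ;;                       # not numeric: look it up
        *) printf '%s\n' "$name"; return 0 ;; # already a port number
    esac
    port=$(printf '%s\n' "$SERVICES_DB" | sed 's/#.*//' |
        awk -v n="$name" -v p="$proto" \
            '$1 == n { split($2, a, "/"); if (a[2] == p) { print a[1]; exit } }')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# smb_rules IFACE: emit INPUT accept rules for SMB on one interface, built
# from the /etc/services names rather than literal numbers. Fails (prints
# nothing, returns 1) if any name cannot be resolved, instead of emitting a
# half-built rule. Compare the numbers with the multiport rules posted above.
smb_rules() {
    iface=$1
    t1=$(resolve_port netbios-ssn tcp)  || return 1
    t2=$(resolve_port microsoft-ds tcp) || return 1
    u1=$(resolve_port netbios-ns udp)   || return 1
    u2=$(resolve_port netbios-dgm udp)  || return 1
    printf 'iptables -A INPUT -i %s -p tcp -m multiport --dports %s,%s -m state --state NEW -j ACCEPT\n' "$iface" "$t1" "$t2"
    printf 'iptables -A INPUT -i %s -p udp -m multiport --dports %s,%s -m state --state NEW -j ACCEPT\n' "$iface" "$u1" "$u2"
}

# Demonstration: the rules only print; nothing is applied to a live firewall.
smb_rules enp0s25
if ! resolve_port samba tcp; then
    echo "samba: no such entry in the services table (use netbios-ssn/microsoft-ds)"
fi
```

Running the script prints two `iptables` command lines for enp0s25 followed by the message for `samba`; swap `SERVICES_DB` for `getent services` output if you want to check against the real table.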

----------

