# Iptables can't see computers on samba

## XenoTerraCide

OK, here's the script I used to generate my rules:

```
#!/bin/bash

IPTABLES='/sbin/iptables'

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#                                                                                       RULE
# SSH server
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT                                  #1
$IPTABLES -A INPUT --protocol udp --dport 22 -j ACCEPT                                  #2

# allow access to the HTTP Server
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT                                  #3
$IPTABLES -A INPUT --protocol udp --dport 80 -j ACCEPT                                  #4

# allow access to samba (netbios)
$IPTABLES -A INPUT --protocol tcp --dport 137 -j ACCEPT                                 #5
$IPTABLES -A INPUT --protocol tcp --dport 138 -j ACCEPT                                 #6
$IPTABLES -A INPUT --protocol tcp --dport 139 -j ACCEPT                                 #7
$IPTABLES -A INPUT --protocol udp --dport 137 -j ACCEPT                                 #8
$IPTABLES -A INPUT --protocol udp --dport 138 -j ACCEPT                                 #9
$IPTABLES -A INPUT --protocol udp --dport 139 -j ACCEPT                                 #10

# allow access to instant messengers
# MSN messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 1863 -j ACCEPT                                #11
$IPTABLES -A INPUT --protocol tcp --dport 6891 -j ACCEPT                                #12
#
# AIM line 1 is the messenger
$IPTABLES -A INPUT --protocol tcp --dport 5190 -j ACCEPT                                #13
#
# Yahoo Messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 5050 -j ACCEPT                                #14
$IPTABLES -A INPUT --protocol tcp --dport 4443 -j ACCEPT                                #15

# accept vela connections
$IPTABLES -A INPUT -i eth0 -s 158.80.4.10 -j ACCEPT                                     #16

# echo request limit echo's
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 7 -j ACCEPT                           #17
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 7 -j ACCEPT                           #18

# accept related and established packets
$IPTABLES -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT               #19

# accept rsync (port 873)
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 873 -j ACCEPT                         #20
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 873 -j ACCEPT                         #21

# block all access
$IPTABLES -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP                         #22
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 0:65535 -j DROP                       #23
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 0:65535 -j DROP                       #24
```

I can see workgroups but not the computers inside them. Why? I dropped the firewall and was then able to access them, so I know that's the problem.

----------

## adaptr

Those last 3 lines make everything kludgy and unclear; use the chain policy to DROP everything after it has processed your rules.

As to the problem: SMB usually needs broadcasts to find computers.

Also, if there are two or more NICs in this box your rules could use some work...

And if there aren't, then you can drop the eth0 references, since they're superfluous.

```
$IPTABLES -A INPUT --protocol udp --dport 22 -j ACCEPT                                  #2 
```

No, no UDP for SSH.

```
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT                                  #3 
```

Or for HTTP.

```
# allow access to samba (netbios)
$IPTABLES -A INPUT --protocol tcp --dport 137 -j ACCEPT                                 #5
$IPTABLES -A INPUT --protocol tcp --dport 138 -j ACCEPT                                 #6
$IPTABLES -A INPUT --protocol tcp --dport 139 -j ACCEPT                                 #7
$IPTABLES -A INPUT --protocol udp --dport 137 -j ACCEPT                                 #8
$IPTABLES -A INPUT --protocol udp --dport 138 -j ACCEPT                                 #9
$IPTABLES -A INPUT --protocol udp --dport 139 -j ACCEPT                                 #10
```

Samba, OTOH, uses only UDP 137, UDP 138, and TCP 139.

Here is a complete description of the session setup and use:

http://info.ccone.at/INFO/Samba/IntroSMB.html#id2876169

```
# echo request limit echo's
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 7 -j ACCEPT                           #17
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 7 -j ACCEPT                           #18
```

Nonono - echo is not a TCP/UDP service! It is an ICMP protocol.

This won't work at all.

```
#accept related and established packets
$IPTABLES -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT               #19
```

You had better separate this - for clarity's sake.

```
# block all access
$IPTABLES -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP                         #22
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 0:65535 -j DROP                       #23
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 0:65535 -j DROP                       #24
```

This is a bad idea; drop it and replace with the following:

```
iptables -A INPUT -m state --state INVALID -j DROP
```

Make this the very first rule in the INPUT chain!

Start the whole thing with this:

```
iptables -P INPUT DROP
```

And the last three lines are no longer needed.

----------

## XenoTerraCide

I don't manage this network; I have no idea what else is on it. It's a p2p network all connected to a central routing system: a college dormitory on the school server. And I know my rules could probably use work; this is the first time I've tried writing rules, and I barely understand it. But I'll try changing that last part.

----------

## ter_roshak

Just an FYI, Samba uses UDP ports 137 and 138, while it uses TCP ports 139 and 445.

----------

## XenoTerraCide

I changed my last 3 lines to what you said, but I don't see a DROP in the INPUT chain. And I don't really understand what you mean by broadcast; networking is not what I'm best at.

----------

## adaptr

445 is not necessary if you don't communicate with an Active Directory.

If you use it as a standalone NT server then 137-139 are sufficient.

----------

## XenoTerraCide

I was using what it said at https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/ch-ports.html were the NetBIOS ports.

----------

## XenoTerraCide

I am so tired. Ugh, AS/400 frying the brain, lol. I somehow skipped over half of adaptr's first post. Apologies. Reworking the script.

----------

## XenoTerraCide

```
#!/bin/bash

IPTABLES='/sbin/iptables'

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#                                                                                       RULE
$IPTABLES -P INPUT DROP                                                                 #1

# SSH server
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT                                  #2

# allow access to the HTTP Server
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT                                  #3

# allow access to samba (netbios)
$IPTABLES -A INPUT --protocol tcp --dport 137 -j ACCEPT                                 #4
$IPTABLES -A INPUT --protocol tcp --dport 138 -j ACCEPT                                 #5
$IPTABLES -A INPUT --protocol tcp --dport 139 -j ACCEPT                                 #6

# allow access to instant messengers
# MSN messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 1863 -j ACCEPT                                #7
$IPTABLES -A INPUT --protocol tcp --dport 6891 -j ACCEPT                                #8
#
# AIM line 1 is the messenger
$IPTABLES -A INPUT --protocol tcp --dport 5190 -j ACCEPT                                #9
#
# Yahoo Messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 5050 -j ACCEPT                                #10
$IPTABLES -A INPUT --protocol tcp --dport 4443 -j ACCEPT                                #11

# accept vela connections
$IPTABLES -A INPUT -i eth0 -s 158.80.4.10 -j ACCEPT                                     #12

# accept related and established packets
$IPTABLES -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT               #13

# accept rsync (port 873)
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 873 -j ACCEPT                         #14
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 873 -j ACCEPT                         #15

# block invalid packets (variable name must match IPTABLES above, or the rule is never loaded)
$IPTABLES -A INPUT -m state --state INVALID -j DROP                                     #16
```

That better?

----------

## XenoTerraCide

Well, now with that script I can't even see workgroups AT ALL. Great.

----------

## adaptr

The first thing to do is edit your smb.conf and set the log level to at least 2.

Then try to access a share on the machine, and examine the logs.

A small warning: on higher log levels, samba will generate insane amounts of information!

Feel free to post parts of the logs here if you can't figure out what they mean ("cryptic" is a major understatement in this case..)

Since this machine is on a LAN, why restrict networking at all?

If you apply some sense to your services file(s) no other ports should be open anyway.

The only thing you could prevent with additional firewalling is actual hacking, i.e. DoS attacks and the like.

If you notice any of that going on the best solution is to apply a solid 2x4 to the miscreant.

EDIT: you probably should get some sleep before trying this... you're still fucking up the UDP/TCP requirements for Samba.

UDP 137, UDP 138, and TCP 139

No more, no less...

----------

## XenoTerraCide

Yeah, I caught those after my last post, but... well, KDE just went to hell on me, so right now I'm working on other stuff. The firewall is to prevent the almost nonexistent chance of whatever it is these other idiots around here do. We've had worms, viruses and whatever else going around this network. That, and I just want to learn how, for when I'm directly connected to the internet.

----------

## ter_roshak

*adaptr wrote:*

> 445 is not necessary if you don't communicate with an Active Directory.
> 
> If you use it as a standalone NT server then 137-139 are sufficient.

I don't think that you are correct.  Port 445 is used with Windows 2000/XP by default when transferring files with CIFS/SMB.  I have been using Samba as a PDC at home and work for several years now and have tried this just now.  TCP port 139 is used for transfers when using Netbios over TCP or if port 445 is not available, but port 445 is used when Netbios is not available or needed.  The initial connection request will be on port 445 when attempting to transfer a file.

----------

## XenoTerraCide

Well, I can't test anything now; everything went bad with KDE, and I ended up mostly wiping that system. But I know that with just whatever ports I've had in this (so far), Samba didn't work with the firewall up.

----------

## magic919

I think iptables is great, but it's important to keep it simple. Take a look at http://www.pettingers.org/code/firewall.html . It helped me loads.

Start by accepting the established and related. Then create chains for Samba, Messenger and all services you expect to let through. Then have an explicit drop at the end of the INPUT chain.

I'd open UDP 137 and 138. And TCP 139 and 445.

This is what mine looks like. You don't want the LAN open like mine, of course.

```
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1910K 6011M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
7921K 8020M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
21811 2800K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
  678 35040 MAIL       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 WEB        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 flags:0x16/0x02
 5991  405K BLACKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 5991  405K THRU       all  --  *      *       0.0.0.0/0            0.0.0.0/0
  211 66860 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 0 level 7 prefix `drop_packet'
  211 66860 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7600K packets, 6802M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BLACKLIST (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGDROP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MAIL (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       x.x.x.x          0.0.0.0/0           reject-with icmp-host-prohibited
   58  2784 REJECT     all  --  *      *       y.y.y.y      0.0.0.0/0           reject-with icmp-host-prohibited

Chain THRU (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
 5160  306K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  620 32256 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110

Chain WEB (1 references)
 pkts bytes target     prot opt in     out     source               destination
```
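Putting adaptr's advice (DROP policy, INVALID dropped first, RELATED/ESTABLISHED accepted, no UDP for SSH) and magic919's per-service chain layout together, with the Samba ports ter_roshak and magic919 settled on, as an added example that is not any poster's script: `IPT=echo` (the default here) prints the rule set for review without root, `IPT=/sbin/iptables` applies it, and the LAN subnet is an assumed placeholder.

```shell
#!/bin/bash
# Added example, not a script from this thread. IPT=echo prints the rules so they
# can be reviewed without root; IPT=/sbin/iptables applies them for real.
IPT="${IPT:-echo}"
LAN="${LAN:-192.168.0.0/24}"   # assumed placeholder: the subnet your Samba peers are on

# One chain per service, as magic919 suggests. Samba needs UDP 137 (NetBIOS name
# service) and UDP 138 (browsing datagrams), both sent as broadcasts so machines
# can find each other, plus TCP 139 (NetBIOS session) and TCP 445 (direct SMB,
# tried first by Windows 2000/XP). Limiting the source to the LAN keeps outside
# hosts off the file-sharing ports even though the policy already drops by default.
samba_chain() {
    $IPT -N SAMBA
    $IPT -A SAMBA -p udp -s "$LAN" --dport 137 -j ACCEPT
    $IPT -A SAMBA -p udp -s "$LAN" --dport 138 -j ACCEPT
    $IPT -A SAMBA -p tcp -s "$LAN" --dport 139 -j ACCEPT
    $IPT -A SAMBA -p tcp -s "$LAN" --dport 445 -j ACCEPT
}

firewall() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP                                   # policy drops whatever no rule accepts
    $IPT -A INPUT -m state --state INVALID -j DROP       # adaptr: very first rule in INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT            # SSH is TCP only; no UDP rule
    samba_chain
    $IPT -A INPUT -j SAMBA
    # no trailing catch-all DROP rules: the chain policy already does that
}

# Helpers for checking the generated rule set in dry-run mode.
first_input_rule() { firewall | grep -- '-A INPUT' | head -n 1; }
rules_for_port()   { firewall | grep -c -- "--dport $1 "; }
```

Run it as `IPT=echo ./fw.sh` (any file name) to read the rules, then `IPT=/sbin/iptables ./fw.sh` as root to load them.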

----------

## XenoTerraCide

Hey looking for help on a new Iptables problem. https://forums.gentoo.org/viewtopic-p-2983253.html#2983253

----------

