# Samba over nat issues (iptables) [solved]

## machinelou

I've got Samba working on an internal network; I can connect my Windows laptop to a switch (call this Switch A) via a wire and browse the Samba shares on another machine on that same switch. However, the external interface of that switch is connected as a client to a wireless network. I would like to be able to allow machines on the wireless network to also access the Samba shares. I've already figured out how to do this for other services on that machine (e.g., ssh, apache) by editing the iptables on Switch A (it's a Linksys running OpenWrt), but I can't figure out how to do it for Samba.

I don't know much about iptables so I'm assuming that I'm just doing it wrong.

Here are the iptables rules I have at the moment (from what I've read online, Windows file sharing seems to use ports 137 and 138 (via udp) and 149 and 445 (via tcp)):

```
### Samba

iptables -t nat -A prerouting_wan -p udp --dport 137 -j DNAT --to 192.168.1.101:137
iptables        -A forwarding_wan -p udp --dport 137 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 138 -j DNAT --to 192.168.1.101:138
iptables        -A forwarding_wan -p udp --dport 138 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 139 -j DNAT --to 192.168.1.101:139
iptables        -A forwarding_wan -p tcp --dport 139 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 445 -j DNAT --to 192.168.1.101:445
iptables        -A forwarding_wan -p tcp --dport 445 -d 192.168.1.101 -j ACCEPT
```

And just for comparison, here are the rules I use for some other services that work:

```
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.1.101:22
iptables        -A forwarding_wan -p tcp --dport 22 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.1.101:80
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 88 -j DNAT --to 192.168.1.101:88
iptables        -A forwarding_wan -p tcp --dport 88 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 89 -j DNAT --to 192.168.1.102:443
iptables        -A forwarding_wan -p tcp --dport 443 -d 192.168.1.102 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j DNAT --to 192.168.1.101:443
iptables        -A forwarding_wan -p tcp --dport 443 -d 192.168.1.101 -j ACCEPT
```

Last edited by machinelou on Wed Jan 02, 2008 11:17 pm; edited 1 time in total

----------

## gentoo_dude

Try allowing tcp 137 through 139.

EDIT: I just rechecked my firewall rules; it should be only tcp 139 and 445 and udp 137 and 138, so the ports open are correct.

Do you have firewall enabled on the server, or just the router's firewall?

----------

## machinelou

*gentoo_dude wrote:*

> Do you have firewall enabled on the server, or just the router's firewall?

Just the router...

----------

## machinelou

Can someone at least tell me if there are any obvious mistakes?

----------

## Veldrin

*Quote:*

> Can someone at least tell me if there are any obvious mistakes?

Not sure about obvious, but UDP is a stateless protocol; you need to open it both ways.

Below is an excerpt (just the Samba part) from the iptables I have running on my server... hope it gives you an idea of what to do.

```
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --dport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --sport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 139 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 445 -j ACCEPT
```

cheers

V.

----------

## machinelou

*Veldrin wrote:*

> Not sure about obvious, but UDP is a stateless protocol; you need to open it both ways.

Thanks for the hint.. Can you tell me a little about what these lines do?

```
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --dport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --sport 137:138 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 139 -j ACCEPT
[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 445 -j ACCEPT
```

Like, what does -s 192.168.180.112/28 do?

--dport?

--sport?

Would these lines (or something like them) go above the lines I already have? Thanks, sorry I have so many questions...

----------

## machinelou

OK, I added those lines. My config now looks like this:

```
### Samba

iptables        -A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
iptables        -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 137 -j DNAT --to 192.168.1.101:137
iptables        -A forwarding_wan -p udp --dport 137 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 138 -j DNAT --to 192.168.1.101:138
iptables        -A forwarding_wan -p udp --dport 138 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 139 -j DNAT --to 192.168.1.101:139
iptables        -A forwarding_wan -p tcp --dport 139 -d 192.168.1.101 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 445 -j DNAT --to 192.168.1.101:445
iptables        -A forwarding_wan -p tcp --dport 445 -d 192.168.1.101 -j ACCEPT
```

It still doesn't work :(

----------

## machinelou

Okay, I found some more clues...

I increased the log level in /etc/samba/smb.conf to 3. I also turned on WINS support. When I set my Windows client's WINS server IP to the Samba server, I got this in the logs:

```
[2008/01/02 16:19:32, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name FENGHU<00> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name __MSBROWSE__<01> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name MEDIA<1d> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(854)
  wins_process_name_refresh_request: Name refresh for name MEDIA<1d> and the name does not exist.  Treating as registration.
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_registration_request(1138)
  wins_process_name_registration_request: Unique name registration for name MEDIA<1d> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_registration_request(1205)
  wins_process_name_registration_request: Ignoring request to register name MEDIA<1d> from IP 192.168.0.109.
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name MEDIA<1e> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name FENGHU<20> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name MEDIA<00> IP 192.168.0.109
[2008/01/02 16:20:27, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name FENGHU<00> IP 192.168.0.109
[2008/01/02 16:21:18, 3] nmbd/nmbd_winsserver.c:wins_process_name_query_request(1892)
  wins_process_name_query: name query for name SATURN<00> from IP 192.168.0.109
[2008/01/02 16:21:18, 3] nmbd/nmbd_winsserver.c:wins_process_name_query_request(1944)
  wins_process_name_query: name query for name SATURN<00> returning first IP 192.168.1.101.
[2008/01/02 16:21:21, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name __MSBROWSE__<01> IP 192.168.0.109
[2008/01/02 16:21:21, 3] nmbd/nmbd_winsserver.c:wins_process_name_refresh_request(836)
  wins_process_name_refresh_request: Name refresh for name MEDIA<1d> IP 192.168.0.109
```

I don't really know what any of that nonsense means, except that the Windows client (with IP 192.168.0.109) is able to talk to the WINS server.

I then tried to ping the Samba server using its name, "SATURN".. Instead of resolving to the router's IP address (192.168.0.10), it resolved to the address behind the NAT (192.168.1.101). So, it didn't connect...

Now what?

----------

## gentoo_dude

These are my Samba rules on my server:

```
[6649:336946] -A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp -m multiport --dports 139,445 -j ACCEPT
[99632:23528029] -A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -p udp -m udp -m multiport --sports 137,138 -j ACCEPT
```
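As an added example (not code from anyone in this thread), the small Python matcher below parses the iptables-save style lines Veldrin and gentoo_dude posted and walks a chain top to bottom the way the kernel does. It shows concretely what `-s 192.168.180.112/28` (16 addresses, .112 to .127), `--dport`, `--sport` and `-m multiport --dports 139,445` match, and why, without Veldrin's `--sport 137:138` line, a UDP reply arriving from a peer's port 137 falls through the chain. It is a simplification: the `-i`/`-o` interface and `--state` conntrack matches are ignored.

```python
import ipaddress
from typing import Optional

# Rules exactly as posted in this thread (iptables-save format: "[pkts:bytes] -A CHAIN ...").
VELDRIN_RULES = [
    "[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --dport 137:138 -j ACCEPT",
    "[0:0] -A INPUT -s 192.168.180.112/28 -p udp -m udp --sport 137:138 -j ACCEPT",
    "[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 139 -j ACCEPT",
    "[0:0] -A INPUT -s 192.168.180.112/28 -p tcp -m tcp --dport 445 -j ACCEPT",
]
GENTOO_DUDE_RULE = ("[6649:336946] -A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0"
                    " -i eth1 -p tcp -m state --state NEW -m tcp -m multiport --dports 139,445 -j ACCEPT")


def _ports(spec: str) -> set:
    """'139', a range '137:138', or a multiport list '139,445' -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line: str) -> dict:
    """Pull the match fields this simplified matcher understands out of one iptables-save line."""
    toks = line.split()
    if toks[0].startswith("["):
        toks = toks[1:]  # drop the [packets:bytes] counters
    rule = {"chain": None, "src": None, "dst": None, "proto": None,
            "sport": None, "dport": None, "target": None}
    # Every option in these lines takes exactly one value, so walk them in pairs.
    # -i/-o, -m and --state are skipped: no interface or conntrack model here.
    for opt, val in zip(toks[0::2], toks[1::2]):
        if opt == "-A": rule["chain"] = val
        elif opt == "-s": rule["src"] = ipaddress.ip_network(val, strict=False)  # CIDR or dotted mask
        elif opt == "-d": rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p": rule["proto"] = val
        elif opt in ("--sport", "--sports"): rule["sport"] = _ports(val)  # packet's SOURCE port
        elif opt in ("--dport", "--dports"): rule["dport"] = _ports(val)  # packet's DESTINATION port
        elif opt == "-j": rule["target"] = val
    return rule


def first_match(rules, src, dst, proto, sport, dport) -> Optional[str]:
    """Return the target of the first rule the packet matches, or None when it
    falls through every rule to the chain's default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in map(parse_rule, rules):
        if r["src"] is not None and s not in r["src"]: continue
        if r["dst"] is not None and d not in r["dst"]: continue
        if r["proto"] is not None and r["proto"] != proto: continue
        if r["sport"] is not None and sport not in r["sport"]: continue
        if r["dport"] is not None and dport not in r["dport"]: continue
        return r["target"]
    return None
```

Running `first_match(VELDRIN_RULES[:1], "192.168.180.120", "192.168.180.1", "udp", 137, 40000)` returns None while the full four-rule set returns "ACCEPT", which is the "open it both ways" point in concrete terms.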

----------

## machinelou

More progress.. A kind soul on #openwrt pointed out to me that one could access Samba shares on a Windows client using just an IP address. You type //ip.address into the Run dialog and voilà! It works!

I can now see the shares on my Samba server. The only problem now is that I can't log in. It says it is not accessible. It's unusual because I could log in fine when attached to the same router as the server.

----------

## machinelou

Solved!

I turned on some options in smb.conf during this whole debacle (preferred master, domain master, local master, and os level). Turning them off allowed me to log in. Yahooo!

----------

