Connecting to a Win Computer with Samba
Temlakos
temlakos at gmail.com
Tue Apr 26 18:34:44 UTC 2005
Basil Copeland wrote:
>>I too am having this problem. My network consists of Windows XP. I can
>>see the linux shares from Windows but not the windows share from the
>>Linux.
>>
>>Any help would be appreciated.
>>
>>Thanks & Regards
>
>
> Do you have IPTABLES blocking the ports needed by smb?
>
> Basil
>
An excellent point. Running Samba without opening the ports on IPTABLES
is a common-enough error. I've made it myself. WinXP/SP2, of course, now
has its own firewall that recognizes local shares--and Zone Labs has a
firewall that lets you define "trusted zones" consisting of whatever
subnets you care to define. But when you're working with IPTABLES, you
have to get your hands dirty.

Here's a solution I developed, in consultation with a networking expert
who uses Fedora extensively at our church. Make sure your file
/etc/sysconfig/iptables has the following lines in the appropriate place
in the sequence:

> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --sport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --sport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --sport 445 -j ACCEPT

Depending on what sort of router you use, you need to open each port as
/both/ a source port /and/ a destination port, each on a separate line.
That will make /sure/ that IPTABLES will not drop your Samba packets.

Just to be clear, the ports you need to open are UDP port 137 and TCP
ports 139 and 445. I use that setup right now to connect to and from a
machine running WinXP/SP2.

The "-s 192.168.1.0/24" means "make this good only for subnet
192.168.1.0/255.255.255.0." That's the typical "down network" that most
SOHO routers define. To sniff these out and verify them, I used
Ethereal while making a Samba connection. By limiting it to this subnet,
I make sure that my box is not open to any old hacker anywhere else on
the Internet who wants to "connect" to my Samba shares--or anything else
on my box--through those ports.

I /do not/ recommend disabling the firewall. Instead, I recommend that
you learn how to use it effectively to "clear" only certain transactions
and maintain the protection that a firewall gives you.

Temlakos
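
Added example, not part of the message above and not the poster's code: a Python check over /etc/sysconfig/iptables text that confirms each Samba port named in the post has an ACCEPT rule, that every such rule is limited to the LAN subnet with -s, and that it sits before the chain's catch-all REJECT ("the appropriate place in the sequence"). The function name audit and both sample rule sets are constructed for illustration; the chain name and subnet defaults are the ones used in the post.

```python
import ipaddress

SMB_PORTS = {("udp", 137), ("tcp", 139), ("tcp", 445)}  # ports named in the post


def audit(rules_text, chain="RH-Firewall-1-INPUT", lan="192.168.1.0/24"):
    """Return sorted findings for Samba rules in /etc/sysconfig/iptables text."""
    lan_net = ipaddress.ip_network(lan)
    findings, opened, cut_off = [], set(), False
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain]:
            continue
        opt = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
        if opt.get("-j") in ("REJECT", "DROP") and "-p" not in opt and "-s" not in opt:
            cut_off = True  # catch-all: later rules in this chain never match
        if opt.get("-j") != "ACCEPT" or "-p" not in opt:
            continue
        proto = opt["-p"]
        for flag in ("--dport", "--sport"):
            port = opt.get(flag, "")
            if not port.isdigit() or (proto, int(port)) not in SMB_PORTS:
                continue
            label = f"{proto}/{port} {flag}"
            if cut_off:
                findings.append(f"{label}: placed after the catch-all REJECT/DROP")
                continue
            src = opt.get("-s")
            if src is None or not ipaddress.ip_network(src, strict=False).subnet_of(lan_net):
                findings.append(f"{label}: source not limited to {lan}")
            if flag == "--dport":
                opened.add((proto, int(port)))
    for proto, port in SMB_PORTS - opened:
        findings.append(f"{proto}/{port}: no reachable --dport ACCEPT rule")
    return sorted(findings)


# Constructed sample: the post's six rules followed by a catch-all REJECT.
GOOD = "\n".join(
    f"-A RH-Firewall-1-INPUT -p {p} -m {p} -s 192.168.1.0/24 --{d}port {n} -j ACCEPT"
    for p, n in (("udp", 137), ("tcp", 139), ("tcp", 445)) for d in "ds"
) + "\n-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n"
# Constructed sample with two mistakes: no -s on 445, and 139 after the REJECT.
BAD = """\
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
"""

if __name__ == "__main__":
    print(audit(GOOD) or "no findings", audit(BAD), sep="\n")
```

To check a live system, pass the contents of /etc/sysconfig/iptables as rules_text and adjust lan to your own subnet.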