Connecting to a Win Computer with Samba

Temlakos temlakos at gmail.com
Tue Apr 26 18:34:44 UTC 2005


Basil Copeland wrote:
>>I too am having this problem. My network consists of Windows XP. I can
>>see the Linux shares from Windows but not the Windows share from
>>Linux.
>>
>>Any help would be appreciated.
>>
>>Thanks & Regards
> 
> 
> Do you have IPTABLES blocking the ports needed by smb? 
> 
> Basil
> 

An excellent point. Running Samba without opening the ports on IPTABLES 
is a common-enough error. I've made it myself. WinXP/SP2, of course, now 
has its own firewall that recognizes local shares--and Zone Labs has a 
firewall that lets you define "trusted zones" consisting of whatever 
subnets you care to define. But when you're working with IPTABLES, you 
have to get your hands dirty.

Here's a solution I developed, in consultation with a networking expert 
who uses Fedora extensively at our church. Make sure your file 
/etc/sysconfig/iptables has the following lines in the appropriate place 
in the sequence:

> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --sport 137 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --sport 139 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --sport 445 -j ACCEPT

Depending on what sort of router you use, you need to open each port as 
/both/ a source port /and/ a destination port, each on a separate line. 
That will make /sure/ that IPTABLES will not drop your Samba packets.

Just to be clear, the ports you need to open are UDP port 137 and TCP 
ports 139 and 445. I use that setup right now to connect to and from a 
machine running WinXP/SP2.

The "-s 192.168.1.0/24" means "make this good only for subnet 
192.168.1.0/255.255.255.0." That's the typical "down network" that most 
SOHO routers define. To sniff these out and verify them, I used 
Ethereal while making a Samba connection. By limiting it to this subnet, 
I make sure that my box is not open to any old hacker anywhere else on 
the Internet who wants to "connect" to my Samba shares--or anything else 
on my box--through those ports.

I /do not/ recommend disabling the firewall. Instead, I recommend that 
you learn how to use it effectively to "clear" only certain transactions 
and maintain the protection that a firewall gives you.

Temlakos
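
[Added example, not part of the original post and not Temlakos's code.] One way to check a rules file against the advice above: the script reads text in /etc/sysconfig/iptables format and reports Samba --dport ACCEPT rules that have no source restriction, name a source outside the LAN, sit after a catch-all REJECT/DROP, or are missing. The function name, finding labels and SAMPLE rules are constructed for illustration; it assumes rules without "!" negation.

```python
import ipaddress

# Ports named in the post: UDP 137, TCP 139, TCP 445.
SAMBA_PORTS = {("udp", 137), ("tcp", 139), ("tcp", 445)}

# Constructed sample in /etc/sysconfig/iptables format (not taken from the post).
SAMPLE = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
COMMIT
"""

def audit(rules_text, chain="RH-Firewall-1-INPUT", lan="192.168.1.0/24"):
    """Return (line, problem, port) findings for the Samba --dport rules."""
    lan_net = ipaddress.ip_network(lan)
    findings, seen, reject_line = [], set(), None
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        tok = line.split()
        if tok[:2] != ["-A", chain]:
            continue
        # Map each option to the token after it, e.g. {"-p": "tcp", "--dport": "139"}.
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        target = opt.get("-j")
        catch_all = "-p" not in opt and "-s" not in opt
        if target in ("REJECT", "DROP") and catch_all and reject_line is None:
            reject_line = lineno          # first catch-all; later rules never match
        dport = opt.get("--dport", "")
        if target != "ACCEPT" or not dport.isdigit():
            continue                      # --sport rules and port ranges are not audited
        key = (opt.get("-p"), int(dport))
        if key not in SAMBA_PORTS:
            continue
        seen.add(key)
        name = f"{key[0]}/{key[1]}"
        src = opt.get("-s")
        if reject_line is not None:
            findings.append((lineno, "after-reject", name))
        elif src is None:
            findings.append((lineno, "any-source", name))
        elif not ipaddress.ip_network(src, strict=False).subnet_of(lan_net):
            findings.append((lineno, "outside-lan", name))
    for proto, port in sorted(SAMBA_PORTS - seen):
        findings.append((None, "missing", f"{proto}/{port}"))
    return findings
```

Calling audit(open("/etc/sysconfig/iptables").read()) on the real file returns an empty list when all three ports are opened to the LAN only and ahead of the final REJECT.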



