Iptables rule for windows file sharing?

Temlakos temlakos at gmail.com
Sat Jan 29 21:45:08 UTC 2005


On Fri, 28 Jan 2005 19:50:02 +0100, cjlesh
<no-reply-gw at fcp.homelinux.org> wrote:
> Hey all:
> 
> I have a laptop running Fedora Core 3 and a desktop with Windows XP, both connected via a Linksys router.
> 
> I am trying to figure out a way to allow the laptop to 'see' the shared directories on the Windows machine. If I disable the Fedora firewall, it works.
> 
> I would like to do this without disabling the firewall.
> A Google search turns up the following command:
> 
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.1 --destination-port 137:139 -j ACCEPT
> 
> however this results in an error.
> 
> Any help on a reasonable firewall rule to allow windows share traffic on my local network only?

I finally found the answer, after experimenting with this all day. My
insight comes from running an Ethereal capture of a three-minute
session, during which I browsed a Samba server (actually, two of
them--my own machine and another machine on the network) and printed
to a Samba printer (on the other machine).

In your iptables rule set, make sure you have the following as your last rules:

-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 32700:32800 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 32800:32900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Note carefully: insert all rules quoting 192.168.1.0/24 as the source
(-s) directly above the -m state rule accepting ESTABLISHED and
RELATED states.

The above are for a network based on a Linksys router having on it a
Windows machine and/or any UNIX/Linux box running the Samba services.

The rationale is this:

UDP Port 137: NetBIOS name service.
UDP Port range 32700:32800: the upper end of a NetBIOS name service
conversation.
TCP Port 139: NetBIOS-SSN.
TCP Port 445: Microsoft-DS
TCP Port range 32800:32900: the upper end of all SMB TCP conversations.

Open these ports, and their ranges, but /only/ for 192.168.1.0/24 as a
source, and you should have Windows file and print sharing, but will
/not/ have to worry about anyone detecting you on the outside.

If I have time, I might refine this to tighten up the range. But as it
stands now, it works, and it's a lot more narrow than simply opening
my system up to /everything/ having 192.168.1.0/24 as its source.

My next experiment will probably be to restrict everything to
transactions having UDP port 137 or TCP ports 139 and 445 as /either
source or destination port./ Right now, I was concerned strictly with
opening every destination port that might come up. I have something
that works, and is less vulnerable.

Temlakos
-- 
Temlakos <temlakos at gmail.com>
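The whole point of the rule set above is that every ACCEPT for the SMB/NetBIOS ports carries a -s restricted to the LAN and sits above the terminal REJECT. Below is an added example (not part of the original post or of Fedora's firewall tooling) that audits an iptables-save fragment for exactly that: it parses each "-A RH-Firewall-1-INPUT ... -j TARGET" line, flags any port-opening ACCEPT whose source is missing or is not an RFC 1918 network, and checks that the chain ends in REJECT or DROP. The two rule fragments embedded in it are constructed for the example; the first is the posted rule set, the second is a deliberately over-permissive variant of the kind the original Google hit would have produced.

```python
"""Audit an iptables-save fragment for SMB/NetBIOS ACCEPT rules open beyond the LAN.

Added example; not the original poster's code. It only understands the
flag layout used in the posted rules (-A, -p, -m, -s, --dport, -j).
"""
import ipaddress
import shlex

# RFC 1918 space: a -s value must lie wholly inside one of these to count as "LAN only".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample 1: the rule set from the post, wrapped lines rejoined.
POSTED = """\
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 32700:32800 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 32800:32900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample 2: one rule with no -s at all, one with -s 0.0.0.0/0 (which is
# not "LAN only" either); both would expose SMB to whatever the router forwards.
OPEN_VARIANT = """\
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rule(line):
    """Turn one '-A CHAIN ... -j TARGET' line into a dict keyed by flag name (no dashes)."""
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "match": []}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t == "-m":
            rule["match"].append(toks[i + 1])
            i += 2
        elif t.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[t.lstrip("-")] = toks[i + 1]   # e.g. "p": "tcp", "s": "192.168.1.0/24", "dport": "445"
            i += 2
        else:
            i += 1
    return rule


def source_is_private(src):
    """True if the -s network is an IPv4 network wholly inside RFC 1918 space."""
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False
    return net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS)


def audit(fragment, chain="RH-Firewall-1-INPUT"):
    """Return a list of problem strings for the chain; an empty list means it passes."""
    problems = []
    rules = [parse_rule(l) for l in fragment.splitlines() if l.strip().startswith("-A")]
    rules = [r for r in rules if r["chain"] == chain]
    # The posted layout relies on the REJECT being the last rule in the chain.
    if not rules or rules[-1]["target"] not in ("REJECT", "DROP"):
        problems.append("chain does not end in REJECT/DROP")
    for n, r in enumerate(rules, 1):
        if r["target"] != "ACCEPT" or "dport" not in r:
            continue                      # state rule and non-port rules are not port openings
        src = r.get("s")
        where = f"rule {n}: {r.get('p')}/{r['dport']}"
        if src is None:
            problems.append(f"{where} accepted from any source")
        elif not source_is_private(src):
            problems.append(f"{where} accepted from non-private source {src}")
    return problems


if __name__ == "__main__":
    for name, frag in (("posted", POSTED), ("open variant", OPEN_VARIANT)):
        found = audit(frag)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  " + p)
```

Run it against a live box with `iptables-save | python3 audit.py` after changing the `__main__` block to read `sys.stdin`; the check is deliberately narrow (it says nothing about the forward chain or about IPv6) and only encodes the property the post is after: no SMB port opened to a source outside the LAN, and a terminal REJECT.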




More information about the fedora-list mailing list