Re: [K12OSN] Samba/iptables problem

Daniel Loomis wrote:

Since upgrading from 2.1.1 to 3.1.1 I have had problems with a conflict between samba and the iptables firewall. I have added ports 137-139 to the iptables configuration (using lokkit) to allow netbios tcp traffic to pass through.

When iptables is started, I can no longer access the server via netbios (from windows or linux boxes) via eth1. eth0 is trusted and connects my thin clients.

Do I need to add passthrough for udp traffic on ports 137-139?

It might not be iptables at all; check /etc/samba/smb.conf for the 'hosts allow' section. Your allowed networks should be listed there. In my case the line from smb.conf looks like this:

hosts allow = 192.168.0. 192.168.2. 127. 10.0.1.

You'll have to replace 10.0.1. with your network segment.

You can check /var/log/samba/smbd.log for lines like this, to see if this is your problem.

[2003/06/17 16:39:29, 0] lib/access.c:check_access(333)
Denied connection from  (

In case it is iptables:
I don't think you have to add UDP, IIRC, but you may also have to add tcp port 445 if you use Windows 2000 or XP clients. Here are the snippets from /etc/sysconfig/iptables that work for me. They may need to be adjusted to match your file, or you could just use lokkit to add tcp port 445.

137-139 and 445 are all bad ports to have open to the internet, and are constantly scanned, so you may want to limit traffic to your local network segment as I have here. To customise it, replace the with your own network segment. (mine specifies hosts from, unless I am mistaken). Also check that the RH-Lokkit-0-50-INPUT matches what is defined at the top of the file.

#allow clients on 10.0.1.x to connect to samba
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s -d 0/0 --dport 137:139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s -d 0/0 --dport 445 --syn -j ACCEPT
#end samba

Ben Nickell
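
The smb.conf check described in the reply above, as an added example that is not part of the original message: it pulls client addresses out of "Denied connection from" entries and reports which ones no 'hosts allow' prefix covers. The log entries are constructed, the "host (ip)" layout of the denial line is an assumption (the sample in the message is cut off), the function names are hypothetical, and only trailing-dot prefixes and exact addresses are matched, not netmasks, hostnames or EXCEPT.

```python
import re

# Constructed sample data: the smb.conf line quoted in the message, made-up log entries.
HOSTS_ALLOW = "hosts allow = 192.168.0. 192.168.2. 127. 10.0.1."
SAMPLE_LOG = """\
[2003/06/17 16:39:29, 0] lib/access.c:check_access(333)
  Denied connection from pc1.example.lan (10.0.2.15)
[2003/06/17 16:40:02, 0] lib/access.c:check_access(333)
  Denied connection from pc2.example.lan (10.0.2.16)
[2003/06/17 16:41:10, 0] lib/access.c:check_access(333)
  Denied connection from pc1.example.lan (10.0.2.15)
"""

# Assumed layout of the denial line: "Denied connection from <host> (<ip>)".
DENIED = re.compile(r"Denied connection from\s+(\S*)\s*\((\d+\.\d+\.\d+\.\d+)\)")

def parse_hosts_allow(line):
    """Return the entries of a 'hosts allow = ...' line (space or comma separated)."""
    value = line.partition("=")[2]
    return [e for e in re.split(r"[,\s]+", value) if e]

def is_allowed(ip, entries):
    """Simplified match: entries ending in '.' are prefixes, anything else is an exact IP."""
    return any(ip.startswith(e) if e.endswith(".") else ip == e for e in entries)

def denied_clients(log_text):
    """Count denial entries per client IP."""
    counts = {}
    for match in DENIED.finditer(log_text):
        counts[match.group(2)] = counts.get(match.group(2), 0) + 1
    return counts

def uncovered_prefixes(log_text, allow_line):
    """List the three-octet prefixes of denied clients that 'hosts allow' does not cover."""
    entries = parse_hosts_allow(allow_line)
    return sorted({ip.rsplit(".", 1)[0] + "." for ip in denied_clients(log_text)
                   if not is_allowed(ip, entries)})

if __name__ == "__main__":
    print(denied_clients(SAMPLE_LOG))
    print(uncovered_prefixes(SAMPLE_LOG, HOSTS_ALLOW))
```

If the uncovered list is empty while clients are still refused, smb.conf is not the cause and the firewall rules are the next thing to check.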

