#1 2010-11-16 03:54:53

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Restricting Access to Samba Shares by IP

Hello everyone. I run an all-Linux household, but I also fix Windows computers for money on the side. A great deal of the Windows computers I fix have viruses, and the last thing I want is for them to infect my Samba shares. (My Samba shares are read-write). What I want to do is restrict access by IP, because each and every one of my computers uses static IPs, and the DHCP range begins above x.x.x.100. Thus, I figure if I don't allow any IP with an address of x.x.x.100 or above, I'm safe. Should I do this through my smb.conf, or through hosts.allow? Not sure, but here are my Samba files:

smb.conf

[global]
server string = J's Laptop
workgroup = LITTLEBIGPLANET
security = share
include = /etc/samba/smbshared.conf

wins support = no

Here is my smbshared.conf:

[Shared] ; user="jlacroix"
    force user = jlacroix
    path = /home/jlacroix/Shared
    writable = yes
    public = yes

[Music] ; user="jlacroix"
    force user = jlacroix
    path = /home/jlacroix/Music
    writable = no
    public = yes

Offline

#2 2010-11-16 04:53:01

Fruity
Member
Registered: 2009-12-16
Posts: 198

Re: Restricting Access to Samba Shares by IP

You need to add a "hosts allow" option, like:

hosts allow = 192.168.1.86

Offline

#3 2010-11-16 07:59:39

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,227
Website

Re: Restricting Access to Samba Shares by IP

man smb.conf wrote:

hosts allow (S)

           A synonym for this parameter is allow hosts.

           This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

           If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

           You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5.. The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.

           Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.

           You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

           Example 1: allow all IPs in 150.203.*.*; except one

           hosts allow = 150.203. EXCEPT 150.203.6.66

           Example 2: allow hosts that match the given network/netmask

           hosts allow = 150.203.15.0/255.255.255.0

           Example 3: allow a couple of hosts

           hosts allow = lapland, arvidsjaur

           Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host

           hosts allow = @foonet

           hosts deny = pirate

               Note
               Note that access still requires suitable user-level passwords.
           See testparm(1) for a way of testing your host access to see if it does what you expect.

           Default: hosts allow =  # none (i.e., all hosts permitted access)

           Example: hosts allow = 150.203.5. myhost.mynet.edu.au

Offline

#4 2010-11-16 14:17:20

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Re: Restricting Access to Samba Shares by IP

I've read that, but it doesn't mention anything specific to Samba unless I missed it.

Offline

#5 2010-11-16 22:39:18

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,227
Website

Re: Restricting Access to Samba Shares by IP

smb.conf is the Samba configuration file.... How does that not apply to Samba?

Offline

#6 2010-11-17 00:06:17

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Re: Restricting Access to Samba Shares by IP

Sorry, I misunderstood. Now I know how to add the "hosts allow" option, but how do I make it into a range? Basically I want IP addresses 172.16.254.100 and above to NOT be able to access any Samba share. (My DHCP range begins at .100, all my computers are static). Thanks!

Offline

#7 2010-11-17 06:15:15

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,227
Website

Re: Restricting Access to Samba Shares by IP

Probably something like this...

hosts allow = 172.16.254.1/26 172.16.254.64/27 172.16.254.96/30
hosts deny = 172.16.254.0/24

Offline

#8 2010-11-17 14:44:49

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Re: Restricting Access to Samba Shares by IP

fukawi2 wrote:

Probably something like this...

hosts allow = 172.16.254.1/26 172.16.254.64/27 172.16.254.96/30
hosts deny = 172.16.254.0/24

Thank you. Before I try this, I want to understand more about what it's doing. I see that you're using CIDR notation, which is still my weak point. I'm not understanding how that restricts access to 172.16.254.100 and above. I'm sure what you posted will work, I just don't understand how it works. Sorry to be a pain, I'm just trying to learn as much as I can.

Offline

#9 2010-11-17 18:05:52

pseudonomous
Member
Registered: 2008-04-23
Posts: 349

Re: Restricting Access to Samba Shares by IP

Edit: I think fukawi2's examples are fine, I forgot to look at the "deny" section.

fukawi2's example doesn't do exactly what you want it to do, he's merely giving you an example of the proper syntax to use for your config file.

You might consider reading this article about network addressing to understand how CIDR notation works.  It should make total sense once you understand how network addressing works.

Also, there are CIDR to iprange converters available via webapps, as well as some console-based ones such as "ipcalc" available in the arch repositories.

Last edited by pseudonomous (2010-11-17 22:50:59)

Offline

#10 2010-11-17 21:46:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,227
Website

Re: Restricting Access to Samba Shares by IP

pseudonomous wrote:

fukawi2's example doesn't do exactly what you want it to do, he's merely giving you an example of the proper syntax to use for your config file.

It should do it, unless I'm missing something now?

Default to deny, then allow the 3 CIDR's:

 ~ $ for CIDR in 172.16.254.1/26 172.16.254.64/27 172.16.254.96/30 ; do ipcalc $CIDR | egrep '(Broadcast|Network)' ; done
Network:   172.16.254.0/26      10101100.00010000.11111110.00 000000
Broadcast: 172.16.254.63        10101100.00010000.11111110.00 111111
Network:   172.16.254.64/27     10101100.00010000.11111110.010 00000
Broadcast: 172.16.254.95        10101100.00010000.11111110.010 11111
Network:   172.16.254.96/30     10101100.00010000.11111110.011000 00
Broadcast: 172.16.254.99        10101100.00010000.11111110.011000 11

Last edited by fukawi2 (2010-11-17 21:47:38)

Offline
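
The CIDR arithmetic discussed in posts #7 to #10, as an added example that is not part of any post in this thread: it derives the smallest set of CIDR blocks covering 172.16.254.0 to 172.16.254.99 and then checks boundary addresses against the allow and deny lists. The `permitted` function is a simplified model of how Samba combines the two lists (allow takes precedence over deny); it handles CIDR entries only, not hostnames, netgroups, EXCEPT or the loopback special case, and all function names are made up for this illustration.

```python
import ipaddress

def cidr_cover(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def parse_nets(value):
    """Parse a space- or comma-separated list of CIDR entries.

    strict=False masks off host bits, so 172.16.254.1/26 is read as
    172.16.254.0/26, the same normalisation the ipcalc output shows.
    """
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def permitted(client, allow, deny):
    """Simplified model of combining 'hosts allow' and 'hosts deny'.

    - allow list only: only listed hosts get in
    - otherwise: a host gets in if it is on the allow list,
      or if it is not on the deny list
    """
    addr = ipaddress.ip_address(client)
    in_allow = any(addr in net for net in allow)
    in_deny = any(addr in net for net in deny)
    if allow and not deny:
        return in_allow
    return in_allow or not in_deny

# The two lines from post #7.
ALLOW = parse_nets("172.16.254.1/26 172.16.254.64/27 172.16.254.96/30")
DENY = parse_nets("172.16.254.0/24")

if __name__ == "__main__":
    print("cover of .0-.99:", [str(n) for n in cidr_cover("172.16.254.0", "172.16.254.99")])
    # Constructed sample clients: static range, range edge, DHCP range, other subnet.
    for ip in ("172.16.254.10", "172.16.254.99", "172.16.254.100",
               "172.16.254.200", "10.0.0.5"):
        print(f"{ip:16} both lists: {permitted(ip, ALLOW, DENY)!s:6}"
              f" allow only: {permitted(ip, ALLOW, [])}")
```

In this model an address outside 172.16.254.0/24 matches neither list and is admitted when both lists are set, whereas with only the allow list it is refused.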

#11 2010-11-17 22:51:33

pseudonomous
Member
Registered: 2008-04-23
Posts: 349

Re: Restricting Access to Samba Shares by IP

Sorry fukawi2, I forgot to look at the "deny" line, when I was calculating things. (and I also had reversed in my mind the network address range that the OP wanted to deny access to with the network he wanted to allow access to)

Last edited by pseudonomous (2010-11-17 22:54:45)

Offline

#12 2010-11-18 00:24:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,227
Website

Re: Restricting Access to Samba Shares by IP

No problem, just wanted to make sure I wasn't missing something :)

Offline
