
#1 2011-07-12 19:57:41

FernandoBasso
Member
From: Brazil
Registered: 2010-10-27
Posts: 90

Browse samba and windows shares

After reading and trying all of the tips suggested in this thread
I got almost everything working. Just that despite the fact that I did allow the ports
mentioned in the tutorial, I still have to stop iptables in order to be able
to browse the shares through the 'Browse Network' icon in nautilus.

Doing:

smb://192.168.x.xxx

works just fine.

vaio@nando, Tue Jul 12 16:52:18 
~ 
$ sudo iptables -L --line-numbers 
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  192.168.1.0/24       anywhere            udp dpt:netbios-ns 
2    ACCEPT     udp  --  192.168.1.0/24       anywhere            udp dpt:netbios-dgm 
3    ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:netbios-ssn 
4    ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:microsoft-ds 
5    DROP       icmp --  anywhere             anywhere            
6    ACCEPT     all  --  anywhere             anywhere            
7    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
8    DROP       all  --  10.0.0.0/8           anywhere            
9    DROP       all  --  172.16.0.0/16        anywhere            
10   DROP       all  --  192.168.0.0/24       anywhere            
11   DROP       udp  --  anywhere             anywhere            udp dpts:33435:33525 
12   DROP       udp  --  anywhere             anywhere            udp dpts:33435:33525 
13   DROP       all  --  anywhere             anywhere            state INVALID 
14   DROP       all  --  anywhere             anywhere            
15   ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 
16   ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
vaio@nando, Tue Jul 12 16:52:28 
~ 

Any ideas?

Thanks in advance.

Last edited by FernandoBasso (2011-07-12 20:51:31)


There is a difference between knowing the path and walking the path.


#2 2011-07-14 06:57:00

rowdog
Member
From: East Texas
Registered: 2009-08-19
Posts: 118

Re: Browse samba and windows shares

You might need ICMP for browsing the network.


#3 2011-07-14 11:18:27

FernandoBasso
Member
From: Brazil
Registered: 2010-10-27
Posts: 90

Re: Browse samba and windows shares

rowdog wrote:

You might need ICMP for browsing the network.

Thanks for the reply. Allowing icmp (iptables -D INPUT 5) didn't do any good at all.
However, iptables -I INPUT -s 192.168.1.0/24 did work. Just that I don't want to
allow everyone in the LAN to have access, and some IPs are set through DHCP, so,
I can't allow just 'this' or 'that' machine.

I am trying to find out which of the rules is blocking browsing the network.

Just for sake of information, here's /etc/iptables/iptables.rules:

# Generated by iptables-save v1.4.10 on Thu Jul 14 08:16:15 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:696]
-A INPUT -s 192.168.1.0/24 -j LOG --log-prefix "__LOCAL_CONNECTIONS__" 
-A INPUT -s 192.168.1.0/24 -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT 
-A INPUT -p icmp -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 10.0.0.0/8 -j DROP 
-A INPUT -s 172.16.0.0/16 -j DROP 
-A INPUT -s 192.168.0.0/24 -j DROP 
-A INPUT -i eth0 -p udp -m udp --dport 33435:33525 -j DROP 
-A INPUT -i wlan0 -p udp -m udp --dport 33435:33525 -j DROP 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT 
COMMIT
# Completed on Thu Jul 14 08:16:15 2011



#4 2011-07-17 21:33:20

totsilence
Member
Registered: 2010-02-01
Posts: 20

Re: Browse samba and windows shares

Hello,

I think the problem is that when you try to browse for servers your machine will broadcast a udp packet to i.e. 192.168.1.255.
This packet will come from some available port on your machine (in the upper free region) and go to destination port 137 on the whole subnet.
A machine running a samba/windows network server will then reply _to_your_arbitrary_port_, which your firewall will not allow.

Example:
Your machine broadcasts from 192.168.1.40 port 45123 to 192.168.1.255 port 137.
Another machine running a server replies from 192.168.1.41 port 137 to your machine 192.168.1.40 port 45123.
Your firewall will block the reply because it does not have any special rule for your port 45123.

Since I think it's a bad idea to just open your firewall for all packets originating from port 137, I myself am using the "recent" module:

It works like this:

In the OUTPUT chain I have the following rule:
-A OUTPUT -d 192.168.0.255 -p udp --dport 137 -m recent --name samba --rsource --set -j ACCEPT

this keeps track of the port you used to broadcast and stores it on your machine.

In the INPUT chain I then have
-A INPUT -s 192.168.0.0/24 -p udp --sport 137 -m recent --name samba --rdest --rcheck -j ACCEPT

This checks your destination against your recently saved ip/port tuple.

Works for me (but I'm not an expert on firewall configurations, in fact I'm really new to it myself).
I'd be interested in better solutions!

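The exchange totsilence describes, replayed against a small model of the rules in this thread. This is an added example, not code from the thread or from any of its posters: it emulates only as much of iptables as the argument needs (the OP's --dport 137/138/139/445 accepts, the RELATED,ESTABLISHED state match, a final DROP, and the xt_recent --set/--rcheck pair from post #4) so you can see why the server's reply is dropped by the port-based rules and accepted by the recent-based one. Two caveats worth knowing before copying the rules from post #4: xt_recent records IP addresses (with a timestamp), not ports, so --rsource in OUTPUT stores the sending host's own address and --rdest --rcheck in INPUT matches any udp/137 reply addressed to it, which is what the model implements; and the rules as posted use 192.168.0.255 / 192.168.0.0/24, while the OP's LAN is 192.168.1.0/24. The addresses and ports are the ones from totsilence's example; the clock, the optional --seconds window and the Firewall class are constructed for the model.

```python
# Added example (not from the thread): model of how the posted INPUT/OUTPUT rules
# treat a NetBIOS name-service broadcast (udp/137) and the unicast reply to it.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # the OP's subnet
BROADCAST = "192.168.1.255"
NBNS = 137                                      # udp/137, NetBIOS name service


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Just enough state to emulate conntrack ESTABLISHED and xt_recent --set/--rcheck."""

    def __init__(self, recent_rule: bool, recent_seconds: Optional[int] = None):
        self.recent_rule = recent_rule          # is totsilence's rule pair installed?
        self.recent_seconds = recent_seconds    # emulates an optional --seconds N on --rcheck
        self.conntrack: Set[Tuple] = set()      # original-direction 5-tuples conntrack has seen
        self.recent: Dict[str, int] = {}        # xt_recent list "samba": address -> last-seen time
        self.now = 0                            # fake clock, seconds

    def tick(self, seconds: int) -> None:
        self.now += seconds

    # OUTPUT chain (policy ACCEPT in the posted rules)
    def output(self, pkt: Packet) -> str:
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        # -A OUTPUT -d <broadcast> -p udp --dport 137 -m recent --name samba --rsource --set
        if self.recent_rule and pkt.proto == "udp" and pkt.dst == BROADCAST and pkt.dport == NBNS:
            self.recent[pkt.src] = self.now     # --rsource stores the packet's source *address*
        return "ACCEPT"

    def _established(self, pkt: Packet) -> bool:
        # conntrack expects the reply to come back from the broadcast address; a reply
        # from a real host is a different tuple, i.e. a NEW flow, so ESTABLISHED fails
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack

    def _recent_check(self, pkt: Packet) -> bool:
        # -A INPUT -s <lan> -p udp --sport 137 -m recent --name samba --rdest --rcheck
        seen = self.recent.get(pkt.dst)         # --rdest: look up the destination address
        if seen is None:
            return False
        return self.recent_seconds is None or self.now - seen <= self.recent_seconds

    # INPUT chain, in the order the posted rules evaluate them
    def input(self, pkt: Packet) -> str:
        from_lan = ipaddress.ip_address(pkt.src) in LAN
        if from_lan and pkt.proto == "udp" and pkt.dport in (137, 138):
            return "ACCEPT"                     # OP's --dport 137/138 rules (dport only!)
        if from_lan and pkt.proto == "tcp" and pkt.dport in (139, 445):
            return "ACCEPT"                     # OP's --dport 139/445 rules
        if self._established(pkt):
            return "ACCEPT"                     # -m state --state RELATED,ESTABLISHED
        if (self.recent_rule and from_lan and pkt.proto == "udp"
                and pkt.sport == NBNS and self._recent_check(pkt)):
            return "ACCEPT"                     # totsilence's recent-based rule
        return "DROP"                           # -A INPUT -j DROP


def browse(fw: Firewall, delay: int = 0) -> Tuple[str, str]:
    """Replay post #4's example: broadcast from .40:45123, reply from .41:137 after `delay` s."""
    query = Packet("udp", "192.168.1.40", 45123, BROADCAST, NBNS)
    reply = Packet("udp", "192.168.1.41", NBNS, "192.168.1.40", 45123)
    verdict_out = fw.output(query)
    fw.tick(delay)
    return verdict_out, fw.input(reply)


def unsolicited(fw: Firewall) -> str:
    """A LAN host sending from udp/137 to the OP's machine with no prior broadcast."""
    return fw.input(Packet("udp", "192.168.1.41", NBNS, "192.168.1.40", 45123))


if __name__ == "__main__":
    print("port-based rules only        :", browse(Firewall(recent_rule=False)))
    print("with recent rule             :", browse(Firewall(recent_rule=True)))
    print("recent, 5 s window, reply 60 s late:", browse(Firewall(True, recent_seconds=5), delay=60))
    print("unsolicited udp/137, recent rule:", unsolicited(Firewall(recent_rule=True)))
```

The model shows the two things the thread circles around: the reply has destination port 45123, so none of the OP's --dport rules match it, and it has source 192.168.1.41 rather than 192.168.1.255, so conntrack treats it as a new flow and RELATED,ESTABLISHED does not match either. The recent-based rule accepts it only after the host has itself broadcast to udp/137; adding --seconds to the --rcheck rule (modelled by recent_seconds) keeps that window short, since without it the address stays matchable until it ages out of the recent list. Independently of this thread, Linux also ships a conntrack helper for exactly this case, nf_conntrack_netbios_ns, which creates an expectation for the broadcast reply so that the existing RELATED match covers it; that is a kernel fact, not something the posters mention.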

#5 2011-07-17 22:16:07

FernandoBasso
Member
From: Brazil
Registered: 2010-10-27
Posts: 90

Re: Browse samba and windows shares

totsilence,

Your theory makes sense. I just got myself wondering if windows (which
browses shares 'by default') has some ports open all the time for anyone
to access...

I'll investigate more on this. I'll post again in case I find
anything worthwhile.

Thanks for now.



