Samba uses strange port range and cause trouble with iptables

Dennis Beekman · 2010-08-24 12:16:50

I am using the latest 2.6.35.3-1 kernel from testing and the iptables 1.4.9 & Samba 3.5.4-1.

As far as i know Samba uses the following ports:
TCP: 139, 445
UDP: 137,138

But when i open these ports in iptables my computer cannot see any shares... not even it's own Samba server is visible...
Yet the computer itself is perfectly visible to other machines and allows for them to connect to the shares just fine.

I recently discovered that to be able to see the shares that are available on the network
I need to add the range UDP 1025:65535 to iptables.rules, i i make the range any smaller it won't work anymore either... has to be almost the entire range.

Below is the relevant stuff from my iptables.rules document... again if i remove the line "-A OPEN-UDP -p udp --dport 1025:65535 -j ACCEPT" or limit the range the computer cannot see itsself or any other computer on the network anymore...

*filter
-F
-X

-N OPEN-TCP
-N OPEN-UDP

-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m state --state NEW -j OPEN-UDP
-A INPUT -p tcp --syn -m state --state NEW -j OPEN-TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreach
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with proto-unreach

-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -s 127.0.0.1 -j ACCEPT

-A OPEN-TCP -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A OPEN-TCP -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
\-A OPEN-UDP -p udp --dport 137 -j ACCEPT
-A OPEN-UDP -p udp --dport 138 -j ACCEPT
-A OPEN-UDP -p udp --dport 1025:65535 -j ACCEPT

COMMIT

Does anyone have a clue to why samba needs these udp ports to be able to see the other computers on the network ? i would rather not have those ports open like that if possible for obvious reasons.

madeye · 2010-08-24 13:03:59

I don't have a direct answer to your question, but I found the following

http://www.samba.org/samba/docs/man/Sam … ewallports

There port 135/TCP is also listed as necessary. Don't know if it would solve your problem though.

Dennis Beekman · 2010-08-25 07:39:27

I have port 135 listed in my firewall script, i just forgot to mention it in the post .... :-)

Your link lists these ports as outgoing ports but i have to open them as incomming ports.
I gues that what goes out must come in aswell, and i will just leave this rule in my firewall.

madeye · 2010-08-25 15:42:38

Do you know what port the remote connection comes from? Does this conform to the samba ports listed?
Then you might be able to insert a source port in your rules, so only traffic coming from the ports necessary are allowed.

Something like

-A OPEN-UDP -p udp --dport 1025:65535 --sport 137:138 -j ACCEPT

If it's coming from a random high port, then there probably is not much to do but keep all ports open to everything

Sin.citadel · 2010-08-27 00:18:39

the range of high ports are only for outbound connections, since the firewall rules are for inbound connections, opening those ports is unnecessary.

Also, if your trying to connect to samba server, which is running from the same computer, make sure thats its not the samba server settings that are blocking you, -F the filter table and see if you can connect to the locally running samba server.

Arch Linux

#1 2010-08-24 12:16:50

Samba uses strange port range and cause trouble with iptables

#2 2010-08-24 13:03:59

Re: Samba uses strange port range and cause trouble with iptables

#3 2010-08-25 07:39:27

Re: Samba uses strange port range and cause trouble with iptables

#4 2010-08-25 15:42:38

Re: Samba uses strange port range and cause trouble with iptables

#5 2010-08-27 00:18:39

Re: Samba uses strange port range and cause trouble with iptables

Board footer