Hello everyone. I run an all-Linux household, but I also fix Windows computers for money on the side. A great deal of the Windows computers I fix have viruses, and the last thing I want is for them to infect my Samba shares. (My Samba shares are read-write.) What I want to do is restrict access by IP, because each and every one of my computers uses a static IP, and the DHCP range begins above x.x.x.100. Thus, I figure if I don't allow any IP with an address of x.x.x.100 or above, I'm safe. Should I do this through my smb.conf, or through hosts.allow? Not sure, but here are my Samba files:
smb.conf
[global]
server string = J's Laptop
workgroup = LITTLEBIGPLANET
security = share
include = /etc/samba/smbshared.conf
wins support = no
Here is my smbshared.conf:
[Shared] ; user="jlacroix"
force user = jlacroix
path = /home/jlacroix/Shared
writable = yes
public = yes
[Music] ; user="jlacroix"
force user = jlacroix
path = /home/jlacroix/Music
writable = no
public = yes
You need to add a "hosts allow" option, like:
hosts allow = 192.168.1.86
hosts allow (S)
A synonym for this parameter is allow hosts.
This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.
If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.
You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5.. The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.
Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.
You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:
Example 1: allow all IPs in 150.203.*.*; except one
hosts allow = 150.203. EXCEPT 150.203.6.66
Example 2: allow hosts that match the given network/netmask
hosts allow = 150.203.15.0/255.255.255.0
Example 3: allow a couple of hosts
hosts allow = lapland, arvidsjaur
Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host
hosts allow = @foonet
hosts deny = pirate
Note: access still requires suitable user-level passwords.
See testparm(1) for a way of testing your host access to see if it does what you expect.
Default: hosts allow = # none (i.e., all hosts permitted access)
Example: hosts allow = 150.203.5. myhost.mynet.edu.au
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
I've read that, but it doesn't mention anything specific to Samba unless I missed it.
smb.conf is the Samba configuration file.... How does that not apply to Samba?
Sorry, I misunderstood. Now I know how to add the "hosts allow" option, but how do I make it into a range? Basically I want IP addresses 172.16.254.100 and above to NOT be able to access any Samba share. (My DHCP range begins at .100, all my computers are static). Thanks!
Probably something like this...
hosts allow = 172.16.254.1/26 172.16.254.64/27 172.16.254.96/30
hosts deny = 172.16.254.0/24
Probably something like this...
hosts allow = 172.16.254.1/26 172.16.254.64/27 172.16.254.96/30
hosts deny = 172.16.254.0/24
Thank you. Before I try this, I want to understand more about what it's doing. I see that you're using CIDR notation, which is still my weak point. I'm not understanding how that restricts access to 172.16.254.100 and above. I'm sure what you posted will work, I just don't understand how it works. Sorry to be a pain, I'm just trying to learn as much as I can.
Edit: I think fukawi2's examples are fine; I forgot to look at the "deny" section.
fukawi2's examples don't do exactly what you want them to do; he's merely giving you an example of the proper syntax to use for your config file.
You might consider reading this article about network addressing to understand how CIDR notation works. It should make total sense once you understand how network addressing works.
Also, there are CIDR to iprange converters available via webapps, as well as some console-based ones such as "ipcalc" available in the arch repositories.
Last edited by pseudonomous (2010-11-17 22:50:59)
fukawi2's examples don't do exactly what you want them to do; he's merely giving you an example of the proper syntax to use for your config file.
It should do it, unless I'm missing something now?
Default to deny, then allow the 3 CIDRs:
~ $ for CIDR in 172.16.254.1/26 172.16.254.64/27 172.16.254.96/30 ; do ipcalc $CIDR | egrep '(Broadcast|Network)' ; done
Network: 172.16.254.0/26 10101100.00010000.11111110.00 000000
Broadcast: 172.16.254.63 10101100.00010000.11111110.00 111111
Network: 172.16.254.64/27 10101100.00010000.11111110.010 00000
Broadcast: 172.16.254.95 10101100.00010000.11111110.010 11111
Network: 172.16.254.96/30 10101100.00010000.11111110.011000 00
Broadcast: 172.16.254.99 10101100.00010000.11111110.011000 11
Last edited by fukawi2 (2010-11-17 21:47:38)
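To make the "why does this work" concrete for both the hosts allow syntax quoted from smb.conf(5) earlier and fukawi2's three-block answer above, here is an added worked example (my own code, not from the thread or from the Samba project). It models the allow/deny decision the way smb.conf(5) describes it (an allow-list match wins, then a deny-list match refuses, a host on neither list is admitted, and 127.0.0.1 is admitted unless it is itself on the deny list), normalises 172.16.254.1/26 to 172.16.254.0/26 just as the ipcalc output above did, and computes the minimal exact CIDR cover for 172.16.254.1 through 172.16.254.99. The HOSTS_ALLOW and HOSTS_DENY strings are the lists posted in this thread; the client addresses fed to it are constructed test input. Hostnames, netgroups, trailing-dot wildcards and EXCEPT are not modelled, and the decision function is my reading of the manual, not Samba's own code, so confirm the real behaviour with testparm as noted below.

```python
import ipaddress

# Constructed input: the lists fukawi2 posted in this thread.
HOSTS_ALLOW = "172.16.254.1/26 172.16.254.64/27 172.16.254.96/30"
HOSTS_DENY = "172.16.254.0/24"


def parse_hosts_list(spec):
    """Parse a comma/space/tab delimited list of IP entries into networks.

    Accepts a bare address, prefix-length form (a.b.c.d/nn) and
    network/netmask form (a.b.c.d/m.m.m.m). strict=False discards host
    bits, so 172.16.254.1/26 becomes 172.16.254.0/26, the same
    normalisation ipcalc printed in the thread. Hostnames, netgroups,
    trailing-dot wildcards and EXCEPT are deliberately not handled.
    """
    entries = spec.replace(",", " ").split()
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def minimal_cidrs(first, last):
    """Fewest CIDR blocks that cover first..last inclusive."""
    rng = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                            ipaddress.ip_address(last))
    return [str(n) for n in rng]


def smb_conf_lines(first, last, subnet):
    """smb.conf lines that admit exactly first..last and refuse the rest
    of subnet (assumption: the subnet is the only path to the server)."""
    return ("hosts allow = " + " ".join(minimal_cidrs(first, last)),
            "hosts deny = " + subnet)


def _matches(addr, nets):
    return any(addr in n for n in nets)


def samba_allows(client, hosts_allow="", hosts_deny=""):
    """Decide access as smb.conf(5) describes hosts allow / hosts deny.

    - neither list set: everyone is admitted
    - only hosts allow set: only listed hosts are admitted
    - only hosts deny set: everyone except listed hosts is admitted
    - both set: an allow-list match wins, then a deny-list match refuses,
      and a host on neither list is admitted
    127.0.0.1 is admitted unless it is specifically on the deny list
    (simplification: any deny entry containing it counts).
    """
    addr = ipaddress.ip_address(client)
    allow = parse_hosts_list(hosts_allow)
    deny = parse_hosts_list(hosts_deny)
    if addr.is_loopback:
        return not _matches(addr, deny)
    if allow and _matches(addr, allow):
        return True
    if deny and _matches(addr, deny):
        return False
    # Only an allow list with no match refuses; every other case admits.
    return not (allow and not deny)


if __name__ == "__main__":
    for line in smb_conf_lines("172.16.254.1", "172.16.254.99",
                               "172.16.254.0/24"):
        print(line)
    # Constructed client addresses, including the two caveats worth
    # knowing: .0 is admitted because /26 normalises to the block
    # start, and an address outside the denied /24 is admitted because
    # it is on neither list.
    for ip in ("172.16.254.0", "172.16.254.50", "172.16.254.99",
               "172.16.254.100", "172.16.254.200", "10.0.0.7",
               "127.0.0.1"):
        verdict = "allowed" if samba_allows(ip, HOSTS_ALLOW, HOSTS_DENY) \
            else "denied"
        print(f"{ip:16} {verdict}")
```

Two things the output makes visible. First, the exact cover of .1 to .99 needs eight blocks (/32, /31, /30, /29, /28, /27, /27, /30); fukawi2's three blocks additionally admit .0, which is the network address and is never assigned to a client, so in practice the two are equivalent. Second, because the deny line only names 172.16.254.0/24, a client arriving from any other subnet is on neither list and is admitted; that only matters if the server is reachable from another network, but it is the reason to keep the deny list in step with every interface Samba listens on. Before relying on the configuration, run testparm with a hostname and IP argument (for example a .99 and a .100 address) and it will report whether that host would be allowed, which is the check the man page excerpt above points at. And as that excerpt also says, the IP filter is no substitute for passwords: a compromised machine that owns a static address inside the allowed range still reaches a share that is public and writable.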
Sorry fukawi2, I forgot to look at the "deny" line, when I was calculating things. (and I also had reversed in my mind the network address range that the OP wanted to deny access to with the network he wanted to allow access to)
Last edited by pseudonomous (2010-11-17 22:54:45)
No problem, just wanted to make sure I wasn't missing something