Difference between revisions of "Samba"

From Christoph's Personal Wiki
Jump to: navigation, search
(Samba and iptables)
Line 2: Line 2:
  
 
==Samba (smb/cifs) and iptables==
 
==Samba (smb/cifs) and iptables==
If you have a firewall and wish to open it up to Samba on a specific machine (i.e. a single IP address), try the following [[iptables]]:
+
As an example Samba-share setup, assume the Windows machine ("Samba server") has an IP address of <code>128.35.125.23</code>, your Linux machine ("Samba client") has an IP address of <code>10.0.32.145</code>, and the Linux machine is behind a dedicated firewall (which does NAT).
-A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 137 -j ACCEPT
+
 
-A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p udp -m udp --dport 137 -j ACCEPT
+
The only [[iptables]] rules you will need to implement are <code>FORWARD</code> all "source" requests (Linux box) via TCP on ports 139 and 445 with a jump target of "<code>ACCEPT</code>".
-A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 138 -j ACCEPT
+
 
-A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p udp -m udp --dport 138 -j ACCEPT
+
The following two rules will allow the above traffic:
  -A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 139 -j ACCEPT
+
  -A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 139 -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p udp -m udp --dport 139 -j ACCEPT
+
  -A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT
  -A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 445 -j ACCEPT
+
-A FORWARD -s xxx.xxx.xxx.xxx/24 -d xxx.xxx.xxx.xxx -p udp -m udp --dport 445 -j ACCEPT
+
 
where <code>-s</code> is your "source" IP address and <code>-d</code> is your "destination".
 
where <code>-s</code> is your "source" IP address and <code>-d</code> is your "destination".
  
Line 21: Line 19:
 
==Test-mount your Samba share==
 
==Test-mount your Samba share==
 
As root,
 
As root,
  mount -t cifs //xxx.xxx.xxx.xxx/path /mnt/samba -o username=username
+
  mount -t cifs //128.35.125.23/path /mnt/samba -o username=username
  
 
==Automount a Samba share==
 
==Automount a Samba share==
 
If you would like to automount your Samba shares, you can place the line below in your <code>/etc/fstab</code>:
 
If you would like to automount your Samba shares, you can place the line below in your <code>/etc/fstab</code>:
  //xxx.xxx.xxx.xxx/path /mnt/samba cifs username=username,password=password 0 0
+
  //128.35.125.23/path /mnt/samba cifs username=username,password=password 0 0
 
where <code>cifs</code> might need to be <code>smbfs</code>, depending on your filesystem setup.
 
where <code>cifs</code> might need to be <code>smbfs</code>, depending on your filesystem setup.
  
Line 35: Line 33:
  
 
Now, edit your <code>/etc/fstab</code> and replace the line with:
 
Now, edit your <code>/etc/fstab</code> and replace the line with:
  //xxx.xxx.xxx.xxx/path /mnt/samba cifs credentials=/etc/samba/smbpasswd 0 0
+
  //128.35.125.23/path /mnt/samba cifs credentials=/etc/samba/smbpasswd 0 0
  
 
==External links==
 
==External links==

Revision as of 23:37, 2 May 2007

Samba is a free software re-implementation of SMB/CIFS networking protocol, released under the GNU General Public License.

Samba (smb/cifs) and iptables

As an example Samba-share setup, assume the Windows machine ("Samba server") has an IP address of 128.35.125.23, your Linux machine ("Samba client") has an IP address of 10.0.32.145, and the Linux machine is behind a dedicated firewall (which does NAT).

The only iptables rules you will need to implement are FORWARD all "source" requests (Linux box) via TCP on ports 139 and 445 with a jump target of "ACCEPT".

The following two rules will allow the above traffic: 

-A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 139 -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -s 10.0.32.0/24 -d 128.35.125.23 -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT

where -s is your "source" IP address and -d is your "destination".

Note that,

  • TCP/UDP 137 (NETBIOS Name Service aka netbios-ns)
  • TCP/UDP 138 (NETBIOS Datagram Service aka netbios-dgm)
  • TCP/UDP 139 (NETBIOS session service aka netbios-ssn)
  • TCP/UDP 445 (Microsoft Naked CIFS aka microsoft-ds; Win2k/XP)

Test-mount your Samba share

As root, 

mount -t cifs //128.35.125.23/path /mnt/samba -o username=username

Automount a Samba share

If you would like to automount your Samba shares, you can place the line below in your /etc/fstab: 

//128.35.125.23/path /mnt/samba cifs username=username,password=password 0 0

where cifs might need to be smbfs, depending on your filesystem setup.

However, if you do not want your username and password in a text file that anyone can read, you can create a file in, for an example, /etc/samba/smbpasswd with the following two lines: 

username=username
password=password

Then, 

chmod 600 /etc/samba/smbpasswd

Now, edit your /etc/fstab and replace the line with: 

//128.35.125.23/path /mnt/samba cifs credentials=/etc/samba/smbpasswd 0 0

External links

Firewall

Retrieved from "http://wiki.christophchamp.com/index.php?title=Samba&oldid=3872"