From Christoph's Personal Wiki

Samba is a free software re-implementation of the SMB/CIFS networking protocol, released under the GNU General Public License.

Samba (smb/cifs) and iptables

As an example Samba-share setup, assume the Windows machine ("Samba server") has an IP address of, your Linux machine ("Samba client") has an IP address of, and the Linux machine is behind a dedicated firewall (which does NAT).

The only iptables rules you will need are FORWARD rules that accept traffic from the "source" (the Linux box) to the destination over TCP ports 139 and 445, i.e. rules with a jump target of ACCEPT.

The following two rules will allow the above traffic:

-A FORWARD -s -d -p tcp -m tcp --dport 139 -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -s -d -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT

where -s is your "source" IP address and -d is your "destination".
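The point of the -s/-d pair above is that SMB is only ever let through between the two hosts that need it. As an added example (not code from this page), the POSIX shell functions below read iptables-save output and flag every ACCEPT rule on the SMB/NetBIOS ports that carries no -s source match, and print INPUT rules like the ones in the example setup further down, pinned to a LAN prefix. The prefix 192.168.0.0/24 is an assumption modelled on the "hosts allow = 127. 192.168.0." setting used later, and the sample ruleset is constructed; the addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: audit iptables-save output for
# SMB/NetBIOS ACCEPT rules that do not restrict the source, and emit INPUT
# rules limited to a LAN prefix. Needs only POSIX sh.

SMB_PORTS="137 138 139 445"

# rule_hits_smb_port RULE: 0 when RULE matches one of the SMB/NetBIOS ports
rule_hits_smb_port() {
    for port in $SMB_PORTS; do
        case "$1" in
            *"--dport $port "*|*"--dport $port") return 0 ;;
        esac
    done
    return 1
}

# smb_rule_unrestricted RULE: 0 when RULE accepts an SMB/NetBIOS port
# from any source, i.e. it has no -s/--source match at all.
smb_rule_unrestricted() {
    case "$1" in
        *" -j ACCEPT"*) ;;
        *) return 1 ;;
    esac
    rule_hits_smb_port "$1" || return 1
    case "$1" in
        *" -s "*|*" --source "*) return 1 ;;
    esac
    return 0
}

# audit_smb_rules FILE: FILE holds iptables-save output. Every unrestricted
# rule is reported on stderr; the number found is printed on stdout.
audit_smb_rules() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            '-A '*) ;;
            *) continue ;;   # skip *filter, :CHAIN policy lines, COMMIT, comments
        esac
        if smb_rule_unrestricted "$rule"; then
            printf 'SMB/NetBIOS port accepted from any source: %s\n' "$rule" >&2
            found=$((found + 1))
        fi
    done < "$1"
    printf '%s\n' "$found"
}

# smb_input_rules LAN_CIDR: the four INPUT rules from the example setup,
# each limited to LAN_CIDR so the firewall enforces the same boundary
# as "hosts allow" in smb.conf.
smb_input_rules() {
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        proto=${spec%%:*}
        port=${spec##*:}
        printf '%s\n' "-A INPUT -s $1 -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
    done
}

# write_sample_rules FILE: constructed iptables-save style ruleset. The first
# four -A INPUT rules are the page's; the addresses further down are placeholders.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.0.10/32 -d 192.168.0.20/32 -p tcp -m tcp --dport 445 -m mark --mark 0x1/0x1 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
write_sample_rules "$demo_dir/rules"
echo "SMB/NetBIOS ports open to any source: $(audit_smb_rules "$demo_dir/rules")"
echo "rules limited to the LAN instead:"
smb_input_rules 192.168.0.0/24
rm -rf "$demo_dir"
```

Run it against a real dump with `iptables-save > rules; audit_smb_rules rules`; a count above zero means an SMB port is reachable from every network the host is attached to, which is what the -s match in the FORWARD rules above prevents on the firewall.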

Note the ports Samba uses:

  • TCP/UDP 137 (NETBIOS Name Service aka netbios-ns)
  • TCP/UDP 138 (NETBIOS Datagram Service aka netbios-dgm)
  • TCP/UDP 139 (NETBIOS session service aka netbios-ssn)
  • TCP/UDP 445 (Microsoft Naked CIFS aka microsoft-ds; Win2k/XP)

Test-mount your Samba share

As root,

mount -t cifs // /mnt/samba -o username=username

Automount a Samba share

If you would like to automount your Samba shares, you can place the line below in your /etc/fstab:

// /mnt/samba cifs username=username,password=password 0 0

where cifs might need to be smbfs, depending on your filesystem setup.

However, if you do not want your username and password in a text file that anyone can read, you can create a file, for example /etc/samba/smbpasswd, with the following two lines:



chmod 600 /etc/samba/smbpasswd

Now, edit your /etc/fstab and replace the line with:

// /mnt/samba cifs credentials=/etc/samba/smbpasswd 0 0
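The two steps above (a credentials file that only root can read, and an fstab entry that references it instead of carrying password=) are easy to get wrong by hand. As an added example, not code from this page, the POSIX shell functions below write the key=value file that mount.cifs reads via credentials=, verify that it grants no group or other permissions, and scan an fstab for cifs/smbfs entries that still carry an inline password. The server name fileserver.example, the account names and the sample fstab are constructed; the uid=/gid= options in the sample are standard mount.cifs options and not taken from this page.

```shell
#!/bin/sh
# Added example, not from the original page: create a mount.cifs credentials
# file safely and audit fstab for inline passwords. Needs POSIX sh plus ls/cut.

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# Writes the username=/password=/domain= lines mount.cifs reads with
# -o credentials=FILE. The umask is set to 077 first so the file is never
# world-readable, not even between creation and the final chmod.
write_cifs_credentials() {
    cred_file=$1
    cred_user=$2
    cred_pass=$3
    cred_domain=$4
    old_umask=$(umask)
    umask 077
    {
        printf 'username=%s\n' "$cred_user"
        printf 'password=%s\n' "$cred_pass"
        if [ -n "$cred_domain" ]; then
            printf 'domain=%s\n' "$cred_domain"
        fi
    } > "$cred_file"
    umask "$old_umask"
    chmod 600 "$cred_file"
}

# credentials_file_ok FILE
# Returns 0 only when FILE exists and grants no permission bits at all to
# group or other, i.e. the "chmod 600" state the page asks for.
credentials_file_ok() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of "ls -l" output are the group and other bits.
    group_other=$(ls -ld "$1" | cut -c5-10)
    [ "$group_other" = "------" ]
}

# fstab_line_leaks_password LINE
# Returns 0 when LINE is a cifs/smbfs fstab entry whose mount options carry
# an inline password= (readable by everyone in /etc/fstab) instead of credentials=.
fstab_line_leaks_password() {
    fstab_line=$1
    # Split the entry into its whitespace-separated fields:
    # fs_spec fs_file fs_vfstype fs_mntops fs_freq fs_passno
    set -- $fstab_line
    [ "$3" = cifs ] || [ "$3" = smbfs ] || return 1
    case ",$4," in
        *,password=*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab FILE
# Reports each offending entry on stderr and prints the number found on stdout.
audit_fstab() {
    leaks=0
    while IFS= read -r entry; do
        case "$entry" in
            ''|'#'*) continue ;;
        esac
        if fstab_line_leaks_password "$entry"; then
            printf 'inline password in fstab entry: %s\n' "$entry" >&2
            leaks=$((leaks + 1))
        fi
    done < "$1"
    printf '%s\n' "$leaks"
}

# write_sample_fstab FILE: constructed sample (not a real system's fstab)
# with one entry that leaks a password and one that uses a credentials file.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample; the server name is a placeholder
/dev/sda1 / ext4 defaults 0 1
//fileserver.example/uni /mnt/samba cifs username=stine,password=hunter2 0 0
//fileserver.example/uni /mnt/uni cifs credentials=/etc/samba/smbpasswd,uid=stine,gid=sambagroup 0 0
EOF
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
write_cifs_credentials "$demo_dir/smbpasswd" stine hunter2 CIFSERVER
credentials_file_ok "$demo_dir/smbpasswd" && echo "credentials file permissions ok"
write_sample_fstab "$demo_dir/fstab"
echo "fstab entries with inline passwords: $(audit_fstab "$demo_dir/fstab")"
rm -rf "$demo_dir"
```

On a real system run `audit_fstab /etc/fstab` and `credentials_file_ok /etc/samba/smbpasswd`; the second check should also be repeated after package upgrades, since a permissive umask on a later edit is the usual way the file ends up readable again.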


It is possible to set the uid, gid, and umask that apply to the mount (for file and directory creation, deletion, and overwriting) with the following set of options:


Example setup

In this example, I will have two machines:

  • A server at:
  • A desktop at:

I will configure the server to function as a CIFS server with the following:

  • Workgroup: CIFSERVER
  • Linux group: sambagroup
  • CIFS Share Name: uni
  • Directory: /cifs/uni
  • No printers shared
  • User "stine" has read/write access
  • User "hans" has read-only access

On the server, run the following commands:

$ service iptables start
$ iptables-save
$ vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
$ service iptables restart
$ iptables-save  # double-check the rules
$ yum install -y samba
$ vi /etc/samba/smb.conf
[global]
       workgroup = CIFSERVER
       interfaces = lo eth0
       hosts allow = 127. 192.168.0.
[uni]
       comment = University shares
       path = /cifs/uni
       ; uncomment the next line so that only members of sambagroup can access the share
  ;    valid users = @sambagroup
       public = yes
       ; keep the share read-only for everyone except the write list below;
       ; "writable = yes" would let every user, guests included, write, and
       ; smb.conf has no inline comments, so keep remarks on their own lines
       writable = no
       printable = no
       ; members of sambagroup get read/write, everyone else read-only
       write list = +sambagroup
$ mkdir -p /cifs/uni
$ groupadd -r sambagroup
$ chgrp sambagroup /cifs/uni
$ chmod 2775 /cifs/uni
$ chcon -t samba_share_t /cifs/uni  # Or, to make persistent (the following 3 commands):
$ semanage fcontext -a -t public_content_t '/cifs(/.*)?'
$ semanage fcontext -a -t samba_share_t '/cifs/uni(/.*)?'
$ restorecon -FRvv /cifs
$ ls -laZ /cifs
$ ls -laZ /cifs/uni
$ chkconfig smb on
$ service smb start
$ useradd -G sambagroup stine
$ useradd hans
$ smbpasswd -a stine
$ smbclient -L s3 -U stine
Enter stine's password:
Domain=[BUTLER] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Sharename       Type      Comment
    ---------       ----      -------
    uni             Disk      University shares
    IPC$            IPC       IPC Service (Samba Server Version 3.5.10-125.el6)
    stine           Disk      Home Directories
Domain=[CIFSERVER] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Now, on the desktop, run:

$ mount -t cifs -o user=stine // /mnt
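The share definition in this setup hinges on the difference between writable/read only and write list: write list only adds write access on top of a read-only share, so a share that is both public and writable is writable by guests no matter what the write list says. As an added example, not code from this page or from the Samba project, here is a small POSIX shell reader for smb.conf that resolves Samba's synonyms (public and guest ok; writable, writeable, write ok and read only, last occurrence wins, Samba's defaults otherwise) and reports whether a share is guest-writable. It assumes only sh and tr; the two sample configurations are constructed from the [uni] share above, once with read only = no and once with read only = yes.

```shell
#!/bin/sh
# Added example, not from the original page: read a share's parameters out
# of smb.conf and decide whether the share can be written to by guests.
# Scratch files are created below; nothing touches the real /etc/samba.

# share_params CONF SHARE
# Prints "key=value" lines for section [SHARE] in file order. Keys are
# lowercased with whitespace removed (Samba ignores case and spaces in
# parameter names), comment lines (';' or '#') are dropped, values are
# trimmed. Samba has no inline comments, so "# ..." after a value stays
# part of the value, which this output makes visible.
share_params() {
    in_section=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}          # ltrim
        case "$line" in
            ''|';'*|'#'*) continue ;;
            '['*) section=${line#"["}; section=${section%%"]"*}
                  if [ "$section" = "$2" ]; then in_section=1; else in_section=0; fi
                  continue ;;
        esac
        [ "$in_section" -eq 1 ] || continue
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr 'A-Z' 'a-z' | tr -d '[:space:]')
        value=${line#*=}
        value=${value#"${value%%[![:space:]]*}"}       # ltrim
        value=${value%"${value##*[![:space:]]}"}       # rtrim
        printf '%s=%s\n' "$key" "$value"
    done < "$1"
}

# is_yes VALUE: 0 for Samba's boolean "true" spellings
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# share_flag CONF SHARE KIND, KIND being "guest" or "write". Resolves the
# synonyms Samba accepts; the last occurrence in the section wins and the
# default is "no" for both (Samba's defaults: guest ok = no, read only = yes).
share_flag() {
    result=no
    while IFS= read -r kv; do
        key=${kv%%=*}; val=${kv#*=}
        case "$3:$key" in
            guest:guestok|guest:public)
                if is_yes "$val"; then result=yes; else result=no; fi ;;
            write:writable|write:writeable|write:writeok)
                if is_yes "$val"; then result=yes; else result=no; fi ;;
            write:readonly)
                if is_yes "$val"; then result=no; else result=yes; fi ;;
        esac
    done <<EOF
$(share_params "$1" "$2")
EOF
    [ "$result" = yes ]
}

# share_guest_writable CONF SHARE: 0 when anonymous (guest) users can write.
# "write list" is deliberately ignored: it never restricts anyone.
share_guest_writable() {
    share_flag "$1" "$2" guest && share_flag "$1" "$2" write
}

# write_sample_conf FILE READONLY
# Constructed smb.conf modelled on the [uni] share; READONLY=yes gives the
# "group writes, everyone else reads" variant.
write_sample_conf() {
    cat > "$1" <<EOF
[global]
    workgroup = CIFSERVER
    hosts allow = 127. 192.168.0.
[uni]
    ; a commented-out parameter must not count
    ; valid users = @sambagroup
    comment = University shares
    path = /cifs/uni
    public = yes
    read only = $2
    printable = no
    write list = +sambagroup
EOF
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/loose.conf" no
write_sample_conf "$demo_dir/tight.conf" yes
for c in loose tight; do
    if share_guest_writable "$demo_dir/$c.conf" uni; then
        echo "$c.conf: [uni] is writable by guests"
    else
        echo "$c.conf: [uni] is not guest-writable"
    fi
done
rm -rf "$demo_dir"
```

Against a real configuration, `share_guest_writable /etc/samba/smb.conf uni` is a quick pre-restart check; `testparm -s` remains the authoritative view of what Samba actually loads, since it also applies defaults from [global] and rejects values that this reader only prints.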

External links