Talk:Samba
From Christoph's Personal Wiki
NETBIOS/CIFS outgoing client request
Note: The following is just an example of what you could add to your iptables.
# NetBIOS name service (UDP 137) and datagram service (UDP 138), outbound from 202.54.1.13
iptables -A OUTPUT -p udp -s 202.54.1.13 --sport 137 -d 0/0 --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s 202.54.1.13 --sport 138 -d 0/0 --dport 138 -j ACCEPT
# NetBIOS session service (TCP 139): client 202.54.1.13 opens connections to server 202.54.20.111
iptables -A OUTPUT -p tcp -s 202.54.1.13 --sport 1024:65535 -d 202.54.20.111 --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies from the server on UDP 137/138
iptables -A INPUT -p udp -s 202.54.20.111 --sport 137 -d 202.54.1.13 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 202.54.20.111 --sport 138 -d 202.54.1.13 --dport 138 -j ACCEPT
# Replies on TCP 139, only for connections the client already established
iptables -A INPUT -p tcp -s 202.54.20.111 --sport 139 -d 202.54.1.13 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Or,
# NetBIOS/Samba/CIFS (depending on which direction you are going, --sport might be used instead)
iptables -A FORWARD -p TCP --dport 135:139 -j ACCEPT
iptables -A FORWARD -p UDP --dport 135:139 -j ACCEPT
# SMB/CIFS/NMB
iptables -A FORWARD -p tcp --sport 135:139 -j DROP
iptables -A FORWARD -p udp --sport 135:139 -j DROP
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -j DROP
# and for W2K/XP
iptables -A FORWARD -p tcp --sport 445 -j DROP
iptables -A FORWARD -p udp --sport 445 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
iptables -A OUTPUT -p udp -s 202.54.1.13 --sport 137 -d 0/0 --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s 202.54.1.13 --sport 138 -d 0/0 --dport 138 -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.13 --sport 1024:65535 -d 202.54.20.111 --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 202.54.20.111 --sport 137 -d 202.54.1.13 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 202.54.20.111 --sport 138 -d 202.54.1.13 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -s 202.54.20.111 --sport 139 -d 202.54.1.13 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
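The rule sets above hard-code two addresses and, in the first variant, cover only the legacy NetBIOS ports (137/138/139); direct-hosted SMB on TCP 445, which the second variant blocks, is what current Windows and Samba clients use first. The script below is an added example written for this page, not something from the wiki author: it generates the same client-to-server allow list for any pair of addresses (the 192.0.2.x values are documentation placeholders), includes TCP 445 alongside 139, and uses the `conntrack` match, the modern equivalent of the `-m state` match used above. Without the `apply` argument it only prints the rules, so the output can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not from the original wiki page.
# Generate (or apply) host-based iptables rules that let one Samba client
# reach one Samba server over NetBIOS (UDP 137/138, TCP 139) and direct
# SMB (TCP 445), allowing only replies to client-initiated sessions back in.

samba_client_rules() {
    client="$1"          # placeholder client address, e.g. 192.0.2.10
    server="$2"          # placeholder server address, e.g. 192.0.2.20
    mode="${3:-print}"   # "print" shows the rules; "apply" runs iptables (root)

    case "$mode" in
        apply) run="iptables" ;;
        *)     run="echo iptables" ;;
    esac

    # NetBIOS name service (137) and datagram service (138): both sides
    # use the same UDP port, so request and reply are symmetric.
    for port in 137 138; do
        $run -A OUTPUT -p udp -s "$client" --sport "$port" -d "$server" --dport "$port" -j ACCEPT
        $run -A INPUT  -p udp -s "$server" --sport "$port" -d "$client" --dport "$port" -j ACCEPT
    done

    # NetBIOS session service (139) and direct-hosted SMB (445): the client
    # opens the TCP connection; only packets of an established session may
    # come back from the server.
    for port in 139 445; do
        $run -A OUTPUT -p tcp -s "$client" --sport 1024:65535 -d "$server" --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        $run -A INPUT  -p tcp -s "$server" --sport "$port" -d "$client" --dport 1024:65535 \
            -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
}

# Review helper: how many generated rules name the given destination port.
count_rules_for_port() {
    samba_client_rules "$1" "$2" print | grep -c -- "--dport $3 "
}

# Usage: sh samba-rules.sh <client-ip> <server-ip> [apply]
if [ "$#" -ge 2 ]; then
    samba_client_rules "$@"
fi
```

After applying, `iptables -S INPUT` and `iptables -S OUTPUT` show the resulting rules for a final check; the printed form of the script is convenient to diff against that output.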