ipchains & samba ports

Mike O'Neill mikeo at redhillstudios.com
Wed Jan 3 18:27:11 GMT 2001


I want to thank those of you who replied and add my own comments for the
record.  I found that on our network we need to open ports 137:139 for input
and 135:139 for output.  I'm not sure why the extra ports were needed for
the output, but I do know that the "path to the (server share)" could not be
found without the extra output ports open.  -mike

>> Can someone please share their ipchains for samba?  Do all the netbios ports
>> (135:139) need to be open?  Are they all that's needed?  -mike
> 
> Yep - 137 through 139 need to be open to the local network, and closed
> to the outside world.
> 
> You can do that with the following script (of course, there are many
> ways to do this):
> 
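> localaddress=192.168.1.0/24   # local network allowed to reach Samba
> remoteport=eth1               # outside-facing interface
> for protocol in tcp udp
> do
>     for port in 137 138 139
>     do
>         # accept NetBIOS traffic coming from the local network
>         /sbin/ipchains -A input -p $protocol --dport $port -s $localaddress -j ACCEPT
>         # deny the same ports on the outside interface
>         /sbin/ipchains -A input -p $protocol --dport $port -i $remoteport -j DENY
>     done
> done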
> 
> Obviously, change the localaddress and remoteport to suit your needs
> (like ppp0 for the typical dial-up connection).
> 
> Calvin
> 
> -- 
> Calvin Dodge
> Certified Linux Bigot (tm)
> http://www.caldodge.fpcc.net




