Iptables and SMB/CIFS share don't work well together [need some help]

    • Resolved
    • OMV 3.x


    • Iptables and SMB/CIFS share don't work well together [need some help]

      I set up my OMV 3 pretty straightforward and everything has seemed to work fine since the beginning.

      SMB shares worked fine from the start, then I decided to use iptables rules from the browser interface to make my server more secure.

      I followed @tekkb instructions for firewall settings to permit samba shares and other services I need.

      To be more specific, for samba I added:

      • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 137 UDP
      • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 138 UDP
      • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 139 TCP
      • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 445 TCP


      and added a couple of my own to allow outbound traffic originated locally from the server.

      The equivalent to those two rules:


      Source Code

      iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
      iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

      Everything seemed to work just fine, except that now every time the server reboots samba gets disconnected from the network and I cannot access it through my Windows machine.
      Every other service is working just fine with the firewall rules, so it's just samba acting weird.

      As a workaround I have to disable the iptables rules and then everything shows up again; then I enable them again and everything works fine until the next reboot, and so on (that's really strange).

      I thought those 4 rules were enough for samba to work... am I missing some other ones?
      Did anybody ever have the same problem? I would like to solve this problem rather than have iptables disabled.
    • Sure! My bad...

      Here is the full ruleset


      Source Code

      1. # Generated by iptables-save v1.4.21 on Mon Aug 21 19:43:20 2017
      2. *nat
      3. :PREROUTING ACCEPT [1061:311024]
      4. :INPUT ACCEPT [25:1290]
      5. :OUTPUT ACCEPT [831:53479]
      6. :POSTROUTING ACCEPT [830:53419]
      7. -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
      8. -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
      9. -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
      10. COMMIT
      11. # Completed on Mon Aug 21 19:43:20 2017
      12. # Generated by iptables-save v1.4.21 on Mon Aug 21 19:43:20 2017
      13. *filter
      14. :INPUT ACCEPT [0:0]
      15. :FORWARD ACCEPT [0:0]
      16. :OUTPUT ACCEPT [0:0]
      17. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      18. -A INPUT -i lo -j ACCEPT
      19. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p icmp -j ACCEPT
      20. -A INPUT -d 192.168.1.25/32 -p udp -m udp --dport 9 -j ACCEPT
      21. -A INPUT -d 192.168.1.25/32 -p tcp -m tcp --dport 22 -j ACCEPT
      22. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 80 -j ACCEPT
      23. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p udp -m udp --dport 137 -j ACCEPT
      24. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p udp -m udp --dport 138 -j ACCEPT
      25. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 139 -j ACCEPT
      26. -A INPUT -d 192.168.1.25/32 -p tcp -m tcp --dport 443 -j ACCEPT
      27. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 445 -j ACCEPT
      28. -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
      29. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 8096 -j ACCEPT
      30. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 8920 -j ACCEPT
      31. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 9091 -j ACCEPT
      32. -A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 55413:55414 -j ACCEPT
      33. -A INPUT -j REJECT --reject-with icmp-port-unreachable
      34. -A OUTPUT -j ACCEPT
      35. COMMIT
      36. # Completed on Mon Aug 21 19:43:20 2017

      Can't see why it shouldn't work?
    • Lines 22 to 25 are restricted to the destination IP of the server; the netbios daemon traffic is broadcast, so it goes to 192.168.1.255. Delete the destination restriction.
      Next time, to debug this, use the packet counters in the first column and add a LOG entry before rejecting all traffic. You can do it right now and you'll see this in dmesg; this is the broadcast packet being logged before getting rejected:

      [118790.732521] IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:1e:51:4f:f8:6c:fb:08:00 SRC=10.10.7.2 DST=10.10.7.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 ID=21193 PROTO=UDP SPT=138 DPT=138 LEN=220

      While the counters on lines 22 to 25 remain at zero while I press refresh in Windows network.

      No expert on this, but pretty sure you could just find this using Google. Better is to understand how netbios works, which honestly I have no idea about, but there must be some explanation at the samba wiki.
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
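      To make the first-match point above concrete, here is an added toy evaluator (my code, not anything from the thread or from OMV) that runs the posted NetBIOS rules against a constructed broadcast LOG line, then runs the same chain with the destination restriction removed. The LOG lines, the MAC addresses and the client IP 192.168.1.50 are constructed, and connection tracking is not modelled.

```python
import ipaddress
import re

def parse_log(line):
    """Turn a kernel LOG line (SRC= DST= PROTO= DPT= fields) into a packet dict."""
    f = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"src": ipaddress.ip_address(f["SRC"]), "dst": ipaddress.ip_address(f["DST"]),
            "proto": f["PROTO"].lower(), "dport": int(f["DPT"])}

def parse_rule(line):
    """Parse the iptables-save subset used in the thread; every option here takes one argument."""
    opts = dict(zip(line.split()[0::2], line.split()[1::2]))
    lo, _, hi = opts.get("--dport", "").partition(":")
    return {"src": ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
            "dst": ipaddress.ip_network(opts["-d"]) if "-d" in opts else None,
            "proto": opts.get("-p"),
            "dport": (int(lo), int(hi or lo)) if lo else None,
            "target": opts["-j"]}

def verdict(rules, pkt):
    """First matching rule wins, as in iptables; None means the chain's policy applies."""
    for r in map(parse_rule, rules):
        if ((r["src"] is None or pkt["src"] in r["src"])
                and (r["dst"] is None or pkt["dst"] in r["dst"])
                and (r["proto"] is None or r["proto"] == pkt["proto"])
                and (r["dport"] is None or r["dport"][0] <= pkt["dport"] <= r["dport"][1])):
            return r["target"]
    return None

# Lines 23-25, 27 and 33 of the posted ruleset. The conntrack and loopback rules (17-18)
# are left out: this toy has no connection tracking, so they would match every packet.
AS_POSTED = [
    "-A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p udp -m udp --dport 137 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p udp -m udp --dport 138 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 139 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -d 192.168.1.25/32 -p tcp -m tcp --dport 445 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
]
# The fix suggested in the reply: drop the destination restriction from the NetBIOS UDP rules.
FIXED = [r.replace("-d 192.168.1.25/32 ", "") if "-p udp" in r else r for r in AS_POSTED]

# Constructed LOG lines in the poster's subnet: a NetBIOS datagram broadcast from a Windows
# client browsing the network, and a unicast SMB connection to the server.
BROADCAST = "IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.255 LEN=240 PROTO=UDP SPT=138 DPT=138 LEN=220"
UNICAST = "IN=eth0 OUT= MAC=00:0c:29:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.25 LEN=52 PROTO=TCP SPT=50000 DPT=445"

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(f"{name}: broadcast 138 -> {verdict(rules, parse_log(BROADCAST))}, "
              f"unicast 445 -> {verdict(rules, parse_log(UNICAST))}")
```

      Unicast SMB to the server is accepted either way, which is why everything but network browsing kept working; only the 192.168.1.255 datagram falls through to the REJECT rule.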
    • Samba has smbd, which is the server daemon, obviously not broadcast, and nmbd, which is the netbios daemon used for the broadcast announce traffic that shows in the network section on Windows computers. On Linux desktops and OS X the daemon that does this is avahi.
    • That's really interesting. I'm wondering though, why didn't the samba share disconnect as soon as the rules were built instead of waiting for a reboot? I mean, if I was blocking it with the destination IP, why did it keep working anyway until the next reboot?! Just out of curiosity.

      In the meanwhile, you were right: everything worked well after I removed the destination IP, and now I'm playing around with iptables LOG rules to see the messages; that's fun to do :) despite the fact that sometimes iptables gives me headaches. By the way, thank you for the heads up man :)