Iptables and SMB/CIFS share don't work well together [need some help]

  • I set up my OMV 3 pretty straightforwardly and everything seemed to work fine from the beginning.


    Smb shares worked fine from the start, then I decided to use iptables rules from the browser interface to make my server more secure.


    I followed @tekkb instructions for firewall settings to permit samba shares and other services I need.


    To be more specific for samba I added:


    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 137 UDP
    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 138 UDP
    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 139 TCP
    • INPUT ACCEPT IPv4 192.168.1.0/24 - 192.168.1.25 445 TCP


    and added a couple of my own to allow outbound traffic originated locally from the server.


    The equivalent to those two rules:



    Code
    iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
    iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    Everything seemed to work just fine, except that now every time the server reboots, Samba gets disconnected from the network and I cannot access it through my Windows machine.
    Every other service is working just fine with the firewall rules, so it's just Samba acting weird.


    As a workaround I have to disable iptables rules and then everything shows up again, then enable them again and everything works fine until next reboot and so on (that's really strange).


    I thought those 4 rules were enough for Samba to work... am I missing some other ones?
    Did anybody ever have the same problem? I would like to solve this problem rather than have iptables disabled.

  • Sure! My bad..


    here is the full ruleset




    Can't see why it shouldn't work?

  • Lines 22 to 25 are restricted to the destination IP of the server; the NetBIOS daemon traffic is broadcast, so it goes to 192.168.1.255. Delete the destination restriction.
    Next time, to debug this, use the packet counters in the first column and add a log entry before rejecting all traffic. You can do it right now and you'll see this in dmesg; this is the broadcast packet being logged before getting rejected:


    [118790.732521] IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:1e:51:4f:f8:6c:fb:08:00 SRC=10.10.7.2 DST=10.10.7.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 ID=21193 PROTO=UDP SPT=138 DPT=138 LEN=220


    While the counters on lines 22 to 25 remain at zero while I press refresh in the Windows network view.


    No expert on this, but pretty sure you could just find this using Google. Better is to understand how NetBIOS works, which honestly I have no idea about, but there must be some explanation on the Samba wiki.
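To see why the counters on those four rules stay at zero while the broadcast packet is logged and rejected, here is an added example (my own code, not from the thread or from OMV) that parses iptables LOG lines like the one above and matches them against a model of the four rules, once with and once without the destination restriction. The rule model and both log lines are constructed for the example; they use the original poster's 192.168.1.0/24 network with 192.168.1.25 as the server address.

```python
import ipaddress
import re

# KEY=VALUE tokens of an iptables LOG line as printed by dmesg.
LOG_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Turn an iptables LOG line into a dict; the second LEN is the UDP payload length."""
    fields = {}
    for key, value in LOG_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    return fields

def rule(proto, dport, src=None, dst=None):
    """Model of one INPUT ACCEPT rule as entered in the OMV firewall page (hypothetical)."""
    return {"proto": proto, "dport": int(dport),
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None}

def matches(r, pkt):
    """True if the logged packet would be accepted by rule r."""
    if pkt.get("PROTO") != r["proto"] or int(pkt.get("DPT", -1)) != r["dport"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["SRC"]) not in r["src"]:
        return False
    if r["dst"] and ipaddress.ip_address(pkt["DST"]) not in r["dst"]:
        return False
    return True

def first_matching_rule(rules, pkt):
    """Index of the first accepting rule, or None if the packet falls through to the final REJECT."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return i
    return None

LAN, SERVER = "192.168.1.0/24", "192.168.1.25"
PORTS = [("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)]
# The four rules from the thread, restricted to the server's own address ...
RESTRICTED = [rule(p, d, LAN, SERVER) for p, d in PORTS]
# ... and the fix: the same rules without the destination restriction.
FIXED = [rule(p, d, LAN) for p, d in PORTS]

# Constructed log lines: an nmbd browse datagram sent to the subnet broadcast
# address, and an ordinary SMB connection addressed to the server itself.
BROADCAST = ("[118790.732521] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:1e:51:4f:f8:6c:fb:08:00 "
             "SRC=192.168.1.10 DST=192.168.1.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 "
             "ID=21193 PROTO=UDP SPT=138 DPT=138 LEN=220")
UNICAST = ("[118791.001200] IN=eth0 OUT= MAC=52:54:00:12:34:56:1e:51:4f:f8:6c:fb:08:00 "
           "SRC=192.168.1.10 DST=192.168.1.25 LEN=52 TOS=0x00 PREC=0x00 TTL=128 "
           "ID=21194 PROTO=TCP SPT=49832 DPT=445 SYN")
```

Running `first_matching_rule(RESTRICTED, parse_log_line(BROADCAST))` returns None (the datagram falls through to the REJECT, exactly what the zero counters show), while the same packet matches rule index 1 in `FIXED` and the unicast SMB packet matches rule index 3 in both sets.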

  • Samba has smbd, which is the server daemon, obviously not broadcast, and nmbd, which is the NetBIOS daemon used for the broadcast announce traffic that shows up in the network section on Windows computers. On Linux desktops and OS X the daemon that does this is avahi.

  • That's really interesting. I'm wondering, though, why didn't the Samba share disconnect as soon as the rules were built instead of waiting for a reboot? I mean, if I was blocking it with the destination IP, why did it keep working anyway until the next reboot?! Just out of curiosity.



    In the meantime, you were right: everything worked well after removing the destination IP, and now I'm playing around with iptables LOG rules to see the messages. That's fun to do :) despite the fact that sometimes iptables gives me headaches. By the way, thank you for the heads up man :)
