Connecting to a Win Computer with Samba

Rick Stevens rstevens at vitalstream.com
Tue Apr 26 18:47:52 UTC 2005


Temlakos wrote:
> Basil Copeland wrote:
> 
>>> I am also having this problem. My network consists of Windows XP. I can
>>> see the Linux shares from Windows but not the Windows share from
>>> Linux.
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks & Regards
>>
>>
>>
>> Do you have IPTABLES blocking the ports needed by smb?
>> Basil
>>
> 
> An excellent point. Running Samba without opening the ports on IPTABLES 
> is a common-enough error. I've made it myself. WinXP/SP2, of course, now 
> has its own firewall that recognizes local shares--and Zone Labs has a 
> firewall that lets you define "trusted zones" consisting of whatever 
> subnets you care to define. But when you're working with IPTABLES, you 
> have to get your hands dirty.
> 
> Here's a solution I developed, in consultation with a networking expert 
> who uses Fedora extensively at our church. Make sure your file 
> /etc/sysconfig/iptables has the following lines in the appropriate place 
> in the sequence:
> 
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --sport 137 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --sport 139 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --sport 445 -j ACCEPT
> 
> 
> Depending on what sort of router you use, you need to open each port as 
> /both/ a source port /and/ a destination port, each on a separate line. 
> That will make /sure/ that IPTABLES will not drop your Samba packets.
> 
> Just to be clear, the ports you need to open are UDP port 137 and TCP 
> ports 139 and 445. I use that setup right now to connect to and from a 
> machine running WinXP/SP2.
> 
> The "-s 192.168.1.0/24" means "make this good only for subnet 
> 192.168.1.0/255.255.255.0." That's the typical "down network" that most 
> SO/HO routers define. To sniff these out and verify them, I used 
> Ethereal while making a Samba connection. By limiting it to this subnet, 
> I make sure that my box is not open to any old hacker anywhere else on 
> the Internet who wants to "connect" to my Samba shares--or anything else 
> on my box--through those ports.

It'd be best if you verify that those ports are closed on the WAN side
of your router as well.  Your Linux box may be protected by iptables,
the rest of your network ain't.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-                    Do you know where _your_ towel is?              -
----------------------------------------------------------------------
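
Added example, not part of the original messages: a shell check that reads iptables-save style rules like the ones quoted above and reports Samba-port ACCEPT rules that have no source restriction or that match only on a source port. The function name `audit_smb_rules`, the finding labels and the sample rule set are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit iptables-save style rules (the format used in
# /etc/sysconfig/iptables) for Samba/NetBIOS exposure.
# Reads rules on stdin, prints one finding per line, returns 1 if any were found.
# Limitation: single-port --dport/--sport only; multiport matches are not parsed.
audit_smb_rules() {
  awk '
    function opt(name,   i) {        # value that follows an option, or ""
      for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
      return ""
    }
    function is_smb(p) { return p == "137" || p == "138" || p == "139" || p == "445" }
    $1 != "-A" { next }              # skip comments, table headers, COMMIT
    opt("-j") != "ACCEPT" { next }
    {
      dport = opt("--dport"); sport = opt("--sport")
      src = opt("-s"); if (src == "") src = opt("--source")
      if (!is_smb(dport) && !is_smb(sport)) next
      # No -s, or 0.0.0.0/0: the rule accepts SMB traffic from any address.
      if (src == "" || src == "0.0.0.0/0") { print "ANY_SOURCE line " NR ": " $0; bad = 1 }
      # --sport without --dport: matches packets to ANY local port, as long
      # as the sender picks that source port.
      if (dport == "" && sport != "") { print "SPORT_ONLY line " NR ": " $0; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample rule set (not taken from a real host).
SAMPLE_RULES='# constructed sample
*filter
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --sport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | audit_smb_rules || true
```

On a real host, run it as `audit_smb_rules < /etc/sysconfig/iptables`; a non-zero return means at least one rule needs review.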