Firewalling Samba

Tim Potter

Revision History
Revision 0.1 2005-11-27
Initial version.

Abstract

A question that often comes up on the mailing lists and on IRC is how to block or enable network access to Samba via a firewall. The information in this article also applies to Windows servers.


Samba TCP Ports

Most SMB/CIFS network traffic by volume occurs over TCP. This includes copying files, directory listings and printer related operations. For Windows NT4 and below, all this traffic occurred over TCP port 139. This port has been allocated the network service name netbios-ssn by the Internet Assigned Numbers Authority (IANA), and that name appears in the output of netstat. Interestingly enough, IANA also assigned the same name to UDP port 139. I think this is probably a mistake, as some ancient Unix services operated over TCP and UDP on the same port number.

Starting with Windows 2000, Microsoft introduced "NetBIOS-less SMB" or direct hosting of SMB over TCP/IP. This is essentially identical to SMB over TCP/IP on port 139 except for some minor details at the network level. Microsoft describe this in KB article Q204279. Interestingly, they describe direct hosted SMB as operating over TCP and UDP port 445.

So, in order to block the bulk of file and print sharing traffic, we need to block TCP ports 139 and 445.

Samba UDP Ports

The purpose of UDP traffic in SMB/CIFS is to enable fast broadcast lookups on a local network. UDP traffic is used to look up workstation and server names, maintain browse lists, and other broadcast and directed lookups of workstation, server and domain names. The NetBIOS Name service operates on UDP port 137. When you use the Samba nmblookup utility or the Windows nbtlookup utility to look up names, you are generating traffic on port 137.

UDP port 138 carries what is called the NetBIOS Datagram Service. The exact nature of this service isn't well understood, owing to a lack of documentation, and the fact that Samba can operate well without implementing very much of it. Samba only implements enough to allow workgroup browsing and master browser elections to operate.

To block traffic over the NetBIOS Name Service and the NetBIOS Datagram Service, we need to block UDP ports 137 and 138.

iptables Configuration

The following configuration, on the Samba server machine or on a Linux-based router, can be used to block all network traffic to the SMB/CIFS network ports. The IP address of the server is 10.1.1.1.

# iptables -A INPUT -d 10.1.1.1 -p udp --dport 137 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p udp --dport 138 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p tcp --dport 139 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p tcp --dport 445 -j DROP

Of course the input chain and jump target (the arguments to the -A and -j parameters) should be adjusted to suit your configuration.
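As an added example (not part of the original article), the following POSIX shell snippet generates the four rules above for a given server address and chain, optionally preceding each DROP with an ACCEPT for a trusted LAN subnet so local clients keep working, and also checks `iptables -S` style output to report which SMB ports still have no DROP or REJECT rule. The function names, the SMB_PORTS list and the sample rule listing are my own constructions.

```shell
#!/bin/sh
# Rules are printed rather than applied, so they can be reviewed first
# (or piped to sh on the firewall host). Ports are those from the article.
SMB_PORTS="udp:137 udp:138 tcp:139 tcp:445"

# smb_rules SERVER_IP CHAIN [TRUSTED_NET]
#   Prints one DROP rule per SMB port. If TRUSTED_NET (e.g. 10.1.1.0/24) is
#   given, an ACCEPT for that source precedes each DROP. Order matters:
#   iptables stops at the first matching rule, so ACCEPT must come first.
smb_rules() {
    ip=$1; chain=$2; trusted=$3
    for entry in $SMB_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        if [ -n "$trusted" ]; then
            printf 'iptables -A %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
                "$chain" "$trusted" "$ip" "$proto" "$port"
        fi
        printf 'iptables -A %s -d %s -p %s --dport %s -j DROP\n' \
            "$chain" "$ip" "$proto" "$port"
    done
}

# smb_rule_count SERVER_IP CHAIN [TRUSTED_NET]
#   Number of rules smb_rules would add (4, or 8 with a trusted subnet).
smb_rule_count() {
    smb_rules "$@" | wc -l | tr -d ' '
}

# smb_uncovered < iptables-S-output
#   Reads rules in `iptables -S` format on stdin and prints, one per line,
#   each SMB proto:port that no DROP/REJECT rule covers. Prints nothing when
#   all four ports are blocked.
smb_uncovered() {
    rules=$(cat)
    for entry in $SMB_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        printf '%s\n' "$rules" |
            grep -qE -- "-p $proto .*--dport $port .*-j (DROP|REJECT)" ||
            printf '%s\n' "$entry"
    done
}
```

Run `iptables -S INPUT | smb_uncovered` on the server to confirm nothing was missed after adjusting the chain and target.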