≡ Menu

Samba: Linux Iptables Firewall Configuration

How do I configure iptables firewall under CentOS / Fedora / RHEL / Redhat Linux to allow access to the Samba server? How do I open TCP ports # 137, 138, 139 and 445 under Linux so that all Microsoft Windows machine can access files and printer on a Linux host?

The Samba server can be configured to allow access to certain hosts. However, iptables prevent the access over the Internet. You must allow only the systems on your network as clients of the Samba Linux server.

Iptables Open Port 137, 138, 139 and 445

Edit /etc/sysconfig/iptables file, enter:
# vi /etc/sysconfig/iptables
To allow access to 192.168.1.0/24 network only add the following before the final LOG & DROP statements:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Save and close the file.

Restart Firewall

Type the following command:
azlon October 17, 2009, 1:21 pm

  • nixCraft October 17, 2009, 2:41 pm

    You can use GUI tool called Firestarter (package is included with Ubuntu) is quite popular and easy to use.

    OR UFW

    • Mac December 31, 2012, 2:44 pm

      Is there a UFW package for CentOS ?

  • rigidkitchen February 26, 2012, 7:16 am

    This is incorrect.

    Should be:

    UDP/137,138
    TCP/139,445

  • Jim April 2, 2012, 5:21 am

    I cannot restart my samba after applying the iptables rules

  • rigidkitchen April 2, 2012, 2:38 pm

    Jim –

    The original post is over two years old. Here are the correct firewall commands. Change 192.168.1.0/24 to your internal LAN subnet if different. After executing, use the command ‘service iptables save’, or edit /etc/sysconfig/iptables directly.

    -A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT

    Additionally, firewall rules should not affect the functionality of the samba service… recheck your configuration and logs (/var/log/samba/*.log) for relevant error messages and repost any errors you see here.

  • Oldan Strange May 26, 2012, 7:57 pm

    Depending on how your browser renders fonts, the firewall rules shown above may not work. In my browser (Firefox 3.6.24 on CentOS 6.2) the characters before ‘state NEW’ and ‘dport nnn” parameters render as a single long dash (somtimes called an ’em’ dash). In order to work correctly the long dash must be changed to 2 consecutive short dashes, then everything is fine. I discovered this doing a copy & paste of the above to modify /etc/sysconfig/iptables.

    Hope this helps!

    Oldan

  • Guzenkov April 18, 2013, 11:09 am

    You can put it all in one line:
    iptables -I INPUT 1 -p tcp -m conntrack –ctstate=NEW -m multiport –dports 137,138,139,445 -j ACCEPT

  • Rajesh July 15, 2016, 3:45 pm

    The above commands are not worked, i need to open port no 139, plz help me

  • Security: Are you a robot or human?

    Leave a Comment

    You can use these HTML tags and attributes: <strong> <em> <pre> <code> <a href="" title="">