Samba: Linux Iptables Firewall Configuration

Author: Vivek Gite Last updated: March 31, 2017 10 comments

How do I configure iptables firewall under CentOS / Fedora / RHEL / Redhat Linux to allow access to the Samba server? How do I open TCP ports # 137, 138, 139 and 445 under Linux so that all Microsoft Windows machine can access files and printer on a Linux host?

Iptables Open Port 137, 138, 139 and 445

Edit /etc/sysconfig/iptables file, enter:
# vi /etc/sysconfig/iptables
To allow access to 192.168.1.0/24 network only add the following before the final LOG & DROP statements. The syntax for RHEL/CentOS 5.x/4.x and older is as follows:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

For CentOS/RHEL 6.x syntax is as follows:

-A INPUT -s 192.168.1.0/24 -m state �state NEW -p udp �dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state �state NEW -p udp �dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state �state NEW -p tcp �dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state �state NEW -p tcp �dport 445 -j ACCEPT

Save and close the file.

Restart Firewall

Type the following command:
service iptables restart

A note about CentOS/RHEL 7 users for opening up Samba ports

You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba # firewall-cmd --reload
OR
# firewall-cmd --permanent --add-port=137/tcp # firewall-cmd --permanent --add-port=138/tcp # firewall-cmd --permanent --add-port=139/tcp # firewall-cmd --permanent --add-port=445/tcp

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:

RSS feed or Weekly email newsletter
Share to Twitter • Facebook • 10 comments... add one ↓

UP NEXT

Category	List of Unix and Linux commands
File Management	cat
Firewall	CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04

ADVERTISEMENTS

10 comments… add one

azlon Oct 17, 2009 @ 13:21
Great writeup! I think this may put me on the right track to figuring out my system at home.
I am running Ubuntu 9.04 and recently enabled connection sharing for my 3G USB modem. My problem is that when I enabled ICS I was no long able to access my shared folders from my Windows machines. At first I thought it had to do with my routing tables but after I read this I figured it was my iptables.
Is there a similar article for this on Ubuntu? I’m sure I can work through it and get it running but it would be nice if there were something to walk me through it (I’m very new).
Reply Link
🐧 nixCraft Oct 17, 2009 @ 14:41
You can use GUI tool called Firestarter (package is included with Ubuntu) is quite popular and easy to use.
OR UFW
Reply Link
- Mac Dec 31, 2012 @ 14:44
  Is there a UFW package for CentOS ?
  Reply Link
rigidkitchen Feb 26, 2012 @ 7:16
This is incorrect.
Should be:
UDP/137,138
TCP/139,445
Reply Link
Jim Apr 2, 2012 @ 5:21
I cannot restart my samba after applying the iptables rules
Reply Link
rigidkitchen Apr 2, 2012 @ 14:38
Jim –
The original post is over two years old. Here are the correct firewall commands. Change 192.168.1.0/24 to your internal LAN subnet if different. After executing, use the command ‘service iptables save’, or edit /etc/sysconfig/iptables directly.
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT
Additionally, firewall rules should not affect the functionality of the samba service… recheck your configuration and logs (/var/log/samba/*.log) for relevant error messages and repost any errors you see here.
Reply Link
Oldan Strange May 26, 2012 @ 19:57
Depending on how your browser renders fonts, the firewall rules shown above may not work. In my browser (Firefox 3.6.24 on CentOS 6.2) the characters before ‘state NEW’ and ‘dport nnn” parameters render as a single long dash (somtimes called an ’em’ dash). In order to work correctly the long dash must be changed to 2 consecutive short dashes, then everything is fine. I discovered this doing a copy & paste of the above to modify /etc/sysconfig/iptables.
Hope this helps!
Oldan
Reply Link
Guzenkov Apr 18, 2013 @ 11:09
You can put it all in one line:
iptables -I INPUT 1 -p tcp -m conntrack –ctstate=NEW -m multiport –dports 137,138,139,445 -j ACCEPT
Reply Link
Rajesh Jul 15, 2016 @ 15:45
The above commands are not worked, i need to open port no 139, plz help me
Reply Link

john Sep 10, 2016 @ 10:08

Today,this configuration is incorrect nowadays,the grammer is wrong,I use following config,you should replace “RH-Firewall-1-INPUT” with “INPUT”:


-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A INPUT  -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT  -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Reply Link