What Ports Need To Be Open For Samba To Communicate With Other Windows/Linux Systems?

Posted on in Categories , , , , last updated March 31, 2017

What ports need to be open for Samba to communicate with other windows/linux systems? I need to configure Linux firewall so I need the exact port TCP and UDP port numbers for SMB/CIFS networking protocol. Can you provide me a list of ports along with sample iptables rules?

You can get list of ports from file called /etc/services. For your ease of use here are ports you need to open for two-way samba communication with Windows and Linux desktop systems.

  • netbios-ns – 137/tcp # NETBIOS Name Service
  • netbios-dgm – 138/tcp # NETBIOS Datagram Service
  • netbios-ssn – 139/tcp # NETBIOS session service
  • microsoft-ds – 445/tcp # if you are using Active Directory

Other ports:

  • Port 389 (TCP) – for LDAP (Active Directory Mode)
  • Port 445 (TCP) – NetBIOS was moved to 445 after 2000 and beyond, (CIFS)
  • Port 901 (TCP) – for SWAT service (not related to client communication)

Command To Find Out Required TCP/UDP Ports For SMB/CIFS Networking Protocol

Type the following command:
$ grep -i NETBIOS /etc/services
Sample outputs:

netbios-ns	137/tcp				# NETBIOS Name Service
netbios-ns	137/udp
netbios-dgm	138/tcp				# NETBIOS Datagram Service
netbios-dgm	138/udp
netbios-ssn	139/tcp				# NETBIOS session service
netbios-ssn	139/udp

Sample iptables Rules for CentOS/RHEL 5.x and older

To open Samba communication between 192.168.1.0/24 subnet representing the machines on your network which should operate as clients of the Samba server. Edit /etc/sysconfig/iptables under RHEL/CentOS server. Add the following lines, before the final LOG and ROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Feel free to change rules as per your setup. Save and close the file. Restart firewall service, enter:
# /sbin/services iptables restart

Sample iptables Rules for CentOS/RHEL 6.x only

-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT

Save and close the file. Type the following command to restart the firewall:
# service iptables restart

Sample iptables Rules for CentOS/RHEL 7.x only

You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload

OR
# firewall-cmd --permanent --add-port=137/tcp
# firewall-cmd --permanent --add-port=138/tcp
# firewall-cmd --permanent --add-port=139/tcp
# firewall-cmd --permanent --add-port=445/tcp

See also

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

11 comment

  1. Please explain why $ grep -i NETBIOS /etc/services shows:
    netbios-ns 137/tcp # NETBIOS Name Service
    netbios-ns 137/udp
    netbios-dgm 138/tcp # NETBIOS Datagram Service
    netbios-dgm 138/udp
    netbios-ssn 139/tcp # NETBIOS session service
    netbios-ssn 139/udp
    I.e. does above mean that 137/udp etc is not used?

  2. I believe the only ports that are actually used are the ones listed at the top of the article:
    netbios-ns – 137/tcp # NETBIOS Name Service
    netbios-dgm – 138/tcp # NETBIOS Datagram Service
    netbios-ssn – 139/tcp # NETBIOS session service
    microsoft-ds – 445/tcp # if you are using Active Directory

    The other ports are superfluous.

  3. to AUTHOR:

    can you please update the article to match correct information?

    -A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
    -A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
    -A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
    -A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT

    TCP: 139, 445
    UDP: 137, 138

Leave a Comment