What Ports Need To Be Open For Samba To Communicate With Other Windows/Linux Systems?

What ports need to be open for Samba to communicate with other windows/linux systems? I need to configure Linux firewall so I need the exact port TCP and UDP port numbers for SMB/CIFS networking protocol. Can you provide me a list of ports along with sample iptables rules?

You can get list of ports from file called /etc/services. For your ease of use here are ports you need to open for two-way samba communication with Windows and Linux desktop systems.

netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory

Other ports:

Port 389 (TCP) – for LDAP (Active Directory Mode)
Port 445 (TCP) – NetBIOS was moved to 445 after 2000 and beyond, (CIFS)
Port 901 (TCP) – for SWAT service (not related to client communication)

Command To Find Out Required TCP/UDP Ports For SMB/CIFS Networking Protocol

Type the following command:
$ grep -i NETBIOS /etc/services
Sample outputs:

netbios-ns	137/tcp				# NETBIOS Name Service
netbios-ns	137/udp
netbios-dgm	138/tcp				# NETBIOS Datagram Service
netbios-dgm	138/udp
netbios-ssn	139/tcp				# NETBIOS session service
netbios-ssn	139/udp

Sample iptables Rules for CentOS/RHEL 5.x and older

To open Samba communication between 192.168.1.0/24 subnet representing the machines on your network which should operate as clients of the Samba server. Edit /etc/sysconfig/iptables under RHEL/CentOS server. Add the following lines, before the final LOG and ROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Feel free to change rules as per your setup. Save and close the file. Restart firewall service, enter:
# /sbin/services iptables restart

Sample iptables Rules for CentOS/RHEL 6.x only

-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT

Save and close the file. Type the following command to restart the firewall:
# service iptables restart

Sample iptables Rules for CentOS/RHEL 7.x only

You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba # firewall-cmd --reload
OR
# firewall-cmd --permanent --add-port=137/tcp # firewall-cmd --permanent --add-port=138/tcp # firewall-cmd --permanent --add-port=139/tcp # firewall-cmd --permanent --add-port=445/tcp

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

11 comment

Thx. very much, nice overview :)

One note:

Ports 137 and 138 are UDP for samba. Cheers,

Please explain why $ grep -i NETBIOS /etc/services shows:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
I.e. does above mean that 137/udp etc is not used?

Brilliant, thank you.

I believe the only ports that are actually used are the ones listed at the top of the article:
netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory

The other ports are superfluous.

Sorry, I made a mistake. The required ports are actually:

TCP 139 445
UDP 137 138

paul vixie says:
August 2, 2014 at 5:16 am
yes, it’s tcp 139 and udp 137,138. for samba, 445 isn’t used.
root@mm1:/var/log/samba # netstat -an|egrep ‘\.(137|138|139)’
tcp4 0 0 *.139 *.* LISTEN
tcp6 0 0 *.139 *.* LISTEN
udp4 0 0 *.138 *.*
udp4 0 0 *.137 *.*

to AUTHOR:

can you please update the article to match correct information?

-A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT

TCP: 139, 445
UDP: 137, 138

Vivek Gite says:
March 31, 2017 at 3:22 pm
Updated for centos/rhel 6.x and 7.x.

Would it be the firewall rules syntax apply for Fedora 23?

Vivek Gite says:
March 31, 2017 at 3:23 pm
Yes, centos/rhel 7.x rules should work with Fedora 23 or above.

ZeldoR says:
December 7, 2009 at 5:06 pm
Thx. very much, nice overview :)
Scott says:
February 22, 2011 at 11:42 pm
One note:
Ports 137 and 138 are UDP for samba. Cheers,
John Rose says:
April 5, 2013 at 10:06 am
Please explain why $ grep -i NETBIOS /etc/services shows:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
I.e. does above mean that 137/udp etc is not used?
Ben Watson says:
May 3, 2013 at 2:24 pm
Brilliant, thank you.
Fu says:
October 28, 2013 at 9:46 pm
I believe the only ports that are actually used are the ones listed at the top of the article:
netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory
The other ports are superfluous.
Fu says:
October 28, 2013 at 9:48 pm
Sorry, I made a mistake. The required ports are actually:
TCP 139 445
UDP 137 138
1. paul vixie says:
  August 2, 2014 at 5:16 am
  yes, it’s tcp 139 and udp 137,138. for samba, 445 isn’t used.
  root@mm1:/var/log/samba # netstat -an|egrep ‘\.(137|138|139)’
  tcp4 0 0 *.139 *.* LISTEN
  tcp6 0 0 *.139 *.* LISTEN
  udp4 0 0 *.138 *.*
  udp4 0 0 *.137 *.*
Giedrius says:
July 22, 2014 at 3:11 pm
to AUTHOR:
can you please update the article to match correct information?
-A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT
TCP: 139, 445
UDP: 137, 138
1. Vivek Gite says:
  March 31, 2017 at 3:22 pm
  Updated for centos/rhel 6.x and 7.x.
Claudio says:
April 25, 2016 at 2:49 pm
Would it be the firewall rules syntax apply for Fedora 23?
1. Vivek Gite says:
  March 31, 2017 at 3:23 pm
  Yes, centos/rhel 7.x rules should work with Fedora 23 or above.

Have a question? Post it on our forum!