What Ports Need To Be Open For Samba To Communicate With Other Windows/Linux Systems?

What ports need to be open for Samba to communicate with other windows/linux systems? I need to configure Linux firewall so I need the exact port TCP and UDP port numbers for SMB/CIFS networking protocol. Can you provide me a list of ports along with sample iptables rules?

You can get list of ports from file called /etc/services. For your ease of use here are ports you need to open for two-way samba communication with Windows and Linux desktop systems.

netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory

Other ports:

Port 389 (TCP) – for LDAP (Active Directory Mode)
Port 445 (TCP) – NetBIOS was moved to 445 after 2000 and beyond, (CIFS)
Port 901 (TCP) – for SWAT service (not related to client communication)

Command To Find Out Required TCP/UDP Ports For SMB/CIFS Networking Protocol

Type the following command:
$ grep -i NETBIOS /etc/services
Sample outputs:

netbios-ns	137/tcp				# NETBIOS Name Service
netbios-ns	137/udp
netbios-dgm	138/tcp				# NETBIOS Datagram Service
netbios-dgm	138/udp
netbios-ssn	139/tcp				# NETBIOS session service
netbios-ssn	139/udp

Sample iptables Rules for CentOS/RHEL 5.x and older

To open Samba communication between 192.168.1.0/24 subnet representing the machines on your network which should operate as clients of the Samba server. Edit /etc/sysconfig/iptables under RHEL/CentOS server. Add the following lines, before the final LOG and ROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Feel free to change rules as per your setup. Save and close the file. Restart firewall service, enter:
# /sbin/services iptables restart

Sample iptables Rules for CentOS/RHEL 6.x only

-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT

Save and close the file. Type the following command to restart the firewall:
# service iptables restart

Sample iptables Rules for CentOS/RHEL 7.x only

You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba # firewall-cmd --reload
OR
# firewall-cmd --permanent --add-port=137/tcp # firewall-cmd --permanent --add-port=138/tcp # firewall-cmd --permanent --add-port=139/tcp # firewall-cmd --permanent --add-port=445/tcp

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Your support makes a big difference:

I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft takes a lot of my time and hard work to produce. If everyone who reads nixCraft, who likes it, helps fund it, my future would be more secure. You can donate as little as $1 to support nixCraft:

11 comment

Thx. very much, nice overview :)

One note:

Ports 137 and 138 are UDP for samba. Cheers,

Please explain why $ grep -i NETBIOS /etc/services shows:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
I.e. does above mean that 137/udp etc is not used?

Brilliant, thank you.

I believe the only ports that are actually used are the ones listed at the top of the article:
netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory

The other ports are superfluous.

Sorry, I made a mistake. The required ports are actually:

TCP 139 445
UDP 137 138

paul vixie says:
August 2, 2014 at 5:16 am
yes, it’s tcp 139 and udp 137,138. for samba, 445 isn’t used.
root@mm1:/var/log/samba # netstat -an|egrep ‘\.(137|138|139)’
tcp4 0 0 *.139 *.* LISTEN
tcp6 0 0 *.139 *.* LISTEN
udp4 0 0 *.138 *.*
udp4 0 0 *.137 *.*

to AUTHOR:

can you please update the article to match correct information?

-A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT

TCP: 139, 445
UDP: 137, 138

Vivek Gite says:
March 31, 2017 at 3:22 pm
Updated for centos/rhel 6.x and 7.x.

Would it be the firewall rules syntax apply for Fedora 23?

Vivek Gite says:
March 31, 2017 at 3:23 pm
Yes, centos/rhel 7.x rules should work with Fedora 23 or above.

ZeldoR says:
December 7, 2009 at 5:06 pm
Thx. very much, nice overview :)
Scott says:
February 22, 2011 at 11:42 pm
One note:
Ports 137 and 138 are UDP for samba. Cheers,
John Rose says:
April 5, 2013 at 10:06 am
Please explain why $ grep -i NETBIOS /etc/services shows:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
I.e. does above mean that 137/udp etc is not used?
Ben Watson says:
May 3, 2013 at 2:24 pm
Brilliant, thank you.
Fu says:
October 28, 2013 at 9:46 pm
I believe the only ports that are actually used are the ones listed at the top of the article:
netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory
The other ports are superfluous.
Fu says:
October 28, 2013 at 9:48 pm
Sorry, I made a mistake. The required ports are actually:
TCP 139 445
UDP 137 138
1. paul vixie says:
  August 2, 2014 at 5:16 am
  yes, it’s tcp 139 and udp 137,138. for samba, 445 isn’t used.
  root@mm1:/var/log/samba # netstat -an|egrep ‘\.(137|138|139)’
  tcp4 0 0 *.139 *.* LISTEN
  tcp6 0 0 *.139 *.* LISTEN
  udp4 0 0 *.138 *.*
  udp4 0 0 *.137 *.*
Giedrius says:
July 22, 2014 at 3:11 pm
to AUTHOR:
can you please update the article to match correct information?
-A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT
TCP: 139, 445
UDP: 137, 138
1. Vivek Gite says:
  March 31, 2017 at 3:22 pm
  Updated for centos/rhel 6.x and 7.x.
Claudio says:
April 25, 2016 at 2:49 pm
Would it be the firewall rules syntax apply for Fedora 23?
1. Vivek Gite says:
  March 31, 2017 at 3:23 pm
  Yes, centos/rhel 7.x rules should work with Fedora 23 or above.

Have a question? Post it on our forum!