What Ports Need To Be Open For Samba To Communicate With Other Windows/Linux Systems?

Author: Last updated: March 31, 2017 11 comments
What ports need to be open for Samba to communicate with other windows/linux systems? I need to configure Linux firewall so I need the exact port TCP and UDP port numbers for SMB/CIFS networking protocol. Can you provide me a list of ports along with sample iptables rules?

You can get list of ports from file called /etc/services. For your ease of use here are ports you need to open for two-way samba communication with Windows and Linux desktop systems.

ADVERTISEMENTS

  • netbios-ns – 137/tcp # NETBIOS Name Service
  • netbios-dgm – 138/tcp # NETBIOS Datagram Service
  • netbios-ssn – 139/tcp # NETBIOS session service
  • microsoft-ds – 445/tcp # if you are using Active Directory

Other ports:

  • Port 389 (TCP) – for LDAP (Active Directory Mode)
  • Port 445 (TCP) – NetBIOS was moved to 445 after 2000 and beyond, (CIFS)
  • Port 901 (TCP) – for SWAT service (not related to client communication)

Command To Find Out Required TCP/UDP Ports For SMB/CIFS Networking Protocol

Type the following command:
$ grep -i NETBIOS /etc/services
Sample outputs:

netbios-ns	137/tcp				# NETBIOS Name Service
netbios-ns	137/udp
netbios-dgm	138/tcp				# NETBIOS Datagram Service
netbios-dgm	138/udp
netbios-ssn	139/tcp				# NETBIOS session service
netbios-ssn	139/udp

Sample iptables Rules for CentOS/RHEL 5.x and older

To open Samba communication between 192.168.1.0/24 subnet representing the machines on your network which should operate as clients of the Samba server. Edit /etc/sysconfig/iptables under RHEL/CentOS server. Add the following lines, before the final LOG and ROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Feel free to change rules as per your setup. Save and close the file. Restart firewall service, enter:
# /sbin/services iptables restart

Sample iptables Rules for CentOS/RHEL 6.x only

-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT

Save and close the file. Type the following command to restart the firewall:
# service iptables restart

Sample iptables Rules for CentOS/RHEL 7.x only

You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload
OR
# firewall-cmd --permanent --add-port=137/tcp
# firewall-cmd --permanent --add-port=138/tcp
# firewall-cmd --permanent --add-port=139/tcp
# firewall-cmd --permanent --add-port=445/tcp

See also

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
11 comments… add one
  • ZeldoR Dec 7, 2009 @ 17:06

    Thx. very much, nice overview :)

    Reply Link
  • Scott Feb 22, 2011 @ 23:42

    One note:

    Ports 137 and 138 are UDP for samba. Cheers,

    Reply Link
  • John Rose Apr 5, 2013 @ 10:06

    Please explain why $ grep -i NETBIOS /etc/services shows:
    netbios-ns 137/tcp # NETBIOS Name Service
    netbios-ns 137/udp
    netbios-dgm 138/tcp # NETBIOS Datagram Service
    netbios-dgm 138/udp
    netbios-ssn 139/tcp # NETBIOS session service
    netbios-ssn 139/udp
    I.e. does above mean that 137/udp etc is not used?

    Reply Link
  • Ben Watson May 3, 2013 @ 14:24

    Brilliant, thank you.

    Reply Link
  • Fu Oct 28, 2013 @ 21:46

    I believe the only ports that are actually used are the ones listed at the top of the article:
    netbios-ns – 137/tcp # NETBIOS Name Service
    netbios-dgm – 138/tcp # NETBIOS Datagram Service
    netbios-ssn – 139/tcp # NETBIOS session service
    microsoft-ds – 445/tcp # if you are using Active Directory

    The other ports are superfluous.

    Reply Link
  • Fu Oct 28, 2013 @ 21:48

    Sorry, I made a mistake. The required ports are actually:

    TCP 139 445
    UDP 137 138

    Reply Link
    • paul vixie Aug 2, 2014 @ 5:16

      yes, it’s tcp 139 and udp 137,138. for samba, 445 isn’t used.

      root@mm1:/var/log/samba # netstat -an|egrep ‘\.(137|138|139)’
      tcp4 0 0 *.139 *.* LISTEN
      tcp6 0 0 *.139 *.* LISTEN
      udp4 0 0 *.138 *.*
      udp4 0 0 *.137 *.*

      Reply Link
  • Giedrius Jul 22, 2014 @ 15:11

    to AUTHOR:

    can you please update the article to match correct information?

    -A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
    -A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
    -A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
    -A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT

    TCP: 139, 445
    UDP: 137, 138

    Reply Link
  • Claudio Apr 25, 2016 @ 14:49

    Would it be the firewall rules syntax apply for Fedora 23?

    Reply Link
    • 🐧 Vivek Gite Mar 31, 2017 @ 15:23

      Yes, centos/rhel 7.x rules should work with Fedora 23 or above.

      Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: