What ports need to be open for Samba to communicate with other windows/linux systems? I need to configure Linux firewall so I need the exact port TCP and UDP port numbers for SMB/CIFS networking protocol. Can you provide me a list of ports along with sample iptables rules?
You can get list of ports from file called /etc/services. For your ease of use here are ports you need to open for two-way samba communication with Windows and Linux desktop systems.
- netbios-ns – 137/tcp # NETBIOS Name Service
- netbios-dgm – 138/tcp # NETBIOS Datagram Service
- netbios-ssn – 139/tcp # NETBIOS session service
- microsoft-ds – 445/tcp # if you are using Active Directory
Other ports:
- Port 389 (TCP) – for LDAP (Active Directory Mode)
- Port 445 (TCP) – NetBIOS was moved to 445 after 2000 and beyond, (CIFS)
- Port 901 (TCP) – for SWAT service (not related to client communication)
Command To Find Out Required TCP/UDP Ports For SMB/CIFS Networking Protocol
Type the following command:
$ grep -i NETBIOS /etc/services
Sample outputs:
netbios-ns 137/tcp # NETBIOS Name Service netbios-ns 137/udp netbios-dgm 138/tcp # NETBIOS Datagram Service netbios-dgm 138/udp netbios-ssn 139/tcp # NETBIOS session service netbios-ssn 139/udp
Sample iptables Rules for CentOS/RHEL 5.x and older
To open Samba communication between 192.168.1.0/24 subnet representing the machines on your network which should operate as clients of the Samba server. Edit /etc/sysconfig/iptables under RHEL/CentOS server. Add the following lines, before the final LOG and ROP lines for the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
Feel free to change rules as per your setup. Save and close the file. Restart firewall service, enter:
# /sbin/services iptables restart
Sample iptables Rules for CentOS/RHEL 6.x only
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT -A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT -A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT -A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT |
Save and close the file. Type the following command to restart the firewall:
# service iptables restart
Sample iptables Rules for CentOS/RHEL 7.x only
You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload
OR
# firewall-cmd --permanent --add-port=137/tcp
# firewall-cmd --permanent --add-port=138/tcp
# firewall-cmd --permanent --add-port=139/tcp
# firewall-cmd --permanent --add-port=445/tcp
See also
- Samba: Linux Iptables Firewall Configuration
- Connecting Linux or UNIX system to Network attached storage device
Thx. very much, nice overview :)
One note:
Ports 137 and 138 are UDP for samba. Cheers,
Please explain why $ grep -i NETBIOS /etc/services shows:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
I.e. does above mean that 137/udp etc is not used?
Brilliant, thank you.
I believe the only ports that are actually used are the ones listed at the top of the article:
netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory
The other ports are superfluous.
Sorry, I made a mistake. The required ports are actually:
TCP 139 445
UDP 137 138
yes, it’s tcp 139 and udp 137,138. for samba, 445 isn’t used.
root@mm1:/var/log/samba # netstat -an|egrep ‘\.(137|138|139)’
tcp4 0 0 *.139 *.* LISTEN
tcp6 0 0 *.139 *.* LISTEN
udp4 0 0 *.138 *.*
udp4 0 0 *.137 *.*
to AUTHOR:
can you please update the article to match correct information?
-A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT
TCP: 139, 445
UDP: 137, 138
Updated for centos/rhel 6.x and 7.x.
Would it be the firewall rules syntax apply for Fedora 23?
Yes, centos/rhel 7.x rules should work with Fedora 23 or above.