What Ports Need To Be Open For Samba To Communicate With Other Windows/Linux Systems?

What ports need to be open for Samba to communicate with other windows/linux systems? I need to configure Linux firewall so I need the exact port TCP and UDP port numbers for SMB/CIFS networking protocol. Can you provide me a list of ports along with sample iptables rules?

You can get list of ports from file called /etc/services. For your ease of use here are ports you need to open for two-way samba communication with Windows and Linux desktop systems.

netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory

Other ports:

Port 389 (TCP) – for LDAP (Active Directory Mode)
Port 445 (TCP) – NetBIOS was moved to 445 after 2000 and beyond, (CIFS)
Port 901 (TCP) – for SWAT service (not related to client communication)

Command To Find Out Required TCP/UDP Ports For SMB/CIFS Networking Protocol

Type the following command:
$ grep -i NETBIOS /etc/services
Sample outputs:

netbios-ns	137/tcp				# NETBIOS Name Service
netbios-ns	137/udp
netbios-dgm	138/tcp				# NETBIOS Datagram Service
netbios-dgm	138/udp
netbios-ssn	139/tcp				# NETBIOS session service
netbios-ssn	139/udp

Sample iptables Rules for CentOS/RHEL 5.x and older

To open Samba communication between 192.168.1.0/24 subnet representing the machines on your network which should operate as clients of the Samba server. Edit /etc/sysconfig/iptables under RHEL/CentOS server. Add the following lines, before the final LOG and ROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Feel free to change rules as per your setup. Save and close the file. Restart firewall service, enter:
# /sbin/services iptables restart

Sample iptables Rules for CentOS/RHEL 6.x only

-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p udp –dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state –state NEW -p tcp –dport 445 -j ACCEPT

Save and close the file. Type the following command to restart the firewall:
# service iptables restart

Sample iptables Rules for CentOS/RHEL 7.x only

You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba # firewall-cmd --reload
OR
# firewall-cmd --permanent --add-port=137/tcp # firewall-cmd --permanent --add-port=138/tcp # firewall-cmd --permanent --add-port=139/tcp # firewall-cmd --permanent --add-port=445/tcp

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

11 comment

Thx. very much, nice overview :)

Reply Report comment

One note:

Ports 137 and 138 are UDP for samba. Cheers,

Reply Report comment

Please explain why $ grep -i NETBIOS /etc/services shows:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
I.e. does above mean that 137/udp etc is not used?

Reply Report comment

Brilliant, thank you.

Reply Report comment

I believe the only ports that are actually used are the ones listed at the top of the article:
netbios-ns – 137/tcp # NETBIOS Name Service
netbios-dgm – 138/tcp # NETBIOS Datagram Service
netbios-ssn – 139/tcp # NETBIOS session service
microsoft-ds – 445/tcp # if you are using Active Directory

The other ports are superfluous.

Reply Report comment

Sorry, I made a mistake. The required ports are actually:

TCP 139 445
UDP 137 138

Reply Report comment

paul vixie says:
August 2, 2014 at 5:16 am
yes, it’s tcp 139 and udp 137,138. for samba, 445 isn’t used.
[email protected]:/var/log/samba # netstat -an|egrep ‘\.(137|138|139)’
tcp4 0 0 *.139 *.* LISTEN
tcp6 0 0 *.139 *.* LISTEN
udp4 0 0 *.138 *.*
udp4 0 0 *.137 *.*
Reply Report comment

to AUTHOR:

can you please update the article to match correct information?

-A INPUT -p udp -m state –state NEW -m udp –dport 137 -j ACCEPT
-A INPUT -p udp -m state –state NEW -m udp –dport 138 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 139 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 445 -j ACCEPT

TCP: 139, 445
UDP: 137, 138

Reply Report comment

Vivek Gite says:
March 31, 2017 at 3:22 pm
Updated for centos/rhel 6.x and 7.x.
Reply Report comment

Would it be the firewall rules syntax apply for Fedora 23?

Reply Report comment

Vivek Gite says:
March 31, 2017 at 3:23 pm
Yes, centos/rhel 7.x rules should work with Fedora 23 or above.
Reply Report comment

nixCraft

nixCraft

Share this on (or read 11 comments/add one below):

11 comment

Leave a Comment Cancel reply

Command To Find Out Required TCP/UDP Ports For SMB/CIFS Networking Protocol

Sample iptables Rules for CentOS/RHEL 5.x and older

Sample iptables Rules for CentOS/RHEL 6.x only

Sample iptables Rules for CentOS/RHEL 7.x only

See also

Posted by: Vivek Gite

Share this on (or read 11 comments/add one below):

11 comment

Leave a Comment Cancel reply