How to use SMB without turning off the firewall
Posted: 24 Mar 2005
When I first set up the computers I pinged and pinged but got nothing. In
frustration I opened my browser and, lo and behold, after much searching on the
internet I discovered that in order for ping to work I had to set my external
interface in the firewall to the wireless card (wlan-bus-pcmcia). Once I did
that ping worked but I could not see my home Windows network.
On doing some more research I found much cursing on the internet about this
and everyone saying the only way to get SMB to work was turn off the firewall. I
turned off the firewall and lo and behold smb worked and I could see all my
windows computers.
Now I don't particularly like the idea of turning off the firewall so I tried
and tried, but all I could find was to open ports 137-139 and 445. I opened both
of these (TCP and UDP) in the firewall but still no joy.
So my question: how do you get SMB to work with the SUSE firewall?
It would be great if you did a piece on networking laptops.
Many thanks and keep the Cool Solutions going. I have used several of
them.
Answer: For SUSE
First the guesses.
Where is the Internet connection? Is it on a Windows machine or a broadband
router, or do you have a Linux box with a firewall between it and your LAN?
Since you got onto the Internet before you could ping from your laptops, I
suppose you have the connection on your Windows box with a wireless router to
your laptops.
Not a good security policy. A major difference between Linux and Windows is
that Linux's biggest priority is security, whereas Windows' is ease of use: not
a good policy in developing a secure technology, but one that sells systems.
Better to put a Linux firewall in between the Internet and the rest of the
network. There is a reference
to a Shorewall setup at the end of this answer that is well worth a read,
even if you just look at the pictures.
I think a picture from you would also have been a great help in answering
this question.
The simple answer.
To get Samba to work in a Windows network neighbourhood, there has to be at
least one domain controller. This can be on a Windows machine (At least Windows
NT), but it is just as easy to switch on the Linux server as well. You can do
this at boot up or manually.
Use Yast for this task as it also sets the firewall permissions and ports for
you. Here is the Yast page for setting up the Samba server.
And this is what you see when you click on the Samba Server icon:
Read the help panel, change anything you need to and click Next to take you
to this screen, where you make the first important decision.
Here is where you tell the service to start on boot or manually, and where
you open the firewall to samba traffic.
The other tabs on this page are self explanatory. Actually I use that great
application Webmin to set up Samba. You can see my Howto on the
subject on my
Cool Solutions HowTo pages.
OK, if that didn't solve the problem, you are going to become a real super
user now and get down to the command line and the editor.
This is really not dumb-user stuff any more, so be warned.
Before you start, carefully take a look at:
- /usr/share/doc/packages/SUSEfirewall2/EXAMPLES
- /usr/share/doc/packages/SUSEfirewall2/FAQ
- /etc/sysconfig/SUSEfirewall2
Also have a look at the KDE help system on security.
The following command line instructions will not be part of the SUSE Firewall
as the script in /etc/sysconfig writes the rules for you. If you find these
rules do set things up and you cannot configure the script to do the same, then
you should save them to your own firewall script and run it from rc.local in
/etc/init.d.
Another alternative is to bypass the SUSE firewall by turning it off and use
WebMin or GuardDog or Shorewall to set up the rules, although I think it is
better to do these as tests which can discover the underlying problem, and go
back and reconfigure your network, samba and firewall using Yast, especially
since any changes or add-ons you make will have to be remembered for future
upgrades and new machines.
A technical solution
Presuming that Samba is working, from the information that has been provided
here, the most likely scenario is a misconfiguration of the firewall. This is
probably due to the fact that Yast detected 2 network interfaces and configured
the firewall for a multi-homed system (more than one network card). Setting
the wireless interface to external means that the firewall thinks the wireless
interface is connected directly to the Internet or a WAN (Wide Area Network). To
fix it I would suggest the following.
NOTE: This solution assumes that the Internet connection is running a
broadband router or a Linux box with a wireless card. Also, the unconfigured
Ethernet device is not used.
- Set the internal interface for the firewall to the wireless device.
- Set the firewall to allow ICMP (Internet Control Message Protocol) with the
  following types:
  - 0 (Echo request)
  - 8 (Echo Reply)
  - 3 (Destination unreachable) (This one is optional but useful)
You can set these rules using Webmin.
A rule like the following should appear in the resulting firewall output
which you can see on the command line with:
iptables -L
Or, you can use iptables to input these commands temporarily by just typing
them, as is, on the console terminal. See the iptables man or info pages for
more details.
iptables -A INPUT -p icmp -s <wireless_card_ipaddress> --icmp-type 3 -j ACCEPT
iptables -A OUTPUT -p icmp -d <wireless_card_ipaddress> --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s <wireless_card_ipaddress> --icmp-type 0/0 -j ACCEPT
iptables -A OUTPUT -p icmp -d <wireless_card_ipaddress> --icmp-type 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s <wireless_card_ipaddress> --icmp-type 8/0 -j ACCEPT
iptables -A OUTPUT -p icmp -d <wireless_card_ipaddress> --icmp-type 8/0 -j ACCEPT
- Allow traffic for the Windows network by opening the following ports for
  SMB, both TCP and UDP:

  Port Number   Traffic Type
  445           Microsoft-DS
  135           DCE endpoint resolution
  136
  137           NETBIOS Name Service
  138           NETBIOS Datagram Service
  139           NETBIOS session service

  (You can see these services as names in the /etc/sysconfig script if you
  performed the simple solution first.)
These are the rules to input:
iptables -A INPUT -p tcp -m multiport -s 10.0.0.1 --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport -d 10.0.0.1 --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A INPUT -p udp -m multiport -s 10.0.0.1 --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport -d 10.0.0.1 --destination-ports 445,135,136,137,138,139 -j ACCEPT
NOTE: The above rules are examples only and need to be modified to
work with your system.
- Shorewall is an excellent program (Shell script) for setting
up Linux firewalls. This good reference page will show you a system including
pictures with wireless laptops.
This Newbie answer has covered:
- How to set up a Samba server on a SUSE Linux machine and punch through the
  firewall using Yast.
- How to create technical iptables rules to test the same thing.
- Other alternatives to SUSE to set up firewall rules under Linux.
- A robust solution for firewalling a Windows/Linux LAN.