Firewall on simple samba LAN
From openSUSE
HowTo: Really Quick Personal Firewall on a Linux host in a Simple Samba LAN.
Author: [Swerdna]
Summary: This HowTo uses iptables in Suse 10.0, 10.1, openSUSE 10.2 to set up a personal firewall, i.e. a firewall on an individual host/workstation. The method is to edit the file /etc/sysconfig/SuSEfirewall2 to permit the ports that Samba uses and/or to allow your (soho) Lan through via its IP address range.
Prerequisites/assumptions: This HowTo is for hosts on a LAN using Samba sharing. First the LAN must be up and functional. If the LAN uses simple broadcast name resolution, sharing won't work properly through an iptables firewall on a Linux host. You need to install additional support from one of these: a Local Master Browser, a WINS server or the lmhosts file. Here are some Recipes to Configure Stable Network Browsing on a SOHO LAN.
Samba Ports: You need to open some ports for Samba communications.
These you should open:
- 135/TCP: epmap [DCE endpoint resolution]
- 137/UDP: netbios-ns [NETBIOS Name Service]
- 138/UDP: netbios-dgm [NETBIOS Datagram Service]
- 139/TCP: netbios-ssn [NETBIOS Session Service]
Here are some optional extras - open them if circumstances require:
- 445/TCP: SMB over TCP/IP - use this if NetBT is turned off
- 515/TCP: LPD - Line Printer Daemon - Windows/Unix printing
- 515/UDP: LPD - Line Printer Daemon - Windows/Unix printing
- 631/TCP: IPP - Internet Printing Protocol of CUPS
- 631/UDP: IPP - Internet Printing Protocol of CUPS
- 6881/TCP: KTorrent
- 4444/UDP: KTorrent
Broadcast Packets: You must allow "Samba server" [by allowing passage of broadcast packets to facilitate communication on open ports].
- Note1: I see suggestions on the Internet to allow outgoing services like "microsoft-ds netbios-ssn" for TCP or like "netbios-ns netbios-dgm" for UDP and, less frequently, for broadcasts of the form "netbios-ns netbios-dgm". This is unnecessary/redundant if you open the ports above.
- Note2: Some people allow either duplex traffic or incoming traffic on all high ports. There's little point in having a firewall if all high ports are opened. You open ports for extra services like BitTorrent, ssh, aMule etc by including them specifically in the list above.
- Note3: Port 1024 is sometimes recommended. This is essentially a way to allow broadcast name resolution and it works in a flaky and unreliable fashion for personal firewalls on LANs. IMHO don't use it. Samba server is already accommodated above.
- Note4: Port 445 was implemented by Microsoft for Windows machines that have NetBIOS over TCP/IP (NBT) turned off. NBT is on for the typical SOHO LAN, so there is no pressing reason to have port 445 open. I choose not to use 445 for two reasons: for administrative simplicity, and because the fewer ports open the better from a security standpoint. I've included mention of 445 for clarity, rather than simply not mentioning it. The SOHO LAN will work with it or without it. You decide. If you leave 445 out, as I have in my iptables "make it happen" segment, you should also include the line "smb ports = 139" in the [global] section of smb.conf. This will disable Samba's use of 445 altogether. Thanks broch.
Trusted Nets [Allow IP Ranges]: Iptables can allow ranges of IP addresses through the firewall. These are so-called "trusted nets", to accommodate LANs like the SOHO LAN we're discussing here. The range to allow is typically written as 192.168.2.1/24 ("/24" denotes the entire 192.168.2.x range; use your own subnet as appropriate).
- Note5: It might seem that allowing traffic two different ways, i.e. by allowing certain ports and by allowing certain IP ranges, is unnecessary. "Why not use one or the other?" you ask. Well you can - try it out. I need both. Otherwise I have to manually start the firewall each time I boot, and that would be un-cool.
Iptables - make it happen: You can use the GUI approach in either of two ways with YAST. The GUI for "firewall" at Yast --> Security and Users --> Firewall --> Allowed Services is there to set open ports and to allow passage of broadcast packets (i.e. to allow Samba server). But I found it to be unreliable. Entering data there can stop my firewall from working. An alternative GUI is at Yast --> System --> /etc/sysconfig Editor, where everything mentioned above can be set in one go.
Open Yast --> System --> /etc/sysconfig Editor --> Network --> Firewall --> SuseFirewall2 --> + (expand) --> then locate the entries in the list below. You'll find them in the left hand column of the GUI. Change them using the right hand column of the GUI to include the settings in the list below:
FW_DEV_EXT <--entry--> any eth-id-00:13:d4:fe:36:59 modem0 [notice I've firewalled "any" device not listed, the ethernet card and my modem. If you can't figure out what to put here for the NIC then use this GUI in YAST: Firewall --> Interfaces --> Zones, but only for the NIC]
FW_SERVICES_EXT_TCP <--entry--> 135 139 6881 [notice I've included a port for KTorrent just as an example. This is where you add ports/TCP for your additional services. I've also left port 445 out as explained above. It is not safe in my experience to set these using Yast Firewall Allowed Services]
FW_SERVICES_EXT_UDP <--entry--> 137 138 4444 [notice I've included a port for KTorrent just as an example. This is where you add ports/UDP for your additional services. It is not safe in my experience to set these using Yast Firewall Allowed Services]
FW_ALLOW_FW_BROADCAST_EXT <--entry--> yes [This enables broadcasts from Samba Server. It is not safe in my experience to set this using Yast Firewall Allowed Services]
FW_TRUSTED_NETS <--entry--> 192.168.2.1/24 [This allows the Lan through]
At this stage you can switch the firewall on using Yast --> Security and Users --> Firewall --> Start/stop/save-and-start firewall.
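As an added example (not part of the HowTo and not a SuSEfirewall2 or YaST tool), here is a POSIX shell script that checks a SuSEfirewall2 sysconfig file and smb.conf for the settings listed above, including the Note4 caveat that a closed port 445 needs "smb ports = 139". The function names, the temporary directory and the constructed sample files are this example's own assumptions; it reads only the keys named in the HowTo.

```shell
#!/bin/sh
# Added example, not the HowTo's or SuSEfirewall2's own code: audit the Samba
# settings in a SuSEfirewall2 file plus smb.conf. Runs on constructed copies here;
# point it at /etc/sysconfig/SuSEfirewall2 and /etc/samba/smb.conf for a real host.
# Value of KEY=... in a sysconfig-style file, with surrounding quotes removed.
sysconfig_get() {   # $1=file  $2=key
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}
# Succeed if port $2 appears in the space-separated list held by key $3 of file $1.
port_listed() {
    for p in $(sysconfig_get "$1" "$3"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}
# Report each missing setting on stdout; the exit status is the number of problems.
check_samba_firewall() {   # $1=SuSEfirewall2 file  $2=smb.conf
    n=0
    for port in 135 139; do
        port_listed "$1" "$port" FW_SERVICES_EXT_TCP || { echo "TCP $port not opened"; n=$((n + 1)); }
    done
    for port in 137 138; do
        port_listed "$1" "$port" FW_SERVICES_EXT_UDP || { echo "UDP $port not opened"; n=$((n + 1)); }
    done
    [ "$(sysconfig_get "$1" FW_ALLOW_FW_BROADCAST_EXT)" = yes ] || { echo "Samba broadcasts not allowed"; n=$((n + 1)); }
    [ -n "$(sysconfig_get "$1" FW_TRUSTED_NETS)" ] || { echo "FW_TRUSTED_NETS is empty"; n=$((n + 1)); }
    # Note4: with 445/TCP left closed, Samba itself must be told to use 139 only.
    if ! port_listed "$1" 445 FW_SERVICES_EXT_TCP; then
        grep -Eq '^[[:space:]]*smb ports[[:space:]]*=[[:space:]]*139[[:space:]]*$' "$2" \
            || { echo "445 closed but smb.conf lacks 'smb ports = 139'"; n=$((n + 1)); }
    fi
    return $n
}
# Constructed sample files mirroring the settings listed in the HowTo.
WORK=$(mktemp -d)
GOOD_FW="$WORK/SuSEfirewall2"
cat > "$GOOD_FW" <<'EOF'
FW_DEV_EXT="any eth-id-00:13:d4:fe:36:59 modem0"
FW_SERVICES_EXT_TCP="135 139 6881"
FW_SERVICES_EXT_UDP="137 138 4444"
FW_ALLOW_FW_BROADCAST_EXT="yes"
FW_TRUSTED_NETS="192.168.2.1/24"
EOF
SMB_CONF="$WORK/smb.conf"
printf '[global]\n\tworkgroup = WORKGROUP\n\tsmb ports = 139\n' > "$SMB_CONF"
check_samba_firewall "$GOOD_FW" "$SMB_CONF" && echo "Samba firewall settings look complete"
```

Once the firewall has been started, `iptables -L -n` shows the rules SuSEfirewall2 actually loaded, so you can confirm that only the listed ports and the trusted net are accepted.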
This is pretty abbreviated. If you're a newbie and having trouble, or you want also to see how this all works in a LAN [the fuller picture], inevitably with Windows workstations, maybe see a fuller article by me here: Linux Networking: [HowTo Secure a SOHO Samba Lan]