Prevent Linux firewalls interfering with Samba commands in a home network that uses broadcast NetBIOS name resolution
August 11, 2017
Or “How come devices in a home network can browse SMB shares but Linux Samba commands and Windows nbtstat commands do not work properly?”
Introduction
In a previous post I explained how it is possible to browse SMB shares when using broadcast NetBIOS name resolution in a home network consisting of machines running Linux, Windows and other operating systems. Browsing SMB/Samba shares will work as expected, but Samba commands such as ‘smbtree’, ‘smbclient’ and ‘nmblookup’ will not work properly if the Linux machines use a firewall that has not been configured for broadcast NetBIOS name resolution. This post explains how to configure the firewall so that they do.
If broadcast NetBIOS name resolution is being used and none of the Linux machines has a firewall enabled, or if their firewalls have been correctly configured, the output of e.g. the ‘smbtree’ command on one of those machines would look something like the example below.
anne@akhanaten:~$ smbtree
Enter anne's password:
HOME
\\AKHANATEN Samba 4.3.11-Ubuntu
\\AKHANATEN\IPC$ IPC Service (Samba 4.3.11-Ubuntu)
\\AKHANATEN\guest guest account
\\AKHANATEN\matthew matthew share
\\AKHANATEN\marilla marilla share
\\AKHANATEN\anne anne share
\\TUTANKHAMUN Samba 4.5.10
\\TUTANKHAMUN\Samsung_Xpress_C460FW Samsung Xpress C460FW
\\TUTANKHAMUN\Canon_MP560_Printer Canon PIXMA MP560
\\TUTANKHAMUN\Canon_MP510_Printer Canon PIXMA MP510
\\TUTANKHAMUN\Virtual_PDF_Printer Virtual PDF Printer
\\TUTANKHAMUN\IPC$ IPC Service (Samba 4.2.11)
\\TUTANKHAMUN\Public
\\TUTANKHAMUN\anne-share
\\TUTANKHAMUN\print$
\\TUTANKHAMUN\netlogon Network Logon Service
\\BTHUB5 BT Home Hub 5.0A File Server
\\BTHUB5\IPC$ IPC Service (BT Home Hub 5.0A File Server)
\\THUTMOSEIII Windows 10 computer
If Linux firewalls have not been correctly configured, the output would be missing some information about other machines in the network. For example, compare the output above with the output below from the same network, this time with the Linux firewalls configured using typical rules for Samba specified in Web articles, blog posts and forums.
anne@akhanaten:~$ smbtree
Enter anne's password:
HOME
\\AKHANATEN Samba 4.3.11-Ubuntu
\\AKHANATEN\IPC$ IPC Service (Samba 4.3.11-Ubuntu)
\\AKHANATEN\guest guest account
\\AKHANATEN\matthew matthew share
\\AKHANATEN\marilla marilla share
\\AKHANATEN\anne anne share
\\TUTANKHAMUN Samba 4.5.10
\\BTHUB5 BT Home Hub 5.0A File Server
\\THUTMOSEIII Windows 10 computer
To avoid this problem you need to add a further Linux firewall rule to the set of rules usually used for Samba. Below I first list the usual firewall rules for Samba, then I give the additional rule necessary if using broadcast NetBIOS name resolution. In each case I give the applicable rules for a pure IPTABLES firewall and for UFW (Uncomplicated Firewall). The rules listed here assume the IP address range of the home network is 192.168.1.0/24, so change the range to suit the specific network.
Firewall rules typically specified for machines using Samba
IPTABLES
The rules listed below assume the machine uses interface eth0, so change the interface to suit the specific machine.
# NetBIOS Name Service (name resolution)
iptables -A INPUT -i eth0 -p udp --dport 137 -s 192.168.1.0/24 -j ACCEPT
# NetBIOS Datagram Service (BROWSER service)
iptables -A INPUT -i eth0 -p udp --dport 138 -s 192.168.1.0/24 -j ACCEPT
# NetBIOS Session Service (data transfer legacy SMB/NetBIOS/TCP)
iptables -A INPUT -i eth0 -p tcp --dport 139 -s 192.168.1.0/24 -j ACCEPT
# Microsoft Directory Service (data transfer SMB/TCP)
iptables -A INPUT -i eth0 -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT
UFW
In some Linux distributions the ufw application allows a single command to add Samba support, such as:
user $ sudo ufw allow Samba
or
user $ sudo ufw allow CIFS
These ‘application profiles’ are specified in files in the directory /etc/ufw/applications.d/, so you could add application profiles or modify existing ones if you wish. In one of my installations the file /etc/ufw/applications.d/ufw-fileserver includes the following application profile for Samba, for example:
[CIFS]
title=SMB/CIFS server
description=SMB/CIFS server
ports=137,138/udp|139,445/tcp
If such an application profile does not exist in your installation, typical Samba rules can be added in UFW using the following two commands:
user $ sudo ufw allow from 192.168.1.0/24 to any port 137,138 proto udp
user $ sudo ufw allow from 192.168.1.0/24 to any port 139,445 proto tcp
The correct addition of the rules can be checked using the following command:
user $ sudo ufw status verbose
Password:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
137,138/udp (CIFS) ALLOW IN 192.168.1.0/24
139,445/tcp (CIFS) ALLOW IN 192.168.1.0/24
The extra rule required when using broadcast NetBIOS name resolution
An extra rule is required when using broadcast NetBIOS name resolution because UFW (which is based on IPTABLES) is ‘stateful’, as is a purely IPTABLES firewall (unless explicitly configured not to be). The firewall does not consider packets it receives in response to its broadcast to be ESTABLISHED or RELATED, and therefore drops them. So, although the IPTABLES and UFW rules listed above include a rule to accept incoming UDP packets on Port 137, any UDP packets received on Port 137 that do not form part of a one-to-one, two-way communication flow are dropped by the firewall. The extra rule below overrides this and makes the firewall accept packets coming from other devices’ Port 137 in response to broadcast NetBIOS Name Service packets. To do this, the extra rule uses a CT (Connection Tracking) helper named ‘netbios-ns’ (meaning ‘NetBIOS Name Service’). In order to use this rule the kernel must have been configured to use the IPTABLES ‘raw’ table and to use CT (see the section ‘Kernel configuration’ further on).
IPTABLES
# All NetBIOS clients must have the netbios-ns helper enabled for broadcast name resolution to work
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
By the way, in addition to flushing the usual tables, flush the ‘raw’ table too when you restart the firewall:
iptables -t raw -F OUTPUT
UFW
Add the following lines to the end of the file /etc/ufw/before.rules
# The following is needed to enable Samba commands to
# work properly for broadcast NetBIOS name resolution
#
# raw table rules
*raw
:OUTPUT ACCEPT [0:0]
-F OUTPUT
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT
Note that the output of the command ‘ufw status verbose’ will not include the above rule. This is not a bug.
Kernel configuration
If you are using a binary-based distribution such as Ubuntu Linux, the kernel will probably have been configured to include the needed modules (CONFIG_IP_NF_RAW=m, CONFIG_IP6_NF_RAW=m and CONFIG_NETFILTER_XT_TARGET_CT=m), and the installation configured to load the modules automatically. However, if you are using a source-based distribution such as Gentoo Linux, make sure the kernel configuration includes these three options before you build the kernel, and also add the module names ‘iptable_raw’ and ‘xt_CT’ to the module list in the file /etc/conf.d/modules as shown in the example below, so that the modules are loaded at boot:
modules="r8169 nvidia agpgart fuse bnep rfcomm hidp uvcvideo cifs mmc_block rtsx_pci snd-seq-midi vboxdrv vboxnetadp vboxnetflt iptable_raw xt_CT"
You can use the following two commands to check if the two modules are loaded:
user $ sudo lsmod | grep iptable_raw
user $ sudo lsmod | grep xt_CT
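The IPTABLES rules above, the flush of the ‘raw’ table and the module check are easy to get out of order when typed by hand, so here is a small POSIX shell script that puts them together. It is an added example, not something from the original post: the interface name, the subnet and the DRY_RUN variable are assumptions for this script, and the lsmod lines used to exercise the module check are constructed, not captured from a real machine. The subnet is validated crudely before it is interpolated into any rule, so a typo cannot silently widen the source range beyond the home network.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply the IPTABLES rule set
# for Samba with broadcast NetBIOS name resolution. Interface, subnet and DRY_RUN are
# assumptions; run with DRY_RUN=1 to see the commands without needing root.

# samba_rules IFACE SUBNET
# Prints, one per line, the four usual INPUT rules plus the raw-table CT helper rule.
# Fails without printing anything if SUBNET does not look like a.b.c.d/nn.
samba_rules() {
    iface=$1
    net=$2
    case "$net" in
        *[!0-9./]* | "" | */ | /*) return 1 ;;   # only digits, dots and one slash allowed
        */[0-9] | */[0-9][0-9]) ;;              # must end in /n or /nn
        *) return 1 ;;
    esac
    cat <<EOF
iptables -A INPUT -i $iface -p udp --dport 137 -s $net -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 138 -s $net -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 139 -s $net -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 445 -s $net -j ACCEPT
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
EOF
}

# modules_loaded < lsmod-output
# Succeeds only if both iptable_raw and xt_CT appear as module names on stdin.
modules_loaded() {
    have_raw=0
    have_ct=0
    while IFS= read -r line; do
        name=${line%% *}               # first column of each lsmod line
        case "$name" in
            iptable_raw) have_raw=1 ;;
            xt_CT)       have_ct=1 ;;
        esac
    done
    [ "$have_raw" -eq 1 ] && [ "$have_ct" -eq 1 ]
}

# run_cmd ARGS...: print the command when DRY_RUN=1, otherwise execute it.
run_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_samba_rules IFACE SUBNET
# Checks the kernel modules (skipped in dry-run mode), flushes the raw OUTPUT chain as
# recommended for a firewall restart, then adds each rule in order.
apply_samba_rules() {
    rules=$(samba_rules "$1" "$2") || { echo "rejected subnet: $2" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != 1 ] && ! lsmod | modules_loaded; then
        echo "iptable_raw and xt_CT must be loaded before adding the raw table rule" >&2
        return 1
    fi
    run_cmd iptables -t raw -F OUTPUT
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        run_cmd $cmd
    done
}

# Usage: DRY_RUN=1 sh samba-fw.sh eth0 192.168.1.0/24   (constructed example values)
if [ $# -ge 2 ]; then
    apply_samba_rules "$1" "$2"
fi
```

Run it once with DRY_RUN=1 and compare the printed commands with the rules in this post before running it for real as root; the raw-table flush is printed first, which is the order you want on a firewall restart.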
How to check the additional rule is active
You can use the command below whether you are using pure IPTABLES or UFW.
user $ sudo iptables -nvL -t raw
Password:
Chain PREROUTING (policy ACCEPT 2613 packets, 1115K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2773 packets, 475K bytes)
pkts bytes target prot opt in out source destination
16 1248 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 CT helper netbios-ns
The packet and byte counts will increase whenever you use a Samba command.
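To turn that check into something you can script (for example before and after running ‘smbtree’), here is an added POSIX shell example that is not from the original post. It reads the output of ‘iptables -nvL -t raw’, finds the CT helper rule in the OUTPUT chain, extracts its packet counter and compares two snapshots. The snapshots embedded below are constructed to match the format shown above; they were not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the netbios-ns CT helper rule is
# present in the raw OUTPUT chain and that its packet counter increases between two
# snapshots of `iptables -nvL -t raw`. Sample snapshots are constructed.

# ct_rule_pkts < iptables-raw-output
# Prints the packet count of the CT helper rule for udp dpt:137 in the OUTPUT chain.
# Returns 1 (prints nothing) if the rule is absent, so a missing rule is not mistaken
# for a counter of zero.
ct_rule_pkts() {
    chain=""
    while IFS= read -r line; do
        case "$line" in
            "Chain "*)
                rest=${line#Chain }
                chain=${rest%% *} ;;
            *" CT "*"udp dpt:137"*"CT helper netbios-ns"*)
                if [ "$chain" = "OUTPUT" ]; then
                    blanks=${line%%[! ]*}           # leading spaces before pkts column
                    trimmed=${line#"$blanks"}
                    printf '%s\n' "${trimmed%% *}"  # first field is the packet count
                    return 0
                fi ;;
        esac
    done
    return 1
}

# counter_moved BEFORE AFTER
# BEFORE and AFTER are two captures of `iptables -nvL -t raw` as strings. Succeeds only
# if the rule is in both and its packet counter grew, which is what a Samba command
# issued between the two captures should cause.
counter_moved() {
    before=$(printf '%s\n' "$1" | ct_rule_pkts) || { echo "rule missing in first snapshot" >&2; return 2; }
    after=$(printf '%s\n' "$2" | ct_rule_pkts) || { echo "rule missing in second snapshot" >&2; return 2; }
    [ "$after" -gt "$before" ]
}

# Constructed sample snapshots in the layout of `iptables -nvL -t raw`.
SNAP_BEFORE='Chain PREROUTING (policy ACCEPT 2613 packets, 1115K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2773 packets, 475K bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1248 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns'

SNAP_AFTER='Chain PREROUTING (policy ACCEPT 2640 packets, 1127K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2801 packets, 481K bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1560 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns'

SNAP_NO_RULE='Chain PREROUTING (policy ACCEPT 2613 packets, 1115K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2773 packets, 475K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Live usage on a real host: capture, run a Samba command, capture again, compare.
#   before=$(sudo iptables -nvL -t raw); smbtree >/dev/null; after=$(sudo iptables -nvL -t raw)
#   counter_moved "$before" "$after" && echo "helper rule is active and being hit"
if [ "${1:-}" = "--demo" ]; then
    counter_moved "$SNAP_BEFORE" "$SNAP_AFTER" && echo "constructed snapshots: counter moved from $(printf '%s\n' "$SNAP_BEFORE" | ct_rule_pkts) to $(printf '%s\n' "$SNAP_AFTER" | ct_rule_pkts)"
fi
```

A counter that does not move after a Samba command usually means the rule is there but the ‘xt_CT’ module is not actually loaded, or the Samba command is not sending NetBIOS Name Service packets at all (for instance because name resolution has been configured to use WINS or DNS instead of broadcast).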
Bibliography