Prevent Linux firewalls interfering with Samba commands in a home network that uses broadcast NetBIOS name resolution

Or “How come devices in a home network can browse SMB shares but Linux Samba commands and Windows nbtstat commands do not work properly?”


In a previous post I explained how it is possible to browse SMB shares when using broadcast NetBIOS name resolution in a home network consisting of machines running Linux, Windows and other operating systems. Browsing SMB/Samba shares will work as expected, but Samba commands such as ‘smbtree‘, ‘smbclient‘ and ‘nmblookup‘ will not work properly if the Linux machines use a firewall that has not been configured for broadcast NetBIOS name resolution. This post is to explain how to do that.

If broadcast NetBIOS name resolution is being used and none of the Linux machines has a firewall enabled, or if their firewalls have been correctly configured, the output of e.g. the ‘smbtree‘ command on one of those machines would look something like the example below.

anne@akhanaten:~$ smbtree
Enter anne's password: 
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\TUTANKHAMUN                   Samba 4.5.10
                \\TUTANKHAMUN\Samsung_Xpress_C460FW     Samsung Xpress C460FW
                \\TUTANKHAMUN\Canon_MP560_Printer       Canon PIXMA MP560
                \\TUTANKHAMUN\Canon_MP510_Printer       Canon PIXMA MP510
                \\TUTANKHAMUN\Virtual_PDF_Printer       Virtual PDF Printer
                \\TUTANKHAMUN\IPC$              IPC Service (Samba 4.2.11)
                \\TUTANKHAMUN\netlogon          Network Logon Service
        \\BTHUB5                        BT Home Hub 5.0A File Server
                \\BTHUB5\IPC$                   IPC Service (BT Home Hub 5.0A File Server)
        \\THUTMOSEIII                   Windows 10 computer

If Linux firewalls have not been correctly configured, the output would be missing some information about other machines in the network. For example, compare the output above with the output below from the same network, this time with the Linux firewalls configured using typical rules for Samba specified in Web articles, blog posts and forums.

anne@akhanaten:~$ smbtree
Enter anne's password: 
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\TUTANKHAMUN                   Samba 4.5.10
        \\BTHUB5                        BT Home Hub 5.0A File Server
        \\THUTMOSEIII                   Windows 10 computer

To avoid this problem you need to add a further Linux firewall rule to the set of rules usually used for Samba. Below I first list the usual firewall rules for Samba, then I give the additional rule necessary if using broadcast NetBIOS name resolution. In each case I give the applicable rules for a pure IPTABLES firewall and for UFW (Uncomplicated Firewall). The rules listed here assume the IP address range of the home network is, so change the range to suit the specific network.

Firewall rules typically specified for machines using Samba


The rules listed below assume the machine uses interface eth0, so change the interface to suit the specific machine.

# NetBIOS Name Service (name resolution)
iptables -A INPUT -i eth0 -p udp --dport 137 -s -j ACCEPT

# NetBIOS Datagram Service (BROWSER service)
iptables -A INPUT -i eth0 -p udp --dport 138 -s -j ACCEPT

# NetBIOS Session Service (data transfer legacy SMB/NetBIOS/TCP)
iptables -A INPUT -i eth0 -p tcp --dport 139 -s -j ACCEPT

# Microsoft Directory Service (data transfer SMB/TCP)
iptables -A INPUT -i eth0 -p tcp --dport 445 -s -j ACCEPT


In some Linux distributions the ufw application allows a single command to add Samba support, such as:

user $ sudo ufw allow Samba


user $ sudo ufw allow CIFS

These ‘application profiles’ are specified in files in the directory /etc/ufw/applications.d/, so you could add application profiles or modify existing ones if you wish. In one of my installations the file /etc/ufw/applications.d/ufw-fileserver includes the following application profile for Samba, for example:

title=SMB/CIFS server
description=SMB/CIFS server

If such an application profile does not exist in your installation, typical Samba rules can be added in UFW using the following two commands:

user $ sudo ufw allow from to any port 137,138 proto udp
user $ sudo ufw allow from to any port 139,445 proto tcp

The correct addition of the rules can be checked using the following command:

user $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN
139,445/tcp (CIFS)         ALLOW IN

The extra rule required when using broadcast NetBIOS name resolution

The reason why an extra rule is required when using broadcast NetBIOS name resolution is because UFW (which is based on IPTABLES) is ‘stateful’, as is a purely IPTABLES firewall (unless explicitly configured not to be stateful). The firewall does not consider packets it receives in response to its broadcast to be ESTABLISHED or RELATED, and therefore drops those packets. So, despite the IPTABLES and UFW rules listed above including a rule to accept incoming UDP packets on Port 137, any UDP packets received on Port 137 that do not constitute a one-to-one, two-way communication flow are dropped by the firewall. The extra rule below overrules this and makes the firewall accept packets coming from other devices’ Port 137 in response to broadcast NetBIOS Name Service packets. To do this, the extra rule uses a CT (Connection Tracking) helper named ‘netbios-ns‘ (obviously meaning ‘NetBIOS Name Service’). In order to use this rule the kernel must have been configured to use the IPTABLES ‘raw‘ table and to use CT (see the section ‘Kernel configuration’ further on).


# All NetBIOS clients must have the netbios-ns helper enabled for broadcast name resolution to work
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

By the way, in addition to flushing the usual tables, flush the ‘raw‘ table too when you restart the firewall:

iptables -t raw -F OUTPUT


Add the following lines to the end of the file /etc/ufw/before.rules

# The following is needed to enable Samba commands to
# work properly for broadcast NetBIOS name resolution
# raw table rules
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

Note that the output of the command ‘ufw status verbose‘ will not include the above rule. This is not a bug.

Kernel configuration

If you are using a binary-based distribution such as Ubuntu Linux, the kernel will probably have been configured to include the needed modules (CONFIG_IP_NF_RAW=m, CONFIG_IP6_NF_RAW=m and CONFIG_NETFILTER_XT_TARGET_CT=m), and the installation configured to load the modules automatically. However, if you are using a source-based distribution such as Gentoo Linux make sure the kernel configuration includes these three options before you build the kernel, and also add the module names ‘iptable_raw‘ and ‘xt_CT‘ to the module list in the file /etc/conf.d/modules as shown in the example below, so that the modules are loaded at boot:

modules="r8169 nvidia agpgart fuse bnep rfcomm hidp uvcvideo cifs mmc_block rtsx_pci snd-seq-midi vboxdrv vboxnetadp vboxnetflt iptable_raw xt_CT"

You can use the following two commands to check if the two modules are loaded:

user $ sudo lsmod | grep iptable_raw
user $ sudo lsmod | grep xt_CT

How to check the additional rule is active

You can use the command below whether you are using pure IPTABLES or UFW.

user $ sudo iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 2613 packets, 1115K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2773 packets, 475K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   16  1248 CT         udp  --  *      *              udp dpt:137 CT helper netbios-ns

The packet and byte counts will increase whenever you use a Samba command.


  1. The "iptables" project
  2. Iptables Tutorial
  3. Introduction to IPTables
  4. Gentoo Wiki : iptables
  5. Arch Linux Wiki : Samba : "Browsing" network fails with "Failed to retrieve share list from server"
  6. Ubuntu : Manpage : ufw-framework
  7. Gentoo Wiki : UFW

About Fitzcarraldo
A Linux user with an interest in all things technical.

11 Responses to Prevent Linux firewalls interfering with Samba commands in a home network that uses broadcast NetBIOS name resolution

  1. Fitzcarraldo says:

    Those of you who also read my earlier post on Samba/SMB may have noticed that all the machines in the home network in the example above are now in the Windows Workgroup ‘HOME‘ instead of ‘GREENGABLES‘, i.e. they are now in the same workgroup as the BT Home Hub (router + broadband modem) which is fixed as ‘HOME‘ and cannot be changed by the user. There were no problems using the original setup with the BT Home Hub in a separate Windows Workgroup to everything else in the network, but it is tidier to have everything in a single Windows Workgroup.

  2. mumblingfumbler says:

    Your snippet to add to /etc/ufw/before. rules doesn’t work for latest Debian (9.1.0) release of ufw. Here’s the error:

    ERROR: problem running ufw-init
    Bad argument `*raw’
    Error occurred at line: 82
    Try `iptables-restore -h’ or ‘iptables-restore –help’ for more information.

    Problem running ‘/etc/ufw/before.rules’

    • Fitzcarraldo says:

      Is the module iptable_raw loaded?

      • mumblingfumbler says:

        Thanks for replying:
        sudo modinfo iptable_raw
        [sudo] password for dheintz:
        filename: /lib/modules/4.9.0-3-amd64/kernel/net/ipv4/netfilter/iptable_raw.ko
        license: GPL
        depends: x_tables,ip_tables
        intree: Y
        vermagic: 4.9.0-3-amd64 SMP mod_unload modversions
        I found another way. I took your iptables rule:
        iptables -t raw -A OUTPUT -p udp -m udp –dport 137 -j CT –helper netbios-ns

        shoved it in a script, and dropped the script in:

        That did the trick for making the rule persist across boots.

        I’d still like to know what is wrong with the ufw solution.

        There was a BROADCAST,….RETURN rule in:
        I commented it out–no change.

        Without the iptables rule, smbtree fails to resolve the workgroup and shares and I get nada.

  3. mumblingfumbler says:

    Thanks. It looks like that was the problem. I need a commit both before and after raw rule? Why is that?
    Thanks for your help,

    • Fitzcarraldo says:

      The COMMIT before pertains to the operations on the other table. That’s why my article specified to add the additional lines at the end of the file (i.e. after the existing COMMIT statement).

  4. quicktrick says:

    Hello! Could you please add the rules needed for SuSEfirewall2 and maybe some other and openSUSE settings (I’ve read your article here I can see the share in Windows but I cannot browse it.

  5. mumblingfumbler says:

    Well, your raw rule fixed smbtree not showing anything, but my debian firewall is still not allowing server access by netbios name via windows network. It is a name resolution problem, since I can access the server via ip address no problem. Server name shows up in network, but windows can’t access it. When I do ufw disable, it works. Any ideas? Shouldn’t ‘ufw Samba allow’ opened up the appropriate ports? Thanks for your help.

  6. mumblingfumbler says:

    Sorry, never mind. I figured out what was wrong. I had commented out the line:
    -A ufw-not-local -m addrtype –dst-type BROADCAST -j RETURN
    in before.rules, and that broke NetBIOS name service.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: