Novell is now a part of Micro Focus

Basics: How to use SMB without turning off the firewall

Novell Cool Solutions: Feature
By Stomfi

Digg This - Slashdot This

Updated: 16 Jun 2005

Question: I am new to SUSE and Linux but I am enjoying trying to set up my systems. I have SUSE 9.2 running on 2 laptops, a Dell c400 and d600. I have set both systems up to be wireless only (the built-in ethernet cards are not configured).

When I first set up the computers I pinged and pinged but got nothing. In frustration I opened my browser and low and behold I discovered that in order for ping to work After much searching on the internet I discovered I had to set my external interface in the firewall to the wireless card (wlan-bus-pcmcia). Once I did that ping worked but I could not see my home windows network.

On doing some more research I found much cursing on the internet about this and everyone saying the only way to get SMB to work was turn off the firewall. I turned off the firewall and lo and behold smb worked and I could see all my windows computers.

Now I don't particularly like the idea of turning off the firewall so tried and tried but all I could find was to open ports 137-139 and 445. I opened both of these (TCP and UDP) in the firewall but still no joy.

So my question - how do you get SMB to work with the SUSE firewall.

It would be great if you did a piece of networking laptops?

Many thanks and keep the Cool Solutions going. I have used several of them.

Answer: For SUSE

First the guesses.

Where is the Internet connection? Is it on a Windows machine or a broadband router, or do you have a Linux box with firewall between it and your LAN.

Since you got onto the Internet before you could ping from your laptops, I suppose you have the connection on to your Windows box with a wireless router to your laptops.

Not a good security policy. A major difference between Linux and Windows is that Linux's biggest priority is security, whereas Window's is ease of use, not a good policy in a developing a secure technology, but one that sells systems. Better to put a Linux firewall in between the Internet and the rest of the network. There is a reference to a Shorewall setup at the end of this answer that is well worth a read, even if you just look at the pictures.

I think a picture from you would also have been a great help in answering this question.

The simple answer.

To get Samba to work in a Windows network neighbourhood, there has to be at least one domain controller. This can be on a Windows machine (At least Windows NT), but it is just as easy to switch on the Linux server as well. You can do this at boot up or manually.

Use Yast for this task as it also sets the firewall permissions and ports for you. Here is the Yast page for setting up the Samba server.

And this is what you see when you click on the Samba Server icon:

Read the help panel, change anything you need to and click next to take you to this screen , where you make the first important decision.

Here is where you tell the service to start on boot or manually, and where you open the firewall to samba traffic.

The other tabs on this page are self explanatory. Actually I use that great application Webmin to set up Samba. You can see my Howto on the subject on my Cool Solutions HowTo pages.

OK if that didn't solve the problem, so you are going to become a real super user now and get down to the command line and the editor.

This is really not newbie user stuff any more so be warned.

Before you start, carefully take a look at:

/usr/share/doc/packages/SUSEfirewall2/EXAMPLES !

/usr/share/doc/packages/SUSEfirewall2/FAQ !


Also have a look at the KDE help system on security.

The following command line instructions will not be part of the SUSE Firewall as the script in /etc/sysconfig writes the rules for you. If you find these rules do set things up and you cannot configure the script to do the same, then you should save them to your own firewall script and run it from rc.local in /etc/init.d.

Another alternative is to bypass the SUSE firewall by turning it off and use WebMin or GuardDog or Shorewall to set up the rules, although I think it is better to do these as tests which can discover the underlying problem, and go back and reconfigure your network, samba and firewall using Yast, especially since any changes or add-ons you make will have to be remembered for future upgrades and new machines.

A technical solution

Presuming that Samba is working, from the information that has been provided here, the most likely scenario is a miss configuration of the firewall. This is probably due to the fact that Yast detected 2 network interfaces and configured the firewall for a multi-homed system (more than one network card). By setting the wireless interface to external means that the firewall thinks the wireless interface is connected directly to the Internet or a WAN (Wide Area Network). To fix it I would suggest the following.

NOTE: This solution assumes that the Internet connection is running a broadband router or a Linux box with a wireless card. Also the not configured Ethernet device is not used.

  1. Set the internal interface for the firewall to the wireless device.

  2. Set the firewall to allow ICMP (Internet Control Message Protocol) with following types.

    1. 0 (Echo request)
    2. 8 (Echo Reply)
    3. 3 (Destination unreachable)(This one is optional but useful)

    You can set these rules using Webmin.

    A rule like the following should appear in the resulting firewall output which you can see on the command line with:

    iptables -L

    Or, you can use iptables to input these commands temporarily by just typing them, as is, on the console terminal. See the iptables man or info pages for more details.

    iptables -A INPUT -p icmp -s <wireless_card_ipaddress> --icmp-type 3 -j ACCEPT
    iptables -A OUTPUT -p icmp -d <wireless_card_ipaddress> --icmp-type 3 - ACCEPT

    iptables -A INPUT -p icmp -s <wireless_card_ipaddress> --icmp-type 0/0 -j ACCEPT
    iptables -A OUTPUT -p icmp -d <wireless_card_ipaddress> --icmp-type 0/0 - ACCEPT

    iptables -A INPUT -p icmp -s <wireless_card_ipaddress> --icmp-type 8/0 -j ACCEPT
    iptables -A OUTPUT -p icmp -d <wireless_card_ipaddress> --icmp-type 8/0 - ACCEPT

  3. Allow Traffic for the Windows network by opening the following ports for SMB both TCP and UDP
  4. Port Number Traffic Type
    445 Microsoft-DS
    135 DCE endpoint resolution
    137 NETBIOS Name Service
    138 NETBIOS Datagram Service
    139 NETBIOS session service

    (You can see these services as names in the /etc/sysconfig script if you performed the simple solution first.)

    These are the rules to input:

    iptables -A INPUT -p tcp -m multiport -s --destination-ports 445,135,136,137,138,139 -j ACCEPT
    iptables -A OUTPUT -p tcp -m multiport -d --destination-ports 445,135,136,137,138,139 -j ACCEPT
    iptables -A INPUT -p udp -m multiport -s --destination-ports 445,135,136,137,138,139 -j ACCEPT
    iptables -A OUTPUT -p udp -m multiport -d --destination-ports 445,135,136,137,138,139 -j ACCEPT

    NOTE: The above rules are examples only and need to be modified to work with your system.

  5. Shorewall is an excellent program (Shell script) for setting up Linux firewalls. This good reference page will show you a system including pictures with wireless laptops.

This Newbie answer has covered:

How to set up a Samba server on a SUSE Linux machine and punch through the firewall using Yast.
How to create technical iptables rules to test the same thing.
Other alternatives to SUSE to setup firewall rules under Linux.
A robust solution for fire walling a Windows/Linux LAN.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates