There is a new firewall tool, which will probably become the standard firewall configuration system for Ubuntu. It's called ufw, which stands for Uncomplicated Firewall. The script lets you easily add rules to the iptables firewall that is already in the kernel, and makes sure the rules are saved and restored on reboot.
First install the firewall with:
sudo aptitude install ufw
sudo ufw enable
You might also want to change /etc/default/ufw and add the netbios_ns module so you can use Samba:
# The nf_conntrack_netbios_ns module has been added
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"
Some of the possible modules you can use in IPT_MODULES:
nf_conntrack_amanda
nf_conntrack_ftp
nf_conntrack_h323 (audio/video conferencing)
nf_conntrack_irc
nf_conntrack_netbios_ns (samba)
nf_conntrack_netlink
nf_conntrack_pptp
nf_conntrack_proto_gre
nf_conntrack_proto_sctp
nf_conntrack_proto_udplite
nf_conntrack_sip (audio/video with SIP addresses)
nf_conntrack_tftp
After that, make sure you add all the rules you need. Here are some of the ones I use:
#Samba sharing [1]
sudo ufw allow proto tcp to any port 135 from 192.168.0.0/16
sudo ufw allow proto udp to any port 137 from 192.168.0.0/16
sudo ufw allow proto udp to any port 138 from 192.168.0.0/16
sudo ufw allow proto tcp to any port 139 from 192.168.0.0/16
sudo ufw allow proto tcp to any port 445 from 192.168.0.0/16
#Allow avahi/bonjour/zeroconf [2]
sudo ufw allow proto udp to any port 5353 from 192.168.0.0/16
#Allow ssh from local network
sudo ufw allow proto tcp to any port 22 from 192.168.0.0/16
Any other port is the same kind of rule; it's easy to see the pattern. The 192.168.0.0/16 allows anyone with a 192.168.*.* address to access the given port. If you are on a class A network you can use 10.0.0.0/8 for 10.*.*.* addresses.
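As an added example (not from the original post), here is a small POSIX sh script that prints the Samba, mDNS and ssh rules above for a LAN range you pass in, and also produces the matching "ufw delete allow ..." form. It refuses any range outside RFC 1918 (or with a prefix length shorter than the block), so a typo like 0.0.0.0/0 cannot open the ports to the whole Internet. The function names lan_rules and is_private_cidr are my own.

```shell
#!/bin/sh
# lan_rules.sh (added example): emit the post's Samba, mDNS and ssh rules for one
# LAN range, e.g.  sh lan_rules.sh allow 192.168.0.0/16 | sudo sh

# Accept only RFC 1918 ranges, with a prefix length no shorter than the block
# itself, so a typo such as 0.0.0.0/0 or 10.0.0.0/4 is rejected instead of
# exposing the port to the Internet.
is_private_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr=${1%/*}
  len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  case "$addr" in
    10.*)                                  [ "$len" -ge 8 ] ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) [ "$len" -ge 12 ] ;;
    192.168.*)                             [ "$len" -ge 16 ] ;;
    *)                                     return 1 ;;
  esac
}

# lan_rules ACTION CIDR: print one ufw command per service. ACTION is "allow"
# or "delete" ("delete" produces the "ufw delete allow ..." form).
lan_rules() {
  action=$1
  cidr=$2
  case "$action" in
    allow)  verb="allow" ;;
    delete) verb="delete allow" ;;
    *) echo "usage: lan_rules allow|delete CIDR" >&2; return 2 ;;
  esac
  is_private_cidr "$cidr" || { echo "refusing non-private range: $cidr" >&2; return 1; }
  # proto/port pairs from the post: Samba (135,137,138,139,445), mDNS (5353), ssh (22)
  for svc in "tcp 135" "udp 137" "udp 138" "tcp 139" "tcp 445" "udp 5353" "tcp 22"; do
    set -- $svc
    echo "ufw $verb proto $1 to any port $2 from $cidr"
  done
}

# Run directly as: lan_rules.sh ACTION CIDR (prints the commands only)
if [ $# -eq 2 ]; then
  lan_rules "$1" "$2"
fi
```

The script only prints the commands, so you can review them first and then pipe the output into sudo sh to apply.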
Some other commands to keep in mind are:
sudo ufw status
sudo ufw enable
sudo ufw disable
sudo ufw delete allow proto tcp to any port 22 from 192.168.0.0/16
References:
[1] http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samb...
[2] http://avahi.org/wiki/Avah4users and http://en.wikipedia.org/wiki/Bonjour_(software)