Iptables/netfilter rules for samba/netbios access


Which iptables rules do I have to set to allow clients to access a Samba server with working NetBIOS (i.e. being able to use \\MyServer instead of \\192.168.0.1 to access the server from Windows)?

I've got a small office server which is doing NAT/masquerading between the internal and external net and serves DNS (forwarding), DHCP and Samba with a NetBIOS server to the internal net.

My current iptables configuration:

    # Flush all existing rules
    $IPT -F

    # Set default policy
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Allow loopback completely
    $IPT -A INPUT -i $LO -j ACCEPT
    $IPT -A OUTPUT -o $LO -j ACCEPT

    # Allow existing connections on all interfaces
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Allow ping on all interfaces
    $IPT -A INPUT -p icmp -j ACCEPT

    # Allow incoming connections from the internal network
    # SSH, HTTP, HTTPS, Squid
    $IPT -A INPUT -i $INT -m state --state NEW -m multiport -p tcp --dport 22,80,443,8080 -j ACCEPT
    # DNS
    $IPT -A INPUT -i $INT -m state --state NEW -p tcp --dport domain -j ACCEPT
    $IPT -A INPUT -i $INT -m state --state NEW -p udp --dport domain -j ACCEPT
    # Samba
    $IPT -A INPUT -i $INT -m state --state NEW -p udp --dport 137 -j ACCEPT
    $IPT -A INPUT -i $INT -m state --state NEW -p udp --dport 138 -j ACCEPT
    $IPT -A INPUT -i $INT -m state --state NEW -p tcp --dport 139 -j ACCEPT
    $IPT -A INPUT -i $INT -m state --state NEW -p tcp --dport 445 -j ACCEPT

    # Allow outgoing connections to the internal network
    # Samba
    $IPT -A OUTPUT -o $INT -m state --state NEW -p udp --sport 137 -j ACCEPT
    $IPT -A OUTPUT -o $INT -m state --state NEW -p udp --sport 138 -j ACCEPT
    $IPT -A OUTPUT -o $INT -m state --state NEW -p tcp --sport 139 -j ACCEPT
    $IPT -A OUTPUT -o $INT -m state --state NEW -p tcp --sport 445 -j ACCEPT

    # Allow incoming connections from the external network
    # SSH from the jump host
    $IPT -A INPUT -i $EXT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT

    # Allow outgoing connections to the external network
    # HTTP
    $IPT -A OUTPUT -o $EXT -m state --state NEW -p tcp --dport http -j ACCEPT
    # DNS
    $IPT -A OUTPUT -o $EXT -m state --state NEW -p udp --dport domain -j ACCEPT
    $IPT -A OUTPUT -o $EXT -m state --state NEW -p tcp --dport domain -j ACCEPT

    # Transparent proxy for HTTP via Squid
    $IPT -t nat -A PREROUTING -i $INT -p tcp --dport 80 -j REDIRECT --to-port 8080

    # Routing
    # Forwarding
    $IPT -A FORWARD -i $INT -o $EXT -j ACCEPT
    $IPT -A FORWARD -i $EXT -o $INT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # NAT
    $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE

With this ruleset, access via IP address works fine, but there is no working name resolution. Which ports do I have to allow?

I checked the functionality with smbclient both from the server itself and from the client:

    root@client:~# smbclient -L //192.168.40.254/
    Enter root's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (samba-debian)
        lehrer          Disk      Lehrer
        print$          Disk      Printer Drivers
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Server               Comment
        ---------            -------
        SAMBA-DEBIAN         samba-debian

        Workgroup            Master
        ---------            -------
        WORKGROUP            SAMBA-DEBIAN

    root@client:~# smbclient -L //samba-debian/
    Enter root's password:
    Connection to samba-debian failed (Error NT_STATUS_CONNECTION_REFUSED)

    root@samba-debian:~# smbclient -L //192.168.40.254/
    Enter root's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (samba-debian)
        lehrer          Disk      Lehrer
        print$          Disk      Printer Drivers
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Server               Comment
        ---------            -------
        SAMBA-DEBIAN         samba-debian

        Workgroup            Master
        ---------            -------
        WORKGROUP            SAMBA-DEBIAN

    root@samba-debian:~# smbclient -L //samba-debian/
    Enter root's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (samba-debian)
        lehrer          Disk      Lehrer
        print$          Disk      Printer Drivers
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Server               Comment
        ---------            -------
        SAMBA-DEBIAN         samba-debian

        Workgroup            Master
        ---------            -------
        WORKGROUP            SAMBA-DEBIAN

Besides, it works when I disable the firewalling completely – therefore the reason should be in the iptables code.

Doing a tcpdump on the server on port 53 on the internal interface – there is nothing:

    root@samba-debian:~# tcpdump -i eth1 port 53
    listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets received by kernel

Best Answer

One useful thing to do is to insert the following log rules at the end of the iptables rule file.

    $IPT -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4
    $IPT -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
    $IPT -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4

The above will report what is missing, and I'm guessing that FORWARD will log those messages for you.

If you want your SMB server to be accessible from beyond one router hop, you will find that you also need to insert the same 4 rules for -A FORWARD (ports 137, 138, 139, 445).

While I am not an SMB expert, you may want to add port 137/tcp, 138/tcp, 139/udp as well in each of INPUT, OUTPUT and, if externally needed, FORWARD as well.
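A small helper, added here as an example and not part of the answer above, that summarizes the kernel log lines those three LOG rules produce, so each dropped NetBIOS/SMB packet can be traced to the chain, interfaces and port that still lack an ACCEPT rule. The log lines, host names and addresses in it are constructed samples; the field layout follows what the iptables LOG target writes.

```python
import re
from collections import Counter

# Constructed sample kernel-log lines (not a real capture) in the format the
# iptables LOG target writes, using the --log-prefix values from the answer.
SAMPLE_LOG = """\
Jan 10 12:00:01 samba-debian kernel: IPTables-INPUT-Dropped: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.40.10 DST=192.168.40.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:01 samba-debian kernel: IPTables-INPUT-Dropped: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.40.10 DST=192.168.40.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4712 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:02 samba-debian kernel: IPTables-INPUT-Dropped: IN=eth1 OUT= MAC=00:11:22:33:44:66:00:11:22:33:44:55:08:00 SRC=192.168.40.10 DST=192.168.40.254 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4713 DF PROTO=TCP SPT=49152 DPT=137 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:03 samba-debian kernel: IPTables-FWD-Dropped: IN=eth0 OUT=eth1 SRC=192.168.50.7 DST=192.168.40.254 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:04 samba-debian sshd[1234]: Accepted publickey for root from 192.168.40.10
"""

DROP_RE = re.compile(r"IPTables-(?P<chain>INPUT|OUTPUT|FWD)-Dropped: (?P<fields>.*)$")

# Ports the question opened for Samba plus the extra ones the answer suggests.
SMB_PORTS = {("UDP", "137"): "NetBIOS name service", ("TCP", "137"): "NetBIOS name service (tcp)",
             ("UDP", "138"): "NetBIOS datagram", ("TCP", "138"): "NetBIOS datagram (tcp)",
             ("TCP", "139"): "NetBIOS session", ("UDP", "139"): "NetBIOS session (udp)",
             ("TCP", "445"): "SMB over TCP"}

def parse_drop(line):
    """Return the LOG fields of one dropped packet as a dict, or None for other lines."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # LEN occurs twice (IP and L4 header); last wins
        else:
            fields["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return fields

def summarize(log_text):
    """Count drops per (chain, in-iface, out-iface, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is None:
            continue
        counts[(f["chain"], f.get("IN") or "-", f.get("OUT") or "-",
                f.get("PROTO", "?"), f.get("DPT", "?"))] += 1
    return counts

def report(counts):
    """One row per dropped flow, labelled when the port is an SMB/NetBIOS one."""
    rows = []
    for (chain, iin, out, proto, dport), n in sorted(counts.items()):
        label = SMB_PORTS.get((proto, dport), "other")
        rows.append(f"{chain:6} in={iin:5} out={out:5} {proto}/{dport:<5} x{n:<3} {label}")
    return rows
```

Run `report(summarize(open("/var/log/kern.log").read()))` on the real log to get one row per chain/interface/port combination that is still being dropped.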
