Linux – How to enable Windows shares with iptables

centos, firewall, iptables, linux, windows

I have an OpenVPN server on CentOS5, where I would like to enable Windows shares through the VPN.

When I try to access a Windows share, nothing happens. No errors or anything.

My iptables rules are the default ones plus these:

iptables -I INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

modprobe ip_conntrack
modprobe ip_conntrack_ftp 

I have tried to add these, but they didn't enable Windows shares through the VPN.

IPTABLES="/sbin/iptables"
LAN="eth0"

$IPTABLES -A INPUT -i $LAN -p tcp --dport 137 -j ACCEPT  # NetBIOS name service tcp
$IPTABLES -A INPUT -i $LAN -p udp --dport 137 -j ACCEPT  # NetBIOS name service udp
$IPTABLES -A INPUT -i $LAN -p udp --dport 138 -j ACCEPT  # NetBIOS datagram service
$IPTABLES -A INPUT -i $LAN -p tcp --dport 139 -j ACCEPT  # NetBIOS session service File/printer sharing and other operations
$IPTABLES -A INPUT -i $LAN -p tcp --dport 445 -j ACCEPT  # Used by Win2k/xp when NetBIOS over TCP/IP is disabled - Microsoft Common Internet File System
$IPTABLES -A INPUT -i $LAN -p udp --dport 445 -j ACCEPT
#$IPTABLES -A INPUT -i $LAN -p tcp --dport 901 -j ACCEPT  # used by SWAT (GUI configuration tool for samba)

Does anyone know what could be wrong, and perhaps how to solve it?

Update

My setup looks like this. The OpenVPN server routes all the private subnets, so when I am connected, I can SSH and ping servers I normally don't have access to without the OpenVPN connection.

I have tested the VPN on Windows, Mac and Linux clients.

On the private network there is a Samba server. I would very much like to access these shares when I connect with the VPN using a Windows computer.

From what I can Google, NetBIOS is a bit like getting FTP to work on a NAT'ed firewall, in the sense that something has to be done on the firewall to make this work.

In order for FTP to work through a NAT'ed firewall I had to load

modprobe ip_conntrack
modprobe ip_conntrack_ftp 

so the connections that the FTP server wants to make with the client are coupled.

Is it correct that NetBIOS needs a similar treatment to work?

Best Answer

Can you check basic network connectivity? From the Windows openvpn client, can you ping the Samba server? Can the Samba server ping the Windows openvpn client? By IP address? By name?

You may also need to push WINS information out from openvpn, something along the lines of:

push "dhcp-option WINS 192.168.1.2"

or whatever acts as the WINS server in your network. In that case, your clients should be able to resolve the Samba server by name.

I have not had to load in extra modules like ip_conntrack for Netbios.

You may also want to post the (redacted) output from "iptables -L -n" and "iptables -L -n -t nat" so we can see what the actual firewall rules are.
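
One way to read the saved ruleset the answer asks for, as an added example that is not part of the original question or answer: the hypothetical `verdict` helper walks constructed `iptables-save` text and reports what a chain does with the first packet of a new connection to a given port. Interface names follow the question; the rules themselves are made up, and only the match options shown are evaluated.

```shell
# Constructed iptables-save output for illustration (not the asker's ruleset).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
COMMIT'

# verdict CHAIN IN_IF OUT_IF PROTO DPORT   (hypothetical helper; rules on stdin)
# Prints the target of the first rule in CHAIN matching the first packet of a
# new connection, "<policy> (policy)" if none matches, or UNKNOWN when it
# reaches a negated rule or a matching rule with an unhandled option (-s, -d).
# User-defined chains are reported as the target, not followed.
verdict() {
  awk -v chain="$1" -v in_if="$2" -v out_if="$3" -v proto="$4" -v dport="$5" '
    $1 == (":" chain) { policy = $2 }
    $1 == "-A" && $2 == chain {
      if ($0 ~ / ! /) { print "UNKNOWN"; done = 1; exit }
      hit = 1; unknown = 0; target = ""
      for (i = 3; i <= NF; i += 2) {
        opt = $i; val = $(i + 1)
        if (opt == "-j") { target = val; break }   # target options follow -j
        else if (opt == "-m") { }                  # module name only
        else if (opt == "-i") { if (val != in_if) hit = 0 }
        else if (opt == "-o") { if (val != out_if) hit = 0 }
        else if (opt == "-p") { if (val != proto) hit = 0 }
        else if (opt == "--state" || opt == "--ctstate") {
          if (("," val ",") !~ /,NEW,/) hit = 0
        } else if (opt == "--dport") {
          n = split(val, r, ":"); lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
          if (dport + 0 < lo || dport + 0 > hi) hit = 0
        } else { unknown = 1 }
      }
      if (hit && unknown) { print "UNKNOWN"; done = 1; exit }
      if (hit) { print target; done = 1; exit }
    }
    END { if (!done) print policy " (policy)" }
  '
}

# Share traffic bound for a Samba host behind the VPN server is forwarded, so
# FORWARD decides it; INPUT only covers packets addressed to the server itself.
printf '%s\n' "$SAMPLE_RULES" | verdict FORWARD tun0 eth0 tcp 445   # DROP (policy)
printf '%s\n' "$SAMPLE_RULES" | verdict INPUT eth0 "" tcp 445       # ACCEPT
```

On a live host the same function can be fed from `iptables-save` instead of the sample text.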
