 |  |  |  |  |  |  |  |
Configuring SAMBA for WAN access
 |
Hello, I've recently setup samba to run on my server, and it works perfectly well within my LAN. I can access all the shares.. However, I cannot access the shares over the internet.
I've tried connecting by IP and by name, but it fails either way. The ports are forwarded correctly through my router... BUT, when I run port scans from outside the LAN, they always return claiming the ports (137, 138, 139, 445) are inaccessible. When I check the logs in my router, it shows blocking other ports which are not forwarded, but it is not blocking these. I've even called my ISP, and they say that no ports are blocked... So.. what the hell?
I assume there is a problem with my configuration file.. Anyone have an idea as to what the problem may be?
In my config file, I have "hosts allow = all" and no firewall installed, aside from the router. Thanks for any help!
I've tried connecting by IP and by name, but it fails either way. The ports are forwarded correctly through my router... BUT, when I run port scans from outside the LAN, they always return claiming the ports (137, 138, 139, 445) are inaccessible. When I check the logs in my router, it shows blocking other ports which are not forwarded, but it is not blocking these. I've even called my ISP, and they say that no ports are blocked... So.. what the hell?
I assume there is a problem with my configuration file.. Anyone have an idea as to what the problem may be?
In my config file, I have "hosts allow = all" and no firewall installed, aside from the router. Thanks for any help!
Okay, so I've eliminated the router as the problem.. when I run nmap from the server I get:
Starting Nmap 4.62 ( http://nmap.org ) at 2009-05-07 03:04 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1695 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
901/tcp open samba-swat
2049/tcp open nfs
3306/tcp open mysql
5901/tcp open vnc-1
6001/tcp open X11:1
6667/tcp open irc
8118/tcp open privoxy
8888/tcp open sun-answerbook
9050/tcp open tor-socks
10000/tcp open snet-sensor-mgmt
50000/tcp open iiimsf
Nmap done: 1 IP address (1 host up) scanned in 0.232 seconds
When I disconnected my router and ran nmap from a machine outside the LAN I got:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-05-07 02:03 CDT
Interesting ports on cpe-70-112-6-216.austin.res.rr.com (70.112.6.216):
Not shown: 1657 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
901/tcp open samba-swat
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
2049/tcp open nfs
5901/tcp open vnc-1
6001/tcp open X11:1
6667/tcp open irc
8888/tcp open sun-answerbook
10000/tcp open snet-sensor-mgmt
50000/tcp open iiimsf
Nmap finished: 1 IP address (1 host up) scanned in 5.173 seconds
So, what does this mean? Why is port 445 "filtered" and how can I open it?
Starting Nmap 4.62 ( http://nmap.org ) at 2009-05-07 03:04 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1695 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
901/tcp open samba-swat
2049/tcp open nfs
3306/tcp open mysql
5901/tcp open vnc-1
6001/tcp open X11:1
6667/tcp open irc
8118/tcp open privoxy
8888/tcp open sun-answerbook
9050/tcp open tor-socks
10000/tcp open snet-sensor-mgmt
50000/tcp open iiimsf
Nmap done: 1 IP address (1 host up) scanned in 0.232 seconds
When I disconnected my router and ran nmap from a machine outside the LAN I got:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-05-07 02:03 CDT
Interesting ports on cpe-70-112-6-216.austin.res.rr.com (70.112.6.216):
Not shown: 1657 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
901/tcp open samba-swat
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
2049/tcp open nfs
5901/tcp open vnc-1
6001/tcp open X11:1
6667/tcp open irc
8888/tcp open sun-answerbook
10000/tcp open snet-sensor-mgmt
50000/tcp open iiimsf
Nmap finished: 1 IP address (1 host up) scanned in 5.173 seconds
So, what does this mean? Why is port 445 "filtered" and how can I open it?
•
•
Join Date: Mar 2007
Posts: 686
Reputation: 
Solved Threads: 61
Practically a Master Poster
don't think you can simply "share" files to the Internet. do you have an server (e.g. apache) or something to allow this type of access?
•
•
Join Date: Sep 2008
Posts: 61
Reputation:
Solved Threads: 7
Junior Poster in Training
Hi!
It's most likely filtered by your ISP. They generally do this to help prevent old, unpatched Windows machines that are directly connected to the internet from being cracked. In general, this isn't a great idea.
If you absolutely have to access these files over the internet, I'd recommend using VPN to connect to the local network, and you should be able to access the files from there with no problem. You also might want to look into using something more secure, like sftp or something instead of samba for sharing files over the internet.
Hope this helps!
-G
It's most likely filtered by your ISP. They generally do this to help prevent old, unpatched Windows machines that are directly connected to the internet from being cracked. In general, this isn't a great idea.
If you absolutely have to access these files over the internet, I'd recommend using VPN to connect to the local network, and you should be able to access the files from there with no problem. You also might want to look into using something more secure, like sftp or something instead of samba for sharing files over the internet.
Hope this helps!
-G
•
•
•
•
Originally Posted by sillyboy 
do you have an server (e.g. apache) or something to allow this type of access?
•
•
•
•
Originally Posted by Gromit
Hi!
It's most likely filtered by your ISP. They generally do this to help prevent old, unpatched Windows machines that are directly connected to the internet from being cracked. In general, this isn't a great idea.
•
•
•
•
Originally Posted by Gromit
If you absolutely have to access these files over the internet, I'd recommend using VPN to connect to the local network, and you should be able to access the files from there with no problem. You also might want to look into using something more secure, like sftp or something instead of samba for sharing files over the internet.
Last edited by josh2; May 11th, 2009 at 7:51 pm.
•
•
Join Date: Sep 2008
Posts: 61
Reputation:
Solved Threads: 7
Junior Poster in Training
That's cool,
I think the main problem that you're having is that the ports required to connect to samba are filtered. Whether it's at your ISP, your router, or the machine itself. Perhaps you've to iptables running and/or samba only configured to allow connecitons from the local network?
Your first nmap was to localhost? What happens if you do it from another box on the network? Try dropping iptables (/etc/init.d/iptables stop)
I think the main problem that you're having is that the ports required to connect to samba are filtered. Whether it's at your ISP, your router, or the machine itself. Perhaps you've to iptables running and/or samba only configured to allow connecitons from the local network?
Your first nmap was to localhost? What happens if you do it from another box on the network? Try dropping iptables (/etc/init.d/iptables stop)
Seriously, making SMB shares visible to the Internet is not a good idea. The security in that protocol is inadequate. If having the SMB-connected users' data trashed just-because isn't worrisome, having the other users' data trashed, and having your server used to store the kinds of things people don't want to get caught having on their own machines, should be. The Windows users can install PuTTY, and then they've got ssh/scp access, or wsftp for ftp if they don't mind having their passwords transmitted in cleartext; you've made it as convenient as is practical for them already. I wouldn't expose an NFS share to the Internet either, any more than I'd open a telnet port on a Net-facing interface.
•
•
Join Date: Jan 2007
Posts: 1,763
Reputation:
Solved Threads: 85
if you have ssh mounts available, what stops you from mounting on windows as well? while winscp is the obvious way to go, there are alternatives even to that
Real stupidity always beats Artificial Intelligence. (Terry Pratchett)
BA BizMg, MCSE, DCSE, Linux+, Network+
BA BizMg, MCSE, DCSE, Linux+, Network+
•
•
•
•
Originally Posted by Gromit
That's cool,
I think the main problem that you're having is that the ports required to connect to samba are filtered. Whether it's at your ISP, your router, or the machine itself. Perhaps you've to iptables running and/or samba only configured to allow connecitons from the local network?
Your first nmap was to localhost? What happens if you do it from another box on the network? Try dropping iptables (/etc/init.d/iptables stop)
•
•
•
•
Originally Posted by crb3
Seriously, making SMB shares visible to the Internet is not a good idea. The security in that protocol is inadequate. If having the SMB-connected users' data trashed just-because isn't worrisome, having the other users' data trashed, and having your server used to store the kinds of things people don't want to get caught having on their own machines, should be. The Windows users can install PuTTY, and then they've got ssh/scp access, or wsftp for ftp if they don't mind having their passwords transmitted in cleartext; you've made it as convenient as is practical for them already. I wouldn't expose an NFS share to the Internet either, any more than I'd open a telnet port on a Net-facing interface.
•
•
•
•
Originally Posted by DimaYasny
if you have ssh mounts available, what stops you from mounting on windows as well? while winscp is the obvious way to go, there are alternatives even to that
What do you suggest is an easier way to allow a windows user to have streaming, yet controlled access to these videos? I suppose they could mount files in windows, but what would require less work for the user? Assuming a customer environment, we dont want said customer to have to call in for support.
•
•
Join Date: Apr 2006
Posts: 5,051
Reputation: 
Solved Threads: 332
The most user-friendly method I can think of is grabbing a generic Flash video player (or Silverlight, if Microsoft is more your style), then plugging in parameters for each video. Host the object over HTTP/FTP using a web server daemon, and you're all set.
"Technological progress is like an axe in the hands of a pathological criminal."
|
Other Threads in the *nix Software Forum
- Previous Thread: Ubuntu: opening ports for connection (port scanner)
- Next Thread: Complete Debian Linux Server Setup Tutorial
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest *nix Software Posts
- Today's Posts
- Unanswered Threads
