SAMBA and NFT

[SquigglyDog]

I have Geo-NFT set up and working on my PC (Mint22) and works as it should. However I have not been able to run SAMBA with another Mint PC but SAMBA works with the NFT Firewall stopped. Any help creating the correct rule set for the firewall would be appreciated. So far I have these rules:

`# Accept SAMBA on port 137
udp dport 137 counter accept comment "Accept SAMBA on port 137"

# Accept SAMBA on port 138
 udp dport 138 counter accept comment "Accept SAMBA on port 138"

# Accept SAMBA on port 139
 tcp dport 139 counter accept comment "Accept SAMBA on port 139"

# Accept SAMBA on port 445
 tcp dport 445 counter accept comment "Accept SAMBA on port 445"` 

[jedi-nz]

Maybe the rules need to be positioned earlier in your rule set? If a rule blocks a subsequent rule allowing access will not work.

[wirefalls]

I don't have a lot of experience running Samba, but I saw a few things online that you can try. Try accepting both TCP and UDP packets on port 445. Check to see which ports that your Samba server is listening on. sudo netstat -tuln | grep -E '137|138|139|445' or sudo nmap -p 137,138,139,445 localhost. Also check to make sure that you don't have any restrictive outgoing rules that may prevent Samba from talking to the client. I hope that helps; let us know how it goes.

[jedi-nz]

Try adding this rule before any drop rules to your rule set, see if Samba works:

ip saddr 192.168.1.0/24 accept

[SquigglyDog]

nftables.conf.zip
$ sudo netstat -tuln | grep -E '137|138|139|445' tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN tcp6 0 0 :::139 :::* LISTEN tcp6 0 0 :::445 :::* LISTEN udp 0 0 192.168.122.255:137 0.0.0.0:* udp 0 0 192.168.122.1:137 0.0.0.0:* udp 0 0 192.168.50.255:137 0.0.0.0:* udp 0 0 192.168.50.159:137 0.0.0.0:* udp 0 0 0.0.0.0:137 0.0.0.0:* udp 0 0 192.168.122.255:138 0.0.0.0:* udp 0 0 192.168.122.1:138 0.0.0.0:* udp 0 0 192.168.50.255:138 0.0.0.0:* udp 0 0 192.168.50.159:138 0.0.0.0:* udp 0 0 0.0.0.0:138 0.0.0.0:*

Appears I need rules for accepting tcp 139 and tcp 445 which I do.

@jedzi-nz I added the rule but it had no effect.

Here is my entire nftables.conf file (attached)

[SquigglyDog]

I stopped the nft service sudo systemctl stop nftables

and SAMBA worked. I then started nft ,sudo systemctl start nftables and SAMBA still worked even after rebooting the client PC. However when I rebooted the server SAMBA no longer worked. Get message "No route to host"

[SquigglyDog]

Infact stopping and starting nftables on server gives access from client to server

[jedi-nz]

I would try re-ordering your rules:

chain input {
type filter hook input priority 0; policy drop;

# Accept localhost traffic.
iif lo counter accept comment "Accept localhost traffic"

# Accept incoming traffic from connections we originated.
ct state established,related counter accept comment "Accept established and related traffic"

# Accept IP
  ip saddr 192.168.1.0/24 accept 

# Accept SAMBA on port 137
 udp dport 137 counter accept comment "Accept SAMBA on port 137"

# Accept SAMBA on port 138
 udp dport 138 counter accept comment "Accept SAMBA on port 138"

# Accept SAMBA on port 139
 tcp dport 139 counter accept comment "Accept SAMBA on port 139"

# Accept SAMBA on port 445
 tcp dport 445 counter accept comment "Accept SAMBA on port 445"

# Drop invalid state packets.
  ct state invalid counter drop comment "Drop invalid state packets"

# Accept SSH on port 22.
tcp dport 22 counter accept comment "Accept SSH on port 22"

# Accept LMS on port 9000.
 tcp dport 9000 counter accept comment "Accept LMS on port 9000"

# Accept LMS on port 9090.
 tcp dport 9090 counter accept comment "Accept LMS on port 9090"

# Accept LMS on port 3483.
 tcp dport 3483 counter accept comment "Accept LMS on port 3483"

# Accept LMS on port 3483.
 udp dport 3483 counter accept comment "Accept LMS on port 3483"

# Accept Printer on port 54921.
 tcp dport 54921 counter accept comment "Accept Printer on port 54921"

# Accept Printer on port 631.
 tcp dport 631 counter accept comment "Accept Printer on port 631"

# Accept Printer on port 54925.
  udp dport 54925 counter accept comment "Accept Printer on port 54925"


# Accept ICMP traffic.
ip protocol icmp limit rate 5/second counter accept comment "Accept ICMP traffic"

# Accept IGMP traffic.
ip protocol igmp limit rate 5/second counter accept comment "Accept IGMP traffic"

   
# Drop all other incoming traffic.
  counter drop comment "Drop all other incoming traffic"
}

[SquigglyDog]

Thanks @jedi-nz. I will test that out tomorrow.

[SquigglyDog]

I re-ordered the code for rules as suggested but it didn't make a difference. As before SAMBA works if I stop and start nftables but ceases on reboot of server

[jedi-nz]

I don't think this is anything to do with your ruleset.

Have you disabled IP tables?

sudo iptables -F

Have you enabled nftables.service on boot?

systemctl enable nftables

[SquigglyDog]

If I issue the command sudo iptables -F on the server then it no longer connects to the internet.nftables.service is enabled at boot

[jedi-nz]

After reboot and before restarting nftables what is the output of

sudo ufw status

[SquigglyDog]

sudo ufw status
[sudo] password for ####:
Status: active

To Action From

---

Samba ALLOW Anywhere
Samba (v6) ALLOW Anywhere (v6)

``

[jedi-nz]

Well I think that's your problem. You can't have ufw and nftables at the same time. Run

sudo ufw disable

then reboot and see if Samba works.

[SquigglyDog]

Same result

[jedi-nz]

After you reboot and before you restart nftables what is the output of

service nftables status

[SquigglyDog]

`$ service nftables status
● nftables.service - nftables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset:>
Active: active (exited) since Thu 2024-10-31 19:47:37 EDT; 41s ago
Docs: man:nft(8)
http://wiki.nftables.org
Main PID: 929 (code=exited, status=0/SUCCESS)
CPU: 576ms

Oct 31 19:47:35 MainSqueeze systemd[1]: Starting nftables.service - nftables...
Oct 31 19:47:37 MainSqueeze systemd[1]: Finished nftables.service - nftables.
lines 1-10/10 (END)
`

[jedi-nz]

So nftables activates on boot but Samba does not work. After restarting nftables Samba works.

I can not think of an explanation for this but I doubt Geolocation for nftables is the cause.

After rebooting instead of restarting nftables just try running the geo-nft.sh script.

sudo /etc/nftables/geo-nft/geo-nft.sh

If Samba still not working then Geolocation for nftables likely not the cause.

[SquigglyDog]

Samba is still no working. Not sure why but I guess my workaround is to stop and start NFTables on the server if I need SAMBA on the client