[Samba] How to advertise the smb server only on selected interface(s)?

Hi,
I have an smb server on Manjaro Architect.
I’d like the smb server:
1- to be accessible only on specific interfaces
2- to be advertised only on specific interfaces

For n.1 it’s quite simple, I just added to global configuration:
interfaces = lo br1
bind interfaces only = yes

br1 is a bridge without internet access (192.168.2.x)

I have also br0 (192.168.1.x), another bridge with internet access.
If from another computer I connect to the 192.168.1.x network I can see the smb server available (but obviously not accessible because of n.1).
Is it possible to prevent the server from being shown on the br0 network and, more in general, on all the other networks different from lo and br1 for this specific case?

Thank you

For that kind of thing you would need a firewall rule; check your firewall configurator for how to do that.

Thanks, I was looking into iptables but I can’t figure it out myself.

This is what I would want:
samba is at 192.168.2.1
samba accessible only from 192.168.2.x address
samba advertised only to 192.168.2.255

Block advertising on any other .255

iptables -S shows:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

and I try to add these rules:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p udp -s 192.168.2.0/24 -d 192.168.2.1 -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.2.0/24 -d 192.168.2.1 -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.2.0/24 -d 192.168.2.255 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -d 192.168.2.1 -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d 192.168.2.1 -m multiport --dports 139,445 -j DROP
iptables -A OUTPUT -s 192.168.2.1 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

But they are added after:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So I think they are totally useless…

Why not use the ufw GUI that is installed by default IIRC: Uncomplicated Firewall - ArchWiki

I don’t have any DE on Architect, I’m using Manjaro only as a base system.

You could still make use of the functionality by using its CLI, see the link I gave.

Thank you for pointing me to ufw.
That was easier to set up, here are my rules that do what I want:

ufw default deny incoming
ufw default deny outgoing

ufw allow from 192.168.2.0/24
ufw allow out from any to 192.168.2.0/24
ufw allow out 53
ufw allow out http
ufw allow out https
ufw allow out from 192.168.2.1 to 224.0.0.251

I also had to add:
# ok icmp codes for OUTPUT
-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT

to the before.rules file to make ping work properly.
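
A way to check what `interfaces = lo br1` with `bind interfaces only = yes` actually leaves listening, as an added example that is not part of the thread: it classifies the Samba ports in `ss -H -lntu` output against the addresses the thread wants to serve. The function names, the allowed-address list and the sample lines (including the 192.168.1.1 address for br0) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies Samba listeners
# (137/138 udp, 139/445 tcp) read from `ss -H -lntu` output on stdin.
# Assumption: the allowed addresses are lo and br1 as described in the thread.
ALLOWED="127.0.0.1 192.168.2.1 192.168.2.255"

check_samba_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # ss -H -lntu columns: Netid State Recv-Q Send-Q Local Peer
        proto = $1; local = $5
        port = local; sub(/.*:/, "", port)
        addr = local; sub(/:[^:]*$/, "", addr)
        sub(/%.*$/, "", addr)      # strip a %iface suffix, e.g. 192.168.2.1%br1
        if (port !~ /^(137|138|139|445)$/) next
        verdict = "EXPOSED"        # bound to an address outside the allowed list
        # With "bind interfaces only", nmbd still opens wildcard sockets on
        # 137/138 to read broadcasts; only a firewall keeps other networks out.
        if (proto == "udp" && port ~ /^13[78]$/ && (addr == "0.0.0.0" || addr == "*"))
            verdict = "WILDCARD"
        if (addr in ok) verdict = "OK"
        print verdict, proto, local
    }'
}

# Constructed sample input; the 192.168.1.1 line models a listener on br0.
sample_ss_output() {
cat <<'EOF'
udp UNCONN 0 0 192.168.2.255:137 0.0.0.0:*
udp UNCONN 0 0 192.168.2.1:137 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:138 0.0.0.0:*
tcp LISTEN 0 50 192.168.2.1:445 0.0.0.0:*
tcp LISTEN 0 50 127.0.0.1:445 0.0.0.0:*
tcp LISTEN 0 50 192.168.1.1:445 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# Demo on the sample; on the server run: ss -H -lntu | check_samba_listeners
sample_ss_output | check_samba_listeners
```

Any EXPOSED line means smbd or nmbd is bound to an address outside lo and br1; WILDCARD lines are the sockets that the firewall rules have to cover.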