Yan Seiner wrote:

> Maciej Soltysiak wrote:
> >
> > > > 2   iptables -A INPUT -p tcp --dport 137:139 -m state --state NEW -j
> > > > ACCEPT
> > > > 3   iptables -A INPUT -p udp --dport 137:139 -m state --state NEW -j
> > > > ACCEPT
> >
> > SMB uses UDP on ports 137 and 138, and TCP on port 139.
> >
> > I solved my SMB problems using tcpdump, like:
> >
> > tcpdump -i eth1 host q.w.e.r and \(port 137 or port 138 or port 139\)
> >
> > and looked at what happens when host q.w.e.r tries to access a resource via
> > eth1.
>
> Right.  But at least with my network, not all hosts do the same thing.
> The MS KB says you have to allow both UDP and TCP on 138; some hosts
> apparently connect back to high port with netbios source ports, etc.  I
> have not been able to find any reason for this.  I have two identically
> configured win98 boxes from the same vendor; each connects a different
> way.
>
>

You are absolutely right!!! Some hosts connect back to a high port.

And it is probably difficult for netfilter to keep the state for that situation,
because those "back" connections are in fact new connections and UDP
is stateless anyway.

A rule like this

iptables -A INPUT -p udp --sport 137:139 -m state --state NEW -j ACCEPT

is working. Is that the reverse rule you are talking about?

If so, I found there is no need to add such a reverse rule for TCP!!!

Correct me again if I'm wrong! This rule says that any host may connect to ANY
UDP port only if they are originating that connection from ports 137:139.

That is better than my original rule, which opens higher UDP ports anyway.


Marius
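As an added example (not from this thread), the following shell script models the three INPUT rules under discussion (the `--dport 137:139` rules for TCP and UDP plus the reverse UDP `--sport 137:139` rule) in a small table, emits the equivalent iptables commands, and reports the verdict a given packet would get. It assumes a DROP default policy and that every packet checked is in conntrack state NEW; nothing here touches a live firewall.

```bash
#!/bin/bash
# Rule table (constructed for this example): proto sport_lo sport_hi dport_lo dport_hi state
# A range of 0-65535 means "any port" and is omitted from the emitted command.
RULES="tcp 0 65535 137 139 NEW
udp 0 65535 137 139 NEW
udp 137 139 0 65535 NEW"

in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# emit_rules: print the iptables -A INPUT commands that the table stands for.
emit_rules() {
    while read -r proto slo shi dlo dhi state; do
        printf 'iptables -A INPUT -p %s' "$proto"
        [ "$slo" = 0 ] && [ "$shi" = 65535 ] || printf ' --sport %s:%s' "$slo" "$shi"
        [ "$dlo" = 0 ] && [ "$dhi" = 65535 ] || printf ' --dport %s:%s' "$dlo" "$dhi"
        printf ' -m state --state %s -j ACCEPT\n' "$state"
    done <<EOF
$RULES
EOF
}

# smb_verdict PROTO SPORT DPORT STATE: first matching rule wins, else the
# assumed DROP policy applies. Prints ACCEPT or DROP.
smb_verdict() {
    local proto=$1 sport=$2 dport=$3 state=$4
    while read -r rproto slo shi dlo dhi rstate; do
        [ "$rproto" = "$proto" ] || continue
        [ "$rstate" = "$state" ] || continue
        in_range "$sport" "$slo" "$shi" || continue
        in_range "$dport" "$dlo" "$dhi" || continue
        echo ACCEPT
        return 0
    done <<EOF
$RULES
EOF
    echo DROP
    return 0
}

# Example run: a UDP datagram from source port 137 to local port 1025 is
# accepted only because of the reverse rule; the same datagram from a high
# source port is dropped.
smb_verdict udp 137 1025 NEW
smb_verdict udp 1025 1025 NEW
```

Because the source port is chosen by the sender, a rule keyed on `--sport` alone admits any UDP datagram that uses ports 137 to 139, to any local port; that is the width the message above trades for working SMB.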