Opening the Firewall Ports and Configuring SELinux for a Samba Server on GNU/Linux
By default, client machines will not be able to connect to a Samba server running on GNU/Linux, for two reasons:
- The GNU/Linux firewall will block incoming connections to the Samba server by default.
- SELinux will block client access to the Samba shares by default.
To allow access, you must configure the GNU/Linux firewall to accept incoming connections on the ports used by Samba, and configure SELinux to allow the Samba daemon to serve the shared folders. Use only one of the two firewall steps below, depending on which firewall tool your system runs.
- If your firewall is managed by iptables (for example, CentOS or RHEL 6), add the ports used by the Samba service to the list of open ports with the following commands. Note that the NetBIOS name and datagram services (137 and 138) use UDP; only the NetBIOS session service (139) and SMB over TCP (445) use TCP:
$ sudo iptables -I INPUT -m state --state NEW -p udp -m udp --dport 137 -j ACCEPT
$ sudo iptables -I INPUT -m state --state NEW -p udp -m udp --dport 138 -j ACCEPT
$ sudo iptables -I INPUT -m state --state NEW -p tcp -m tcp --dport 139 -j ACCEPT
$ sudo iptables -I INPUT -m state --state NEW -p tcp -m tcp --dport 445 -j ACCEPT
$ sudo service iptables save
$ sudo service iptables restart
The GNU/Linux firewall should now allow other machines to connect to the Samba shares.
- If your firewall is managed by firewalld (CentOS or RHEL 7 and later), add the Samba service to the list of allowed services instead, with the following commands:
$ sudo firewall-cmd --permanent --zone=public --add-service=samba
$ sudo firewall-cmd --reload
The GNU/Linux firewall should now allow other machines to connect to the Samba shares.
- Allow the Samba daemon to serve files through SELinux by setting the following booleans (the -P flag makes the change persistent across reboots):
$ sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
Be aware that samba_export_all_rw lets the Samba daemon read and write any file on the system that its Unix permissions allow, regardless of SELinux label. If you prefer to grant access only to the shared folders, leave these booleans off and rely solely on the samba_share_t label applied in the next steps.
- Register the samba_share_t SELinux type for each of your shared folders, so that SELinux allows Samba to access them, by entering the following command for each share. Using semanage fcontext (from the policycoreutils-python or policycoreutils-python-utils package) records the label in the SELinux policy, so it survives a relabel and applies to files added later; a label set with chcon alone is reverted the next time restorecon runs on the path. The (/.*)? suffix matches the folder itself and everything beneath it:
$ sudo semanage fcontext -a -t samba_share_t "<path to share>(/.*)?"
For example, if you are configuring a database server with the database file structure, the Harmony binaries and configuration files and one scene data storage space labeled usadata000, you would run the following commands to register each share:
$ sudo semanage fcontext -a -t samba_share_t "/usr/local/ToonBoomAnimation/harmony[Edition]_17(/.*)?"
$ sudo semanage fcontext -a -t samba_share_t "/USA_DB(/.*)?"
$ sudo semanage fcontext -a -t samba_share_t "/usadata000(/.*)?"
- Now apply the label to the existing contents of each of your shared folders by entering the following command for each share. restorecon resets every file under the path to the context defined in the SELinux policy, which is why the label must be registered with semanage fcontext rather than set with chcon alone:
$ sudo restorecon -R <path to share>
For example:
$ sudo restorecon -R /usr/local/ToonBoomAnimation/harmony[Edition]_17
$ sudo restorecon -R /USA_DB
$ sudo restorecon -R /usadata000
You can check the result with ls -dZ on each share, which should show the samba_share_t type. At this point, SELinux should allow other machines to connect to your Samba shares without issue. If a client is still denied, look in /var/log/audit/audit.log for AVC denials mentioning smbd.
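As an added example (not code from the original page or from Toon Boom), the following bash script carries the whole procedure above through end to end and checks each step as it goes. The firewalld/iptables detection, the fallback to semanage -m when a pattern is already defined, and the share paths given on the command line are this script's own assumptions:

```bash
#!/usr/bin/env bash
# Added example, not code from the original page or from Toon Boom: performs
# the firewall and SELinux steps above in order and verifies each one.
# Assumptions: a RHEL/CentOS-style host with either firewalld or iptables,
# semanage available (policycoreutils-python or policycoreutils-python-utils),
# and share paths supplied on the command line.
# Run as: sudo ./samba-selinux.sh apply /USA_DB /usadata000
set -u

# Samba's ports: NetBIOS name (137) and datagram (138) services are UDP,
# NetBIOS session (139) and SMB over TCP (445) are TCP.
SAMBA_PORTS="udp:137 udp:138 tcp:139 tcp:445"

# Print one iptables rule per Samba port with the correct protocol.
samba_iptables_rules() {
    local entry proto port
    for entry in $SAMBA_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        printf 'iptables -I INPUT -m state --state NEW -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
    done
}

# Turn a share path into the regex semanage fcontext expects: the folder
# itself plus everything beneath it.
samba_fcontext_pattern() {
    local path=${1%/}   # drop a trailing slash so /USA_DB/ and /USA_DB match
    printf '%s(/.*)?\n' "$path"
}

# Succeed when a context string such as "system_u:object_r:samba_share_t:s0"
# (what stat -c %C prints) carries the samba_share_t type.
context_is_samba_share() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = samba_share_t ]
}

# Open the firewall with whichever tool the host runs, then confirm.
open_firewall() {
    if command -v firewall-cmd >/dev/null 2>&1 && sudo firewall-cmd --state >/dev/null 2>&1; then
        sudo firewall-cmd --permanent --zone=public --add-service=samba
        sudo firewall-cmd --reload
        sudo firewall-cmd --zone=public --list-services | grep -qw samba
    else
        samba_iptables_rules | while read -r rule; do sudo $rule; done
        sudo service iptables save
        sudo iptables -S INPUT | grep -q -- '--dport 445'
    fi
}

# The booleans the page sets. samba_export_all_rw is broad: smbd may then
# read and write any file its Unix permissions allow, whatever its label.
set_samba_booleans() {
    sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
    getsebool samba_export_all_rw | grep -q -- '--> on'
}

# Record the label in policy, apply it to existing files, and verify.
# semanage -a fails if the pattern is already defined, so fall back to -m.
label_share() {
    local path=$1 pattern
    pattern=$(samba_fcontext_pattern "$path")
    sudo semanage fcontext -a -t samba_share_t "$pattern" 2>/dev/null \
        || sudo semanage fcontext -m -t samba_share_t "$pattern"
    sudo restorecon -R "$path"
    context_is_samba_share "$(stat -c %C "$path")" \
        || { echo "SELinux label not applied to $path" >&2; return 1; }
}

main() {
    shift   # drop the "apply" keyword
    open_firewall
    set_samba_booleans
    local share
    for share in "$@"; do
        label_share "$share"
    done
}

# Only act when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = apply ]; then
    main "$@"
fi
```

Each step ends with a check that fails loudly (a missing samba service in the zone, a boolean still off, a share whose context is not samba_share_t) rather than assuming the command worked; on a host without firewalld the script falls back to the iptables rules, with UDP used for 137 and 138.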