4.6. Networking Options with Samba
By default, both smbd and nmbd bind to all available broadcast-capable network interfaces on a system. There are times when you may wish to restrict this behavior, such as on a multihomed host that acts as a gateway from the internal network to the Internet, or perhaps on a laptop that has both a local network connection and a dial-up VPN connection.
Here's a simple example. Assume that our Samba server can access two subnets. The device eth0 is is bound to the 192.168.1.0/24 network and 192.168.2.0/24 is available on etH1. If Samba is not supposed to advertise itself on the 192.168.1.0/24 network, we must instruct it to use a subset of available network interfaces and bind only to those listed:
[global] interfaces = eth1 bind interfaces only = yes
These two parameters, which are always used together, work in combination to restrict smbd and nmbd to the specified networks. The interfaces parameter can accept a device name (eth1), an IP address or hostname, a network/netmask pair (192.168.2.0/24), or a broadcast/netmask (192.168.2.255/255.255.255.0). The bind interfaces only option limits the behavior of smbd and nmbd to the subnets represented by the interfaces list. nmbd does not accept any broadcast messages that originate outside these subnets and smbd binds to only the specified interfaces.
It is important to realize, however, that if packets can be routed between the two networks in our example, a client on the 192.168.1.0/24 network can still access the Samba server using its 192.168.2.0/24 address.
A second alternative to restricting traffic is the hosts allow and hosts deny options. Unlike the previous two global parameters, these new options can be used on a per-service basis. If these options sound familiar, you're probably thinking of the hosts.allow and hosts.deny files found in the /etc directories of many Unix systems. The purpose of these options is identical to those files; they provide security by allowing or denying the connections of other hosts based on their IP addresses. However, Samba includes its own internal implementation of the TCP Wrappers functionality, so there is no need for additional external libraries or configuration files.
Here's a simple example that allows a portion of the hosts on the 192.168.1.0/24 network to connect to our server. Notice that we have removed the interfaces and bind interfaces only lines to ensure that smbd and nmbd bind to both eth0 and eth1 :
[global] hosts allow = 192.168.2. 192.168.1.100 hosts deny = 192.168.1.
With the hosts allow option, we've specified a 192.168.2. IP address, which is equivalent to saying: "All hosts on the 192.168.2.0/24 subnet." The trailing period is very important. Without this ending puncutation, Samba does not correctly interpret the address as a network. We have also added a single host from the 192.168.1.0/24 network to the access list. However, we've explicitly specified in a hosts deny line that hosts on the 192.168.1.0/24 network cannot connect.
It is important to understand how Samba sorts out the rules specified by hosts allow and hosts deny :
Let's look at another example of that final item. Consider the following options:
hosts allow = 111.222. hosts deny = 111.222.333.
In this case, hosts that belong to the subnet 111.222.*.* will be allowed access to the Samba shares. The deny list in the case is completely disregarded because it is a subset of the allow list. To allow all hosts in the 18.104.22.168/16 network except those on the 111.222.333.0/24 network, we can specify the following hosts allow shorthand notation:
hosts allow = 111.222. EXCEPT 111.222.333.
4.6.1. Networking Options
The networking options introduced earlier are summarized in Table 4-6.
22.214.171.124. hosts allow
The hosts allow option (sometimes written as allow hosts) specifies the clients that have permission to access shares on the Samba server, written as a comma- or space-separated list of hostnames of systems or their IP addresses. You can gain quite a bit of security simply by placing your LAN's subnet address in this option.
You can specify any of the following formats for the option:
The hostname localhost, for the loopback address 127.0.0.1, is included in the hosts allow list by default and does not need to be listed explicitly unless you have specified it in the hosts deny list (probably as part of a subnet). This address is required for Samba to work properly.
Other than that, there is no default value for the hosts allow configuration option. The default course of action, in the event that neither the hosts allow or hosts deny option is specified in smb.conf, is to allow access from all sources.
126.96.36.199. hosts deny
The hosts deny option (synonymous with deny hosts) specifies client systems that do not have permission to access a share, written as a comma- or space-separated list of hostnames or their IP addresses. Use the same format for specifying clients as the hosts allow option earlier. For example, to restrict access to the server from everywhere but the subnet example.com, you could write:
hosts deny = ALL EXCEPT .example.com
There is no default value for the hosts deny configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources.
The interfaces option specifies the networks that you want the Samba server to recognize and respond to. This option is handy if you have a computer that resides on more than one network subnet and want to restrict the networks that Samba will serve. If this option is not set, Samba searches out and utilizes all broadcast-capable network interfaces on the server, including loopback devices. The loopback interface (lo) is automatically added to this list.
The value of this option is specified as one or more sets of IP address/netmask pairs, device names, or broadcast/netmask pairs, as in the following example:
interfaces = eth0 192.168.2.30
You can optionally specify a numeric bitmask, like this:
interfaces = 192.168.220.100/24 192.168.210.30/24
Make sure to specify the device name in the interfaces list if your Samba host is configured to use DHCP, because the server's IP address and netmask may change.
188.8.131.52. bind interfaces only
The bind interfaces only option can be used to force the smbd and nmbd processes to respond only to those addresses specified by the interfaces option and to loopback network devices. To prevent Samba from processing any packets (including broadcast packets) whose source address does not correspond to any of the network interfaces specified by the interfaces option, define the following line in addition to a list of interfaces:
bind interfaces only = yes