Samba "bind interfaces only = yes" does not seem to work

Hello, everyone.
First, thank you for this great router software and community.
I really appreciate it.
I installed OpenWrt on a Raspberry Pi 4 and it replaced the FiOS router.
It has been working great!

I have a question, though, regarding Samba.
I configured Samba to be bound to certain interfaces (in my case lo, br-lan, eth1.1), but I can still access the Samba share from other interfaces (in my case eth1.107, the network for IoT).
There is no forward rule between interface eth1.1 and eth1.107 in /etc/config/firewall, and computers on eth1.107 could not reach computers on eth1.1.
The only exception seems to be the Samba service hosted on the router.

Here is a snippet of smb.conf:

[global]
        ....
        interfaces = lo eth1.1
        ....
        bind interfaces only = yes

Here is the output of smbstatus:

# smbstatus

Samba version 4.13.8
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
...
...
3547   xxxxxx     nogroup      192.168.107.xxx (ipv4:192.168.107.xxx:52756) SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------
IPC$         3547    192.168.107.xxx Sat Jun 26 18:12:09 2021 EDT     -            -           
xxxxxx      3547    192.168.107.xxx Sat Jun 26 18:12:09 2021 EDT     -            -

Please let me know what I set up incorrectly.
I appreciate your help on this.

Thanks,

HP

It's better to limit the access using the firewall. If the iot firewall zone has accept in INPUT, then it will be able to access any service running on the router, on any address the router might have. Therefore use reject on INPUT for iot zone and allow only the necessary, like dns and dhcp.


works ok...

### grep interfaces /etc/samba/smb.conf.template 
	interfaces = usb0
### lsof -i -nP | grep smb
smbd      1041    root   41u  IPv4 235099      0t0  TCP 10.11.12.3:445 (LISTEN)
smbd      1041    root   42u  IPv4 235100      0t0  TCP 10.11.12.3:139 (LISTEN)

1. Try using IP/mask (bit length) instead of interface names.

interfaces = lo 192.168.1.1/24

2. If you don't want to play with the firewall, use the option hosts allow to allow access to the Samba server only from a specific range of hosts.

hosts allow = 127.0.0.1 192.168.1.


Thank you for your suggestions, I will try them later.
I did netstat -tapn and got the following:

# netstat -tapn
...
tcp        0      0 192.168.1.1:445         192.168.107.xxx:52756   ESTABLISHED 3547/smbd
...

So, it seems that my issue is actually a firewall issue.
I know I have option input ACCEPT on the interface 192.168.107. However, there is no forwarding rule between 192.168.1 and 192.168.107.
Not sure how traffic through 192.168.107 is connected to 192.168.1.
Quite confused now.
Any help would be appreciated.

HP

Forward policy applies to interfaces of the same zone.
Forwarding policy applies to traffic between zones.
Any traffic destined to the OpenWrt is regulated from the input policy of the zone.
I hope this clears things up.
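As an added illustration of the zone-policy explanation above and the earlier advice to set the iot zone's INPUT policy to REJECT and allow only DNS/DHCP (example code, not from this thread or from OpenWrt): a small checker that parses a constructed /etc/config/firewall fragment and reports whether a host in a given zone can reach a router service port. The sample configs, the function names and the minimal UCI parser are assumptions; port ranges in dest_port are not handled.

```python
import re

# Constructed sample configs (not the poster's real file): the situation in the thread,
# where the iot zone's INPUT policy is ACCEPT, beside the hardened variant the reply
# recommends (INPUT REJECT plus an explicit rule for DNS and DHCP only).
WEAK = """
config zone
	option name 'iot'
	option input 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'
"""

HARDENED = """
config zone
	option name 'iot'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'iot'

config rule
	option name 'Allow-IoT-DNS-DHCP'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Minimal UCI parser (assumption): returns a list of (section_type, {key: value})."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(option|list)\s+(\w+)\s+'?([^']*)'?", line)
        if m and sections:
            sections[-1][1][m.group(2)] = m.group(3)
    return sections

def router_port_reachable(config_text, zone, port):
    """True if a host in `zone` can reach a service on the router itself on `port`.
    Mirrors the thread's point: the zone's INPUT policy decides, regardless of which
    address the service is bound to. Only input rules (src set, no dest) are consulted."""
    sections = parse_uci(config_text)
    for kind, opts in sections:
        if kind == "zone" and opts.get("name") == zone and opts.get("input") == "ACCEPT":
            return True  # open INPUT: every router address and service is reachable
    for kind, opts in sections:
        if kind != "rule" or opts.get("src") != zone or "dest" in opts:
            continue
        if opts.get("target") == "ACCEPT" and str(port) in opts.get("dest_port", "").split():
            return True
    return False
```

With the weak config, SMB on port 445 is reachable from the iot zone even though Samba is bound to eth1.1; with the hardened config only ports 53 and 67 are.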

Sorry, let me clarify. So, eth1.1 (192.168.1.xxx) and eth1.107 (191.168.107.xxx) belong to different firewall zones and there is no forwarding policy between them.
So, I expected that computers on 192.168.107 wouldn't be able to connect to services bound to eth1.1 (192.168.1.xxx).

Thanks, HP

I think you have a typo there, as both are 192.168.1.X
However you get the point. No forwarding means 192.168.1.x hosts cannot reach 192.168.107.x hosts and vice versa. If you have INPUT policy as accept, then the lan host can reach the OpenWrt router on any IP, 192.168.1.1 or 192.168.107.1

Yup, that was my typo. Understood that input ACCEPT means computers on the LAN can reach the router on any of its IPs.
Thanks, HP

