Configuring SAMBA for WAN access

Okay, so I've eliminated the router as the problem.. when I run nmap from the server I get:

Starting Nmap 4.62 ( http://nmap.org ) at 2009-05-07 03:04 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1695 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
901/tcp open samba-swat
2049/tcp open nfs
3306/tcp open mysql
5901/tcp open vnc-1
6001/tcp open X11:1
6667/tcp open irc
8118/tcp open privoxy
8888/tcp open sun-answerbook
9050/tcp open tor-socks
10000/tcp open snet-sensor-mgmt
50000/tcp open iiimsf

Nmap done: 1 IP address (1 host up) scanned in 0.232 seconds

When I disconnected my router and ran nmap from a machine outside the LAN I got:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-05-07 02:03 CDT
Interesting ports on cpe-70-112-6-216.austin.res.rr.com (70.112.6.216):
Not shown: 1657 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
901/tcp open samba-swat
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
2049/tcp open nfs
5901/tcp open vnc-1
6001/tcp open X11:1
6667/tcp open irc
8888/tcp open sun-answerbook
10000/tcp open snet-sensor-mgmt
50000/tcp open iiimsf

Nmap finished: 1 IP address (1 host up) scanned in 5.173 seconds

So, what does this mean? Why is port 445 "filtered" and how can I open it?

don't think you can simply "share" files to the Internet. do you have an server (e.g. apache) or something to allow this type of access?

Hi!

It's most likely filtered by your ISP. They generally do this to help prevent old, unpatched Windows machines that are directly connected to the internet from being cracked. In general, this isn't a great idea.

If you absolutely have to access these files over the internet, I'd recommend using VPN to connect to the local network, and you should be able to access the files from there with no problem. You also might want to look into using something more secure, like sftp or something instead of samba for sharing files over the internet.

Hope this helps!
-G

do you have an server (e.g. apache) or something to allow this type of access?

Yes. It's called "samba"... Nothing else should be necessary.. and yes, apache is also installed.

Hi!

It's most likely filtered by your ISP. They generally do this to help prevent old, unpatched Windows machines that are directly connected to the internet from being cracked. In general, this isn't a great idea.

mm Yes, I actually contacted my ISP, and they *claim* that they are not blocking any ports at all.. I've no idea how to test if this is true or not, aside from taking their word for it.

If you absolutely have to access these files over the internet, I'd recommend using VPN to connect to the local network, and you should be able to access the files from there with no problem. You also might want to look into using something more secure, like sftp or something instead of samba for sharing files over the internet.

Hmm.. Let me clear it up a bit: These shares are also accessible via ftp and ssh and nfs... The reason I want samba is to simply make it easier for windows users to access the data. The users such as myself, who will be using linux can easily access the shares by mounting them via ssh. However, I was hoping samba would be an easy alternative for the typical windows user.

That's cool,

I think the main problem that you're having is that the ports required to connect to samba are filtered. Whether it's at your ISP, your router, or the machine itself. Perhaps you've to iptables running and/or samba only configured to allow connecitons from the local network?

Your first nmap was to localhost? What happens if you do it from another box on the network? Try dropping iptables (/etc/init.d/iptables stop)

Seriously, making SMB shares visible to the Internet is not a good idea. The security in that protocol is inadequate. If having the SMB-connected users' data trashed just-because isn't worrisome, having the other users' data trashed, and having your server used to store the kinds of things people don't want to get caught having on their own machines, should be. The Windows users can install PuTTY, and then they've got ssh/scp access, or wsftp for ftp if they don't mind having their passwords transmitted in cleartext; you've made it as convenient as is practical for them already. I wouldn't expose an NFS share to the Internet either, any more than I'd open a telnet port on a Net-facing interface.

if you have ssh mounts available, what stops you from mounting on windows as well? while winscp is the obvious way to go, there are alternatives even to that

That's cool,

I think the main problem that you're having is that the ports required to connect to samba are filtered. Whether it's at your ISP, your router, or the machine itself. Perhaps you've to iptables running and/or samba only configured to allow connecitons from the local network?

Your first nmap was to localhost? What happens if you do it from another box on the network? Try dropping iptables (/etc/init.d/iptables stop)

Seriously, making SMB shares visible to the Internet is not a good idea. The security in that protocol is inadequate. If having the SMB-connected users' data trashed just-because isn't worrisome, having the other users' data trashed, and having your server used to store the kinds of things people don't want to get caught having on their own machines, should be. The Windows users can install PuTTY, and then they've got ssh/scp access, or wsftp for ftp if they don't mind having their passwords transmitted in cleartext; you've made it as convenient as is practical for them already. I wouldn't expose an NFS share to the Internet either, any more than I'd open a telnet port on a Net-facing interface.

if you have ssh mounts available, what stops you from mounting on windows as well? while winscp is the obvious way to go, there are alternatives even to that

Thanks for all your responses. The primary reason I wanted samba is because the files are videos, and I want them to have streaming access. Using ftp via your browser is somewhat adequate, but the users cant FF/RW the video.

What do you suggest is an easier way to allow a windows user to have streaming, yet controlled access to these videos? I suppose they could mount files in windows, but what would require less work for the user? Assuming a customer environment, we dont want said customer to have to call in for support.

The most user-friendly method I can think of is grabbing a generic Flash video player (or Silverlight, if Microsoft is more your style), then plugging in parameters for each video. Host the object over HTTP/FTP using a web server daemon, and you're all set.

video will not be easily controllable over WAN no matter what protocol you use