0

I have an Ubuntu box with IP forwarding enabled and a very simple iptables configuration to allow all packets from within the LAN to be forwarded:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -I FORWARD -s 192.168.4.0/24 -j ACCEPT

This works fine, except the SMB shares on the box no longer work, presumably because the packets that end with the box itself as a destination are also being forwarded.

Is there a simple solution so that any TCP connection requests to the box itself will not be forwarded, only requests to external IP addresses?

Adam J. Kessel
  • 1
  • 1
  • Apply only if the destination address (`-d`) is the modem/router? Something like `/sbin/iptables -I FORWARD -s 192.168.4.0/24 -d 192.168.4.1 -j ACCEPT` maybe? https://serverfault.com/a/140626/486251 – SHawarden May 21 '23 at 23:42

1 Answers1

2

The FORWARD chain is only called for traffic that was forwarded, IE - the local machine is not its destination, so your rule doesn't have any effect on this kind of traffic, the place you should be looking for the problem is the INPUT chain, which handles traffic that is aimed for the local machine itself.

use the -S command or -L to query the INPUT chain:

iptables -S INPUT

look for the chain policy (starts with -P) and see if this is a drop or accept policy, if this is a drop policy you may need to change it or add an explicit rule to allow SAMBA in. This rule would probably do the work:

iptables -A INPUT -p tcp --dport 445 -j ACCEPT

see this guide for a few examples how to do it

Gal Weiss
  • 131
  • 4
  • Thanks! On further testing, it appears this must be a problem with the Apple TV app that is attempting to access the SMB share. I switched my iPhone to use this Linux box as a router and it is able to access both the Internet via forwarding packets and files on the Linux box SMB share. The same thing isn't working on Apple TV on the same LAN, so it seems the problem must be with the Apple TV device or app, rather than with the Linux box. – Adam J. Kessel May 22 '23 at 18:40
  • @AdamJ.Kessel my guess would be that the apple tv using using some discovery protocol that is currently blocked, as a test, just try to let any traffic from it access the linux box and see if that solves the problem. if it does - you can use tcpdump to see what kind of traffic is sent from the apple tv to the linux box – Gal Weiss May 23 '23 at 11:59