Network Place (Samba) Share on LAN only

EronRackzak

Occasional Visitor
Hi all,

It looks like whenever enabling the SMB service, it opens port 445 on both LAN and WAN interfaces.

I haven't gotten across a way to limit this behavior and keep the SMB service to my local LAN only, which is my objective.

In fact I migrated to RMerlin's firmware (Firmware:3.0.0.4.374.37 on RT-AC68U) with the hope that the ability to introduce IPTABLES rules on a startup script would allow me to manually block this port but all attempts have been unsuccessful.

What is curious is the fact that through IPTABLES I'm able to successfully enable the FTP service - which shows the same behavior as enabling SMB - and then simply through a couple of rules (taken from another post) make it work on the LAN and block it on the WAN:

iptables -I INPUT -p tcp --destination-port 21 -j DROP
iptables -I INPUT -p tcp --destination-port 21 --source `nvram get lan_ipaddr`/`nvram get lan_netmask` -j ACCEPT


Adding four more rules identical to the above but referencing port 445 and tcp/udp doesn't do the trick.

Has anybody else come across the same requirement and been successful at this? I'd appreciate your kind support.

Hugo
 
This is something I reported to Asus a few days ago, it is specific to the AC56/AC68U. I'm waiting to hear back from them, as this issue is quite odd - there's no way to properly block that port in iptables. It's as if it was somehow bypassing Netfilter.
 
@RMerlin

Thanks for your kind reply. So it looks like a bug which needs to be addressed. I'm glad to hear I'm not alone in this... I was going crazy going through all of the options and then thankfully found the forum.

@sinshiva

Now that's clever! Let me try it out and will report back. Thanks so much for the hint.
 
@sinshiva

Well, unfortunately port forwarding didn't work either. Scanned through ShieldsUP! and the port 445 still looks OPEN no matter what.

As RMerlin suggested, this issue appears to be particular to the AC56/AC68U models. That might be the reason why on yours it worked flawlessly.

I'll 'patiently' wait until Asus provides a fix for this.

Thank you all again.
 
damn, sorry to hear that. i'm about to be picking up an ac56, myself, too.
 
bumpage;

hi merlin

sorry, but i'm still concerned about this issue. has there been any news?

thanks in advance
 
No, which isn't surprising considering I posted on Friday, and this was the weekend.

When I have news to share, I will post them.
 
ah, you're right, of course. sorry about being impatient. weekdays and weekends blend together for me
 
Thanks Merlin, I think the safest thing to do for RT-AC68U users at this moment would be to just disable SMB services until this gets fixed by ASUS or if this open WAN port is not a desired feature.

Users who've enabled FTP should also be aware that this also opens a port on the WAN side although for this, an addition of a couple of IPTABLES rules seem to fix it if they don't want it that way.


Sent from my iPhone with Tapatalk
 
On my AC68R I have Samba Share enabled and when I run ShieldsUP it says my 445 port is in stealth mode. Is there a different way to check whether the port is open?
 
@mtrains

Thanks for your report. Hopefully we could get a few more from other RT-AC68 users to double check and confirm whether this is an issue affecting all or part of these routers.

I've done the same tests as you on ShieldsUp. Mine shows open whenever enabling SMB. Apparently RMerlin had the same issue. Let's wait for what Asus has to say.



Sent from my iPhone with Tapatalk
 
I have tried it on both 374.37_2 and 374.38_1. On both, ShieldsUP says 445 is stealth.

Some ISPs will block that port for you.
 
I just tested mine. SMB disabled in UI. grc.com test shows port as closed, but never as stealth. That's on AC68U.
 
does the new firmware fix that?

Version 3.0.0.4.374.583
Description ASUS RT-AC68U Firmware version 3.0.0.4.374.583
(Formal released version of 3.0.0.4.374.573)
Modified:
1. Modified AiDisk setup wizard to prevent a potential security issue.
2. Modified USB LED behavior.
3. Improved openVPN performance.

Fixes:
1. Fixed some UI issues.
2. Fixed parental control schedule issues.
3. Fixed openVPN related issues.
4. Fixed CFE nvram check issue.
5. Fixed samba security issue.

Additions:
1. Add support USB hub.
2. Add wireless watchdog.


I updated but I don't know how to check that port.
 
I tested it and it doesn't resolve that issue unfortunately.
 
Actually... Did they reupload it? The original changelog didn't mention anything about a Samba security issue being resolved. I might have to redownload it and compare it with the download I tested. If anyone has recently flashed this version please let me know what a port scan shows on 445.
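
Several posts above ask how to check port 445 other than with ShieldsUP. As an added example (not code from the thread, from Asus or from RMerlin), here is a small Python probe that reports a TCP port as open, closed or filtered ("stealth" in ShieldsUP's wording). The function names and the script name are assumptions, and it has to be run from a host outside the LAN against your own WAN address to say anything about WAN exposure.

```python
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port by attempting a full connect().

    open     - handshake completed, a service answered
    closed   - host replied with RST (connection refused)
    filtered - no usable reply before the timeout ("stealth" in ShieldsUP terms)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # bad hostname: not a statement about the port
    except OSError:
        return "filtered"  # timeout or ICMP unreachable
    finally:
        sock.close()


def audit(host, ports, timeout=3.0):
    """Probe each port and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that accepted a connection and so are reachable from here."""
    return [port for port, state in results.items() if state == "open"]


if __name__ == "__main__":
    # Usage (assumed script name): python3 wan_port_check.py <your-WAN-address>
    # 445 = SMB, 21 = FTP, the two services discussed in the thread.
    target = sys.argv[1]
    results = audit(target, [445, 21])
    for port, state in results.items():
        print(f"{target}:{port} {state}")
    sys.exit(1 if exposed(results) else 0)
```

As noted in the thread, some ISPs block 445, so a filtered result from outside does not prove that the router itself is dropping the traffic.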
 