TCP/IP ports necessary for CIFS/SMB operation
Solution 1:
Ports 137-139 are for NetBios/Name resolution. Without it you will have to access machines by IP address opposed to NetBIOS name. Example \\192.168.1.100\share_name
opposed to \\my_file_server\share_name
So port 445 is sufficient if you can work with IP addresses only.
Solution 2:
This configuration worked for me: 137/UDP, 138/UDP, 139/TCP and 445/TCP. Source and additional information at: http://www.icir.org/gregor/tools/ms-smb-protocols.html.
So these are the iptables rules for my Samba server:
# The router doesn't need SMB access.
-A INPUT -s 192.168.1.1 -p udp --dport 137 -j REJECT
-A INPUT -s 192.168.1.1 -p udp --dport 138 -j REJECT
-A INPUT -s 192.168.1.1 -p tcp --dport 139 -j REJECT
-A INPUT -s 192.168.1.1 -p tcp --dport 445 -j REJECT
# Actual Samba ports
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT