Skip to main content

Filtering Share Access by Network Address

It is possible to limit access to SMB share based on client’s IP address.

For this purpose two options can be used:

  • hosts_allow – Specifies the list of hosts for which access to the share is allowed.
  • hosts_deny – Specifies the list of hosts for which access to the share is denied.

The following rules of filtering applied for clients:

  • If there is no hosts_deny, nor hosts_allow list specified, no filtering is done, so all the clients are allowed to connect to the share.
  • If there is no hosts_deny list, then the only clients listed in hosts_allow list will be able to connect to the share.
  • If there is no hosts_allow list, then the only clients not listed in hosts_deny list will be able to connect to the share.
  • If both lists are specified, then the clients listed in hosts_allow list and not listed in hosts_deny list will be able to connect to the share.

Hosts Allow

Controls which hosts to allow access to the share. The value is a comma separated list of IP addresses or IP address plus slash separated prefix length that forms the range of IP addresses.

For example to define a subnet of C type you should use:

hosts_allow = 192.168.2.0/24

If you want to specify a subnet plus some fixed IP address you can list them as:

hosts_allow = 192.168.0.0/16,1.1.1.1

Hosts Deny

Controls which hosts to deny access to the share. The value is a comma separated list of IP addresses or IP address plus slash separated prefix length that forms the range of IP addresses.

For example to deny access to the share from a subnet of C type you should use:

hosts_deny = 192.168.2.0/24

If you want to specify a subnet plus some fixed IP address you can list them as:

hosts_deny = 192.168.0.0/16,1.1.1.1