Filtering Share Access by Network Address
Access to an SMB share can be limited based on the client's IP address.
Two options are used for this purpose:
- hosts_allow – Specifies the list of hosts for which access to the share is allowed.
- hosts_deny – Specifies the list of hosts for which access to the share is denied.
The following filtering rules are applied to clients:
- If neither a hosts_deny nor a hosts_allow list is specified, no filtering is done, so all clients are allowed to connect to the share.
- If there is no hosts_deny list, then only the clients listed in the hosts_allow list will be able to connect to the share.
- If there is no hosts_allow list, then only the clients not listed in the hosts_deny list will be able to connect to the share.
- If both lists are specified, then only the clients listed in the hosts_allow list and not listed in the hosts_deny list will be able to connect to the share.
Hosts Allow
Controls which hosts are allowed access to the share. The value is a comma-separated list of entries, each of which is either an IP address or an IP address followed by a slash and a prefix length, which together define a range of IP addresses.
For example, to define a class C subnet, use:
hosts_allow = 192.168.2.0/24
To specify a subnet plus a fixed IP address, list them as:
hosts_allow = 192.168.0.0/16,1.1.1.1
Hosts Deny
Controls which hosts are denied access to the share. The value is a comma-separated list of entries, each of which is either an IP address or an IP address followed by a slash and a prefix length, which together define a range of IP addresses.
For example, to deny access to the share from a class C subnet, use:
hosts_deny = 192.168.2.0/24
To specify a subnet plus a fixed IP address, list them as:
hosts_deny = 192.168.0.0/16,1.1.1.1
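The four filtering rules and the list format described on this page can be checked against planned settings before they are deployed. The following Python sketch is an added example, not code from the product this page documents; the function names are hypothetical, and treating an empty value as "not specified" and rejecting entries with host bits set are assumptions of the sketch.

```python
import ipaddress

def parse_host_list(value):
    """Parse a hosts_allow / hosts_deny value into a list of networks.
    Returns None when the option is not specified (assumption: empty == unset)."""
    if value is None or not value.strip():
        return None
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # A bare address becomes a /32; strict parsing raises ValueError
            # on typos such as 192.168.2.5/24 (choice made for this sketch).
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets or None

def in_list(addr, nets):
    """True if addr falls inside any listed address or range."""
    return any(addr in net for net in nets)

def is_allowed(client_ip, hosts_allow=None, hosts_deny=None):
    """Apply the page's four rules to a single client address."""
    addr = ipaddress.ip_address(client_ip)
    allow = parse_host_list(hosts_allow)
    deny = parse_host_list(hosts_deny)
    # An allow list, when present, must contain the client.
    if allow is not None and not in_list(addr, allow):
        return False
    # A deny list, when present, must not contain the client.
    if deny is not None and in_list(addr, deny):
        return False
    # Neither list present, or the client passed both checks.
    return True

def decisions(clients, hosts_allow=None, hosts_deny=None):
    """Map each client address to its allow/deny outcome for review."""
    return {ip: is_allowed(ip, hosts_allow, hosts_deny) for ip in clients}

if __name__ == "__main__":
    # Constructed sample clients, not taken from any real network.
    sample = ["192.168.2.7", "192.168.3.7", "1.1.1.1", "10.0.0.5"]
    # Both lists set: the /24 is carved out of the allowed /16.
    table = decisions(sample, "192.168.0.0/16,1.1.1.1", "192.168.2.0/24")
    for ip, ok in table.items():
        print(f"{ip:15} {'allow' if ok else 'deny'}")
    # Deny list only: every address outside the list can still connect.
    print(decisions(sample, hosts_deny="192.168.2.0/24"))
```

The second call shows the practical difference between the two options: a share with only hosts_deny set remains reachable from every address not listed, so an allow list is the tighter default.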