Yunohost firewall and custom iptables rules, ports on networks, samba behind vpn

#en

I would love to get some help.

I have already read and checked these other posts:

My goal is to put samba behind a vpn. This should work with smb.conf and/or the firewall, for security reasons.

I am trying to get samba to work only behind a vpn/wireguard sub network, but neither the firewall rules nor the smb.conf networking restriction rules such as host allow, host deny and interfaces apply.

[global]
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
   idmap config * : backend = tdb
   workgroup = WORKGROUP
   # Listing enp2s0 here makes smbd listen on the LAN interface as well;
   # for VPN-only access keep just lo and the VPN interface/subnet.
   interfaces = lo enp2s0 127.0.0.0/8 10.22.10.0/24
   bind interfaces only = yes
   # The parameter names are "hosts allow" / "hosts deny" (plural).
   # "host allow" is an unknown parameter, which smbd warns about and ignores;
   # "testparm -s" shows such warnings.
   hosts allow = 127.0.0.1 10.22.10.0/24
   hosts deny = 0.0.0.0/0

[sambashared]
   comment = SAMBASHAREFOLDER
   read only = no
   path = /home/shared/server
   browsable = yes
   valid users = <UNICUSERNAME>
   force create mode = 0775
   force directory mode = 0775
   guest ok = no
   guest only = no

If I open ports with yunohost firewall allow TCP 445 I get samba working, but on all IP ranges. It is not applying host deny = 0.0.0.0/0

I can see the rules applied by running iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12   836 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8096
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

After doing:
yunohost firewall disallow Both 445

Uncommenting the custom rules that are written in:

/etc/yunohost/hooks.d/post_iptable_rules/99-samba_custom

#!/bin/bash
# YunoHost post_iptable_rules hook: runs after the base ruleset is (re)built,
# so these rules are appended to INPUT (policy DROP) and accept the Samba
# ports only from the WireGuard subnet.
iptables -A INPUT -s 10.22.10.0/24 -p udp -m udp --dport 137 -j ACCEPT   # NetBIOS name service
iptables -A INPUT -s 10.22.10.0/24 -p udp -m udp --dport 138 -j ACCEPT   # NetBIOS datagram
iptables -A INPUT -s 10.22.10.0/24 -p tcp -m tcp --dport 139 -j ACCEPT   # NetBIOS session
iptables -A INPUT -s 10.22.10.0/24 -p tcp -m tcp --dport 445 -j ACCEPT   # SMB over TCP

Applying the new filters either with
yunohost firewall reload
or
systemctl restart yunohost-firewall.service

Checking changes in iptables:

iptables -nvL
Chain INPUT (policy DROP 12 packets, 522 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  286 37978 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    6   445 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8096
    8   480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       10.22.10.0/24        0.0.0.0/0            udp dpt:137
    0     0 ACCEPT     udp  --  *      *       10.22.10.0/24        0.0.0.0/0            udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       10.22.10.0/24        0.0.0.0/0            tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       10.22.10.0/24        0.0.0.0/0            tcp dpt:445

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

And samba will not succeed, with this error:

do_connect: Connection to oficina.biciclot.coop failed (Error NT_STATUS_IO_TIMEOUT)
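Added example, not part of the post: a small Python checker that reads the INPUT chain from an `iptables -nvL` listing (a trimmed, constructed copy of the one above) and reports whether a new inbound connection would hit an ACCEPT rule or fall through to the DROP policy. The interface names wg0 (WireGuard) and enp2s0, and the public address 203.0.113.7, are assumed placeholders; the point it shows is that a client reaching the server by its public address instead of through the 10.22.10.0/24 VPN subnet is dropped at the firewall, which the client reports as NT_STATUS_IO_TIMEOUT.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the INPUT chain shown in the post after
# the custom hook ran (policy DROP; Samba ports accepted only from 10.22.10.0/24).
INPUT_CHAIN = """\
Chain INPUT (policy DROP 12 packets, 522 bytes)
 pkts bytes target     prot opt in     out     source               destination
  286 37978 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    8   480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.22.10.0/24        0.0.0.0/0            udp dpt:137
    0     0 ACCEPT     tcp  --  *      *       10.22.10.0/24        0.0.0.0/0            tcp dpt:445
"""

def parse_chain(text):
    """Parse one chain of `iptables -nvL` output into (policy, list of rules)."""
    lines = text.strip().splitlines()
    policy = re.search(r"\(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." line and the column header
        f = line.split()    # pkts bytes target prot opt in out source destination [matches...]
        extra = " ".join(f[9:])
        dport = re.search(r"dpt:(\d+)", extra)
        rules.append({
            "target": f[2], "proto": f[3], "in": f[5], "src": f[7],
            "dport": int(dport.group(1)) if dport else None,
            "conntrack": "state" in extra or "ctstate" in extra,
        })
    return policy, rules

def verdict(chain_text, src_ip, in_iface, proto, dport):
    """Verdict for a NEW inbound connection: first matching rule wins, else the chain policy."""
    policy, rules = parse_chain(chain_text)
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["conntrack"]:
            continue  # RELATED,ESTABLISHED never matches the first packet of a new flow
        if r["in"] not in ("*", in_iface):
            continue
        if r["proto"] not in ("all", proto):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if src not in ipaddress.ip_network(r["src"]):
            continue
        return r["target"]
    return policy
```

Calling `verdict(INPUT_CHAIN, "203.0.113.7", "enp2s0", "tcp", 445)` returns DROP while the same call with source 10.22.10.5 on wg0 returns ACCEPT, so the check to make on the client is whether its SMB traffic really leaves through the VPN with a 10.22.10.x source address.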
