diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables
index 858786a14..9c6585e61 100755
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@@ -70,6 +70,10 @@ pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
 pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
 pbx_data_ports={{ pbx_data_ports }}
 pbx_enabled={{ pbx_enabled }}
+samba_enabled={{ samba_enabled }}
+samba_udp_ports={{ samba_udp_ports }}
+samba_tcp_mports={{ samba_tcp_mports }}
+
 block_DNS={{ block_DNS }}
 echo "LAN is $lan and WAN is $wan"
@@ -116,6 +120,11 @@ if [ "$services_externally_visible" == "True" ]; then
 $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
 $IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
 fi
+
+ if [ "$samba_enabled" == "True" ]; then
+ $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
+ $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
+ fi
 fi
 if [ "$iiab_gateway_enabled" == "True" ]; then
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index 1a1d150ca..1838114aa 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -165,7 +165,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # For /etc/iiab/openvpn_handle
-openvpn_handle:
+openvpn_handle:
 # cron seems necessary on CentOS:
 openvpn_cron_enabled: False
 # General OpenVPN settings
@@ -229,6 +229,8 @@ cups_port: 631
 # Samba. Do a security audit seriously before deploying this.
 samba_install: False
 samba_enabled: False
+samba_udp_ports: "137:138"
+samba_tcp_mports: "139,445"
 shared_dir : "{{ content_base }}/public" # /library/public
 # usb-lib
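Review bot: The Samba block added in the second hunk of iiab-gen-iptables accepts NEW connections to `$samba_udp_ports` and `$samba_tcp_mports` from any source address on `$wan`, so NetBIOS/SMB becomes reachable from the upstream network whenever `samba_enabled` and `services_externally_visible` are both True. Enabling Samba for LAN file sharing and exposing it on the WAN side are separate decisions, and the comment in default_vars.yml already asks for a security audit before deploying Samba. I would gate the WAN rule on its own opt-in variable that defaults to False (placeholder name `samba_wan_enabled`), or restrict the source with `-s <trusted-range>`. At minimum put `# Opens NetBIOS/SMB on the WAN interface; see the Samba warning in default_vars.yml` above the block. The enclosing `if [ "$services_externally_visible" == "True" ]` starts outside the hunk, so the nesting is inferred from the hunk header and the closing `fi`.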
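Review bot: `samba_udp_ports` and `samba_tcp_mports` in the last hunk of vars/default_vars.yml carry no comment saying that they are firewall openings or which syntax each one expects. The gateway script in this commit passes the first to `--dport` (a single port or a `low:high` range) and the second to `-m multiport --dports` (a comma-separated list), so an override written in the other form would make the iptables rule fail. I would add above them `# Ports iiab-gen-iptables opens on the WAN side when samba_enabled and services_externally_visible are True` and `# samba_udp_ports: port or low:high range; samba_tcp_mports: comma-separated list`. Keeping both values quoted, as the hunk does, is right, since an unquoted `137:138` can be retyped by YAML 1.1 parsers.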