Hello everybody,

We need to configure Samba (recent cvs) on our Linux (SuSE 7.2) box (iptables/FreeSwan) acting as firewall, router and VPN gateway. Whenever nmbd or smbclient try to connect to our Samba PDC (WINS ok, IP 192.168.0.5) packets are sent with a source address of the external interface x.y.46.70 and will of course be blocked by iptables and never be routable to subnet 192.168.0.0.

I tried:
- interfaces = localhost 192.168.1.1/24
- bind interfaces only = Yes (and No also)
all to no avail.

Samba obviously needs to be "taught" (by whatever means, be it smb.conf or source code modification) to generate outgoing packets having the internal IP 192.168.1.1 set only. Is this a known bug or feature?
I'm sure the problem is not caused by iptables or ipsec configurations, since ports were open for testing purpose and VPN works.

Any advice or pointers are very much appreciated,
Thanks a lot in advance
Uli

Netstat -an output:
------------------------
    tcp   0   0  127.0.0.1:139     0.0.0.0:*         LISTEN
    tcp   0   0  192.168.1.1:139   0.0.0.0:*         LISTEN
    tcp   0   0  0.0.0.0:22        0.0.0.0:*         LISTEN
    tcp   0   0  0.0.0.0:3128      0.0.0.0:*         LISTEN
    tcp   0   0  0.0.0.0:25        0.0.0.0:*         LISTEN
    tcp   0   1  x.y.46.70:4837    192.168.0.5:139   SYN_SENT
    tcp   0  96  x.y.46.70:22      x.y.174.74:2433   CONNECT
    udp   0   0  192.168.1.1:137   0.0.0.0:*
    udp   0   0  0.0.0.0:137       0.0.0.0:*
    udp   0   0  192.168.1.1:138   0.0.0.0:*
    udp   0   0  0.0.0.0:138       0.0.0.0:*
    udp   0   0  0.0.0.0:111       0.0.0.0:*
    udp   0   0  x.y.46.70:500     0.0.0.0:*

relevant smb.conf stuff:
-------------------------
    interfaces = localhost 192.168.1.1/24
    bind interfaces only = Yes
    domain master = no
    local master = yes
    remote announce = 192.168.0.5
    remote browse sync = 192.168.0.5
    os level = 65
    wins server = 192.168.0.5
    name resolve order = wins hosts lmhosts
    hosts allow = localhost, 192.168.
    guest ok = Yes

This works for me:

    [global]
    netbios name = HAMMER2
    netbios aliases = gateway
    interfaces = 192.168.0.2
    security = SHARE
    log level = 3
    hosts allow = 192.168. 127.0.0.1 127.0.0.2 192.168.

Here is ifconfig. Maybe samba uses eth0 by default.

    eth0  Link encap:Ethernet HWaddr 00:C0:F0:37:FC:31
          inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
    eth1  Link encap:Ethernet HWaddr 00:E0:29:27:6C:FD
          inet addr:68.47.5.06 Bcast:68.47.5.255 Mask:255.255.248.0

I am doing what you want. Here is my smb.conf:

    [global]
    netbios name = HAMMER2
    netbios aliases = gateway
    interfaces = 192.168.0.2
    hosts allow = 192.168. 127.0.0.1

Output of ifconfig:

    eth0  Link encap:Ethernet HWaddr 00:A0:F0:37:FC:31
          inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    eth1  Link encap:Ethernet HWaddr 00:B0:29:27:6C:FD
          inet addr:68.32.3.82 Bcast:68.32.3.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Maybe you need to make your internal NIC eth0?

Joel

On Tue, Mar 12, 2002 at 06:02:18PM +0100, Ulrich Kohlhase wrote:
> Hello everybody,
>
> We need to configure Samba (recent cvs) on our Linux (SuSE 7.2) box
> (iptables/FreeSwan) acting as firewall, router and VPN gateway. Whenever
> nmbd or smbclient try to connect to our Samba PDC (WINS ok, IP
> 192.168.0.5) packets are sent with a source address of the external
> interface x.y.46.70 and will of course be blocked by iptables and never
> be routable to subnet 192.168.0.0 .
> I tried :
> - interfaces = localhost 192.168.1.1/24
> - bind interfaces only = Yes (and No also)
> all to no avail.
> Samba obviously needs to be "taught" (by whatever means, be it smb.conf
> or source code modification) to generate outgoing packets having the
> internal IP 192.168.1.1 set only. Is this a known bug or feature ?
> I'm sure the problem is not caused by iptables or ipsec configurations,
> since ports were open for testing purpose and VPN works.
>
> Any advice or pointers are very much appreciated,
> Thanks a lot in advance
> Uli
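
The symptom reported in the original post can be checked mechanically. The following is an added example, not part of the thread or of Samba: it compares `netstat -an` lines against the addresses named in the smb.conf `interfaces` parameter and reports SMB/NetBIOS connections that leave from any other address. The function names, the port list and the sample data are assumptions; the masked addresses x.y.46.70 and x.y.174.74 are replaced by documentation addresses so that they parse.

```python
import ipaddress

# Constructed sample modelled on the netstat -an output in the thread.
# 203.0.113.70 stands in for the masked external address x.y.46.70.
NETSTAT = """\
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 1 203.0.113.70:4837 192.168.0.5:139 SYN_SENT
tcp 0 96 203.0.113.70:22 198.51.100.74:2433 ESTABLISHED
udp 0 0 192.168.1.1:137 0.0.0.0:*
udp 0 0 203.0.113.70:500 0.0.0.0:*
"""

SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session, SMB over TCP


def allowed_sources(interfaces_value):
    """Addresses named in an smb.conf 'interfaces' value (IP or IP/mask)."""
    addrs = set()
    for tok in interfaces_value.split():
        if tok == "localhost":  # assumption: localhost means 127.0.0.1
            addrs.add(ipaddress.ip_address("127.0.0.1"))
        else:
            # Interface names such as eth0 cannot be resolved offline and
            # raise ValueError here; pass addresses instead.
            addrs.add(ipaddress.ip_interface(tok).ip)
    return addrs


def stray_smb_sources(netstat_text, interfaces_value):
    """Connections to SMB ports whose local address is not in 'interfaces'."""
    allowed = allowed_sources(interfaces_value)
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[4].endswith(":*"):
            continue  # malformed line, listener or unconnected UDP socket
        local_ip, _ = fields[3].rsplit(":", 1)
        remote_ip, remote_port = fields[4].rsplit(":", 1)
        if int(remote_port) not in SMB_PORTS:
            continue
        if ipaddress.ip_address(local_ip) not in allowed:
            state = fields[5] if len(fields) > 5 else ""
            findings.append((local_ip, f"{remote_ip}:{remote_port}", state))
    return findings


if __name__ == "__main__":
    for src, dst, state in stray_smb_sources(NETSTAT, "localhost 192.168.1.1/24"):
        print(f"SMB connection to {dst} leaves from {src} ({state})")
```

On Linux, `ip route get 192.168.0.5` shows the source address the kernel selects for a socket that was not bound to a local address before connecting.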