Here is my setup.

I am on a LAN and my IP is obtained via DHCP, which my linux box then routes to my own little lan. Is there a way for NetBIOS connections to get through the firewall and have access to all the PCs on my little lan connection? Or can I just route port 139 to the desired ip on my own lan?

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com <http://www.amadmax.com/>
"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."
On Mon, 22 Apr 2002, Aaron Axelsen wrote:

> Here is my setup.
>
> I am on a LAN and my IP is obtained via DHCP, which my linux box then
> routes to my own little lan. Is there a way for NetBIOS connections to
> get through the firewall and have access to all the PCs on my little lan
> connection? Or can I just route port 139 to the desired ip on my own
> lan?
>

If you want to allow certain Windoze users outside of your local lan to access your local systems, set up a VPN. I recommend running PoPToP on your firewall system (http://www.shorewall.net/PPTP.htm).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Drew (who posted a few days ago) is my partner in crime in a setup not dissimilar to this. If I shout loudly enough he might hear me and chip in with some info on how we accomplished a successful ipsec/samba/nat combination for the Windows machines on our networks. This permits SMB share browsing across the different workgroups hosted on servers that are quite some distance apart.

As Tom said, you really need to do this using a VPN. Any other way is jolly insecure and will definitely lead you to the dark side (as well as pollute your cable segment with hugely annoying NETBIOS traffic).

Drew! Are you there?!

Simon

----- Original Message -----
From: Aaron Axelsen
To: shorewall-users@shorewall.net
Sent: Monday, April 22, 2002 2:10 PM
Subject: [Shorewall-users] Netbios
Any information as to how you accomplished this would be more than welcome.

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com
"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."

-----Original Message-----
From: Simon Turvey [mailto:turveysp@ntlworld.com]
Sent: Monday, April 22, 2002 4:53 PM
To: Aaron Axelsen; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Netbios
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> If you want to allow certain Windoze users outside of your local lan to
> access your local systems, set up a VPN. I recommend running PoPToP on
> your firewall system (http://www.shorewall.net/PPTP.htm).
>

About VPN on RedHat 7.2, this link could interest someone ...

http://spenneberg.org/VPN/

-------
Dario Lesca (d.lesca@osra.it)
Hi

Sorry this took so long. Simon, read on and check this, could you.

Ok, our setup is as follows.

My subnet uses the address range 192.168.0.0/24 and Simon's is 192.168.11.0/24. We both have these subnets on our eth1 interface, and eth0 is our internet connection.

Next we set up samba to be both WINS servers and domain servers for our local subnets. (See the samba doc on how to do this, or Simon could post one of our configs.)

Next we set up ipsec between us using freeswan. This is a bit tricky so I'll detail this a bit.

First off, we both run debian and the debian config of freeswan includes x509 certificate support. When you install freeswan on debian testing it will also create a self signed certificate for you and create 3 files:

  /etc/x509cert.der                       - Binary encrypted cert and key
  /etc/ipsec.d/<hostname>Cert.pem         - your public Certificate
  /etc/ipsec.d/private/<hostname>Key.pem  - your private key (Keep this safe)

Next swap <hostname>Cert.pem files with the other person and place their file in your /etc/ipsec.d/ directory.

Now to configure freeswan. The default config should look like this:

  # basic configuration
  config setup
          # THIS SETTING MUST BE CORRECT or almost nothing will work;
          # %defaultroute is okay for most simple cases.
          interfaces=%defaultroute
          # Debug-logging controls: "none" for (almost) none, "all" for lots.
          klipsdebug=none
          plutodebug=none
          # plutodebug="parsing emitting control"
          # Use auto= parameters in conn descriptions to control startup actions.
          plutoload=%search
          plutostart=%search
          # Close down old connection when new one using same ID shows up.
          uniqueids=yes
          overridemtu=1500

  # defaults for subsequent connection descriptions
  # (mostly to fix internal defaults which, in retrospect, were badly chosen)
  conn %default
          keyingtries=0
          disablearrivalcheck=no
          authby=rsasig
          # use certificates
          leftcert=icemanCert.pem
          # freeswan security gateway
          left=%defaultroute

The overridemtu line is important.
Now to add mappings for the tunnel to Simon:

  # Connections to simons
  conn simon
          # type=transport
          # Right security gateway, subnet behind it, next hop toward left.
          right=catandsimon.com
          rightcert=chinookCert.pem
          # To authorize this connection, but not actually start it, at startup,
          # uncomment this.
          auto=start

  conn simon-nettonet
          leftsubnet=192.168.0.0/24
          # Right security gateway, subnet behind it, next hop toward left.
          right=catandsimon.com
          rightsubnet=192.168.11.0/24
          rightcert=chinookCert.pem
          # To authorize this connection, but not actually start it, at startup,
          # uncomment this.
          auto=start

  conn simon-nettohost
          leftsubnet=192.168.0.0/24
          # Right security gateway, subnet behind it, next hop toward left.
          right=catandsimon.com
          rightcert=chinookCert.pem
          # To authorize this connection, but not actually start it, at startup,
          # uncomment this.
          auto=start

  conn simon-hosttonet
          # Right security gateway, subnet behind it, next hop toward left.
          right=catandsimon.com
          rightsubnet=192.168.11.0/24
          rightcert=chinookCert.pem
          # To authorize this connection, but not actually start it, at startup,
          # uncomment this.
          auto=start

You need 4 as each allows different connections:

  The first is host-host, only using the internet addresses.
  The second is subnet-subnet, using the private addresses.
  The third is subnet-host, using my private address range to his public address.
  The last is host-subnet, using my public address to his private address.

This should bring up a complete tunnel.

Now to configure shorewall. The important things to do are to allow all traffic on the ipsec0 interface and not masq stuff from my subnet to his. The masq file contains just:

  #INTERFACE   SUBNET   ADDRESS
  eth0         eth1

So we don't masq traffic going out on ipsec0.

Simon, could you add your policy and rules and interfaces and zones files as mine are a bit more complex than yours. This enables unhindered traffic between the subnets and our hosts on the ipsec0 interface but only allows ipsec traffic on the external interface eth0.
Lastly, add the following to both smb.conf files for samba:

  remote announce = 192.168.11.1
  remote browse sync = 192.168.11.1

This replicates all browse information between the subnets.

Just for extra info, Simon and I both use different workgroup names but I don't think this is necessary.

Sorry it's not a complete walk through but it should get you started.

--
Drew Alexander Reed
http://www.c-hacker.co.uk
ICQ: 47205581
> Simon could you add your policy and rules and interfaces and zones files as
> mine are a bit more complex than yours.

Yup, here goes:

Policy file: Iceman is the name of the server at the remote end of the tunnel and is defined in zones.

  #SOURCE   DESTINATION   POLICY   LOG LEVEL
  loc       net           ACCEPT
  loc       fw            ACCEPT
  loc       iceman        ACCEPT
  #
  # If you want open access to the internet from your firewall, uncomment the
  # following line
  fw        net           ACCEPT
  fw        iceman        ACCEPT
  iceman    fw            ACCEPT
  iceman    loc           ACCEPT
  net       all           DROP     info
  all       all           REJECT   info
  #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Rules file:

  ACCEPT   fw    net   tcp    53
  ACCEPT   fw    net   udp    53
  # Make ping work
  ACCEPT   fw    loc   icmp   8
  ACCEPT   fw    net   icmp   8
  # Allow web traffic in to firewall
  ACCEPT   net   fw    tcp    www
  # Allow ssh to firewall for admin
  ACCEPT   net   fw    tcp    ssh
  # Allow ftp to firewall from net
  ACCEPT   net   fw    tcp    ftp
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Zones file:

  net      Net      Internet
  loc      Local    Local networks
  iceman   iceman   Drew's network
  #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces file: Had to switch off route filtering in here, not sure what it does though.

  net      eth0     detect   dhcp,norfc1918
  loc      eth1     detect   routestopped
  iceman   ipsec0
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
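Editor's added example (not code from the thread or from the Shorewall project): a small zone-level evaluator that reads Simon's policy, rules and zones files as posted above (embedded here as strings copied from his message) and answers "what happens to a new connection from zone X to zone Y on this port?" the way Shorewall does: rules first, first match wins, then the first matching policy row. It is used to confirm the point Tom and Simon made: with the tunnel as its own zone on ipsec0, SMB (tcp 139 and 445) reaches loc only from iceman, while the port forward Aaron asked about (a hypothetical DNAT rule to an assumed host 192.168.11.5) opens the share to the whole net zone. The service-name values and the forwarded host are assumptions for this offline example.

```python
# Zone-level evaluator for Shorewall 1.x policy/rules/zones files.
# Added example; constructed input copied from Simon's post above.

# Service names Shorewall resolves via /etc/services; assumed values here.
SERVICES = {"www": 80, "ssh": 22, "ftp": 21}

ZONES = """\
net    Net     Internet
loc    Local   Local networks
iceman iceman  Drew's network
"""

POLICY = """\
#SOURCE DESTINATION POLICY LOG
loc    net    ACCEPT
loc    fw     ACCEPT
loc    iceman ACCEPT
fw     net    ACCEPT
fw     iceman ACCEPT
iceman fw     ACCEPT
iceman loc    ACCEPT
net    all    DROP   info
all    all    REJECT info
"""

RULES = """\
ACCEPT fw  net tcp  53
ACCEPT fw  net udp  53
ACCEPT fw  loc icmp 8
ACCEPT fw  net icmp 8
ACCEPT net fw  tcp  www
ACCEPT net fw  tcp  ssh
ACCEPT net fw  tcp  ftp
"""

# The port forward Aaron asked about, in Shorewall DNAT rule syntax.
# Hypothetical rule added for comparison; 192.168.11.5 is an assumed loc host.
FORWARD_139 = RULES + "DNAT net loc:192.168.11.5 tcp 139\n"


def parse_table(text):
    """Fields of each non-blank, non-comment line (Shorewall's own tokenising)."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def port_number(token):
    """'www' -> 80, '139' -> 139; '-' means any port (None)."""
    if token in ("-", ""):
        return None
    return int(token) if token.isdigit() else SERVICES[token]


def zone_names(zones=ZONES):
    """Zones from the zones file plus the implicit firewall zone 'fw'."""
    return {row[0] for row in parse_table(zones)} | {"fw"}


def evaluate(src, dst, proto, port, zones=ZONES, policy=POLICY, rules=RULES):
    """Fate of a new connection src -> dst on proto/port: (action, matched line)."""
    known = zone_names(zones)
    for z in (src, dst):
        if z not in known:
            raise ValueError("unknown zone: " + z)
    for row in parse_table(rules):  # rules are checked first, first match wins
        action, rsrc, rdst = row[0], row[1], row[2]
        rproto = row[3] if len(row) > 3 else "all"
        rport = port_number(row[4]) if len(row) > 4 else None
        rdst_zone = rdst.split(":", 1)[0]  # 'loc:192.168.11.5' -> 'loc'
        if (rsrc in (src, "all") and rdst_zone in (dst, "all")
                and rproto in (proto, "all") and rport in (port, None)):
            return action, "rule: " + " ".join(row)
    for row in parse_table(policy):  # then the first matching policy row
        if row[0] in (src, "all") and row[1] in (dst, "all"):
            return row[2], "policy: " + " ".join(row)
    return "DROP", "no policy matched"


def smb_exposure(zones=ZONES, policy=POLICY, rules=RULES):
    """For each non-loc zone, the SMB ports (tcp 139, 445) it can reach in loc."""
    return {z: [p for p in (139, 445)
                if evaluate(z, "loc", "tcp", p, zones, policy, rules)[0]
                in ("ACCEPT", "DNAT")]
            for z in sorted(zone_names(zones) - {"loc"})}


if __name__ == "__main__":
    for src, dst, proto, port in [("net", "loc", "tcp", 139),
                                  ("iceman", "loc", "tcp", 139),
                                  ("net", "fw", "tcp", 22),
                                  ("fw", "loc", "tcp", 139)]:
        print(src, "->", dst, proto, port, evaluate(src, dst, proto, port))
    print("as posted:", smb_exposure())
    print("with port 139 forwarded:", smb_exposure(rules=FORWARD_139))
```

The check to keep is smb_exposure(): as posted it reports iceman as the only zone that can reach tcp 139/445 in loc, and net reaches nothing, because "net all DROP" sits before "all all REJECT" and no rule opens net to loc. Appending the DNAT line is exactly the "route port 139" shortcut from the first message, and the same check then lists 139 as reachable from net, i.e. from anyone on the internet. The model is deliberately zone-level only: it ignores interface options such as norfc1918, the masq file and address-specific rules, so it is a review aid for the policy shape, not a substitute for inspecting the generated iptables chains.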
On Wed, 24 Apr 2002, Simon Turvey wrote:

> > Simon could you add your policy and rules and interfaces and zones files
> > as mine are a bit more complex than yours.
>

There's also an example at http://www.shorewall.net/myfiles.htm#Old but it's also a bit complex.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net