Hi all,
I'm having problems with Samba connectivity over an IPsec connection.
Here is my setup:
Subnet 1(192.168.10.0/24)
^
|
V
Firewall 1/Gateway/IPSEC
^
|
V
[INTERNET]
^
|
V
Firewall2 /Gateway/IPSEC
^
|
V
Subnet 2(192.168.20.0/24)
I am currently able to ping a machine on Subnet1 from Subnet2, which is
good. I am not however able to do any sort of samba stuff.
Ex. smbclient -L 192.168.10.20 (From 192.168.20.20) should list all the
shares available on that x.x.10.20 box, but it doesn't seem to work. I
am pretty sure that this is an issue in my firewall configuration
somewhere, but I can't seem to find it. My firewall config is below. Any
help in this matter would be greatly appreciated.
Thanks much
-Da Punk
########################################################################
#!/bin/sh
# IPTables FireWall Setup
#-----------------------------------------------------------------
# Rules not set, we should disable forwarding in the kernel.
echo "0" > /proc/sys/net/ipv4/ip_forward
#-----------------------------------------------------------------
# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z # zero all counters
#-----------------------------------------------------------------
# Policy for chains DROP everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
# (interface pattern must be ipsec+ to match the ipsec0, ipsec1, ... devices)
iptables -A OUTPUT -p ALL -o ipsec+ -j ACCEPT
# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Accept anything from the inside. (needed for DHCP)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# Forward Packets (needed to ping outside networks)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
# Allow Ipsec Interfaces through
iptables -A FORWARD -i ipsec+ -j ACCEPT
iptables -A FORWARD -o ipsec+ -j ACCEPT
# Some Logging
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# We would like to ask for names from our box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# And, some attempt to get interactive sessions a bit more interactive under load:
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
# Keep state.
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP
#-----------------------------------------------------------------
# Allow IPsec
# IKE negotiations
iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
# AH authentication header
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
#-----------------------------------------------------------------
# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Enabling TCP SynCookies"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "Firewall Init: Done"
########################################################################
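A diagnostic added here as an example (it is not part of the original post or of the FreeS/WAN project): run from a host on Subnet 2 against the Samba box on Subnet 1, it separates "tunnel down" from "SMB ports filtered by a FORWARD rule" from "path-MTU blackhole", the classic case where ping succeeds but anything that sends full-size packets through the tunnel stalls. It assumes a Linux iputils ping (for -M do and -W) and nc are installed; the host addresses are the ones from the post.

```shell
#!/bin/sh
# smb_vpn_check.sh: run from a host on Subnet 2 (e.g. 192.168.20.20) against the
# Samba box on Subnet 1 (e.g. 192.168.10.20). Separates "tunnel down" from
# "SMB ports filtered" from "path-MTU blackhole" (ping works, big TCP dies).
# Assumes Linux iputils ping (-M do, -W) and nc; constructed example.

# tcp_open HOST PORT -> 0 if a TCP handshake completes, 1 otherwise
tcp_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# icmp_df HOST BYTES -> 0 echo reply, 1 "frag needed" reported back (PMTUD
# works), 2 silence (a gateway is dropping ICMP type 3 code 4 or the packet)
icmp_df() {
    out=$(ping -c 1 -W 3 -M do -s "$2" "$1" 2>&1) && return 0
    echo "$out" | grep -qiE 'frag needed|message too long' && return 1
    return 2
}

# classify PING TCP139 TCP445 BIGDF -> diagnosis keyword. Arguments are the
# exit codes of the probes above (0 = ok), so it can be exercised offline.
classify() {
    [ "$1" -eq 0 ] || { echo "no-route"; return; }
    if [ "$2" -ne 0 ] && [ "$3" -ne 0 ]; then echo "filtered"; return; fi
    [ "$4" -eq 2 ] && { echo "pmtu-blackhole"; return; }
    echo "ok"
}

main() {
    host=$1
    ping -c 1 -W 3 "$host" >/dev/null 2>&1; r_ping=$?
    tcp_open "$host" 139; r139=$?            # NetBIOS session service
    tcp_open "$host" 445; r445=$?            # direct-hosted SMB
    icmp_df "$host" 1472; r_df=$?            # 1472 + 28 = a full 1500-byte packet
    case $(classify $r_ping $r139 $r445 $r_df) in
        no-route)       echo "$host: no ICMP reply; tunnel or routing problem, not SMB-specific" ;;
        filtered)       echo "$host: ping ok, TCP 139/445 refused or dropped; check FORWARD on both gateways" ;;
        pmtu-blackhole) echo "$host: TCP connects but 1500-byte DF packets vanish; pass ICMP frag-needed or lower the MTU" ;;
        ok)             echo "$host: SMB ports reachable; look at smb.conf, hosts allow and name resolution next" ;;
    esac
}

# Run the probes only when a target was given; with no arguments the file just
# defines the functions so it can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `sh smb_vpn_check.sh 192.168.10.20` from 192.168.20.20; a "filtered" result points at the gateway rules, a "pmtu-blackhole" result at the tunnel MTU rather than at Samba.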
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:08 CEST