Are you able to ping the Samba server or just other machines? Just
wondering if the route table on the Samba server is configured for the
VPN gateway.
Are NetBIOS packets being blocked by firewall rules anywhere?
Brock
> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org] On Behalf Of dapunk
> Sent: May 29, 2002 11:04 AM
> To: users_at_lists.freeswan.org
> Subject: [Users] IPTables Samba Help.
>
>
> Hi all,
>
> I'm having problems with Samba connectivity over an IPsec
> connection. Here is my setup:
>
> Subnet 1(192.168.10.0/24)
> ^
> |
> V
> Firewall 1/Gateway/IPSEC
> ^
> |
> V
> [INTERNET]
> ^
> |
> Firewall2 /Gateway/IPSEC
> ^
> |
> V
> Subnet 2(192.168.20.0/24)
>
>
> I am currently able to ping a machine on Subnet1 from
> Subnet2, which is good. I am not however able to do any sort
> of samba stuff.
> Ex. smbclient -L 192.168.10.20 (From 192.168.20.20) should
> list all the shares available on that x.x.10.20 box, but it
> doesn't seem to work. I am pretty sure that this is an issue
> in my firewall configuration somewhere, but I can't seem to
> find it. My firewall config is below. Any help in this matter
> would be greatly appreciated.
>
> Thanks much
>
> -Da Punk
>
> ########################################################################
>
> #!/bin/sh
> # IPTables FireWall Setup
>
> #-----------------------------------------------------------------
> # Rules not set, we should disable forwarding in the kernel.
> echo "0" > /proc/sys/net/ipv4/ip_forward
>
> #-----------------------------------------------------------------
> # Flushing the chains.
> iptables -F
> iptables -t nat -F
> iptables -X
> iptables -Z # zero all counters
>
> #-----------------------------------------------------------------
> # Policy for chains DROP everything
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # Allow local device traffic
> iptables -A OUTPUT -p ALL -o lo -j ACCEPT
> iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
> iptables -A OUTPUT -p ALL -o ipsec+ -j ACCEPT
>
> # NAT Stuff
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> # Accept anything from the inside. (needed for DHCP)
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j ACCEPT
>
> # Forward Packets (needed to ping outside networks)
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -o eth1 -j ACCEPT
>
> # Allow IPsec Interfaces through
> iptables -A FORWARD -i ipsec+ -j ACCEPT
> iptables -A FORWARD -o ipsec+ -j ACCEPT
>
> # Some Logging
> iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
>   -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
>
> # We would like to ask for names from our box
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> # And, some attempt to get interactive sessions a bit more
> # interactive under load:
> iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
> iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
> iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
>
> # Keep state.
> iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP
>
> #-----------------------------------------------------------------
> # Allow IPsec
> # IKE negotiations
> iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT
>
> # ESP encryption and authentication
> iptables -A INPUT -p 50 -i eth0 -j ACCEPT
> iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
>
> # AH authentication header
> iptables -A INPUT -p 51 -j ACCEPT
> iptables -A OUTPUT -p 51 -j ACCEPT
>
> #-----------------------------------------------------------------
> # This enables dynamic IP address following
> echo 7 > /proc/sys/net/ipv4/ip_dynaddr
>
> # Rules set, we can enable forwarding in the kernel.
> echo "Enabling IP forwarding."
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> echo "Enabling TCP SynCookies"
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> echo "Firewall Init: Done"
> ########################################################################
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
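An added example, not code from either post, of answering Brock's NetBIOS question from the firewall itself: it replaces the blanket `-i ipsec+` / `-o ipsec+` FORWARD accepts with rules that permit only NetBIOS/SMB between the two subnets over the tunnel and logs any SMB packet that would otherwise fall through to the DROP policy. It assumes eth1 is the LAN side and ipsec+ the KLIPS interfaces as in dapunk's script, the subnets from his diagram, and adds port 445 (direct-hosted SMB) as an assumption; the `run` wrapper and `DRY_RUN` switch are mine, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: narrow SMB-over-IPsec FORWARD rules plus a tail LOG rule so
# blocked NetBIOS packets show up in the kernel log.
# Assumptions (not from the original post): eth1 = LAN side, ipsec+ = KLIPS
# tunnel interfaces, subnets as in dapunk's diagram, 445 added for direct SMB.
LOCAL_NET=192.168.20.0/24    # Subnet 2, behind this gateway
REMOTE_NET=192.168.10.0/24   # Subnet 1, reached through the tunnel
IPT=${IPT:-iptables}

# run: execute the rule, or print it when DRY_RUN=1 so the rule set can be
# checked on a box without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# smb_forward_rules: stateful accept for NetBIOS/SMB between the two subnets
# in both directions, instead of accepting everything that touches ipsec+.
smb_forward_rules() {
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in udp tcp; do
        # 137 name service, 138 datagram, 139 session, 445 direct-hosted SMB
        run -A FORWARD -i eth1 -o ipsec+ -s "$LOCAL_NET" -d "$REMOTE_NET" \
            -p "$p" -m multiport --dports 137,138,139,445 \
            -m state --state NEW -j ACCEPT
        run -A FORWARD -i ipsec+ -o eth1 -s "$REMOTE_NET" -d "$LOCAL_NET" \
            -p "$p" -m multiport --dports 137,138,139,445 \
            -m state --state NEW -j ACCEPT
    done
    # SMB traffic that matched nothing above is logged (rate limited) right
    # before the DROP policy eats it: grep "SMB dropped" in the kernel log.
    for p in udp tcp; do
        run -A FORWARD -p "$p" -m multiport --dports 137,138,139,445 \
            -m limit --limit 6/minute -j LOG --log-prefix "SMB dropped: "
    done
}

case "${1:-}" in
    apply) smb_forward_rules ;;
    show)  DRY_RUN=1; smb_forward_rules ;;
esac
```

For these rules to actually narrow anything, the original script's `-A FORWARD -i eth1 -j ACCEPT` and the two ipsec+ FORWARD accepts must be removed, otherwise those earlier rules match first; `sh script.sh show` prints the rules, `sh script.sh apply` installs them.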
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:08 CEST