
RE: [Users] IPTables Samba Help.

From: dapunk (dapunk_at_sskid.org)
Date: Wed May 29 2002 - 21:04:04 CEST


I am able to ping all the machines on the subnets. Pinging the machines
is not the problem. The machine I am trying to connect to is a win98
machine (192.168.10.21, Gateway1), and the machine I am connecting from
is a linux box (192.168.20.20, Gateway2). I know that both machines work
fine, because I can connect to a samba server that has an external IP
(209.123.xxx.xxx). This leads me to believe that it is something in my
Firewall configuration. I've tried several different rules, on both
gateways, none of which seem to work. I guess I'm really just stuck on
what iptables rules to put into my firewall config. I know that I need
to allow TCP/UDP ports 137, 138, and 139 through. But do I add them to
the "-t nat -A PREROUTING" ruleset, or do I have to allow the ports
through on the ipsec+ interface? I don't know. And documentation on the
subject seems to be scarce.

-Da Punk

On Wed, 2002-05-29 at 14:38, Brock Nanson wrote:
> Are you able to ping the Samba server or just other machines? Just
> wondering if the route table on the Samba server is configured for the
> VPN gateway.
>
> Are netbios packets being blocked by firewall rules anywhere?
>
> Brock
>
> > -----Original Message-----
> > From: users-admin_at_lists.freeswan.org
> > [mailto:users-admin_at_lists.freeswan.org] On Behalf Of dapunk
> > Sent: May 29, 2002 11:04 AM
> > To: users_at_lists.freeswan.org
> > Subject: [Users] IPTables Samba Help.
> >
> >
> > Hi all,
> >
> > I'm having problems with Samba connectivity over an IPsec
> > connection. Here is my setup:
> >
> > Subnet 1(192.168.10.0/24)
> > ^
> > |
> > V
> > Firewall 1/Gateway/IPSEC
> > ^
> > |
> > V
> > [INTERNET]
> > ^
> > |
> > Firewall2 /Gateway/IPSEC
> > ^
> > |
> > V
> > Subnet 2(192.168.20.0/24)
> >
> >
> > I am currently able to ping a machine on Subnet1 from
> > Subnet2, which is good. I am not, however, able to do any sort
> > of samba stuff.
> > Ex. smbclient -L 192.168.10.20 (from 192.168.20.20) should
> > list all the shares available on that x.x.10.20 box, but it
> > doesn't seem to work. I am pretty sure that this is an issue
> > in my firewall configuration somewhere, but I can't seem to
> > find it. My firewall config is below. Any help in this matter
> > would be greatly appreciated.
> >
> > Thanks much
> >
> > -Da Punk
> >
> > ########################################################################
> >
> > #!/bin/sh
> > # IPTables FireWall Setup
> >
> > #-----------------------------------------------------------------
> > # Rules not set, we should disable forwarding in the kernel.
> > echo "0" > /proc/sys/net/ipv4/ip_forward
> >
> > #-----------------------------------------------------------------
> > # Flushing the chains.
> > iptables -F
> > iptables -t nat -F
> > iptables -X
> > iptables -Z # zero all counters
> >
> > #-----------------------------------------------------------------
> > # Policy for chains DROP everything
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > # Allow local device traffic
> > iptables -A OUTPUT -p ALL -o lo -j ACCEPT
> > iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
> > iptables -A OUTPUT -p ALL -o ipsec+ -j ACCEPT
> >
> > # NAT Stuff
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> >
> > # Accept anything from the inside. (needed for DHCP)
> > iptables -A INPUT -i eth1 -j ACCEPT
> > iptables -A OUTPUT -o eth1 -j ACCEPT
> >
> > # Forward Packets (needed to ping outside networks)
> > iptables -A FORWARD -i eth1 -j ACCEPT
> > iptables -A FORWARD -o eth1 -j ACCEPT
> >
> > # Allow IPsec interfaces through
> > iptables -A FORWARD -i ipsec+ -j ACCEPT
> > iptables -A FORWARD -o ipsec+ -j ACCEPT
> >
> > # Some Logging
> > iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
> >     -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
> >
> > # We would like to ask for names from our box
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> > # And, some attempt to get interactive sessions a bit more
> > # interactive under load:
> > iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
> > iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
> > iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
> >
> > # Keep state.
> > iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP
> >
> > #-----------------------------------------------------------------
> > # Allow IPsec
> > # IKE negotiations
> > iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
> > iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT
> >
> > # ESP encryption and authentication
> > iptables -A INPUT -p 50 -i eth0 -j ACCEPT
> > iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
> >
> > # AH authentication header
> > iptables -A INPUT -p 51 -j ACCEPT
> > iptables -A OUTPUT -p 51 -j ACCEPT
> >
> >
> > #-----------------------------------------------------------------
> > # This enables dynamic IP address following
> > echo 7 > /proc/sys/net/ipv4/ip_dynaddr
> >
> > # Rules set, we can enable forwarding in the kernel.
> > echo "Enabling IP forwarding."
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > echo "Enabling TCP SynCookies"
> > echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> >
> > echo "Firewall Init: Done"
> > ########################################################################
>
>

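The question in the thread is which chain the NetBIOS ports belong in. The script below is an added example for this archive page, not code posted by anyone on the list: it puts the permits in the filter table's FORWARD chain, scoped to the two tunnel subnets from the thread (192.168.10.0/24 and 192.168.20.0/24) and to the three ports the poster names (137/udp, 138/udp, 139/tcp), with conntrack carrying the replies. It assumes a FreeS/WAN KLIPS setup where the tunnel appears as an ipsec0-style interface (matched by "ipsec+") and the LAN is on eth1; those names, the DRY_RUN switch and the LOG rule at the end are this example's own choices. With DRY_RUN=1 (the default) it prints the iptables commands instead of running them, so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (or, with DRY_RUN=0,
# installs) FORWARD rules that let NetBIOS/SMB cross a FreeS/WAN tunnel
# only between the two subnets in the thread.
#
# Assumptions (not stated on the page): the tunnel interface matches
# "ipsec+", the LAN is on eth1, and only 137/udp, 138/udp and 139/tcp
# need to pass. Run with LOCAL_NET/REMOTE_NET swapped on the other gateway.

DRY_RUN=${DRY_RUN:-1}
TUN=${TUN:-ipsec+}
LOCAL_NET=${LOCAL_NET:-192.168.20.0/24}   # subnet behind this gateway
REMOTE_NET=${REMOTE_NET:-192.168.10.0/24} # subnet behind the peer

# Wrapper so the rule set can be reviewed without touching the kernel.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The SMB packets are forwarded between the LAN and the tunnel and are
# never DNATed, so the permits belong in the filter FORWARD chain, not in
# "-t nat -A PREROUTING". First match wins, so these must sit before (or
# replace) any blanket "-i ipsec+ -j ACCEPT" rule.
smb_forward_rules() {
    tun_if=$1   # interface tunnel traffic arrives on / leaves by (ipsec+)
    lan_if=$2   # interface the local subnet is on (eth1)
    for spec in udp:137 udp:138 tcp:139; do
        proto=${spec%%:*}
        port=${spec##*:}
        # New NetBIOS/SMB connections from the remote subnet into ours ...
        ipt -A FORWARD -i "$tun_if" -o "$lan_if" -p "$proto" \
            -s "$REMOTE_NET" -d "$LOCAL_NET" --dport "$port" \
            -m state --state NEW -j ACCEPT
        # ... and from our subnet to the remote one, out through the tunnel.
        ipt -A FORWARD -i "$lan_if" -o "$tun_if" -p "$proto" \
            -s "$LOCAL_NET" -d "$REMOTE_NET" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Replies and related packets ride on the state table, in both
    # directions, rather than on additional open ports.
    ipt -A FORWARD -i "$tun_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -o "$tun_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Last rule before the DROP policy: log what arrives from the tunnel
    # and matched nothing above, so a missing port shows up in the kernel
    # log instead of dying silently (the original script only logs OUTPUT).
    ipt -A FORWARD -i "$tun_if" -m limit --limit 3/minute \
        -j LOG --log-prefix "IPT FORWARD from tunnel died: "
}

smb_forward_rules "$TUN" eth1
```

The generated set is nine rules: six port permits (one per port and direction), two state rules for replies, and the LOG rule. To see which rule a packet actually hits after loading, `iptables -L FORWARD -v -n` shows per-rule packet counters, and the LOG line in the kernel log names whatever fell through to the policy.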
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:08 CEST