Hello all,
I have successfully setup a network<->network Vpn. I can now ping machines
on Network B from Network A, and vice versa.
Now the only problem I have is that I cannot seem to get samba
services to work. I've read previous posts about setting
up wins servers and all that fun stuff. I don't need to get that
complex. What I need to be able to do is the following:
Network A: Has 2 windows machines behind them. 192.168.10.20 and
192.168.10.21. Both of these machines have shares
called something like \\DataStorage, and \\CompanyStuff. Or something like
that.
Network B: has 2 machines, one is win2k, and the other is linux.
I need to be able to see both shares from Network A on Network B. I DO NOT
need to see the computer names inside "Network Neighborhood". From windows
I simply need to be able to type in \\192.168.10.21\ShareName.
This does not seem to work though. I get the following error from windows:
"network path not found"
When I try to do a : smbclient -L 192.168.10.21 from the linux machine I
get the following error message:
added interface ip=192.168.20.20 bcast=192.168.20.255 nmask=255.255.255.0
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
session request to 192.168.10.21 failed (Called name not present)
session request to 192 failed (Called name not preset)
session request to *SMBSERVER failed (Called name not present).
I am pretty sure that this is a problem within my firewall configuration,
although I am at a loss as to where it might be.
I've been struggling with this problem for about 3 weeks now. Any help
would be greatly appreciated. I've included my firewall
script below. It is the same on both Gateways. I am still new to IPTables
and firewalls so any examples would be most helpful.
Thanks in advance.
-Da Punk
--------------------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/sh
# IPTables FireWall Setup
#-----------------------------------------------------------------
# Rules not set, we should disable forwarding in the kernel.
echo "0" > /proc/sys/net/ipv4/ip_forward
#-----------------------------------------------------------------
# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z # zero all counters
#-----------------------------------------------------------------
# Policy for chains DROP everything
# Note: Turning this on, causes: "ping: sendto: operation not permitted" bug
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
iptables -A OUTPUT -p ALL -o ipsec+ -j ACCEPT
# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Accept anything from the inside. (needed for DHCP)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# Forward Packets (needed to ping outside networks)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
# Allow Ipsec Interfaces through
iptables -A FORWARD -i ipsec+ -j ACCEPT
iptables -A FORWARD -o ipsec+ -j ACCEPT
# Some Logging
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# We would like to ask for names from our box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# And, some attempt to get interactive sessions a bit more interactive under load:
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
# Keep state.
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP
# We don't like the NetBIOS and Samba leaking..
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 137 -j ACCEPT
iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 137 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 138 -j ACCEPT
iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 138 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 139 -j ACCEPT
iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 139 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 445 -j ACCEPT
iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 445 -j ACCEPT
#iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 135:139 -j DROP
#iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 137:139 -j DROP
#iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 445 -j DROP
#iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 445 -j DROP
#-----------------------------------------------------------------
# Allow IPsec
# IKE negotiations
iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
# AH authentication header
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
#-----------------------------------------------------------------
# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Enabling TCP SynCookies"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "Firewall Init: Done"
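Added example, not from the original post: a small first-match evaluator over the INPUT and FORWARD rules of the script above (OUTPUT, the nat and mangle tables, and the LOG/limit rule are left out) that reports the verdict the gateway gives to NetBIOS/SMB packets on each path. Note that -j ACCEPT in the nat PREROUTING chain only ends NAT processing for that packet; it never filters anything, so the filter table decides.

```python
# Added example: first-match model of the INPUT/FORWARD rules in the posted script.
# Only the matches the script uses (-i, -o, -p, --dport, --state) are modelled.

POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}
# (chain, in_iface, out_iface, proto, dport, states, target), in script order; '+' is the iptables interface wildcard.
RULES = [
    ("INPUT",   "eth1",   None,     None,  None, None,                       "ACCEPT"),
    ("FORWARD", "eth1",   None,     None,  None, None,                       "ACCEPT"),
    ("FORWARD", None,     "eth1",   None,  None, None,                       "ACCEPT"),
    ("FORWARD", "ipsec+", None,     None,  None, None,                       "ACCEPT"),
    ("FORWARD", None,     "ipsec+", None,  None, None,                       "ACCEPT"),
    ("INPUT",   None,     None,     None,  None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("FORWARD", "eth1",   None,     None,  None, {"NEW"},                    "ACCEPT"),
    ("FORWARD", None,     None,     None,  None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("FORWARD", "eth0",   None,     None,  None, {"NEW", "INVALID"},         "DROP"),
    ("INPUT",   "eth0",   None,     "udp", 500,  None,                       "ACCEPT"),
    ("INPUT",   "eth0",   None,     "50",  None, None,                       "ACCEPT"),
    ("INPUT",   None,     None,     "51",  None, None,                       "ACCEPT"),
]

def iface_match(pattern, name):
    if pattern is None:                 # no -i/-o given: matches any interface
        return True
    if pattern.endswith("+"):           # prefix wildcard: ipsec+ matches ipsec0, ipsec1, ...
        return name is not None and name.startswith(pattern[:-1])
    return name == pattern

def verdict(chain, pkt):
    """Walk the chain in order; the first matching rule's target wins, else the policy."""
    for c, i, o, proto, dport, states, target in RULES:
        if c != chain or not iface_match(i, pkt.get("in")) or not iface_match(o, pkt.get("out")):
            continue
        if (proto and proto != pkt["proto"]) or (dport and dport != pkt.get("dport")):
            continue
        if states and pkt["state"] not in states:
            continue
        return target
    return POLICY[chain]

# Constructed packets: the flows a share access needs (137/138 udp, 139/445 tcp), one per path.
def smb_report():
    return {
        "forward tunnel->lan tcp/445": verdict("FORWARD", {"in": "ipsec0", "out": "eth1", "proto": "tcp", "dport": 445, "state": "NEW"}),
        "forward lan->tunnel udp/137": verdict("FORWARD", {"in": "eth1", "out": "ipsec0", "proto": "udp", "dport": 137, "state": "NEW"}),
        "input tunnel->gateway tcp/139": verdict("INPUT", {"in": "ipsec0", "proto": "tcp", "dport": 139, "state": "NEW"}),
        # Shadowing check: the late '-i eth0 ... DROP' is never reached because '-o eth1 ACCEPT' matches first.
        "forward internet->lan tcp/445": verdict("FORWARD", {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 445, "state": "NEW"}),
    }
```

The report shows forwarded SMB across the tunnel is accepted in both directions by this ruleset, while SMB aimed at the gateway itself from the tunnel is dropped by the INPUT policy, and the ordering leaves the eth0 DROP rule without effect for anything bound for eth1.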
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:13 CEST