02/05/13 05:47:57, "Luciano Macedo Rodrigues" <[EMAIL PROTECTED]> wrote:

> Hi,
>
> In my case.
> 1. yes
> 2. about 10
> 3. because I need outside access to my machine.
>
> My problem, which I think is very similar to others related here (and I'm
> sorry for this cross-posting), is that I have a PDC on the same server as the
> ADSL connection. People edit, for example, files in the apache directory
> through samba and I want a client to access it from outside my office. But, if I
> have a strong firewall on this machine, the win2k workstations don't find
> the domain controller. So I don't have any rules configured, just enabled
> all to anywhere from anywhere.
>
> I allowed 'netbios-ns,netbios-dgm,netbios-ssn,isakmp,wins,microsoft-ds' for
> the LAN but it still didn't work... I think I'll have to open more ports.
>
> So, any guess?
>

M$ 'netbios' is encapsulated in IP packets and therefore your router will
not route the 'netbios' packet. Also M$ uses UDP broadcasting to find the
domain server. Broadcasts are never routed.

There are articles on technet on how to modify the hosts files on the
workstations so that they know where to find the domain server. This works
(almost).

Ray

> Luciano
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]] On behalf of Daniel Elias Robles
>> Sent: Monday, 13 May 2002 09:55
>> Cc: [EMAIL PROTECTED]
>> Subject: Re: MS Windows domain logon via netfilter NAT
>>
>>
>> I do not see why you need to go back to win2k for firewalling.
>>
>> 1.- Is the domain controller on the Internet?
>> 2.- How many machines will be accessing this server?
>> 3.- Why do you need to NAT?
>>
>>
>> Daniel
>>
>>
>> On Mon, 2002-05-13 at 08:10, Kramer wrote:
>> > Thanks to all for the replies. I did find all the postings on the web
>> > about NAT and NBT. I am just very surprised that nothing has already
>> > been done about it. There are probably very few networks that don't
>> > have at least some MS windows presence. It seems as though this would
>> > have gotten some attention by someone on the netfilter team. An
>> > ip_conntrack_NBT is really needed to translate the internal addresses in
>> > the NATed packets. I have Samba running successfully on other boxes but
>> > don't want it on the firewall or inside. In this case I really wanted to
>> > set up the private NAT subnet for many reasons. I guess I either drop
>> > the NAT requirement or am very reluctantly back to using Win2K as the
>> > firewall server ( or saving for a Cisco and all the license fees ).
>> >
>> > Jack
>> >
>> > Daniel Elías Robles wrote:
>> >
>> > > This issue has been addressed several times. The correct way to handle this
>> > > is not to NAT netbios traffic, due to the fact that there is no helper
>> > > available -- at least at the time of this writing --. This does not mean you
>> > > can not route it via iptables; you still can use it, just do not NAT it.
>> > >
>> > > I have some large installations; several hundred computers use iptables to
>> > > log into the PDC.
>> > >
>> > > Just expand the range of the private side of your firewall -- in case you
>> > > have more than 254 hosts on your lan --, make sure your packets can find
>> > > their way back to your lan -- router issues --, forward as needed,
>> > > remember -- don't Masquerade this traffic -- "everything gonna be all right".
>> > >
>> > > Regards,
>> > >
>> > >
>> > > Daniel
>> > > Dominican Republic
>> > > ----- Original Message -----
>> > > From: "AUDEMARD Patrick" <[EMAIL PROTECTED]>
>> > > To: "Kramer" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>> > > Sent: Monday, May 13, 2002 3:55 AM
>> > > Subject: RE: MS Windows domain logon via netfilter NAT
>> > >
>> > >
>> > > IPtables doesn't fully support Netbios over IP.
>> > >
>> > > Check this article for more information.
>> > >
>> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q172227
>> > >
>> > > Patrick AUDEMARD
>> > >
>> > > -----Original Message-----
>> > > From: Kramer [mailto:[EMAIL PROTECTED]]
>> > > Sent: Sunday, 12 May 2002 19:29
>> > > To: [EMAIL PROTECTED]
>> > > Subject: MS Windows domain logon via netfilter NAT
>> > >
>> > >
>> > > I have gotten a RedHat 7.3 box operating as a router/filter to a private
>> > > (192.168.132.0/24) with dhcp without too much trouble. One major
>> > > problem remains that I can't find any info on. The fixes for the NAT
>> > > public address reverse routing and the broadcast address fixes are
>> > > already applied.
>> > >
>> > > Windows client hosts on the NATed LAN can't find the NT4 Domain for
>> > > logon. Therefore Network Neighborhood browsing doesn't work. Strangely
>> > > direct UNC connections will work if logon credentials are not required.
>> > >
>> > > I am sure I am not the first to run into this. Can anyone help?
>> > >
>> > > Jack Kramer
>> > > University of Florida
>> > > Fort Lauderdale
>
> Luciano Macedo Rodrigues
> Analyst/Developer
> OpenSoft - Porto Alegre/RS
>

----------------------------------------
Ray Leach (Technical Network Specialist)
Knowledge Factory
www: http://www.knowledgefactory.co.za
Tel: +27-11-445-8100  Direct: 445-8263
Fax: +27-11-445-8101
"No matter where you go, there you are."
----------------------------------------
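Daniel's advice in the thread (route the NetBIOS/SMB traffic through the netfilter box but do not masquerade it) can be turned into a concrete rule set. The script below is an added example written for this page, not code posted by anyone in the thread: it prints the "masquerade everything" configuration that breaks domain logon beside a corrected one that exempts traffic to the domain controller's subnet from NAT and forwards only the NetBIOS/SMB ports to it. The interface names, the DC subnet 10.10.0.0/24 and the APPLY/root gate are assumptions; 192.168.132.0/24 is the private subnet from Kramer's mail. A small checker function confirms that the NAT exemption is ordered before MASQUERADE, which is the detail that is easy to get wrong.

```shell
#!/bin/sh
# Added example (not from the thread): forward NetBIOS/SMB to a domain
# controller through a netfilter router WITHOUT NATing it.
# Interfaces, DC_NET and the APPLY gate are assumptions for illustration.
LAN_IF=eth1                 # private side where the Windows clients sit
WAN_IF=eth0                 # side through which the domain controller is reached
LAN_NET=192.168.132.0/24    # private subnet from Kramer's mail
DC_NET=10.10.0.0/24         # assumed subnet of the domain controller
NETBIOS_UDP="137,138"       # netbios-ns, netbios-dgm
NETBIOS_TCP="139,445"       # netbios-ssn, microsoft-ds

# The setting that breaks domain logon: everything leaving WAN_IF is
# masqueraded, so the PDC sees the router's address while the NetBIOS
# payload still carries the client's private address (no NBT helper exists
# to rewrite it, as the thread says).
weak_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Corrected setting: traffic from the LAN to the DC subnet hits an ACCEPT in
# POSTROUTING before the MASQUERADE rule, so it is routed unchanged; only
# the NetBIOS/SMB ports are forwarded to the DC subnet; Internet-bound
# traffic is still masqueraded.
corrected_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -d $DC_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $DC_NET -p udp -m multiport --dports $NETBIOS_UDP -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $DC_NET -p tcp -m multiport --dports $NETBIOS_TCP -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
EOF
}

# Sanity check on a rule listing: returns 0 when the first POSTROUTING rule
# that a packet for DC_NET would match is the ACCEPT exemption rather than
# MASQUERADE, 1 otherwise.
nat_exemption_precedes_masquerade() {
    echo "$1" | grep 'POSTROUTING' \
        | grep -E -- "-d $DC_NET|-j MASQUERADE" \
        | head -n 1 | grep -q -- '-j ACCEPT'
}

# Apply the corrected rules only when explicitly asked for and running as
# root; otherwise just print them for review.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        corrected_rules | while IFS= read -r cmd; do eval "$cmd"; done
    else
        corrected_rules
    fi
}

apply_rules
```

Two things the rules cannot fix, both raised in the thread: because the DC traffic is no longer masqueraded, the DC side needs a route back to 192.168.132.0/24 (Daniel's "router issues"), and NetBIOS name resolution by broadcast still stops at the router, so the clients have to be told where the DC is (WINS, or the LMHOSTS entry Ray's technet articles describe).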
