Re: [Samba] Not another SAMBA through a firewall post

2010-03-08 Thread randalls
Thanks, I will look into the bonding approach. 

Randall Svancara
Systems Administrator/DBA/Developer
Main Bioinformatics Laboratory



- Original Message -
From: "Brother Railgun of Reason" 
To: randa...@bioinfo.wsu.edu
Cc: "Kevin Keane" , samba@lists.samba.org
Sent: Monday, March 8, 2010 4:49:02 AM
Subject: Re: [Samba] Not another SAMBA through a firewall post

On Fri, Mar 05, 2010 at 08:44:00PM -0800, randa...@bioinfo.wsu.edu wrote:
> Kevin,
> 
> Thanks for the response. I was kind of thinking along the same lines 
> as what you described.  I disabled the second NIC and every samba 
> started working through the firewall.  I even wrote a simple perl 
> socket server and made the same observations as I did with Samba.
> 
> Thanks,
> 
> Randall Svancara

It's always been a pretty good rule of thumb that you should not have 
two active interfaces on the same subnet in the same machine unless 
either they're bonded together on a single IP, or one is a listen-only 
monitoring interface.  It will almost invariably cause problems.  Even a 
machine dual-homed on two different but connected subnets will sometimes 
create issues.



-- 
  Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
  ala...@caerllewys.net   ala...@metrocast.net   p...@co.ordinate.org
 Renaissance Man, Unix ronin, Perl hacker, Free Stater
 It's not the years, it's the mileage.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Not another SAMBA through a firewall post

2010-03-08 Thread Brother Railgun of Reason
On Fri, Mar 05, 2010 at 08:44:00PM -0800, randa...@bioinfo.wsu.edu wrote:
> Kevin,
> 
> Thanks for the response. I was kind of thinking along the same lines 
> as what you described.  I disabled the second NIC and every samba 
> started working through the firewall.  I even wrote a simple perl 
> socket server and made the same observations as I did with Samba.
> 
> Thanks,
> 
> Randall Svancara

It's always been a pretty good rule of thumb that you should not have 
two active interfaces on the same subnet in the same machine unless 
either they're bonded together on a single IP, or one is a listen-only 
monitoring interface.  It will almost invariably cause problems.  Even a 
machine dual-homed on two different but connected subnets will sometimes 
create issues.



-- 
  Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
  ala...@caerllewys.net   ala...@metrocast.net   p...@co.ordinate.org
 Renaissance Man, Unix ronin, Perl hacker, Free Stater
 It's not the years, it's the mileage.
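
Phil's rule of thumb (no two active interfaces in the same subnet on one host unless they are bonded under a single address) is easy to audit. The following is an added example, not code from the thread or from Samba: it parses the one-line-per-address output of `ip -o -4 addr show`, groups addresses by subnet and reports any subnet that has addresses on more than one interface. The three samples are constructed here; the 10.0.0.245/10.0.0.246 addresses come from Randall's post, while the interface names eth1 and bond0, the /24 prefix and the 192.168.1.10 address are assumptions. Aliases (several addresses on the same interface) and a host dual-homed on two different subnets are deliberately not flagged, matching the exceptions Phil lists.

```python
import ipaddress
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed samples in the one-line-per-address format of `ip -o -4 addr show`.
# Addresses are the ones from Randall's post; the interface names other than
# eth0, and the /24 prefix, are assumptions.
TWO_NICS_ONE_SUBNET = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.245/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.246/24 brd 10.0.0.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

# Same host after the bonding approach Phil suggests: eth0 and eth1 are
# slaves of bond0 and carry no address of their own, so nothing is flagged.
BONDED = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
4: bond0    inet 10.0.0.245/24 brd 10.0.0.255 scope global bond0\\       valid_lft forever preferred_lft forever
"""

# Dual-homed on two different subnets (assumed second subnet): allowed by the
# rule of thumb, so not flagged either.
DUAL_HOMED = """\
2: eth0    inet 10.0.0.245/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

ADDR_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ip_addr(text):
    """Yield (interface, IPv4Interface) for each address line of `ip -o -4 addr`."""
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            yield m.group(1), ipaddress.IPv4Interface(m.group(2))


def shared_subnets(text):
    """Return {subnet: [(interface, address), ...]} for every subnet that has
    addresses on more than one interface.  Several addresses on the *same*
    interface (aliases) are fine and are not reported; loopback is skipped."""
    by_net = defaultdict(list)
    for ifname, iface in parse_ip_addr(text):
        if iface.ip.is_loopback:
            continue
        by_net[iface.network].append((ifname, str(iface.ip)))
    return {
        str(net): members
        for net, members in by_net.items()
        if len({ifname for ifname, _ in members}) > 1
    }


def audit_live_host():
    """Run the check against this host; returns None if `ip` is unavailable."""
    if shutil.which("ip") is None:
        return None
    out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return shared_subnets(out)


if __name__ == "__main__":
    for label, sample in [("two NICs, one subnet", TWO_NICS_ONE_SUBNET),
                          ("bonded", BONDED), ("dual-homed", DUAL_HOMED)]:
        print(f"{label}: {shared_subnets(sample) or 'OK'}")
    live = audit_live_host()
    if live is not None:
        print(f"this host: {live or 'OK'}")
```

When the check does flag a subnet, `ip route get <client-ip> from 10.0.0.245` shows which interface and source address the kernel will actually use for replies, which is the question the thread is really about.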


Re: [Samba] Not another SAMBA through a firewall post

2010-03-07 Thread randalls
Kevin,

Thanks for the response. I was kind of thinking along the same lines as what 
you described.  I disabled the second NIC and every samba started working 
through the firewall.  I even wrote a simple perl socket server and made the 
same observations as I did with Samba.  

Thanks,

Randall Svancara



- Original Message -
From: "Kevin Keane" 
To: samba@lists.samba.org
Sent: Friday, March 5, 2010 7:18:06 PM
Subject: Re: [Samba] Not another SAMBA through a firewall post

I think part of your problem is that both of your NICs are on the same subnet. 
That will usually cause headaches; it confuses the routing table. It is 
entirely possible that Samba responds from IP 10.0.0.246 even when the 
connection goes to .245 - and you don't have firewall rules for that. Note that 
the interfaces statement isn't necessarily going to help - you should actually 
shut down the second NIC (ifdown eth1) to have it completely removed from Linux.

Also, at least for testing, I would also simplify the setup - only use port 
445, and only tcp. That way, you only have to debug one rule instead of eight. 
Use telnet to test if you can reach the Samba server from the outside world. 
Also, only use UDP and TCP, not both. 137 and 138 should be UDP; 139 and 445 
should be TCP. 

> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of randa...@bioinfo.wsu.edu
> Sent: Friday, March 05, 2010 1:42 PM
> To: samba@lists.samba.org
> Subject: [Samba] Not another SAMBA through a firewall post
> 
> I suppose a few questions pop up on this list about accessing Samba
> through a firewall.  I have been very successful running Samba through
> a firewall, until today.  I hit a stumbling block.
> 
> I have a Linux Firewall with the public IP Address of 134.x.x.140 (not the exact ip address, but close).  I am using NAT and port
> forwarding to send traffic destined for 137, 138,139, and 445 for BOTH
> TCP and IP to an internal host of 10.0.0.245.  This internal host has
> two network interface cards, 10.0.0.245 and 10.0.0.246.
> 
> Here are my firewall rules:
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 137 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 137 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 138 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 138 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 445 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 445 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
> 
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
> 
> When I have both network cards activated, I am unable to access SAMBA
> through the firewall.  However, I can access them on the local LAN.  I
> try to tell Samba to use eth0 and lo using:
> 
> interfaces = lo eth0
> bind interfaces only = yes
> 
> Still does not work.  I can use tcpdump -i eth0 and I can see packets going
> through the firewall:
> 13:36:10.904331 IP 134.x.x.19.34251 > 10.0.0.245.139: S
> 2273296206:2273296206(0) win 5840 <mss 1460,sackOK,timestamp 4731872 0,nop,wscale 7>
> 
> And also I can see the requests arriving on eth0 on the Samba server:
> 13:35:55.777985 IP 134.x.x.19.34251 > 10.0.0.245.139: Flags [S], seq
> 2273296206, win 5840, options [mss 1460,sackOK,TS val 4731872 ecr
> 0,nop,wscale 7], length 0
> 
> I am at a loss as to why this is happening.  Anyone care to enlighten
> me?
> 
> Randall Svancara
> 
> 
> 

Re: [Samba] Not another SAMBA through a firewall post

2010-03-05 Thread Kevin Keane
I think part of your problem is that both of your NICs are on the same subnet. 
That will usually cause headaches; it confuses the routing table. It is 
entirely possible that Samba responds from IP 10.0.0.246 even when the 
connection goes to .245 - and you don't have firewall rules for that. Note that 
the interfaces statement isn't necessarily going to help - you should actually 
shut down the second NIC (ifdown eth1) to have it completely removed from Linux.

Also, at least for testing, I would also simplify the setup - only use port 
445, and only tcp. That way, you only have to debug one rule instead of eight. 
Use telnet to test if you can reach the Samba server from the outside world. 
Also, only use UDP and TCP, not both. 137 and 138 should be UDP; 139 and 445 
should be TCP. 

> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of randa...@bioinfo.wsu.edu
> Sent: Friday, March 05, 2010 1:42 PM
> To: samba@lists.samba.org
> Subject: [Samba] Not another SAMBA through a firewall post
> 
> I suppose a few questions pop up on this list about accessing Samba
> through a firewall.  I have been very successful running Samba through
> a firewall, until today.  I hit a stumbling block.
> 
> I have a Linux Firewall with the public IP Address of 134.x.x.140 (not the exact ip address, but close).  I am using NAT and port
> forwarding to send traffic destined for 137, 138,139, and 445 for BOTH
> TCP and IP to an internal host of 10.0.0.245.  This internal host has
> two network interface cards, 10.0.0.245 and 10.0.0.246.
> 
> Here are my firewall rules:
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 137 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 137 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 138 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 138 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
> 
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 445 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
>   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 445 -d
> 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
> 
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
>   $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT
> --to-source 134.x.x.140
> 
> When I have both network cards activated, I am unable to access SAMBA
> through the firewall.  However, I can access them on the local LAN.  I
> try to tell Samba to use eth0 and lo using:
> 
> interfaces = lo eth0
> bind interfaces only = yes
> 
> Still does not work.  I can use tcpdump -i eth0 and I can see packets going
> through the firewall:
> 13:36:10.904331 IP 134.x.x.19.34251 > 10.0.0.245.139: S
> 2273296206:2273296206(0) win 5840 <mss 1460,sackOK,timestamp 4731872 0,nop,wscale 7>
> 
> And also I can see the requests arriving on eth0 on the Samba server:
> 13:35:55.777985 IP 134.x.x.19.34251 > 10.0.0.245.139: Flags [S], seq
> 2273296206, win 5840, options [mss 1460,sackOK,TS val 4731872 ecr
> 0,nop,wscale 7], length 0
> 
> I am at a loss as to why this is happening.  Anyone care to enlighten
> me?
> 
> Randall Svancara
> 
> 
> 

Re: [Samba] Not another SAMBA through a firewall post

2010-03-05 Thread Mike
NAT relies on port forwarding.  To do pre/post routing, I believe you
must indicate FORWARDING rules for incoming and outgoing traffic on
that port:

$IPT -t filter -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 137 --syn
-m state --state NEW -j ACCEPT
$IPT -t filter -A FORWARD -o $INTIF -i $EXTIF -p tcp --dport 137 --syn
-m state --state NEW -j ACCEPT

$IPT -t filter -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 138 --syn
-m state --state NEW -j ACCEPT
$IPT -t filter -A FORWARD -o $INTIF -i $EXTIF -p tcp --dport 138 --syn
-m state --state NEW -j ACCEPT

$IPT -t filter -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 139 --syn
-m state --state NEW -j ACCEPT
$IPT -t filter -A FORWARD -o $INTIF -i $EXTIF -p tcp --dport 139 --syn
-m state --state NEW -j ACCEPT

$IPT -t filter -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 445 --syn
-m state --state NEW -j ACCEPT
$IPT -t filter -A FORWARD -o $INTIF -i $EXTIF -p tcp --dport 445 --syn
-m state --state NEW -j ACCEPT

Do you have similar forwarding rules?
HTH,
Mike
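
The two mechanisms this thread turns on, Kevin's point that a reply leaving from 10.0.0.246 has no NAT mapping when the DNAT target was 10.0.0.245, and Mike's question about which FORWARD rules are needed, can be worked through in a small model of the netfilter path. The following is an added example, not code from the thread, from Samba or from netfilter. The public addresses are redacted in the post, so 134.0.0.140 and 134.0.0.19 are constructed stand-ins; the client port 34251 is taken from the tcpdump line; the port/protocol split (137 and 138 over UDP, 139 and 445 over TCP) follows Kevin's advice; TCP state tracking is left out. Note that the model lets return traffic through on the strength of the conntrack entry the DNAT created, which is what an ESTABLISHED,RELATED rule in the FORWARD chain does, rather than through a second NEW rule in the other direction.

```python
from dataclasses import dataclass

PUBLIC_IP = "134.0.0.140"     # stands in for the redacted 134.x.x.140 (constructed)
CLIENT_IP = "134.0.0.19"      # stands in for the client 134.x.x.19 (constructed)
SAMBA_IP = "10.0.0.245"       # DNAT target from the original post
SECOND_NIC_IP = "10.0.0.246"  # second NIC on the same subnet

# What the firewall forwards, with the protocol split Kevin recommends:
# NetBIOS name/datagram service over UDP, NetBIOS session and SMB over TCP.
FORWARDED = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


class NatFirewall:
    """Toy model of the netfilter path the thread depends on.

    conntrack maps the original 5-tuple of a forwarded flow to the reply the
    kernel expects back from the LAN side.  Real conntrack also tracks TCP
    state; that is deliberately left out here.
    """

    def __init__(self):
        self.conntrack = {}

    def inbound(self, pkt):
        """Internet -> LAN.  Returns the packet delivered to the LAN, or None."""
        key = (pkt.proto, pkt.src, pkt.dst)
        entry = self.conntrack.get(key)
        if entry is not None:                 # ESTABLISHED: reuse the mapping
            return entry["to_server"]
        # nat PREROUTING is consulted only for the first packet of a flow.
        if pkt.dst[0] != PUBLIC_IP or (pkt.proto, pkt.dst[1]) not in FORWARDED:
            return None                       # no DNAT rule; FORWARD drops it
        to_server = Packet(pkt.proto, pkt.src, (SAMBA_IP, pkt.dst[1]))
        # The only reply conntrack will associate with this flow is one from
        # the DNAT target, back to the client's address and port.
        self.conntrack[key] = {
            "to_server": to_server,
            "reply": Packet(pkt.proto, to_server.dst, pkt.src),
        }
        return to_server

    def outbound(self, pkt):
        """LAN -> Internet.  Returns the packet leaving EXTIF, or None."""
        for entry in self.conntrack.values():
            if pkt == entry["reply"]:
                # Reverse translation: the client sees the address it spoke to.
                return Packet(pkt.proto, (PUBLIC_IP, pkt.src[1]), pkt.dst)
        # No conntrack entry matches.  A reply from the second NIC lands here:
        # it is not a reply to any forwarded flow, and the POSTROUTING SNAT
        # rules in the thread match only -s 10.0.0.245, so it would leave with
        # a private source address the client never sent to.  Dropped.
        return None


def client_sees(reply_from_ip, proto="tcp", port=445):
    """Push one request through the firewall and return what reaches the
    client when the server answers from reply_from_ip (None = nothing)."""
    fw = NatFirewall()
    request = Packet(proto, (CLIENT_IP, 34251), (PUBLIC_IP, port))
    at_server = fw.inbound(request)
    if at_server is None:
        return None                           # port/protocol not forwarded
    reply = Packet(proto, (reply_from_ip, at_server.dst[1]), request.src)
    return fw.outbound(reply)


if __name__ == "__main__":
    for src in (SAMBA_IP, SECOND_NIC_IP):
        print(f"reply from {src}: {client_sees(src)}")
    print(f"udp/445 (no rule): {client_sees(SAMBA_IP, 'udp')}")
```

Run as is, the script shows a reply from 10.0.0.245 reaching the client with the public address restored, a reply from 10.0.0.246 going nowhere, and a request to a port/protocol pair with no DNAT rule (udp/445) never reaching the server at all, which is why Kevin's suggestion of testing with a single TCP 445 rule cuts the search space so much.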


[Samba] Not another SAMBA through a firewall post

2010-03-05 Thread randalls
I suppose a few questions pop up on this list about accessing Samba through a 
firewall.  I have been very successful running Samba through a firewall, until 
today.  I hit a stumbling block.

I have a Linux Firewall with the public IP Address of 134.x.x.140 (not the exact ip address, but close).  I am using NAT and port forwarding to send 
traffic destined for 137, 138,139, and 445 for BOTH TCP and IP to an internal 
host of 10.0.0.245.  This internal host has two network interface cards, 
10.0.0.245 and 10.0.0.246.  

Here are my firewall rules:

  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 137 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:137
  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 137 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:137

  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 138 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:138
  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 138 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:138

  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:139
  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:139

  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 445 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:445
  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 445 -d 134.x.x.140 -j 
DNAT --to-destination 10.0.0.245:445

  $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT 
--to-source 134.x.x.140
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT 
--to-source 134.x.x.140
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT 
--to-source 134.x.x.140
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT 
--to-source 134.x.x.140

When I have both network cards activated, I am unable to access SAMBA through 
the firewall.  However, I can access them on the local LAN.  I try to tell 
Samba to use eth0 and lo using:

interfaces = lo eth0
bind interfaces only = yes

Still does not work.  I can use tcpdump -i eth0 and I can see packets going through 
the firewall:
13:36:10.904331 IP 134.x.x.19.34251 > 10.0.0.245.139: S 
2273296206:2273296206(0) win 5840 <mss 1460,sackOK,timestamp 4731872 0,nop,wscale 7>

And also I can see the requests arriving on eth0 on the Samba server:
13:35:55.777985 IP 134.x.x.19.34251 > 10.0.0.245.139: Flags [S], seq 
2273296206, win 5840, options [mss 1460,sackOK,TS val 4731872 ecr 0,nop,wscale 
7], length 0

I am at a loss as to why this is happening.  Anyone care to enlighten me?

Randall Svancara


