

IP Masquerading. TALK and SAMBA

Posted on 1998-10-23
Medium Priority
Last Modified: 2010-04-20
I've got IP Masquerading set up pretty thoroughly on my linux box.
It's had its kernel downgraded so that ipmasq works again (none of that ipchains stuff - I didn't understand that)

Anyhow - how do I get the following working?

1.  Talk.  Dammit - it's TALK! People _must_ know the answer to this - EVERYONE has talk.
Sorry - rant over.
Basically skulk (that's the firewall box) seems to route ALL talk packets to the inner net - even those that should be outgoing.
How do I get talk to work transparently through it?

2.  SAMBA.
The local net gets entirely isolated from the rest of the outer net.
The windows machines on the inside can't see out, they can't even see the samba running on skulk.

And the outside world doesn't acknowledge the sub-net's existence.
What I'd _really_ like is...
The inner net sees skulk as a samba server on its net.
The outer world passes straight through to the inner net.
(It's only one machine, actually)
The inner net can also see out past skulk.

I'd also like to be able to toggle this to flip it so that the outside world can only see skulk.
I've already got that working for http and ftp - but samba and talk don't seem to want to cooperate.
Question by: Vitenka
LVL 19

Expert Comment

ID: 1638328
The IP_Masquerading mini-HOWTO quite plainly states that talk
will not work.

As far as samba, my proxy users don't see anything in their
"Network Neighborhoods", but they can still map network drives
on the "real" LAN.  (I'm not running any samba services on the
Masqing host either...)

And what do you mean the outer net passes right through to the
inner net?  You shouldn't be able to see a thing on the private
network (except from the proxy box itself, of course).

Author Comment

ID: 1638329
Yes, I know the HOWTO says that TALK won't work, I'm wondering if anyone out here has fixed that bug.

Can you?  I'll try - but I really need to be able to browse servers, 'cos the network is very jumpy - lots of hosts arriving and vanishing.

No, I want all the services of the inner net visible to the outside world - especially the MS networking server.

LVL 19

Expert Comment

ID: 1638330
It's not a bug that talk doesn't work - it's a feature that has
never been implemented.

My NT users on the proxy can do a "net view" and see all the
hosts on the network, so the netbios broadcasts are visible.

As far as wanting the outside world to see your inner hosts,
you're completely losing me here - that defeats the whole
purpose of a proxy.  Are you running real IP addresses behind
the masq'ing machine?  If that's the case, it sounds like the
linux box needs to be set up as a router, not a Masqing host.


Author Comment

ID: 1638331
I'm not trying to firewall people out of my inner network
I just want to run several real IPs off of one IP (ethernet) connection.
I only have one IP address to it - and want to have multiple hosts.
I don't mind if only one of the hosts' shares are visible to the outside world - but I want at least one - and it should be from a specific machine on the inner net.

Talk:  Fine, call it what you want.
It's broken, and since it's a common enough program, I thought _someone_ out there must have fixed it (fiona?)
Anyone else?
LVL 19

Expert Comment

ID: 1638332
You say you want to run "several real IPs off of one IP
(ethernet) connection." but that you "only have one IP address".
I'm _assuming_ that you mean that you would like to run
several PRIVATE (ie. 192.168.x.x, or designated non-routable)
IP addresses behind that one machine with a real (ie. Internet
routable) IP address hooked up to the net.

This being the case, there is NO way that a machine with the
192.168.x.x (or "inner") address can be visible from the net.
The only possible way to see one of the inner machines would
be by connecting to the proxy first (telnet, ssh?) & then
using smbclient to access the shares on the internal network.

Alternatively, you could use smbmount to permanently mount
one of the internal shares on the proxy server in a subdirectory
of your webserver so that people could at least view that share
from the outside world.


Author Comment

ID: 1638333
Yes - I'm talking about some machines on a private 192.168. network; I only have one IP address inside the overall IP address space.

Are you sure?
I mean, I've got FTP and HTTP to work, by redirecting the ports...

Can't I get the proxy to advertise itself, but then pass the actual requests on to shares on the inner net for example?

Could I smbmount a directory, and then offer that as a share to the outside world?
(proxy server for samba?)

The samba mount idea - yes, that could work.
Would you give us some example config for that?

Author Comment

ID: 1638334
Urm - my local machines go to network neighbourhood and don't see anything.
How's yours set up for this bit of ipmasq?
LVL 19

Accepted Solution

xterm earned 140 total points
ID: 1638335
I'm one hundred percent positive nobody can see your
internal machines directly.  The port redirector that
you have for ftp & http is pretty ingenious, and a good
hack around it, but it all comes back to the same thing -
all accesses to the inside have to be as a direct result
of the proxy forwarding the connection.

From the samba documentation (smbmount.8) man page:

smbmount '\\server\tmp' -c 'mount /mnt -u 123 -g 456'

(to mount the tmp share of server on /mnt, giving it a
local uid 123 and a local gid 456.)

Instead of using /mnt, you'd just replace it with the new
directory you created in your web server tree.

Once you have mounted the remote directory, I see no reason
you couldn't just create a new samba share using that very
directory, ie:

# in /etc/smb.conf
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes

Then just HUP smbd & you're in business.

Of course, this mount point could be anywhere you
want, not necessarily in the web server tree.  Also,
if anybody connects to your new share using NT, they
will be using encrypted passwords, and it won't work
without creating a /etc/smbpasswd (and a few other
small mods if I recall), so test it from a Win 95 box.
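
As an added example (not code from the thread or from Samba), a small audit over smb.conf stanzas that reports any share guests can both reach and write to; the re-exported share above combines "public = yes" with "read only = no", which is the combination it flags, and a hardened stanza is shown beside it. It assumes the classic smb.conf key names and the constructed sample config embedded in the script.

```shell
#!/bin/sh
# Added example, not from the thread: audit smb.conf share stanzas and report
# any share that guests can reach AND write to. Assumes classic smb.conf keys
# ("public"/"guest ok", "read only"/"writable"); the sample config is constructed.

# Read an smb.conf on stdin; print the name of each public, writable share.
# Samba semantics: the last of "read only"/"writable" in a stanza wins.
audit_smbconf() {
    awk '
        function flush() {
            if (share != "" && share != "global" && public && writable) print share
        }
        /^[ \t]*\[/ {
            flush()
            share = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
            public = 0; writable = 0
            next
        }
        /^[ \t]*[#;]/ { next }          # skip comment lines
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            yes = (val == "yes" || val == "true" || val == "1")
            if (key == "public" || key == "guest ok") public = yes
            if (key == "read only")                  writable = !yes
            if (key == "writable" || key == "writeable" || key == "write ok") writable = yes
        }
        END { flush() }
    '
}

# Emit a hardened stanza for the re-exported mount: world-readable, not writable.
webshare_stanza() {
    printf '[%s]\n   comment = share for the world to see\n   path = %s\n   read only = yes\n   public = yes\n' "$1" "$2"
}

# Constructed sample: the thread's stanza, with the [webshare] header it needs.
WEAK_CONF=$(cat <<'EOF'
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes
EOF
)

# Run stand-alone: prints "webshare" for the weak config, nothing for the hardened one.
printf '%s\n' "$WEAK_CONF" | audit_smbconf
webshare_stanza webshare /home/httpd/html/webshare | audit_smbconf
```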

LVL 19

Expert Comment

ID: 1638336
Yes, my users don't see anything in network neighborhood (of
course - I _want_ it this way in my setup...)   They can still
map any share they want to though from Explorer (tools, map
network drive)  Then if they click "connect automatically at
boot time" or whatever, they'll get to permanently keep that

At one point I thought about setting up nmbd/smbd on the proxy
as a backup domain controller to broadcast netbios information
about the domain on the proxy side so that the network neighborhoods
would be populated internally, but I blew off that idea -
didn't want my techs to be able to run around my servers.

Author Comment

ID: 1638337

The samba fix sounds workable.

Anyone with a talk feature implementation?


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Suggested Courses
Course of the Month18 days, 14 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question