IP Masquerading.  TALK and SAMBA

Posted on 1998-10-23
Last Modified: 2010-04-20
I've got IP Masquerading set up pretty thoroughly on my linux box.
It's had its kernel downgraded so that ipmasq works again (none of that ipchains stuff - I didn't understand that)

Anyhow - how do I get the following working?

1.  Talk.  Dammit - it's TALK! People _must_ know the answer to this - EVERYONE has talk.
Sorry - rant over.
Basically skulk (that's the firewall box) seems to route ALL talk packets to the inner net - even those that should be outgoing.
How do I get talk to work transparently through it?

2.  SAMBA.
The local net gets entirely isolated from the rest of the outer net.
The windows machines on the inside can't see out, they can't even see the samba running on skulk.

And the outside world doesn't acknowledge the sub-nets existence.
What I'd _really_ like is...
The inner net sees skulk as a samba server on its net.
The outer world passes straight through to the inner net.
(It's only one machine, actually)
The inner net can also see out past skulk.

I'd also like to be able to toggle this to flip it so that the outside world can only see skulk.
I've already got that working for http and ftp - but samba and talk don't seem to want to cooperate.
Question by:Vitenka
LVL 19

Expert Comment

ID: 1638328
The IP_Masquerading mini-HOWTO quite plainly states that talk
will not work.

As far as samba, my proxy users don't see anything in their
"Network Neighborhoods", but they can still map network drives
on the "real" LAN.  (I'm not running any samba services on the
Masqing host either...)

And what do you mean the outer net passes right through to the
inner net?  You shouldn't be able to see a thing on the private
network (except from the proxy box itself, of course).

Author Comment

ID: 1638329
Yes, I know the HOWTO says that TALK won't work, I'm wondering if anyone out here has fixed that bug.

Can you?  I'll try - but I really need to be able to browse servers, 'cos the network is very jumpy - lots of hosts arriving and vanishing.

No, I want all the services of the inner net visible to the outside world - especially the MS networking server.

LVL 19

Expert Comment

ID: 1638330
It's not a bug that talk doesn't work - it's a feature that has
never been implemented.

My NT users on the proxy can do a "net view" and see all the
hosts on the network, so the netbios broadcasts are visible.

As far as wanting the outside world to see your inner hosts,
you're completely losing me here - that defeats the whole
purpose of a proxy.  Are you running real IP addresses behind
the masq'ing machine?  If that's the case, it sounds like the
linux box needs to be set up as a router, not a Masqing host.

Author Comment

ID: 1638331
I'm not trying to firewall people out of my inner network
I just want to run several real IP's off of one IP (ethernet) connection.
I only have one IP address to it - and want to have multiple hosts.
I don't mind if only one of the hosts' shares are visible to the outside world - but I want at least one - and it should be from a specific machine on the inner net.

Talk:  Fine, call it what you want.
It's broken, and since it's a common enough program, I thought _someone_ out there must have fixed it (fiona?)
Anyone else?
LVL 19

Expert Comment

ID: 1638332
You say you want to run "several real IPs off of one IP
(ethernet) connection." but that you "only have one IP address".
I'm _assuming_ that you mean that you would like to run
several PRIVATE (ie. 192.168.x.x, or designated non-routable)
IP addresses behind that one machine with a real (ie. Internet
routable) IP address hooked up to the net.

This being the case, there is NO way that a machine with the
192.168.x.x (or "inner") address can be visible from the net.
The only possible way to see one of the inner machines would
be by connecting to the proxy first (telnet, ssh?) & then
using smbclient to access the shares on the internal network.

Alternatively, you could use smbmount to permanently mount
one of the internal shares on the proxy server in a subdirectory
of your webserver so that people could at least view that share
from the outside world.


Author Comment

ID: 1638333
Yes - I'm talking about some machines on a private 192.168. network; I only have one ip address inside the overall IP address space.

Are you sure?
I mean, I've got FTP and HTTP to work, by redirecting the ports...

Can't I get the proxy to advertise itself, but then pass the actual requests on to shares on the inner net for example?

Could I smbmount a directory, and then offer that as a share to the outside world?
(proxy server for samba?)

The samba mount idea - yes, that could work.
Would you give us some example config for that?

Author Comment

ID: 1638334
Urm - my local machines go to network neighbourhood and don't see anything.
How's yours set up for this bit of ipmasq?
LVL 19

Accepted Solution

xterm earned 70 total points
ID: 1638335
I'm one hundred percent positive nobody can see your
internal machines directly.  The port redirector that
you have for ftp & http is pretty ingenious, and a good
hack around it, but it all comes back to the same thing -
all accesses to the inside have to be as a direct result
of the proxy forwarding the connection.

From the samba documentation (smbmount.8) man page:

smbmount "\\server\tmp" -c 'mount /mnt -u 123 -g 456'

(to  mount  the  tmp  share  of server on /mnt, giving it a
local uid 123 and a local gid 456.)

Instead of using /mnt, you'd just replace it with the new
directory you created in your web server tree.

Once you have mounted the remote directory, I see no reason
you couldn't just create a new samba share using that very
directory, ie:

# in /etc/smb.conf
# (section header added here; a share definition must sit under its own
#  [name] section or Samba folds these lines into the preceding section.
#  The name "webshare" is assumed from the path below.)
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes

Then just HUP smbd & you're in business.

Of course, this mount point could be anywhere you
want, not necessarily in the web server tree.  Also,
if anybody connects to your new share using NT, they
will be using encrypted passwords, and it won't work
without creating a /etc/smbpasswd (and a few other
small mods if I recall), so test it from a Win 95 box.
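
The share stanza above exports the mounted directory with `public = yes` and `read only = no`, which is a guest-writable share; once it is reachable from the outside world that is the setting a defender most wants to spot. Below is an added example (not code from the thread or from the Samba project) that parses smb.conf sections the way smb.conf(5) describes them (case- and whitespace-insensitive parameter names, whole-line comments, `public`/`guest ok` and `writable`/`read only` as synonym pairs, last setting wins) and reports every share that anonymous users can write to. The sample configuration is constructed for the example: it contains the stanza from the answer, a read-only variant, and an authenticated-only share.

```python
"""Audit smb.conf share stanzas for guest-writable shares.

Added example, not part of the original thread. The sample config below is
constructed; the section name [webshare] is assumed from the path in the
accepted answer.
"""

SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   encrypt passwords = yes

# the share from the accepted answer, as posted (section name assumed)
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes

; hardened variant: same directory, but guests may only read it
[webshare-ro]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = yes
   guest ok = yes

; writable, but only for authenticated users
[staff]
   path = /srv/staff
   writable = yes
   guest ok = no
"""

# 'writable', 'writeable' and 'write ok' are the inverse of 'read only'
WRITABLE_SYNONYMS = {"writable", "writeable", "writeok"}
# 'public' is a synonym of 'guest ok'
CANONICAL = {"public": "guestok"}


def smb_bool(value, default):
    """Parse a Samba boolean (yes/true/1, no/false/0); unknown -> default."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {canonical_key: value}}.

    Parameter names are lower-cased with whitespace removed, so
    'Read Only' and 'readonly' are the same key. Writable synonyms are
    stored as an inverted 'readonly' so that later lines override earlier
    ones exactly as Samba does.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower().replace(" ", "")
        value = value.strip()
        if key in WRITABLE_SYNONYMS:
            key, value = "readonly", ("no" if smb_bool(value, False) else "yes")
        sections[current][CANONICAL.get(key, key)] = value
    return sections


def share_is_guest_writable(params):
    """True when guests are allowed in and the share is not read-only."""
    guest = smb_bool(params.get("guestok", "no"), False)       # default: no guests
    writable = not smb_bool(params.get("readonly", "yes"), True)  # default: read only
    return guest and writable


def audit(text):
    """Sorted names of shares that anonymous users can write to."""
    return sorted(name for name, params in parse_smb_conf(text).items()
                  if name.lower() != "global" and share_is_guest_writable(params))


if __name__ == "__main__":
    for share in audit(SAMPLE_SMB_CONF):
        print(f"guest-writable share: [{share}]")
```

Run against the sample it reports only `[webshare]`; the read-only variant and the authenticated-only share pass. To audit a live box, read `/etc/smb.conf` into `audit()` instead of the embedded sample; the defaults used here (`guest ok = no`, `read only = yes`) are Samba's own, but any `[global]` override of those defaults would need to be applied first.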

LVL 19

Expert Comment

ID: 1638336
Yes, my users don't see anything in network neighborhood (of
course - I _want_ it this way in my setup...)   They can still
map any share they want to though from Explorer (tools, map
network drive)  Then if they click "connect automatically at
boot time" or whatever, they'll get to permanently keep that

At one point I thought about setting up nmbd/smbd on the proxy
as a backup domain controller to broadcast netbios information
about the domain on the proxy side so that the network neighborhoods
would be populated internally, but I blew off that idea -
didn't want my techs to be able to run around my servers.

Author Comment

ID: 1638337

The samba fix sounds workable.

Anyone with a talk feature implementation?

