IP Masquerading. TALK and SAMBA

I've got IP Masquerading set up pretty thoroughly on my linux box.
It's had its kernel downgraded so that ipmasq works again (none of that ipchains stuff - I didn't understand that)

Anyhow - how do I get the following working?

1.  Talk.  Dammit - it's TALK! People _must_ know the answer to this - EVERYONE has talk.
Sorry - rant over.
Basically skulk (that's the firewall box) seems to route ALL talk packets to the inner net - even those that should be outgoing.
How do I get talk to work transparently through it?

2.  SAMBA.
The local net gets entirely isolated from the rest of the outer net.
The windows machines on the inside can't see out, they can't even see the samba running on skulk.

And the outside world doesn't acknowledge the subnet's existence.
What I'd _really_ like is...
The inner net sees skulk as a samba server on its net.
The outer world passes straight through to the inner net.
(It's only one machine, actually)
The inner net can also see out past skulk.

I'd also like to be able to toggle this to flip it so that the outside world can only see skulk.
I've already got that working for http and ftp - but samba and talk don't seem to want to cooperate.
xterm Commented:
I'm one hundred percent positive nobody can see your
internal machines directly.  The port redirector that
you have for ftp & http is pretty ingenious, and a good
hack around it, but it all comes back to the same thing -
all accesses to the inside have to be as a direct result
of the proxy forwarding the connection.

From the samba documentation (smbmount.8) man page:

smbmount "\\server\tmp" -c 'mount /mnt -u 123 -g 456'

(to  mount  the  tmp  share  of server on /mnt, giving it a
local uid 123 and a local gid 456.)

Instead of using /mnt, you'd just replace it with the new
directory you created in your web server tree.

Once you have mounted the remote directory, I see no reason
you couldn't just create a new samba share using that very
directory, ie:

# in /etc/smb.conf
# (the section name below is an example; a share needs one, any name works)
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes

Then just HUP smbd & you're in business.

Of course, this mount point could be anywhere you
want, not necessarily in the web server tree.  Also,
if anybody connects to your new share using NT, they
will be using encrypted passwords, and it won't work
without creating a /etc/smbpasswd (and a few other
small mods if I recall), so test it from a Win 95 box.

The IP_Masquerading mini-HOWTO quite plainly states that talk
will not work.

As far as samba, my proxy users don't see anything in their
"Network Neighborhoods", but they can still map network drives
on the "real" LAN.  (I'm not running any samba services on the
Masqing host either...)

And what do you mean the outer net passes right through to the
inner net?  You shouldn't be able to see a thing on the private
network (except from the proxy box itself, of course).
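
A check for the re-share setup described above, as an added example that is not part of the original thread: it parses smb.conf text and lists shares that are both guest-accessible (`public` / `guest ok`) and writable, which is the combination the posted share has once the proxy offers it to the outside network. The `[webshare]` section name, the other sample shares and the function names are constructed for illustration, and only per-share parameters are evaluated, not `[global]` settings.

```python
import configparser

# Samba boolean spellings and parameter synonyms (smb.conf(5)).
TRUE = {"yes", "true", "1", "on"}
GUEST_KEYS = ("public", "guest ok")
WRITE_KEYS = ("writeable", "writable", "write ok")  # inverse of "read only"

# Constructed sample: the share from the post plus two made-up shares.
SAMPLE_CONF = """
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes
[docs]
   path = /srv/docs
   guest ok = yes
[staff]
   path = /srv/staff
   writeable = yes
   valid users = alice
"""

def _flag(section, keys):
    """First matching boolean parameter in the section, else False."""
    for key in keys:
        if key in section:
            return section[key].strip().lower() in TRUE
    return False

def risky_shares(conf_text):
    """Return [(share, path)] for shares allowing guest access AND writes."""
    # smb.conf indentation is cosmetic; strip it so configparser does not
    # treat indented lines as continuations of the previous value.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    found = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        # Samba defaults: guest ok = no, read only = yes.
        if "read only" in sec:
            writable = not _flag(sec, ("read only",))
        else:
            writable = _flag(sec, WRITE_KEYS)
        if _flag(sec, GUEST_KEYS) and writable:
            found.append((name, sec.get("path", "")))
    return found

if __name__ == "__main__":
    print(risky_shares(SAMPLE_CONF))
```
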
Vitenka (Author) Commented:
Yes, I know the HOWTO says that TALK won't work, I'm wondering if anyone out here has fixed that bug.

Can you?  I'll try - but I really need to be able to browse servers, 'cos the network is very jumpy - lots of hosts arriving and vanishing.

No, I want all the services of the inner net visible to the outside world - especially the MS networking server.

It's not a bug that talk doesn't work - it's a feature that has
never been implemented.

My NT users on the proxy can do a "net view" and see all the
hosts on the network, so the netbios broadcasts are visible.

As far as wanting the outside world to see your inner hosts,
you're completely losing me here - that defeats the whole
purpose of a proxy.  Are you running real IP addresses behind
the masq'ing machine?  If that's the case, it sounds like the
linux box needs to be set up as a router, not a Masqing host.

Vitenka (Author) Commented:
I'm not trying to firewall people out of my inner network
I just want to run several real IPs off of one IP (ethernet) connection.
I only have one IP address to it - and want to have multiple hosts.
I don't mind if only one of the hosts' shares are visible to the outside world - but I want at least one - and it should be from a specific machine on the inner net.

Talk:  Fine, call it what you want.
It's broken, and since it's a common enough program, I thought _someone_ out there must have fixed it (fiona?)
Anyone else?
You say you want to run "several real IPs off of one IP
(ethernet) connection." but that you "only have one IP address".
I'm _assuming_ that you mean that you would like to run
several PRIVATE (ie. 192.168.x.x, or designated non-routable)
IP addresses behind that one machine with a real (ie. Internet
routable) IP address hooked up to the net.

This being the case, there is NO way that a machine with the
192.168.x.x (or "inner") address can be visible from the net.
The only possible way to see one of the inner machines would
be by connecting to the proxy first (telnet, ssh?) & then
using smbclient to access the shares on the internal network.

Alternatively, you could use smbmount to permanently mount
one of the internal shares on the proxy server in a subdirectory
of your webserver so that people could at least view that share
from the outside world.

Vitenka (Author) Commented:
Yes - I'm talking about some machines on a private 192.168. network; I only have one ip address inside the overall IP address space.

Are you sure?
I mean, I've got FTP and HTTP to work, by redirecting the ports...

Can't I get the proxy to advertise itself, but then pass the actual requests on to shares on the inner net for example?

Could I smbmount a directory, and then offer that as a share to the outside world?
(proxy server for samba?)

The samba mount idea - yes, that could work.
Would you give us some example config for that?
Vitenka (Author) Commented:
Urm - my local machines go to network neighbourhood and don't see anything.
How's yours set up for this bit of ipmasq?
Yes, my users don't see anything in network neighborhood (of
course - I _want_ it this way in my setup...)   They can still
map any share they want to though from Explorer (tools, map
network drive)  Then if they click "connect automatically at
boot time" or whatever, they'll get to permanently keep that

At one point I thought about setting up nmbd/smbd on the proxy
as a backup domain controller to broadcast netbios information
about the domain on the proxy side so that the network neighborhoods
would be populated internally, but I blew off that idea -
didn't want my techs to be able to run around my servers.
Vitenka (Author) Commented:

The samba fix sounds workable.

Anyone with a talk feature implementation?

Question has a verified solution.