IP Masquerading.  TALK and SAMBA

Posted on 1998-10-23
Last Modified: 2010-04-20
I've got IP Masquerading set up pretty thoroughly on my linux box.
It's had its kernel downgraded so that ipmasq works again (none of that ipchains stuff - I didn't understand that)

Any how - how do I get the following working?

1.  Talk.  Dammit - it's TALK! People _must_ know the answer to this - EVERYONE has talk.
Sorry - rant over.
Basically skulk (that's the firewall box) seems to route ALL talk packets to the inner net - even those that should be outgoing.
How do I get talk to work transparently through it?

2.  SAMBA.
The local net gets entirely isolated from the rest of the outer net.
The windows machines on the inside can't see out, they can't even see the samba running on skulk.

And the outside world doesn't acknowledge the sub-net's existence.
What I'd _really_ like is...
The inner net sees skulk as a samba server on its net.
The outer world passes straight through to the inner net.
(It's only one machine, actually)
The inner net can also see out past skulk.

I'd also like to be able to toggle this to flip it so that the outside world can only see skulk.
I've already got that working for http and ftp - but samba and talk don't seem to want to cooperate.
Question by: Vitenka

Expert Comment

The IP_Masquerading mini-HOWTO quite plainly states that talk
will not work.

As far as samba, my proxy users don't see anything in their
"Network Neighborhoods", but they can still map network drives
on the "real" LAN.  (I'm not running any samba services on the
Masqing host either...)

And what do you mean the outer net passes right through to the
inner net?  You shouldn't be able to see a thing on the private
network (except from the proxy box itself, of course).

Author Comment

Yes, I know the HOWTO says that TALK won't work, I'm wondering if anyone out here has fixed that bug.

Can you?  I'll try - but I really need to be able to browse servers, 'cos the network is very jumpy - lots of hosts arriving and vanishing.

No, I want all the services of the inner net visible to the outside world - especially the MS networking server.


Expert Comment

It's not a bug that talk doesn't work - it's a feature that has
never been implemented.

My NT users on the proxy can do a "net view" and see all the
hosts on the network, so the netbios broadcasts are visible.

As far as wanting the outside world to see your inner hosts,
you're completely losing me here - that defeats the whole
purpose of a proxy.  Are you running real IP addresses behind
the masq'ing machine?  If that's the case, it sounds like the
linux box needs to be set up as a router, not a Masqing host.


Author Comment

I'm not trying to firewall people out of my inner network
I just want to run several real IPs off of one IP (ethernet) connection.
I only have one IP address to it - and want to have multiple hosts.
I don't mind if only one of the hosts' shares are visible to the outside world - but I want at least one - and it should be from a specific machine on the inner net.

Talk:  Fine, call it what you want.
It's broken, and since it's a common enough program, I thought _someone_ out there must have fixed it (fiona?)
Anyone else?

Expert Comment

You say you want to run "several real IPs off of one IP
(ethernet) connection." but that you "only have one IP address".
I'm _assuming_ that you mean that you would like to run
several PRIVATE (ie. 192.168.x.x, or designated non-routable)
IP addresses behind that one machine with a real (ie. Internet
routable) IP address hooked up to the net.

This being the case, there is NO way that a machine with the
192.168.x.x (or "inner") address can be visible from the net.
The only possible way to see one of the inner machines would
be by connecting to the proxy first (telnet, ssh?) & then
using smbclient to access the shares on the internal network.

Alternatively, you could use smbmount to permanently mount
one of the internal shares on the proxy server in a subdirectory
of your webserver so that people could at least view that share
from the outside world.


Author Comment

Yes - I'm talking about some machines on a private 192.168. network; I only have one ip address inside the overall IP address space.

Are you sure?
I mean, I've got FTP and HTTP to work, by redirecting the ports...

Can't I get the proxy to advertise itself, but then pass the actual requests on to shares on the inner net for example?

Could I smbmount a directory, and then offer that as a share to the outside world?
(proxy server for samba?)

The samba mount idea - yes, that could work.
Would you give us some example config for that?

Author Comment

Urm - my local machines go to network neighbourhood and don't see anything.
How's yours set up for this bit of ipmasq?

Accepted Solution

xterm earned 70 total points
I'm one hundred percent positive nobody can see your
internal machines directly.  The port redirector that
you have for ftp & http is pretty ingenious, and a good
hack around it, but it all comes back to the same thing -
all accesses to the inside have to be as a direct result
of the proxy forwarding the connection.

From the samba documentation (smbmount.8) man page:

smbmount "\\server\tmp" -c 'mount /mnt -u 123 -g 456'

(to  mount  the  tmp  share  of server on /mnt, giving it a
local uid 123 and a local gid 456.)

Instead of using /mnt, you'd just replace it with the new
directory you created in your web server tree.

Once you have mounted the remote directory, I see no reason
you couldn't just create a new samba share using that very
directory, ie:

# in /etc/smb.conf
# (the share needs a section header; [webshare] is an assumed name,
#  the original snippet left it out)
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes

Then just HUP smbd & you're in business.

Of course, this mount point could be anywhere you
want, not necessarily in the web server tree.  Also,
if anybody connects to your new share using NT, they
will be using encrypted passwords, and it won't work
without creating a /etc/smbpasswd (and a few other
small mods if I recall), so test it from a Win 95 box.
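The share definition in the accepted answer re-exports an internal share with guest access switched on and read-only switched off, to every host that can reach the masquerading box. The following added example (not from this thread, and not Samba's own code) is a small checker that parses smb.conf text and flags share definitions of that shape, handling Samba's option synonyms ("public" for "guest ok", "writable"/"writeable" as the inverse of "read only") and its last-setting-wins rule. The sample configuration it parses is constructed for the example.

```python
"""Audit smb.conf text for shares exposed more widely than intended.

Added example, not from the thread or from Samba. The sample
configuration below is constructed: it contains a share of the kind
the accepted answer describes beside a tighter one for comparison.
"""

# Constructed sample smb.conf (not any real host's configuration).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user

# share re-exported from the internal LAN, as in the accepted answer
[webshare]
   comment = share for the world to see
   path = /home/httpd/html/webshare
   read only = no
   public = yes

[internal]
   comment = staff only
   path = /srv/internal
   read only = yes
   guest ok = no
   hosts allow = 192.168.
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}}.

    Option names are lower-cased with internal whitespace collapsed,
    which is how Samba matches them ("Read Only" == "read only").
    Lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # option outside any section, or malformed line
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def _is_true(value):
    return value is not None and value.strip().lower() in TRUE_WORDS


def share_is_guest(opts):
    # "public" is Samba's synonym for "guest ok"
    return _is_true(opts.get("guest ok")) or _is_true(opts.get("public"))


def share_is_writable(opts):
    writable = False  # Samba's default is read only = yes
    for key, value in opts.items():  # last setting wins, as in Samba
        if key == "read only":
            writable = not _is_true(value)
        elif key in ("writable", "writeable"):
            writable = _is_true(value)
    return writable


def audit_shares(sections):
    """Return (share, finding) tuples for risky share definitions."""
    findings = []
    for name, opts in sections.items():
        if name in ("global", "homes", "printers"):
            continue
        guest = share_is_guest(opts)
        writable = share_is_writable(opts)
        restricted = "hosts allow" in opts
        if guest and writable:
            findings.append((name, "guest-accessible and writable"))
        if guest and not restricted:
            findings.append((name, "guest-accessible with no 'hosts allow' restriction"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] {finding}")
```

Run against the sample, the checker reports [webshare] twice and [internal] not at all; pointing it at a real /etc/smb.conf is a one-line change (read the file instead of the constant). A share that must be reachable from outside is better served by "guest ok = no" with an smbpasswd entry, "read only = yes" unless writes are really wanted, and a "hosts allow" line naming the networks that should see it.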


Expert Comment

Yes, my users don't see anything in network neighborhood (of
course - I _want_ it this way in my setup...)   They can still
map any share they want to though from Explorer (tools, map
network drive)  Then if they click "connect automatically at
boot time" or whatever, they'll get to permanently keep that

At one point I thought about setting up nmbd/smbd on the proxy
as a backup domain controller to broadcast netbios information
about the domain on the proxy side so that the network neighborhoods
would be populated internally, but I blew off that idea -
didn't want my techs to be able to run around my servers.

Author Comment


The samba fix sounds workable.

Anyone with a talk feature implementation?

