Hiding Samba behind a firewall

Guillaume Lécroart dummy.goug at free.fr
Thu Oct 4 07:31:51 GMT 2001


Hi,
 
I'm trying to hide a samba server behind a netfilter firewall.
Hiding means that the "external" machines should reach the "internal"
samba server using the firewall's external address.
I'm using DNAT to forward packets to port 139 of the firewall to port
139 of samba server, as well as SNAT to make packets coming from the
samba server get the firewall's external source address. For SMB
traffic, it works fine.
 
For nmbd it becomes a little harder: machines on network A are using a
WINS server. I can't get control of the WINS server to add a static
mapping, nor change the machines' WINS/LMHOST configuration. My only solution
is to have the samba server register against the external WINS server.
 
The problem is that even if the 137/udp packet is SNATed by the
firewall, the samba server appears with its private address in the WINS
server because the NBNS Ucast packet includes the registrar's address.
 
As a workaround, I can decide to run nmbd -n <samba_server_nb_name> only
on the firewall, and let it announce itself with the correct address and
forward smb traffic to the other box.  But except sshd, I do not want
any listening service to run on the firewall (I guess any real
security-involved people can understand that).
 
My questions are the following:
 
Is there a way to make nmbd use a specific address in the Addr: field of
the Registration Request it sends to a WINS server?
 
Is there any project regarding a masquerading module for this kind of
traffic in the netfilter community?
 
Thanks in advance and regards,
 
Guillaume
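
The mismatch described in the message above, as an added example that is not part of the original post: it builds an RFC 1002 unicast Name Registration Request, applies a source-address rewrite the way SNAT does, and shows that the NB_ADDRESS inside the payload is unchanged. The host name SAMBASRV, the addresses 192.168.1.10 and 203.0.113.1, and the (source, payload) tuple standing in for a UDP datagram are constructed for illustration.

```python
import ipaddress
import struct

NB, IN = 0x0020, 0x0001  # RR type NB, class IN (RFC 1002)

def encode_name(name, suffix=0x20):
    """First-level encoding: pad to 15 chars, add suffix byte, split into nibbles."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + half + b"\x00"

def build_registration(name, addr, trn_id=0x1234, ttl=300000):
    """Unicast registration: opcode 5, RD set, one question, one additional RR."""
    header = struct.pack(">HHHHHH", trn_id, 0x2900, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", NB, IN)
    rdata = struct.pack(">H", 0) + ipaddress.IPv4Address(addr).packed  # NB_FLAGS, NB_ADDRESS
    rr = b"\xc0\x0c" + struct.pack(">HHIH", NB, IN, ttl, len(rdata)) + rdata
    return header + question + rr

def registered_address(payload):
    """Return the NB_ADDRESS the request asks the WINS server to record."""
    if len(payload) < 52:
        raise ValueError("too short for a name registration request")
    flags, qd, _an, _ns, ar = struct.unpack(">HHHHH", payload[2:12])
    if (flags & 0x8000) or ((flags >> 11) & 0x0F) != 5 or qd != 1 or ar != 1:
        raise ValueError("not a name registration request")
    off = 12 + 34 + 4                                    # header, question name, type/class
    off += 2 if (payload[off] & 0xC0) == 0xC0 else 34    # RR_NAME: pointer or full name
    if len(payload) < off + 16:
        raise ValueError("truncated NB resource record")
    rr_type, _cls, _ttl, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
    if rr_type != NB or rdlen < 6:
        raise ValueError("malformed NB resource record")
    return ipaddress.IPv4Address(payload[off + 12:off + 16])  # skip 2-byte NB_FLAGS

def snat(datagram, external_ip):
    """Model of SNAT: the IP source changes, the UDP payload is passed through."""
    _src, payload = datagram
    return (external_ip, payload)

def nat_mismatch(datagram):
    """True when the IP source differs from the address carried in the payload."""
    src, payload = datagram
    return ipaddress.IPv4Address(src) != registered_address(payload)

if __name__ == "__main__":
    inside = ("192.168.1.10", build_registration("SAMBASRV", "192.168.1.10"))
    outside = snat(inside, "203.0.113.1")
    print("source seen by WINS:", outside[0])
    print("address WINS records:", registered_address(outside[1]))
```

Running `nat_mismatch` over registration requests captured on the external interface is a quick way to confirm whether an internal address is still reaching the WINS server.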


More information about the samba-technical mailing list