Re: NetBIOS? problem
I use NAT with a number of SMB machines successfully.
I was not able to get all services behind the firewall.
There must be a WINS service that provides the munged addresses.
If you want it to respond to broadcasts (proxy) then it should be
on the same network.
You will probably want a WINS server inside too to provide real addresses to
the NAT'd network.
On one network (where I control the DHCP) I set the windows boxes to
only use WINS, and assigned a WINS service, otherwise you'll need to
manually set a WINS server on the box.
The domain authentication ended up being separate from the WINS
service (this was because of some domains authentication being NT and
some being Linux), even the NT domains use SAMBA WINS service.
I found I could not use Microsoft's WINS services because
of its promiscuous nature, use the SAMBA NG 2.2+ stuff instead, it is stable
and doesn't overwrite static settings on whim of the owner of the name.
Announces from inside the NAT'd net to the outside WINS service can still
screw it up, so don't do that.
One of the problems with authentication is it always uses a broadcast,
which I never successfully NAT'd to the inside, and even then the perspective
inside was wrong, so the embedded addresses didn't make sense to the asker
(as Joerg Wendland noted).
A piece of /var/state/samba/wins.dat outside the NAT.
(a bare bones samba only box)
"^A^B__MSBROWSE__^B#01" 1005304692 255.255.255.255 84R
"SMBDOMAIN#00" 0 255.255.255.255 c4R
"SMBDOMAIN#1b" 0 10.3.0.88 44R
"SMBDOMAIN#1c" 0 10.3.0.89 e4R
"SMBDOMAIN#1e" 0 255.255.255.255 c4R
You can also do
"SMBDOMAIN#00" 0 10.3.0.88 255.255.255.255 c4R
10.3.0.88 is the public wins server giving NAT'd addresses.
1c is the domain authentication
10.3.0.89 is a sacrificial (bare bones) backup domain server (NT) to the domain
server on the NAT'd network, they keep synchronized fine, as long as they
use their local wins servers to locate each other.
If you have a choice, I'd use the samba domain authentication instead.
I really need to write more of this down. I'd be glad to help with
with writing the code for IP-tables modules to fix some of these kludges,
although I don't think it can overcome all the issues.
P.S. I don't read the list in anything close to real time if you
expect a prompt answer, sorry.
On Fri, Nov 02, 2001 at 10:29:01AM +0100, Joerg Wendland wrote:
> On Fri, Nov 02, 2001 at 01:52:39PM +0500, Antropov Anton wrote:
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> You are using NAT with NetBIOS, that's the Problem. I am currently
> working on conntrack and nat_helper modules to circumvent the problems
> you are experiencing, but I am still in early planning phase.
> The actual problem is, that some NetBIOS packets carry IP addresses in their
> payload that is not taken care of in the netfilter code. Examples are WINS
> messages via NetBIOS-ns (137/udp) and Domain-Logon via NetBIOS-dgm (138/udp).
> I recommend using routing for these purposes instead of NAT until some
> solution like my netfilter modules is available.
> HTH, Joerg
> | Joerg Wendland (system management) | Debian Developer |
> | Network Operation Center Scan-Plus GmbH | fon +49-731-92013-21 |
> | Moerikestrasse 5, D-89077 Ulm, Germany | fax +49-731-6027146 |
> | PGP-key: 51CF8417 (FP: 79C0 7671 AFC7 315E 657A F318 57A3 7FBD 51CF 8417) |
"He who fights with monsters should look to it that he himself does not
become a monster...when you gaze long into the abyss the abyss also gazes
into you." -Friedrich Nietzsche