
Re: Validating NT through a natting firewall



There are the old SMB protocol rules that say one authenticated connection
for one IP; these could be hanging you up.  I would bypass winblows
altogether with samba and have it forward (by resharing mounted shares)
all the shares/authentication.

Another thing you could try is using tcpdump or iptraf to see what, if any,
connections you're not allowing.  Also giving the nat box one IP for each IP
it's NATing for might fix the problem, but defeat the purpose of the nat.

--- Leonardo Boselli <leo@dicea.unifi.it> wrote:
> This is not a strictly Debian problem, but I hope someone could help me: I
> have two NT4 servers (PDC and BDC) on a subnet a.b.c.0/24. I have a
> number of Win2000 with some NT4, XP clients and some Win2k and
> samba servers. All are happy within the subnet. For local policy I have
> four in an area that has some security concern, so these are behind a
> Linux (sarge with 2.4.25) gateway acting as a natting firewall. So this
> firewall is set so that every host "inside the area" gets a number by DHCP in
> 192.168.19.20 to 150.217.19.188. Only four machines (one NT4 and
> three Win2k) have fixed addresses 192.168.19.194 to .197. On the gateway
> there is an iptables as:
> -A PREROUTING -s a.b.c.0/255.255.255.0 -d a.b.c.194 -j DNAT --to-destination 192.168.19.194
> -A POSTROUTING -s 192.168.19.194 -j SNAT --to-source a.b.c.194
> 
> I have added to the domain the four administrators' hosts (by just
> plugging directly into the main network with a temporary number).
> This way for those 4 machines all ports are open.
> All services run smoothly except that if I try from one of such machines
> to login as a non-local user or try to add permission for a user on the
> server, the machines invariably say that they cannot access the main server. I
> have also added in lmhosts the address of the PDC and BDC with #PRE
> #DOMLMYDOMAIN but no success. It seems that these machines cannot validate
> to the server through the natting firewall (that incidentally does not
> firewall anything for those 4 addresses, just shifts the addresses both ways!)
> Can you help me ????
> 
> --
> Leonardo Boselli
> Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
> Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze
> tel +39 0554796431 cell +39 3488605348 fax +39 055495333
> http://www.dicea.unifi.it/~leo
> 
> 
> 



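One way to write out the one-to-one DNAT/SNAT pairs quoted above for all four fixed-address hosts, and the tcpdump filter the reply suggests for the NetBIOS/SMB ports, as an added example that is not from either post. It only prints the commands rather than applying them; 203.0.113.0/24 is a constructed stand-in for the poster's a.b.c.0/24, and eth0 is an assumed interface name.

```shell
#!/bin/sh
# Added example (not from the list thread): generate the per-host NAT rules
# of the kind quoted in the post, one DNAT (inbound, PREROUTING) and one SNAT
# (outbound, POSTROUTING) pair per inside host, instead of typing each by hand.
# Nothing is applied; pipe the output into sh on the gateway to use it.

PUBLIC_NET="203.0.113.0/24"   # constructed stand-in for the poster's a.b.c.0/24
PUBLIC_PREFIX="203.0.113"     # stand-in for a.b.c
INSIDE_PREFIX="192.168.19"    # inside network from the post
HOSTS="194 195 196 197"       # the four fixed-address machines (.194 to .197)

# nat_pair PUBLIC INSIDE: print the DNAT rule that maps the public address to
# the inside host, and the matching SNAT rule for the host's outbound traffic.
nat_pair() {
    pub="$1"; inside="$2"
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -j DNAT --to-destination %s\n' \
        "$PUBLIC_NET" "$pub" "$inside"
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' \
        "$inside" "$pub"
}

# all_rules: one DNAT/SNAT pair per host, keeping the same last octet on both
# sides as the post does (.194 <-> .194).
all_rules() {
    for h in $HOSTS; do
        nat_pair "$PUBLIC_PREFIX.$h" "$INSIDE_PREFIX.$h"
    done
}

# rule_count: number of rule lines generated (two per host).
rule_count() { all_rules | wc -l | tr -d ' '; }

# capture_cmd INSIDE_HOST: tcpdump command for the NetBIOS/SMB ports (137-139
# and 445) to and from one inside host, to see which connections the gateway
# is or is not passing. eth0 is an assumed interface name.
capture_cmd() {
    printf "tcpdump -ni eth0 'host %s and (port 137 or port 138 or port 139 or port 445)'\n" "$1"
}

all_rules
capture_cmd "$INSIDE_PREFIX.194"
```

Run it on the gateway and compare the printed rules with `iptables -t nat -L -n` to check that each of the four hosts has exactly one public address mapped to it in both directions; the capture line then shows whether the domain-validation traffic is actually leaving and returning with the expected addresses.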


