[Shorewall-users] Netbios

Drew Alexander Reed D.A.Reed@c-hacker.co.uk
Wed, 24 Apr 2002 11:01:36 +0100 (BST)


Hi
Sorry this took so long. Simon, read on and check this, could you.

Ok, our setup is as follows.

My subnet uses the address range 192.168.0.0/24 and Simon's is
192.168.11.0/24. We both have these subnets on our eth1 interface and our
eth0 is our internet connection. Next we set up samba to be both WINS
servers and domain servers for our local subnets (see the samba docs on how
to do this, or Simon could post one of our configs). Next we set up ipsec
between us using freeswan. This is a bit tricky so I'll detail it a bit.

First off, we both run debian and the debian config of freeswan includes
x509 certificate support.

When you install freeswan on debian testing it will also create a self
signed certificate for you and create 3 files:
    /etc/x509cert.der  - binary encrypted cert and key
    /etc/ipsec.d/<hostname>Cert.pem  - your public certificate
    /etc/ipsec.d/private/<hostname>Key.pem  - your private key (keep this safe)

Next swap <hostname>Cert.pem files with the other person and place their
file in your /etc/ipsec.d/ directory.

Now to configure freeswan.
The default config should look like this:
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # plutodebug="parsing emitting control"
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        overridemtu=1500



# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        #use certificates
        leftcert=icemanCert.pem
        #freeswan security gateway
        left=%defaultroute

The overridemtu line is important.

Now to add mappings for the tunnel to Simon:
# Connections to Simon's
conn simon
        # type=transport
        # Right security gateway, subnet behind it, next hop toward left.
        right=catandsimon.com
        rightcert=chinookCert.pem
        # auto=start authorizes this connection and brings it up at startup.
        auto=start

conn simon-nettonet
        leftsubnet=192.168.0.0/24
        # Right security gateway, subnet behind it, next hop toward left.
        right=catandsimon.com
        rightsubnet=192.168.11.0/24
        rightcert=chinookCert.pem
        # auto=start authorizes this connection and brings it up at startup.
        auto=start

conn simon-nettohost
        leftsubnet=192.168.0.0/24
        # Right security gateway, subnet behind it, next hop toward left.
        right=catandsimon.com
        rightcert=chinookCert.pem
        # auto=start authorizes this connection and brings it up at startup.
        auto=start

conn simon-hosttonet
        # Right security gateway, subnet behind it, next hop toward left.
        right=catandsimon.com
        rightsubnet=192.168.11.0/24
        rightcert=chinookCert.pem
        # auto=start authorizes this connection and brings it up at startup.
        auto=start

You need all 4, as each allows different connections:
The first is host-host, only using the internet addresses.
The second is subnet-subnet, using the private addresses.
The third is subnet-host, using my private address range to his public
address.
The last is host-subnet, using my public address to his private address.


This should bring up a complete tunnel.

Now to configure shorewall.
The important things to do are to allow all traffic on the ipsec0 interface
and not masq stuff from my subnet to his.
The masq file contains just:
#INTERFACE              SUBNET          ADDRESS
eth0                    eth1

So we don't masq traffic going out on ipsec0.

Simon, could you add your policy, rules, interfaces and zone files, as
mine are a bit more complex than yours.

This enables unhindered traffic between the subnets and our hosts on the
ipsec0 interface but only allows ipsec traffic on the external interface
eth0.


Lastly, add the following to both smb.conf files for samba:
   remote announce = 192.168.11.1
   remote browse sync = 192.168.11.1

This replicates all browse information between the subnets. Just for extra
info, Simon and I both use different workgroup names but I don't think this
is necessary.


Sorry it's not a complete walk through but it should get you started.

Simon Turvey said:
> Drew (who posted a few days ago) is my partner in crime in a
> setup not dissimilar to this.  If I shout loudly enough he might hear
> me and chip in with some info on how we accomplished a successful
> ipsec/samba/nat combination for the Windows machines on our networks.
> This permits SMB share browsing across the different workgroups hosted
> on servers that are quite some distance apart.
>
> As Tom said, you really need to do this using a VPN.  Any other way is
> jolly insecure and will definitely lead you to the dark side (as well
> as pollute your cable segment with hugely annoying NETBIOS traffic).
>
> Drew!  Are you there?!
>
> Simon
>
> ----- Original Message -----
> From: Aaron Axelsen
> To: shorewall-users@shorewall.net
> Sent: Monday, April 22, 2002 2:10 PM
> Subject: [Shorewall-users] Netbios
>
> I am on a LAN and my IP is obtained via DHCP, which my linux box then
> routes to my own little lan.  Is there a way for Netbios connections to
> get through the firewall and have access to all the PCs on my little
> lan connection? Or can I just route port 139 to the desired ip on my
> own lan?
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users


-- 
Drew Alexander Reed
http://www.c-hacker.co.uk
ICQ: 47205581
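As an added example (not from the post, and not FreeS/WAN's own code), a small Python audit of an ipsec.conf written in the style above: it merges conn %default into each conn, classifies each conn as host or subnet on either side so you can confirm that all four combinations Drew lists are actually present, and checks that every conn authenticates with certificates rather than a shared secret. The sample config is constructed from the post's four conns, condensed so the shared values sit in %default.

```python
# Constructed sample: the post's four conns condensed so the shared values
# (peer, certs, authby) live in %default; hostnames and cert names are the post's.
SAMPLE_CONF = """\
conn %default
        authby=rsasig
        left=%defaultroute
        leftcert=icemanCert.pem
        right=catandsimon.com
        rightcert=chinookCert.pem
conn simon
        auto=start
conn simon-nettonet
        leftsubnet=192.168.0.0/24
        rightsubnet=192.168.11.0/24
conn simon-nettohost
        leftsubnet=192.168.0.0/24
conn simon-hosttonet
        rightsubnet=192.168.11.0/24
"""

def parse_conns(text):
    """{conn_name: settings} with 'conn %default' merged in; a conn's own values win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line.startswith(("conn ", "config ")):  # section header, unindented
            current = sections.setdefault(tuple(line.split(None, 1)), {})
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **vals} for (kind, name), vals in sections.items()
            if kind == "conn" and name != "%default"}

def selectors(conns):
    """(left, right) kind per conn: 'subnet' if *subnet= is set, else 'host'."""
    return {n: ("subnet" if "leftsubnet" in c else "host",
                "subnet" if "rightsubnet" in c else "host") for n, c in conns.items()}

def missing_pairs(conns):
    """Host/subnet combinations no conn covers; empty means all four are present."""
    wanted = {(a, b) for a in ("host", "subnet") for b in ("host", "subnet")}
    return wanted - set(selectors(conns).values())

def all_cert_authenticated(conns):
    """True if every conn uses RSA signatures with a certificate named on each end."""
    return all(c.get("authby") == "rsasig" and "leftcert" in c and "rightcert" in c
               for c in conns.values())
```

Run `missing_pairs(parse_conns(open("/etc/ipsec.conf").read()))` on a gateway: a non-empty result names the host/subnet direction that would leave the tunnel and travel in the clear.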