Adam Skogman wrote:
>
> > Some of my users have windows in dual boot situations but the NetBIOS ports are
> > dead locally (yep, no Samba) and onto the internet, so their windows are without
> > network services locally and without support as well (and for that matter,
> > their Network Neighborhoods aren't loaded with the info for the system) So if
> > they want to get beyond their boxes, they need to use the friendly linux
> > installations on their desktops.
>
> Ok, but I do want to use the network neighborhood, so this is not a good solution.
> Can't I simply put the windows machine behind the linux machine and enable IP
> forwarding? Ok, I don't get more protection for the win machine, but so what. I
> really need filesharing.
>
> /Adam
Sure, that will work, just as I said. You will be protected
against some of the nasties like winnuke which floods 139,
because it can be closed externally (on eth1 which goes out to
the internet). Your netBIOS business doesn't need to go to the
internet anyway, and if it did it would go out on a masquerade
port and come back that way. In order to enforce the policy of
no Windows from/to here, I was forced to disable local Network
Neighborhoods and close NetBIOS ports to all traffic. The three
line masquerading I gave you will work just fine with Windows.
To enable windows for it you do this....
Method 1: dhcpd on the linux box and let Network neighborhood
find your IP. Set the gateway on the winbox to the local (eth0)
IP of the linux box, not to the external one because windows has
very little routing ability. Similarly, the host there should be
the hostname of the linux box.
Method 2: Say the address of the linux box eth0 is
192.168.0.10--then make the windows box 192.168.0.11 and its
linux boot say 192.168.0.12 and any other machine
192.168.0.13,-14,-15 and so on. Set Network
Neighborhood->Properties->TCP/IP->Properties so that it has that
address as a static IP with netmask 255.255.255.0 and Gateway
192.168.0.10. Put in the DNS servers you will use explicitly. If
you don't know them, then from the linux box do this
# host -a <an IP or fqdn of a server in the network you are
connected to>.
Note the ENDING period so you don't get searched first
Part of the return you get will say for authoritative answers
contact the following
(usually three IPs and two of them are DNS servers, almost always
with NS1. and NS2. in their fqdns).
In some circumstances you will need the DNS servers in both
situations.
Remember to set whatever ftp client you use from the nodes behind
the firewall to PASSIVE, else the port commands issued will be
malformed and will break FTP dialogues.
And no, masquerading is not forwarding. Forwarding is a whole
lot more dangerous and the only thing it will permit is the use
of active FTP commands which are unnecessary unless you are a
hacker using an FTP bounce or perhaps a few other rare
situations. The linux box is taking your forwarded stuff from
your boxes and sending it out with itself as return address and
with a port number for the return packet that it associates with
your machine and the correct port number. On return, the
demasquerade sends the reply packet to the proper machine and
port.
From the outside, if you are forwarded and on IRC in windows, and
I am a 14-year-old script kiddie acting like a 14-year-old, here
comes winnuke, and it is sent to port 139 on your machine ....
Boom, you are booted.
From the outside, if you are masqueraded, and winnuke comes at
the IP the kiddie sees, it splashes harmlessly against the linux
box, because to get to your windows port 139 he would have had to
send the exploit against some port in the range 1024-65535 and in
fact the one that matches up to demasquerading to 139 for your
machine. Moreover, your windows box would have had to initiate
some communication to the internet from that port, or using that
as a return port or there is not likely to be an entry in the
masquerade table for it.
For more information on the IP masquerade, use a search engine
for web sites that mention it--there are a couple of really
well-written ones out there. The authoritative info is of course
the source of the linux kernel since masquerading is implemented
there.
Neither forwarding nor masquerading is likely to do much about
your bandwidth situation, of course. Strangely, I found a 56K
modem adequate for a masquerade of 17 business users onto the
internet, and most had some sort of webmail that they checked,
but that is not a bunch of students downloading anything they
find interesting.
Civileme
--
experimentation involving more than 500 trials with an
ordinary slice of bread and a tablespoon of peanut butter
has determined that the probability a random toss will
land sticky side down (SSD) is approximately .98
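The masquerade-versus-forwarding argument in the reply above, as an added toy model that is not part of the original thread: a masquerade table gets an entry only when an inside box (the windows box at 192.168.0.11, behind the linux box's eth0 at 192.168.0.10) starts a flow, so a reply to that flow is demasqueraded, while an unsolicited packet to port 139 (or a guess at a masquerade port from some other source) stops at the linux box; plain forwarding, by contrast, simply routes to the inside address. The outside address 203.0.113.5, the IRC server and attacker addresses, and the sequential port allocation are constructed assumptions of the model, not how any particular kernel picks ports.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses following the thread: the linux box's eth1 (internet) address
# is an assumed documentation-range value; inside boxes live in 192.168.0.0/24.
GATEWAY_OUTSIDE, WINBOX = "203.0.113.5", "192.168.0.11"
MASQ_PORT_MIN, MASQ_PORT_MAX = 1024, 65535


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Toy model of the kernel masquerade table: one entry per flow an inside box started."""

    def __init__(self) -> None:
        # masquerade port -> (inside ip, inside port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.next_port = MASQ_PORT_MIN  # assumption: ports handed out sequentially

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an outgoing packet so the linux box is its return address."""
        if self.next_port > MASQ_PORT_MAX:
            raise RuntimeError("masquerade port range exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(GATEWAY_OUTSIDE, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Demasquerade a reply; anything without a matching entry stops at the linux box."""
        entry = self.table.get(pkt.dport) if pkt.dst == GATEWAY_OUTSIDE else None
        if entry is None or (pkt.src, pkt.sport) != entry[2:]:
            return None  # no flow for that port, or a stranger guessing it: dropped here
        return Packet(pkt.src, pkt.sport, entry[0], entry[1])


def plain_forwarding(pkt: Packet) -> Optional[Packet]:
    """Contrast: with plain IP forwarding the box just routes to any inside address."""
    return pkt if pkt.dst.startswith("192.168.0.") else None
```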