/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

Hello all,

We have recently encountered a problem that seems to be indirectly related to IP MASQ. We have a Debian box running kernel 2.2.17 which connects to the Internet through a cable modem. Internally we use IP masquerading with private addresses. We routinely connect to our Web servers over the Internet through Windows Networking (SMB) (... I know... It isn't very secure.). Until a few weeks ago the servers were running NT 4.0 and everything was fine. However, over the holidays, we upgraded our server to Win2K and the problems began. The problem only occurs when connecting to a Win2K machine from a Win2K machine.

I will provide a little bit of background, since this is a *nix oriented mailing list... Microsoft, in all of their wisdom (sarcasm implied...), has decided to change how Windows networking will work with Win2K. No longer will Windows use NetBIOS over TCP... gone are the familiar ports 137, 138 & 139 (netbios-ns, netbios-dgm & netbios-ssn). Win2K is now dual-mode and will first try to connect using SMB directly on TCP on port 445, as well as the old ones for backward compatibility. See MS KB Article Q204279 (http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP) for more details.

The problem is basically a random loss of connection for the network shares in use... The developers will be making changes or copying a few files over only to have it fail after the first few. It does work as it should periodically. This problem only exists while the sessions are being masqueraded. I have given several of the developers public IPs and connected them directly to the cable modem and the problem goes away. I should also note that I have no problems with masquerading itself; it works great for everything else.

I fear that this problem may need a radical solution, such as a new module being created, but I would appreciate any suggestions.

All hope is not lost however... While writing this I realized I could force Win2K to use the backward compatibility mode by blocking port 445. I have added the following line to my init script:

    /sbin/ipchains -A input -p TCP -s 192.168.3.0/24 -d 0/0 445 -j DENY

So far so good... It seems to be working, but we haven't really tested it yet.

Here's what I *was* running to initiate masquerading:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -M -S 7200 10 160
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ    # Head Office Employees
    /sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ    # Remote Office Employees
    /sbin/ipchains -A forward -s 192.168.3.0/24 -j MASQ    # Developers

    # Set up transparent Proxy
    /sbin/ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
    /sbin/ipchains -A input -p TCP -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 8080    # Redirect users to SQUID
    /sbin/ipchains -A input -p TCP -s 192.168.2.0/24 -d 0/0 www -j REDIRECT 8080    # Redirect users to SQUID

    # Set up port forwarding
    /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 80 -R 192.168.3.109 80        # Production Web Server
    /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 2000 -R 192.168.3.109 2000    # RA for Production Web Server
    /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 5631 -R 192.168.3.13 5631     # Orion PCAnywhere
    /usr/sbin/ipmasqadm portfw -a -P udp -L x.x.x.x 5631 -R 192.168.3.13 5631     # Orion PCAnywhere
    /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 5632 -R 192.168.3.13 5632     # Orion PCAnywhere
    /usr/sbin/ipmasqadm portfw -a -P udp -L x.x.x.x 5632 -R 192.168.3.13 5632     # Orion PCAnywhere

Thanks,
Bob.

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
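To see how the input-chain DENY rule in the post changes the verdict for a Win2K client's two connection attempts (port 445 first, then the NetBIOS session port), the following added Python example (an editorial illustration, not the author's script) parses a subset of the ipchains rules from this post and evaluates first-match verdicts for constructed packets. It assumes a tiny SERVICES table standing in for /etc/services, test addresses chosen here (192.168.3.20, 203.0.113.10), and simplified matching: no interfaces, no SYN flags, no source-port matching.

```python
import ipaddress

# Constructed subset of the post's ipchains rules, in ipchains' own syntax ('www' = port 80).
RULES_TEXT = """
-A input -p TCP -s 192.168.3.0/24 -d 0/0 445 -j DENY
-A input -p TCP -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 8080
-A forward -s 192.168.1.0/24 -j MASQ
-A forward -s 192.168.3.0/24 -j MASQ
"""
POLICIES = {"input": "ACCEPT", "forward": "DENY"}  # "-P forward DENY"; input left at default
SERVICES = {"www": 80, "netbios-ssn": 139, "microsoft-ds": 445}  # assumed /etc/services subset
def _net(text):
    """ipchains writes 'any address' as 0/0; ipaddress needs a dotted quad."""
    addr, _, bits = text.partition("/")
    return ipaddress.ip_network(f"{'0.0.0.0' if addr == '0' else addr}/{bits or 32}", strict=False)

def parse_rules(text):
    """Parse '-A chain [-p proto] [-s net [port]] [-d net [port]] -j target' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        r = {"chain": t[1], "proto": None, "src": _net("0/0"), "dst": _net("0/0"), "dport": None, "target": None}
        i = 2
        while i < len(t):
            if t[i] == "-p":
                r["proto"] = t[i + 1].lower()
            elif t[i] in ("-s", "-d"):
                r["src" if t[i] == "-s" else "dst"] = _net(t[i + 1])
                if i + 2 < len(t) and not t[i + 2].startswith("-"):  # optional port follows
                    if t[i] == "-d":  # a port after -s is a source port; not matched here
                        r["dport"] = SERVICES.get(t[i + 2]) or int(t[i + 2])
                    i += 1
            elif t[i] == "-j":
                r["target"] = " ".join(t[i + 1:])  # e.g. "REDIRECT 8080"
                break
            i += 2
        rules.append(r)
    return rules

RULES = parse_rules(RULES_TEXT)
def verdict(chain, proto, src, dst, dport):
    """First matching rule wins, as in ipchains; otherwise the chain's default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if r["chain"] != chain or (r["proto"] and r["proto"] != proto):
            continue
        if s in r["src"] and d in r["dst"] and r["dport"] in (None, dport):
            return r["target"]
    return POLICIES.get(chain, "ACCEPT")
```

The 445 attempt from a developer host is denied on the input chain before it can reach the forward chain's MASQ rule, while the 139 attempt falls through to the input chain's ACCEPT policy and is then masqueraded; a UDP packet to 445 is untouched because the rule is TCP-only.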
