Re: SMB traffic routing/blocking...

Linux Advanced Routing and Traffic Control

On 5/05/2011 9:45 a.m., Grant Taylor wrote:
> On 05/04/11 16:30, Don Gould wrote:
>> However I don't want people on 2.0 to be able to see computers in 3.0 or
>> 4.0, etc.
>
> What about 3.0 and 4.0 being able to see other subnets 2.0 / 4.0 and 2.0 / 3.0 (respectively)?

Sorry, my bad.

I want to block, drop, whatever, Microsoft networking... WINS? But I do want to permit internet networking (for want of some better terms).

I don't want users on the 2.0 network to see the 'shares' on the 3.0 networks in 'network neighbourhood'.

I know this could be achieved by simply putting everyone in different workgroups rather than the default of 'workgroup' (or 'home' depending on what version of Windows you're using). But I don't control the computers, so I can't do that.

If user 2.35 sets up WAMP on their PC, I do want 3.45 to be able to see that. http://192.168.2.35/ ... blar :)

>> So I need to drop some traffic unless it's heading to my NAS IP
>> (192.168.1.2 for sake of argument).
>
> Do you want to single out the NAS IP (192.168.1.2) specifically, or is the entire 1.0 network ok? (This makes little difference, just asking for clarity.)

What I want is... When a user browses the "network" (Windows term), I want them to see DonsNAS\192.168.x.0_Share. That's where I eventually want to end up.

Everyone on the x.0/24 network gets access to 1.xGb of shared space where they can put stuff they want to share with everyone else on their network. People on y.0/24 will have their share on the same NAS (which is actually a nice Debian box running Samba). The share is to be fully open to everyone in x.0 but not visible to people in y.0 etc.

Think in terms of a block of apartments where each apartment is getting a x.0/24. I'm wanting to give all the users in apartment 1 a network and some shared space so they can transfer files etc but I don't want the people in apartment 2 seeing the files of apartment 1. However I don't have control of the computers, so I can't do stuff like ACLs etc.



>> I do want users in 192.168.x.0/24 to be able to see each other though.
>
> Please elaborate on what you mean by "see each other". What services do you want to allow to communicate?

I don't want them to be able to 'browse the network', errr... I don't want them to be able to "browse" the other networks.



> Shooting from the hip, I'd say that you want a default of DROP (or REJECT at your preference) and allow traffic from 1.0 to the other networks 2.0 / 3.0 / 4.0 and stateful replies to said traffic.
>
> This would isolate the 2.0 / 3.0 / 4.0 networks from each other but still allow them to communicate with the 1.0 network.

Ya, that's not what I want. I only want to drop the SMB traffic. Is that port 137? Or do I need to drop more than that?

If I do what you just said then Skype between networks will break, won't it? Or will it travel out the public IP and transit to another peer?

Thanks for the help man :)

D


--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
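An added example (editor's code, not from Don or Grant and not part of the thread): a POSIX shell script that emits the iptables FORWARD rules for the set-up described above, so that only Microsoft file-sharing traffic is dropped between the tenant /24s while HTTP, Skype and everything else keeps flowing, and while the NAS stays reachable. To the "is that port 137?" question: NetBIOS over TCP/IP uses 137/udp (name service), 138/udp (datagram, which carries browse-list announcements) and 139/tcp (session); SMB hosted directly over TCP uses 445/tcp, which is what any Windows version from 2000 onward tries first. The chain name SMB_BLOCK, the subnet list, the NAS address 192.168.1.2 and the assumption that the Debian box is the router forwarding between the /24s are all assumptions for the example. By default the script only prints the rules (DRY_RUN=1); set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example: generate (or apply) iptables rules that drop NetBIOS/SMB
# between tenant networks but leave all other routed traffic alone.
# Subnet list, NAS address and chain name are assumptions, not from the thread.

NAS_IP="${NAS_IP:-192.168.1.2}"
TENANT_NETS="${TENANT_NETS:-192.168.2.0/24 192.168.3.0/24 192.168.4.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = call iptables (needs root)

# Wrapper so the same rule list can be previewed or applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# SMB_BLOCK: the ports Windows file sharing and browsing actually use.
#   137/udp NetBIOS name service, 138/udp NetBIOS datagram (browse lists),
#   139/tcp NetBIOS session, 445/tcp SMB direct over TCP.
# Only initial-direction packets match (destination port), so replies coming
# back from a server port are never caught and no conntrack rule is needed.
smb_block_rules() {
    ipt -N SMB_BLOCK
    # Shared space on the NAS must stay reachable from every tenant network.
    ipt -A SMB_BLOCK -d "$NAS_IP" -j RETURN
    ipt -A SMB_BLOCK -p udp -m multiport --dports 137,138 -j DROP
    ipt -A SMB_BLOCK -p tcp -m multiport --dports 139,445 -j DROP
    # Anything else between tenant networks (HTTP to a WAMP box, Skype, ...)
    # falls through to the rest of FORWARD untouched.
    ipt -A SMB_BLOCK -j RETURN
}

# Send traffic routed from one tenant /24 to a different tenant /24 through
# SMB_BLOCK. Traffic within a single /24 is switched, never routed, so it
# does not pass FORWARD at all and neighbours still see each other.
forward_rules() {
    for src in $TENANT_NETS; do
        for dst in $TENANT_NETS; do
            [ "$src" = "$dst" ] && continue
            ipt -A FORWARD -s "$src" -d "$dst" -j SMB_BLOCK
        done
    done
}

main() {
    smb_block_rules
    forward_rules
}

main
```

Two caveats a practitioner would want. First, `-A FORWARD` appends, so if the box already has a blanket `-A FORWARD -j ACCEPT` the new rules never fire; use `-I FORWARD` (or insert at a specific position) in that case. Second, `DROP` makes a Windows client wait out its connect timeout when it tries 445/tcp on a host in another subnet, which shows up as "network neighbourhood" hanging; `-j REJECT --reject-with tcp-reset` on the TCP rule fails fast instead. Making each per-subnet share visible only to its own /24 on the NAS itself is a Samba-side setting (`hosts allow` on each share in smb.conf), not a router rule.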