From: Don Gould <don@bowenvale.co.nz>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] SMB traffic routing/blocking...
Date: Wed, 04 May 2011 22:11:31 +0000
Message-ID: <4DC1CF13.2070400@bowenvale.co.nz>
In-Reply-To: <4DC1C569.3040705@bowenvale.co.nz>

On 5/05/2011 9:45 a.m., Grant Taylor wrote:
> On 05/04/11 16:30, Don Gould wrote:
>> However I don't want people on 2.0 to be able to see computers in 3.0 or
>> 4.0, etc.
>
> What about 3.0 and 4.0 being able to see other subnets 2.0 / 4.0 and 
> 2.0 / 3.0 (respectively)?

Sorry, my bad.

I want to block, drop, whatever, Microsoft networking...  WINS? but I 
do want to permit internet networking (for want of some better terms).

I don't want users on the 2.0 network to see the 'shares' on the 3.0 
networks in 'network neighbourhood'.

I know this could be achieved by simply putting everyone in different 
workgroups rather than the default of 'workgroup' (or 'home' depending 
on what version of Windows you're using).  But I don't control the 
computers, so I can't do that.

If user 2.35 sets up WAMP on their PC, I do want 3.45 to be able to see 
that. http://192.168.2.35/ ... blar :)

>> So I need to drop some traffic unless it's heading to my NAS IP
>> (192.168.1.2 for sake of argument).
>
> Do you want to single out the NAS IP (192.168.1.2) specifically, or is 
> the entire 1.0 network ok?  (This makes little difference, just asking 
> for clarify.)

What I want is...  When a user browses the "network" (Windows term), I 
want them to see DonsNAS\192.168.x.0_Share.  That's where I eventually 
want to end up.

Everyone on the x.0/24 network gets access to 1.xGb of shared space 
where they can put stuff they want to share with everyone else on their 
network.  People on y.0/24 will have their share on the same NAS (which 
is actually a nice Debian box running Samba).  The share is to be fully 
open to everyone in x.0 but not visible to people in y.0 etc.

Think in terms of a block of apartments where each apartment is getting 
a x.0/24.  I'm wanting to give all the users in apartment 1 a network 
and some shared space so they can transfer files etc but I don't want 
the people in apartment 2 seeing the files of apartment 1.  However I 
don't have control of the computers, so I can't do stuff like ACLs etc.


>
>> I do want users in 192.168.x.0/24 to be able to see each other though.
>
> Please elaborate on what you mean by "see each other".  What services 
> do you want to allow to communicate?

I don't want them to be able to 'browse the network', errr... I don't 
want them to be able to "browse" the other networks.


>
> Shooting from the hip, I'd say that you want a default of DROP (or 
> REJECT at your preference) and allow traffic from 1.0 to the other 
> networks 2.0 / 3.0 / 4.0 and stateful replies to said traffic.
>
> This would isolate the 2.0 / 3.0 / 4.0 networks from each other but 
> still allow them to communicate with the 1.0 network.
>
Ya, that's not what I want.  I only want to drop the SMB traffic.  Is 
that port 137, or do I need to drop more than that?

If I do what you just said, then Skype between networks will break, won't 
it?  Or will it travel out the public IP and transit to another peer?

Thanks for the help man :)

D


-- 
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
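The question in this message is which traffic to drop between the tenant /24s so that Windows shares are not browsable across apartments while everything else that is routed (the WAMP box at 192.168.2.35 reached from 192.168.3.45, for instance) keeps working. Below is an added example, not code from the thread or from either participant: a POSIX shell script that builds a dedicated iptables chain in the FORWARD path dropping NetBIOS and SMB (udp/tcp 137, 138, 139 and 445, the ports Windows file sharing uses) between tenant subnets, while leaving SMB to the NAS at 192.168.1.2 and all non-SMB forwarded traffic alone. It assumes the Linux router forwards all 192.168.x.0/24 subnets, that the three tenant networks and the NAS address are as discussed in the thread, and that iptables is the filtering tool in use; by default it only prints the rules, and applies them when run with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): isolate SMB/NetBIOS between tenant
# subnets on a Linux router without touching other forwarded traffic.
# Assumptions: this box routes every 192.168.x.0/24; the NAS at 192.168.1.2
# is the one SMB destination all tenants may reach. Run with APPLY=1 to
# install the rules; without it the iptables commands are only printed.

NAS_IP="192.168.1.2"                                   # from the thread
TENANT_NETS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"
# NetBIOS name (137), datagram (138), session (139) and SMB over TCP (445)
SMB_PORTS="137,138,139,445"
CHAIN="SMB_ISOLATE"

# Wrapper so the same rule list can be previewed or applied.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Emit (or apply) the isolation chain and hook it into FORWARD.
smb_isolation_rules() {
    # Create the chain if missing, then start from an empty rule list so the
    # function is safe to re-run.
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"

    # Every tenant may talk SMB to the NAS, where the per-subnet shares live.
    ipt -A "$CHAIN" -d "$NAS_IP" -j RETURN

    # Drop SMB/NetBIOS between any two different tenant subnets, both
    # transports. Traffic inside one subnet never hits FORWARD, so a tenant
    # still sees its own neighbours.
    for src in $TENANT_NETS; do
        for dst in $TENANT_NETS; do
            [ "$src" = "$dst" ] && continue
            ipt -A "$CHAIN" -s "$src" -d "$dst" -p tcp \
                -m multiport --dports "$SMB_PORTS" -j DROP
            ipt -A "$CHAIN" -s "$src" -d "$dst" -p udp \
                -m multiport --dports "$SMB_PORTS" -j DROP
        done
    done

    # Evaluate the chain first; anything it does not match falls through to
    # whatever FORWARD policy already exists (HTTP, Skype, etc. untouched).
    ipt -I FORWARD 1 -j "$CHAIN"
}

# Preview by default: ./smb_isolate.sh ; install with: APPLY=1 ./smb_isolate.sh
smb_isolation_rules
```

Two points worth keeping in mind when using this. First, Network Neighbourhood browsing relies on NetBIOS broadcasts, which a router does not forward anyway; what does cross subnets is directed SMB on 139/445 and WINS lookups on 137, and those are exactly what the chain drops, so a tenant who learns another tenant's IP still cannot open its shares. Second, the filter only works if each apartment is its own routed segment through this box; if the tenants share one Layer 2 network the hosts reach each other without passing FORWARD at all. Unlike a default-DROP FORWARD policy, this chain leaves every other protocol between tenant subnets as it was.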

Thread overview:
2011-05-04 21:30 [LARTC] SMB traffic routing/blocking Don Gould
2011-05-04 21:45 ` Grant Taylor
2011-05-04 22:11 ` Don Gould [this message]
2011-05-05 15:47 ` Grant Taylor