From mboxrd@z Thu Jan 1 00:00:00 1970
From: Don Gould
Date: Wed, 04 May 2011 22:11:31 +0000
Subject: Re: [LARTC] SMB traffic routing/blocking...
Message-Id: <4DC1CF13.2070400@bowenvale.co.nz>
List-Id:
References: <4DC1C569.3040705@bowenvale.co.nz>
In-Reply-To: <4DC1C569.3040705@bowenvale.co.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

On 5/05/2011 9:45 a.m., Grant Taylor wrote:
> On 05/04/11 16:30, Don Gould wrote:
>> However I don't want people on 2.0 to be able to see computers in 3.0 or
>> 4.0, etc.
>
> What about 3.0 and 4.0 being able to see other subnets 2.0 / 4.0 and
> 2.0 / 3.0 (respectively)?

Sorry, my bad.

I want to block, drop, whatever, Microsoft networking... WINS? But I do want to permit internet networking (for want of some better terms).

I don't want users on the 2.0 network to see the 'shares' on the 3.0 networks in 'network neighbourhood'.

I know this could be achieved by simply putting everyone in different workgroups rather than the default of 'workgroup' (or 'home' depending on what version of Windows you're using). But I don't control the computers, so I can't do that.

If user 2.35 sets up WAMP on their PC, I do want 3.45 to be able to see that. http://192.168.2.35/ ... blar :)

>> So I need to drop some traffic unless it's heading to my NAS IP
>> (192.168.1.2 for sake of argument).
>
> Do you want to single out the NAS IP (192.168.1.2) specifically, or is
> the entire 1.0 network ok? (This makes little difference, just asking
> for clarification.)

What I want is...

When a user browses the "network" (Windows term), I want them to see DonsNAS\192.168.x.0_Share

That's where I eventually want to end up. Everyone on the x.0/24 network gets access to 1.xGb of shared space where they can put stuff they want to share with everyone else on their network. People on y.0/24 will have their share on the same NAS (which is actually a nice Debian box running samba).

The share is to be fully open to everyone in x.0 but not visible to people in y.0 etc.

Think in terms of a block of apartments where each apartment is getting a x.0/24. I'm wanting to give all the users in apartment 1 a network and some shared space so they can transfer files etc but I don't want the people in apartment 2 seeing the files of apartment 1. However I don't have control of the computers, so I can't do stuff like ACLs etc.

>
>> I do want users in 192.168.x.0/24 to be able to see each other though.
>
> Please elaborate on what you mean by "see each other". What services
> do you want to allow to communicate?

I don't want them to be able to 'browse the network', errr... I don't want them to be able to "browse" the other networks.

>
> Shooting from the hip, I'd say that you want a default of DROP (or
> REJECT at your preference) and allow traffic from 1.0 to the other
> networks 2.0 / 3.0 / 4.0 and stateful replies to said traffic.
>
> This would isolate the 2.0 / 3.0 / 4.0 networks from each other but
> still allow them to communicate with the 1.0 network.
>

Ya, that's not what I want. I only want to drop the SMB traffic. Is that port 137? Or do I need to drop more than that?

If I do what you just said then Skype between networks will break, won't it? Or it will travel out the public IP and transit to another peer?

Thanks for the help man :)

D

-- 
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand

Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
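The filtering Don is asking about, as a worked example added by the editor; it is not code from the thread or from any reply on the list. It answers the "port 137?" question with the standard port set: NetBIOS over TCP/IP uses UDP 137 (name service), UDP 138 (datagram service, which carries browse-list traffic) and TCP 139 (session service), and SMB directly over TCP uses 445. The script emits iptables FORWARD rules that drop only those ports between tenant /24s, let every tenant reach the NAS, and leave everything else (HTTP to a tenant's WAMP box, Skype, internet) untouched. Assumptions not stated on the list: the Debian box is the router between the /24s, the NAS is 192.168.1.2 (the thread's "for sake of argument" address), the tenant subnets are the three listed, and the chain name SMB_ISOLATE is made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables FORWARD rules that block
# Windows file sharing (NetBIOS/SMB) between tenant subnets while leaving
# tenant -> NAS and all other traffic (HTTP, Skype, ...) untouched.
# Assumptions (not stated on the list): the Debian box is the router between
# the tenant /24s, the NAS is 192.168.1.2, and the tenant subnets are the three
# below. The chain name SMB_ISOLATE is made up for this example.

NAS_IP="192.168.1.2"
TENANT_NETS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"

# NetBIOS name service (137/udp), datagram/browsing (138/udp),
# session service (139/tcp) and SMB directly over TCP (445/tcp).
SMB_UDP_PORTS="137,138"
SMB_TCP_PORTS="139,445"

# Emit the rules in iptables-restore format so they can be reviewed first:
#   smb_isolation_rules | iptables-restore -n     (as root, on the router)
smb_isolation_rules() {
    echo '*filter'
    echo ':SMB_ISOLATE - [0:0]'
    # Tenant -> NAS is always fine; the NAS exports one share per subnet.
    echo "-A SMB_ISOLATE -d $NAS_IP -j RETURN"
    # Tenant -> another tenant subnet: drop only the SMB/NetBIOS ports.
    for dst in $TENANT_NETS; do
        echo "-A SMB_ISOLATE -d $dst -p udp -m multiport --dports $SMB_UDP_PORTS -j DROP"
        echo "-A SMB_ISOLATE -d $dst -p tcp -m multiport --dports $SMB_TCP_PORTS -j DROP"
    done
    # Send forwarded traffic that originates in a tenant subnet through the chain.
    for src in $TENANT_NETS; do
        echo "-A FORWARD -s $src -j SMB_ISOLATE"
    done
    echo 'COMMIT'
}

# The same policy as a plain decision function, for sanity-checking the rules
# without touching a firewall: prints ALLOW or DROP for "src dst proto dport".
classify() {
    c_src=$1; c_dst=$2; c_proto=$3; c_dport=$4
    c_src_net="${c_src%.*}.0/24"
    c_dst_net="${c_dst%.*}.0/24"
    # Hosts in the same /24 talk directly; the router's FORWARD chain never sees it.
    [ "$c_src_net" = "$c_dst_net" ] && { echo ALLOW; return; }
    # Only traffic sourced from a tenant subnet enters SMB_ISOLATE.
    case " $TENANT_NETS " in *" $c_src_net "*) ;; *) echo ALLOW; return ;; esac
    [ "$c_dst" = "$NAS_IP" ] && { echo ALLOW; return; }
    # Destinations outside the tenant subnets (NAS side, internet) are untouched.
    case " $TENANT_NETS " in *" $c_dst_net "*) ;; *) echo ALLOW; return ;; esac
    case "$c_proto:$c_dport" in
        udp:137|udp:138|tcp:139|tcp:445) echo DROP ;;
        *) echo ALLOW ;;
    esac
}
```

Two points the rules rely on: traffic between two hosts in the same /24 never crosses the router, so the FORWARD chain cannot interfere with neighbours seeing each other; and the UDP 137/138 broadcasts that populate "network neighbourhood" are not routed in the first place, so cross-subnet browse lists would only appear via WINS or a master browser. What the rules actually stop is direct access to another tenant's machine by address (\\192.168.3.45\share), which is what remains reachable across subnets without them.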