* [LARTC] SMB traffic routing/blocking...
@ 2011-05-04 21:30 Don Gould
From: Don Gould @ 2011-05-04 21:30 UTC (permalink / raw)
To: lartc
Dear Spammers,
Thanks for waking everyone on the list up last night. ;)
Dear List,
Now that you're all awake, and following the number of requests for some
technical discussion, here's my current challenge on my little research
project...
Yes, I'm wanting to figure out the following for a Mikrotik RB750G
router, but AIUI the mkt runs a Linux core, so my request is on topic ;)
I've got a number of networks on my router....
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.1.2 can ping 192.168.2.2, 192.168.3.2, 192.168.4.2
That's cool.
However I don't want people on 2.0 to be able to see computers in 3.0 or
4.0, etc.
I also don't want them to be able to establish windows networking
connections -- so basically samba/smb connections.
However I do want 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 to be
able to use a NAS in 192.168.1.0/24.
So I need to drop some traffic unless it's heading to my NAS IP
(192.168.1.2 for sake of argument).
I do want users in 192.168.x.0/24 to be able to see each other though.
I'm using a Mikrotik 750G with router OS5 on it, lic 4.
TIA
D
--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] SMB traffic routing/blocking...
From: Grant Taylor @ 2011-05-04 21:45 UTC (permalink / raw)
To: lartc
On 05/04/11 16:30, Don Gould wrote:
> However I don't want people on 2.0 to be able to see computers in 3.0 or
> 4.0, etc.
What about 3.0 and 4.0 being able to see other subnets 2.0 / 4.0 and 2.0
/ 3.0 (respectively)?
> I also don't want them to be able to establish windows networking
> connections -- so basically samba/smb connections.
Ok.
> However I do want 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 to be
> able to use a NAS in 192.168.1.0/24.
Ok.
> So I need to drop some traffic unless it's heading to my NAS IP
> (192.168.1.2 for sake of argument).
Do you want to single out the NAS IP (192.168.1.2) specifically, or is
the entire 1.0 network ok? (This makes little difference, just asking
for clarity.)
> I do want users in 192.168.x.0/24 to be able to see each other though.
Please elaborate on what you mean by "see each other". What services do
you want to allow to communicate?
Shooting from the hip, I'd say that you want a default of DROP (or
REJECT at your preference) and allow traffic from 1.0 to the other
networks 2.0 / 3.0 / 4.0 and stateful replies to said traffic.
This would isolate the 2.0 / 3.0 / 4.0 networks from each other but
still allow them to communicate with the 1.0 network.
Grant. . . .
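The policy Grant sketches above (default DROP in FORWARD, only the 1.0 network may open connections into 2.0 / 3.0 / 4.0, replies pass statefully) as an added iptables example. This is not code from the thread; it assumes a plain Linux router with all four subnets directly attached so that inter-subnet traffic traverses the FORWARD chain, and the `WAN_IF` rule is an added assumption so the tenant subnets keep their Internet access (the isolation rules alone would also cut that off). Don's RB750G runs RouterOS, whose firewall has its own syntax, so this is the iptables equivalent rather than something to paste into the Mikrotik. Run with `IPT=echo` to preview the rules without applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: Grant's "shooting from the hip"
# policy as iptables FORWARD rules. Default DROP between subnets; only the
# trusted 1.0 network may initiate connections into the tenant subnets and
# replies come back via conntrack. Assumes a Linux router with all subnets
# attached; WAN_IF is an assumed interface name for the uplink.
set -eu

IPT="${IPT:-iptables}"                      # IPT=echo prints instead of applying
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"  # the network holding the NAS
TENANT_NETS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"
WAN_IF="${WAN_IF:-eth0}"                    # assumed uplink interface

isolate_tenants() {
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD

    # Stateful replies first, so answers to any allowed connection always pass.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Everyone may still reach the Internet (added assumption; Grant's text
    # only covers the inter-subnet rules).
    "$IPT" -A FORWARD -o "$WAN_IF" -j ACCEPT

    # Only the trusted network may open new connections into each tenant net;
    # tenant-to-tenant and tenant-to-trusted connections fall to the DROP policy.
    for net in $TENANT_NETS; do
        "$IPT" -A FORWARD -s "$TRUSTED_NET" -d "$net" -m conntrack --ctstate NEW -j ACCEPT
    done
}

if [ "${1:-}" = "apply" ]; then
    isolate_tenants
fi
```

Usage: `IPT=echo sh isolate.sh apply` prints the rule set; `sh isolate.sh apply` as root installs it. Note that the `-F FORWARD` wipes any existing FORWARD rules, which is intended for a router whose only FORWARD policy is this one.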
* Re: [LARTC] SMB traffic routing/blocking...
From: Don Gould @ 2011-05-04 22:11 UTC (permalink / raw)
To: lartc
On 5/05/2011 9:45 a.m., Grant Taylor wrote:
> On 05/04/11 16:30, Don Gould wrote:
>> However I don't want people on 2.0 to be able to see computers in 3.0 or
>> 4.0, etc.
>
> What about 3.0 and 4.0 being able to see other subnets 2.0 / 4.0 and
> 2.0 / 3.0 (respectively)?
Sorry, my bad.
I want to block, drop, whatever, Microsoft networking... wins? but I
do want to permit internet networking (for want of some better terms).
I don't want users on the 2.0 network to see the 'shares' on the 3.0
networks in 'network neighbourhood'.
I know this could be achieved by simply putting everyone in different
work groups rather than the default of 'workgroup' (or 'home' depending
on what version of windows you're using). But I don't control the
computers, so I can't do that.
If user 2.35 sets up WAMP on their PC, I do want 3.45 to be able to see
that. http://192.168.2.35/ ... blar :)
>> So I need to drop some traffic unless it's heading to my NAS IP
>> (192.168.1.2 for sake of argument).
>
> Do you want to single out the NAS IP (192.168.1.2) specifically, or is
> the entire 1.0 network ok? (This makes little difference, just asking
> for clarity.)
What I want is... When a user browses the "network" (windows term), I
want them to see DonsNAS\192.168.x.0_Share That's where I eventually
want to end up.
Everyone on the x.0/24 network gets access to 1.xGb of shared space
where they can put stuff they want to share with everyone else on their
network. People on y.0/24 will have their share on the same NAS (which
is actually a nice Debian box running Samba). The share is to be fully
open to everyone in x.0 but not visible to people in y.0 etc.
Think in terms of a block of apartments where each apartment is getting
a x.0/24. I'm wanting to give all the users in apartment 1 a network
and some shared space so they can transfer files etc but I don't want
the people in apartment 2 seeing the files of apartment 1. However I
don't have control of the computers, so I can't do stuff like ACLs etc.
>
>> I do want users in 192.168.x.0/24 to be able to see each other though.
>
> Please elaborate on what you mean by "see each other". What services
> do you want to allow to communicate?
I don't want them to be able to 'browse the network', errr... I don't
want them to be able to "browse" the other networks.
>
> Shooting from the hip, I'd say that you want a default of DROP (or
> REJECT at your preference) and allow traffic from 1.0 to the other
> networks 2.0 / 3.0 / 4.0 and stateful replies to said traffic.
>
> This would isolate the 2.0 / 3.0 / 4.0 networks from each other but
> still allow them to communicate with the 1.0 network.
>
Ya, that's not what I want. I only want to drop the smb traffic. Is
that port 137? or do I need to drop more than that?
If I do what you just said then skype between networks will break won't
it? or it will travel out the public IP and transit to another peer?
Thanks for the help man :)
D
--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
* Re: [LARTC] SMB traffic routing/blocking...
From: Grant Taylor @ 2011-05-05 15:47 UTC (permalink / raw)
To: lartc
On 05/04/11 17:11, Don Gould wrote:
> Sorry, my bad.
No problem. We are all human.
> I want to block, drop, whatever, Microsoft networking... wins? but I do
> want to permit internet networking (for want of some better terms).
Ok.
So we are only talking about filtering TCP / UDP ports 137, 138, 139 and
445. (Isn't M$ networking fun...)
> I don't want users on the 2.0 network to see the 'shares' on the 3.0
> networks in 'network neighbourhood'.
I think I know what you are after.
> I know this could be achieved by simply putting everyone in different
> work groups rather than the default of 'workgroup' (or 'home' depending
> on what version of windows you're using). But I don't control the
> computers, so I can't do that.
Now we are getting in to some M$ networking issues.
I think the proper term (as I (mis)understand it) that you are after is
"browse".
Just because the computers are in a different workgroup does not mean
that they won't be able to see each other. In fact, workgroups mean
little any more. If anything, the "workgroup" is sort of (very rough
analogy) like your local subnet in that it takes marginally more effort
to go outside of it, but still very possible to do. - In short, using
different workgroups would not suffice for what you are wanting.
> If user 2.35 sets up WAMP on their PC, I do want 3.45 to be able to see
> that. http://192.168.2.35/ ... blar :)
*nod* TCP / UDP ports 137, 138, 139 and 445
> What I want is... When a user browses the "network" (windows term), I
> want them to see DonsNAS\192.168.x.0_Share That's where I eventually
> want to end up.
Heh. Now more M$ networking fun.
I think you are about to run in to the network visibility vs
accessibility issue.
Specifically, if you want computers to be able to "browse" the network
(neighborhood) and find computers to access, you are going to have to
have a functional browse master list. Complicating this is the fact
that you have multiple networks (subnets) trying to tie together.
In the end I think you are going to end up with a single unified browse
master list that all the computers are on. Now, that does not mean that
the computers will be accessible, just that they are on a list.
> Everyone on the x.0/24 network gets access to 1.xGb of shared space
> where they can put stuff they want to share with everyone else on their
> network. People on y.0/24 will have their share on the same NAS (which
> is actually a nice Debian box running Samba). The share is to be fully
> open to everyone in x.0 but not visible to people in y.0 etc.
Ok.
So you are exploiting some of Samba's features as a central file server.
> Think in terms of a block of apartments where each apartment is getting
> a x.0/24. I'm wanting to give all the users in apartment 1 a network and
> some shared space so they can transfer files etc but I don't want the
> people in apartment 2 seeing the files of apartment 1. However I don't
> have control of the computers, so I can't do stuff like ACLs etc.
Heh.
Isn't multi-tenancy networking fun?
> I don't want them to be able to 'browse the network', errr... I don't
> want them to be able to "browse" the other networks.
Here "browse" can mean multiple things: 1) see the computers on a list
that are connected to the network and 2) access a given computer and see
the contents there on.
I think you are going to have to live with #1 and use IPTables to
control #2 via firewalling.
> Ya, that's not what I want. I only want to drop the smb traffic. Is that
> port 137? or do I need to drop more than that?
To be safe, I drop both TCP and UDP for ports 137, 138, 139 and 445.
(We actually only need to block a subset of those ports, but I don't
bother to remember exactly what is needed and just block those 8 ports
and have been fine for the past decade.)
> If I do what you just said then skype between networks will break won't
> it? or it will travel out the public IP and transit to another peer?
As I broadly said it, yes. However, if we refine it to be for the 8
ports in question, no.
Question: Do you want to control the 2., 3. and 4. network's access to
the 1. network so that they can only get to the server's IP, or can
they access the entire 1. network?
At this point, I think your firewall rules will be such that you first
allow SMB/CIFS traffic (from any network) to the 1. network -and- from
the 1. network (to any network), and then you drop / reject any other
SMB/CIFS traffic. (You may want to refine "1. network" to be "the NAS
server's IP".)
> Thanks for the help man :)
You are welcome.
Grant. . . .
P.S. For the record, you really are crossing two completely different
network layers. One is the TCP/IP & routing layer and the other is the
M$ Windows Networking layer. Doing this can be interesting (and I don't
mean in a good way), somewhat difficult, and sometimes prone to
compromise (as in I don't like it but it works, not the security breach)
and failure.
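Grant's final recipe (allow SMB/CIFS to and from the NAS, drop every other SMB/CIFS flow crossing the router, leave all other traffic alone) as an added iptables example, covering his answer to Don's port question (TCP and UDP 137, 138, 139, 445) as well. This is not code from the thread; it assumes a Linux router with the four subnets directly attached so inter-subnet packets pass through FORWARD, and the `SMB_FILTER` chain name, the `SMB_SERVER` variable and the log prefix are this example's own choices. `SMB_SERVER` defaults to the NAS address and can be set to `192.168.1.0/24` for Grant's "entire 1. network" variant. Two points a practitioner would want: only these destination ports are matched, so Skype and everything else between subnets is untouched, which is Grant's "refined to the 8 ports, no"; and the NetBIOS browse traffic on UDP 137/138 is broadcast, which a router does not forward regardless of these rules, so the browse-list question Grant raises is separate from what this filter controls. As with the earlier example, Don's RouterOS box has its own firewall syntax; this is the Linux equivalent.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables FORWARD rules implementing
# Grant's recipe. SMB/CIFS to or from the NAS is allowed, any other SMB/CIFS
# flow through the router is logged and dropped, all other traffic is left to
# the existing FORWARD rules. Assumes a Linux router with all subnets attached.
set -eu

IPT="${IPT:-iptables}"                   # IPT=echo prints instead of applying
SMB_SERVER="${SMB_SERVER:-192.168.1.2}"  # the NAS; 192.168.1.0/24 trusts the whole 1.0 net
SMB_PORTS="137,138,139,445"              # NetBIOS name/datagram/session + direct SMB

smb_rules() {
    # Separate chain (name chosen for this example) so the SMB policy can be
    # reloaded without disturbing the rest of FORWARD. -N fails if it exists.
    "$IPT" -N SMB_FILTER 2>/dev/null || true
    "$IPT" -F SMB_FILTER

    # Order matters: both accepts must precede the drop.
    "$IPT" -A SMB_FILTER -d "$SMB_SERVER" -j ACCEPT   # any subnet -> NAS
    "$IPT" -A SMB_FILTER -s "$SMB_SERVER" -j ACCEPT   # NAS -> any subnet (Grant's second allow)
    # Rate-limited log line so cross-tenant SMB attempts are visible in syslog.
    "$IPT" -A SMB_FILTER -m limit --limit 5/min -j LOG --log-prefix "SMB-XNET-DROP: "
    "$IPT" -A SMB_FILTER -j DROP

    # Only packets aimed at SMB/CIFS destination ports enter the chain, TCP and
    # UDP alike. Replies carry these as *source* ports, so they never enter it
    # and remain governed by whatever FORWARD already does for established flows.
    # The -D first makes a re-run idempotent instead of stacking duplicate jumps.
    for proto in tcp udp; do
        "$IPT" -D FORWARD -p "$proto" -m multiport --dports "$SMB_PORTS" -j SMB_FILTER 2>/dev/null || true
        "$IPT" -I FORWARD 1 -p "$proto" -m multiport --dports "$SMB_PORTS" -j SMB_FILTER
    done
}

if [ "${1:-}" = "apply" ]; then
    smb_rules
fi
```

Usage: `IPT=echo sh smb_filter.sh apply` shows the rules that would be installed; `sh smb_filter.sh apply` as root installs them. Because the jump is inserted at position 1 of FORWARD, it takes effect even if FORWARD already has a blanket ACCEPT further down.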