* DNATing Windows File Sharing
From: Sadus . @ 2005-07-18 8:15 UTC (permalink / raw)
To: netfilter
Hello,
I would like to enable the right ports and DNAT the requests for File
Sharing on an internal Windows box. The win2k3 has Active Directory
enabled and I want users to type \\domainname.com which will pop up a
user/pass dialog and let them access the file server.
I did the following, but it doesn't seem to work:
iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 139 --to 192.168.1.2:139
assuming "139" is NetBIOS
thanks
--
Sadus . <sadus@swiftbin.net>
Swiftbin.net
* Re: DNATing Windows File Sharing
From: Jan Engelhardt @ 2005-07-18 9:20 UTC (permalink / raw)
To: Sadus .; +Cc: netfilter
>Hello,
>I would like to enable the right ports and DNAT the requests for File
>Sharing on a internal windows box. The win2k3 has Active Directory
>enabled and i want users to type \\domainname.com which will popup a
>user/pass dialog and let them access the file server.
>
>I did the following, but it doesn't seem to work:
>iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 139 --to
>192.168.1.2:139
>assuming "139" is NetBios
Also try 445 instead of 139.
Then, if that still does not work, you maybe need to forward UDP 137.
Jan Engelhardt
--
* Re: DNATing Windows File Sharing
From: Robert Vangel @ 2005-07-18 9:50 UTC (permalink / raw)
To: netfilter
Jan Engelhardt wrote:
>>Hello,
>>I would like to enable the right ports and DNAT the requests for File
>>Sharing on a internal windows box. The win2k3 has Active Directory
>>enabled and i want users to type \\domainname.com which will popup a
>>user/pass dialog and let them access the file server.
>>
>>I did the following, but it doesn't seem to work:
>>iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 139 --to
>>192.168.1.2:139
>>assuming "139" is NetBios
>
>
> Also try 445 instead of 139.
>
> Then, if that still does not work, you maybe need to forward UDP 137.
>
>
>
> Jan Engelhardt
All of the ports for Windows file sharing, if you want to call it that, are:
135/tcp, 137/udp, 138/tcp, 139/udp, 139/tcp, 445/tcp
Some of them are for RPC things so you might not actually want them
open, but I don't know which specific one(s) they are.
* Re: DNATing Windows File Sharing
From: Jan Engelhardt @ 2005-07-18 11:09 UTC (permalink / raw)
To: Robert Vangel; +Cc: netfilter
>All of the ports for windows file sharing you want to call it are..
>
>135/tcp, 137/udp, 138/tcp, 139/udp, 139/tcp, 445/tcp
>
>Some of them are for RPC things so you might not actually want them
>open, but I don't know which specific one(s) they are.
epmap 135/tcp # DCE endpoint resolution
epmap 135/udp # DCE endpoint resolution
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp # NETBIOS Name Service
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS Session Service
netbios-ssn 139/udp # NETBIOS Session Service
microsoft-ds 445/tcp # Microsoft-DS
microsoft-ds 445/udp # Microsoft-DS
I have never seen epmap on my network, so 135 does not belong to it. 138
traffic is also rare.
Jan Engelhardt
--
* Re: DNATing Windows File Sharing
From: Jason Opperisano @ 2005-07-18 21:12 UTC (permalink / raw)
To: netfilter
On Mon, Jul 18, 2005 at 01:09:01PM +0200, Jan Engelhardt wrote:
> epmap 135/tcp # DCE endpoint resolution
> epmap 135/udp # DCE endpoint resolution
> netbios-ns 137/tcp # NETBIOS Name Service
> netbios-ns 137/udp # NETBIOS Name Service
> netbios-dgm 138/tcp # NETBIOS Datagram Service
> netbios-dgm 138/udp # NETBIOS Datagram Service
> netbios-ssn 139/tcp # NETBIOS Session Service
> netbios-ssn 139/udp # NETBIOS Session Service
> microsoft-ds 445/tcp # Microsoft-DS
> microsoft-ds 445/udp # Microsoft-DS
quoting a services file like it's an RFC is not a great way to write
firewall rules. just because a port has been reserved for a service,
doesn't mean it's actually used. the obvious example here would be
HTTP:
http 80/tcp www www-http #World Wide Web HTTP
http 80/udp www www-http #World Wide Web HTTP
now, we're not all going to run out and open up UDP port 80 so that our
web servers function, are we?
the safest way to write firewall rules is by dropping and logging the
traffic or by using tcpdump to discover the ports and protocols one by
one. that being said, in my experience, the ports used by "windows file
sharing" are:
TCP 139
TCP 445
UDP 137
UDP 138
that being said, I've also noticed that NAT-ing a windows file server
doesn't always work--depending on your network topology.
-j
--
"Susan Sarandon: I'm Susan Sarandon. Most of you know me as Tim
Robbins' mother, but actually I'm his wife!"
--Family Guy
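An added example, not from anyone in this thread: a POSIX sh script that sets up the gateway for the original question using only the ports Jason reports (TCP 139/445, UDP 137/138), restricts the DNAT to a known client range, and adds the log-and-drop rule he recommends so any missing port shows up in the kernel log rather than failing silently. Interface, server address, client range and the sample log lines are all assumed/constructed; set IPT=echo to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the netfilter rules for the setup
# discussed: DNAT inbound SMB/NetBIOS from the WAN side to one internal Windows
# server, limited to a known client range, plus a LOG+DROP rule so that ports not
# yet forwarded can be discovered from the kernel log instead of guessed.
# Assumed names: WAN "eth0", server "192.168.1.2", clients "203.0.113.0/24".
# The gateway also needs net.ipv4.ip_forward=1. Run with IPT=echo to preview.
IPT="${IPT:-iptables}"

fileshare_rules() {
    wan="$1" server="$2" clients="$3"
    # Ports Jason reports as actually used by Windows file sharing.
    tcp_ports="139,445"; udp_ports="137,138"
    # 1. Rewrite the destination on the WAN interface, only for known clients.
    $IPT -t nat -A PREROUTING -i "$wan" -s "$clients" -p tcp \
        -m multiport --dports "$tcp_ports" -j DNAT --to-destination "$server"
    $IPT -t nat -A PREROUTING -i "$wan" -s "$clients" -p udp \
        -m multiport --dports "$udp_ports" -j DNAT --to-destination "$server"
    # 2. DNAT alone is not enough: FORWARD must accept the rewritten packets,
    #    and replies from the server come back through conntrack.
    $IPT -A FORWARD -i "$wan" -d "$server" -p tcp -m multiport --dports "$tcp_ports" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$wan" -d "$server" -p udp -m multiport --dports "$udp_ports" -j ACCEPT
    $IPT -A FORWARD -o "$wan" -s "$server" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Anything else from the WAN aimed at the server: log (rate-limited), then drop.
    $IPT -A FORWARD -i "$wan" -d "$server" -m limit --limit 10/min -j LOG --log-prefix "SMB-DROP "
    $IPT -A FORWARD -i "$wan" -d "$server" -j DROP
}

# Summarise which protocol/port pairs the LOG rule caught (kernel log on stdin),
# most frequent first, e.g. "TCP/135 2". That is the list to review before forwarding more.
tally_dropped() {
    sed -n 's/.*SMB-DROP .*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\) .*/\1\/\2/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Constructed sample of kernel LOG output (not real traffic); the last line is noise.
SAMPLE_LOG='Jul 18 21:12:01 gw kernel: SMB-DROP IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.2 LEN=52 TTL=127 ID=1 DF PROTO=TCP SPT=49152 DPT=135 WINDOW=8192 SYN URGP=0
Jul 18 21:12:03 gw kernel: SMB-DROP IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.2 LEN=52 TTL=127 ID=2 DF PROTO=TCP SPT=49153 DPT=135 WINDOW=8192 SYN URGP=0
Jul 18 21:12:05 gw kernel: SMB-DROP IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.2 LEN=52 TTL=127 ID=3 DF PROTO=TCP SPT=49160 DPT=138 WINDOW=8192 SYN URGP=0
Jul 18 21:12:06 gw kernel: eth0: link is up'

# Usage: fileshare_rules eth0 192.168.1.2 203.0.113.0/24
#        grep SMB-DROP /var/log/kern.log | tally_dropped
```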
* Re: DNATing Windows File Sharing
From: Jan Engelhardt @ 2005-07-18 21:41 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
>quoting a services file like it's an RFC is not a great way to write
>firewall rules. just because a port has been reserved for a service,
>doesn't mean it's actually used. the obvious example here would be
So it looks like Win98 does not use 135.
If you are not happy with the results, use -m layer7 and go from there.
_That's_ safe, across udp, tcp and the whole port range. :)
>that being said, i've also noticed that NAT-ing a windows file server
>doesn't always work--depending on your network topology.
No, I think because it uses broadcasts which ... are normally not propagated
across networks unless you utilize userspace proxies. I have recently turned a
friend's network(s) into a bridged one to overcome this problem. (Or to evade,
depending on the viewpoint.)