Creating a static route to an internal machine

 
 
Yousaf

 
      09-27-2003, 04:24 PM
Dear all,

I have a mini network at home, with a broadband connection. I am using
Alcatel Speedtouch 510 router to share my connection among three or
four machines.

I wish to setup samba shares for my work mates, who want to access one
of the machines on the network from their homes. Now I can easily
setup samba shares, but the problem is how do I enable them to access
this particular machine. I have read the Help pages that come with the
router but still I can't figure it out.

In advance settings of the router, there is a section which enables me
to add a new entry in IP address table, and in IP route table. My
first try was something like this:

ISP assigned static IP address: xx.xx.xxx.xxx
Router eth0 IP address: 10.0.0.138 (The IP address of the router,
which enables me to see the web interface of the router for connection
and setup etc.)
Machine1: 10.0.0.1 (The machine where samba shares are setup)

I added a new entry in the router's IP route table like so:

Destination IP: 10.0.0.1
Source IP: xx.xx.xxx.xxx
Gateway: 10.0.0.138

I saved the settings but I can't see the entry listed under the IP
route table entries. Also strange thing is that people can't even ping
to my (ISP assigned) static IP address from outside! But from inside
the network I can ping to xx.xx.xxx.xxx and also 10.0.0.138.

Could anyone with similar setup guide me through the whole process of
setting up a static IP route to enable outside access to my internal
LAN machine?

Regards
Yousaf
 
 
 
 
 
Horst Knobloch

 
      09-27-2003, 05:39 PM
Yousaf <(E-Mail Removed)> wrote:

> I have a mini network at home, with a broadband connection. I am using
> Alcatel Speedtouch 510 router to share my connection among three or
> four machines.
>
> I wish to setup samba shares for my work mates, who want to access one
> of the machines on the network from their homes. Now I can easily
> setup samba shares, but the problem is how do I enable them to access
> this particular machine. I have read the Help pages that come with the
> router but still I can't figure it out.


You need to redirect the Samba traffic hitting your router
to the Samba server. So you need to redirect UDP port 138
and TCP port 139 traffic to your Samba server.

This can't be done with a static route, you need Destination
NAT for this. Don't know how this is called in the Alcatel
router's menus.


> In advance settings of the router, there is a section which enables me
> to add a new entry in IP address table, and in IP route table. My
> first try was something like this:


You need to find the menu which allows you to provision something
like:

redirect protocol UDP port <port value x> to IP <IP Addr>
redirect protocol TCP port <port value y> to IP <IP Addr>

[...]
> I added a new entry in the router's IP route table like so:


The routing table doesn't help you here.


> Also strange thing is that people can't even ping
> to my (ISP assigned) static IP address from outside! But from inside
> the network I can ping to xx.xx.xxx.xxx and also 10.0.0.138.


Maybe your router filters the ICMP echo request.

As a side note: Maybe it would be better to setup a VPN
and mount the samba shares via the VPN gateway. However
for this your router needs to be capable to forward the
VPN traffic to a VPN gateway. Not all routers support this.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
 
 
Eric Gibson

 
      09-27-2003, 10:02 PM

"Horst Knobloch" <(E-Mail Removed)> wrote:
> Yousaf <(E-Mail Removed)> wrote:
>
> > I have a mini network at home, with a broadband connection. I am using
> > Alcatel Speedtouch 510 router to share my connection among three or
> > four machines.
> >
> > I wish to setup samba shares for my work mates, who want to access one
> > of the machines on the network from their homes. Now I can easily
> > setup samba shares, but the problem is how do I enable them to access
> > this particular machine. I have read the Help pages that come with the
> > router but still I can't figure it out.

>
> You need to redirect the Samba traffic hitting your router
> to the Samba server. So you need to redirect UDP port 138
> and TCP port 139 traffic to your Samba server.
>
> This can't be done with a static route, you need Destination
> NAT for this. Don't know how this is called in the Alcatel
> router's menus.


I'd set up VPN on the box, and have them VPN in... the firewall rules are similar.
Exploits for those services come out weekly it seems like nowadays (almost as bad as
openssh!)

Here is a description of how to set the rules up. It's for shorewall, but still
helpful. http://www.shorewall.net/VPN.htm

Eric


 
 
Yousaf

 
      09-27-2003, 11:43 PM
Horst Knobloch wrote:

> This can't be done with a static route, you need Destination
> NAT for this. Don't know how this is called in the Alcatel
> router's menus.


I think it is NAPT (Network Address and Port Translation), and in the
settings, I have the following fields to fill in:

Protocol: (tcp or udp drop down)
Inside IP: ??
Outside IP: ??
Inside Port: ??
Outside Port: ??
Default server IP address: ??

What do you think should go in the above fields??

>> Also strange thing is that people can't even ping
>> to my (ISP assigned) static IP address from outside! But from inside
>> the network I can ping to xx.xx.xxx.xxx and also 10.0.0.138.

>
> Maybe your router filters the ICMP echo request.


What does that mean? I know that ICMP is Internet Control Message Protocol
but what is an ICMP echo request? Are you referring to ping?

>
> As a side note: Maybe it would be better to setup a VPN
> and mount the samba shares via the VPN gateway. However
> for this your router needs to be capable to forward the
> VPN traffic to a VPN gateway. Not all routers support this.


No idea how would I set a VPN on Red Hat 9 as I have never attempted it
before. I will do a google on it anyway.

Regards
--
Yousaf
Linux version 2.4.20-8
gcc version 3.2.2
Red Hat 9
 
 
Horst Knobloch

 
      09-28-2003, 10:28 AM
Yousaf <(E-Mail Removed)> wrote:

> Horst Knobloch wrote:
>
>> This can't be done with a static route, you need Destination
>> NAT for this. Don't know how this is called in the Alcatel
>> router's menus.

>
> I think it is NAPT (Network Address and Port Translation), and in the
> settings, I have the following fields to fill in:
>
> Protocol: (tcp or udp drop down)
> Inside IP: ??
> Outside IP: ??
> Inside Port: ??
> Outside Port: ??
> Default server IP address: ??
>
> What do you think should go in the above fields??


Protocol: udp
Inside IP: <Addr of your Samba Server>
Inside Port: 139
Outside Port: 139

Protocol: tcp
Inside IP: <Addr of your Samba Server>
Inside Port: 138
Outside Port: 138

I cannot make sense of what should go in "Outside IP" and "Default
Server IP address" in your case, so I would try to leave them
blank in both cases.


>>> Also strange thing is that people can't even ping
>>> to my (ISP assigned) static IP address from outside! But from inside
>>> the network I can ping to xx.xx.xxx.xxx and also 10.0.0.138.

>>
>> Maybe your router filters the ICMP echo request.

>
> What does that mean? I know that ICMP is Internet Control Message
> Protocol but what is an ICMP echo request? Are you referring to ping?


Yes, the ping command sends ICMP echo requests which are
answered with ICMP echo replies. So, if you block ICMP
in general or ICMP echo requests the ping command would
get no answer.


>> As a side note: Maybe it would be better to setup a VPN
>> and mount the samba shares via the VPN gateway. However
>> for this your router needs to be capable to forward the
>> VPN traffic to a VPN gateway. Not all routers support this.

>
> No idea how would I set a VPN on Red Hat 9 as I have never attempted it
> before. I will do a google on it anyway.


If your router has no support for forwarding VPN traffic
like IPSec, you should look to cIPe or OpenVPN. The latter
two use the UDP protocol to transport the encrypted data and
therefore there is no problem to forward it over any NAT
router.


HTH

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
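
An added example, not part of the original posts: a small audit of a NAPT table, using the router form's field names (Protocol, Inside IP, Inside Port, Outside Port), that reports which rows expose file-sharing ports to the Internet and which rows pair such a port with a protocol the service does not listen on. The sample rows, the address 10.0.0.2 and ports 137 and 445 are assumptions added here.

```python
from dataclasses import dataclass

# Ports that Samba (nmbd/smbd) and Windows file sharing listen on.
# 137 and 445 are not mentioned in the thread; they are added assumptions.
SMB_SERVICES = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service (SMB)",
    ("tcp", 445): "SMB directly over TCP",
}
SMB_PORTS = {port for _proto, port in SMB_SERVICES}


@dataclass(frozen=True)
class NaptEntry:
    """One port-forward row, named after the fields of the router form."""
    protocol: str
    inside_ip: str
    inside_port: int
    outside_port: int


def audit(entries):
    """Return (entry, verdict, detail) for every row that touches an SMB port."""
    findings = []
    for e in entries:
        proto = e.protocol.strip().lower()
        service = SMB_SERVICES.get((proto, e.inside_port))
        if service:
            findings.append((e, "EXPOSED",
                f"{service} on {e.inside_ip} reachable from outside via {proto}/{e.outside_port}"))
        elif e.inside_port in SMB_PORTS:
            findings.append((e, "MISMATCH",
                f"file sharing does not normally listen on {proto}/{e.inside_port}; check the protocol field"))
    return findings


# Constructed sample table: 10.0.0.1 is the Samba host from the thread,
# 10.0.0.2 is a made-up address for a second machine.
SAMPLE = [
    NaptEntry("udp", "10.0.0.1", 138, 138),
    NaptEntry("tcp", "10.0.0.1", 139, 139),
    NaptEntry("tcp", "10.0.0.1", 138, 138),
    NaptEntry("tcp", "10.0.0.2", 80, 80),
    NaptEntry("tcp", "10.0.0.2", 445, 445),
]

if __name__ == "__main__":
    for entry, verdict, detail in audit(SAMPLE):
        print(f"{verdict:8} {detail}")
```

Rows reported as EXPOSED are the ones to move behind a VPN or restrict by source address; rows that forward other services, such as the port 80 row, are not reported.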
 
 
Yousaf

 
      09-28-2003, 03:50 PM
Horst Knobloch wrote:


> Protocol: udp
> Inside IP: <Addr of your Samba Server>
> Inside Port: 139
> Outside Port: 139
>
> Protocol: tcp
> Inside IP: <Addr of your Samba Server>
> Inside Port: 138
> Outside Port: 138
>
> I cannot make sense of what should go in "Outside IP" and "Default
> Server IP address" in your case, so I would try to leave them
> blank in both cases.



Thanks, the above worked very well.

I have just changed my mind about samba shares, as the samba shares
are setup on my main machine (I don't want to allow direct traffic to my
main machine). Instead I have setup file sharing on a windows 2000 machine.
Simple file sharing with username and password. I know this question is out
of the scope of this ng, but do you know of the port on which windows 2000
serves file shares. I have looked it up and the only relevant port number I
can find is 2049 but that is Solaris and Unix related. I have enabled IIS
on port 80 (only for now to test), and my friends can access the test page
on IIS. But with 2049 they can't map the shared windows folder to their own
drive.

I would be very grateful if you could help me on this as well.
Regards
--
Yousaf
Linux version 2.4.20-8
gcc version 3.2.2
Red Hat 9
 
 
Horst Knobloch

 
      09-28-2003, 09:35 PM
Yousaf <(E-Mail Removed)> wrote:

> Horst Knobloch wrote:
>

[...]
> I have just changed my mind about samba shares, as the samba shares
> are setup on my main machine (I don't want to allow direct traffic to my
> main machine). Instead I have setup file sharing on a windows 2000
> machine. Simple file sharing with username and password. I know this
> question is out of the scope of this ng, but do you know of the port on
> which windows 2000 serves file shares.


AFAIK, all file sharing under newer Windows versions use
SMB aka CIFS protocol. You already know the ports since
Samba implements the same protocol.

Again, it is not advisable to share files over the public
Internet as you intend to do. You should make up your mind
which VPN you want to deploy instead. ;-)


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
 
 
Yousaf

 
      09-29-2003, 08:25 AM
Horst Knobloch wrote:


> Again, it is not advisable to share files over the public
> Internet as you intend to do. You should make up your mind
> which VPN you want to deploy instead. ;-)


Only I wish I knew how to deploy a VPN, for which I would have to do
googling and after that loads of manuals reading, for which I do not have
any time, as I am doing my final year studies of a degree course.

If you could guide me a little on how to create a VPN on ST510 router, I
would be very grateful.

Regards
--
Yousaf
Linux version 2.4.20-8
gcc version 3.2.2
Red Hat 9
 