
ip masquerading causes application problems in windows


pollux0

IS-IT--Management
Mar 20, 2002
262
US
I set up Linux IP masquerading, which is causing application problems in Windows. For example, when a user uses "Homesite" to access a file across the firewall on a server, problems arise (i.e. the file won't save properly or will get an I/O error).
 
Which kernel are you currently using, and which firewall?

"2.2.13 , ipchains etc"
 
Hi,

I'm not familiar with Homesite, but it sounds like you may need some kind of application gateway.

With NATing like this - where source IP addresses are 'edited' on the way out - there is an issue if the application/protocol being used embeds the source IP address WITHIN the packet data itself as well as in the source address field.

The firewall needs to be aware of this and modify the packet data as well as the source address.

There are common application gateways for protocols such as IRC, FTP, NetMeeting etc. which need this functionality. With an ipchains type firewall, you would use:


/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc


for ftp and irc.

Not sure what may be required for Homesite, but bear this in mind.
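As an added illustration (not code from the thread), the following Python shows why a masquerading firewall needs a protocol helper such as ip_masq_ftp: an FTP client's PORT command carries the client's own private address in the payload, so a NAT that rewrites only the IP header hands the server an unroutable 192.168.x.x address. The helper must rewrite the payload too and remember which external port maps back to which inside client. Addresses follow the thread's diagram; the port-allocation scheme is a constructed simplification.

```python
import re

# Constructed example: a simplified FTP "PORT" helper for a masquerading firewall.
# Client 192.168.1.5 sits behind the NAT whose external address is 202.202.202.2.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(cmd):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def format_port(ip, port):
    """Build a PORT command in the h1,h2,h3,h4,p1,p2 wire format."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpMasqHelper:
    """What an FTP application gateway does conceptually: rewrite the embedded
    address and record an expectation so the server's data connection, which
    arrives at the firewall's external address, can be forwarded to the client."""

    def __init__(self, internal_prefix, external_ip, first_port=61000):
        self.internal_prefix = internal_prefix  # e.g. "192.168." (simplified match)
        self.external_ip = external_ip
        self.next_port = first_port             # next free external port to hand out
        self.expectations = {}                  # external port -> (inside ip, inside port)

    def rewrite(self, cmd):
        """Rewrite a PORT command sent by an inside client; pass anything else through."""
        parsed = parse_port(cmd)
        if parsed is None or not parsed[0].startswith(self.internal_prefix):
            return cmd
        ip, port = parsed
        ext_port = self.next_port
        self.next_port += 1
        self.expectations[ext_port] = (ip, port)
        return format_port(self.external_ip, ext_port)

    def lookup_data_connection(self, dst_port):
        """Map an incoming data connection on the external port back to the real client."""
        return self.expectations.get(dst_port)
```

Without the rewrite the server would try to open its data connection to 192.168.1.5, which is exactly the kind of payload-embedded address a header-only NAT cannot fix.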
 
thanks for the posts

I'm using iptables in a recent release of Red Hat.

Will using the FTP or IRC module fix this problem even though it is really not using FTP?
 
one more thing...

homesite seems to just use the shares within "my network places" to edit and save files..

 
I'm assuming you've configured Samba for this?

If so, could you provide your configuration? It sounds like something may not be set properly.

You may want to verify that your Samba 'workgroup' settings match those under your Windows machines.
 
i should be more specific...

I don't need Samba because it's a 100% Microsoft environment. The only thing that is Linux is the firewall itself.


 
hmmmm.

Ok, sorry, but I thought you were trying to transfer 'from' Windows 'to' Linux or vice versa.

 
I found these errors on the Microsoft server we are trying to access:
************************************
Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2006
Date: 12/11/2002
Time: 1:38:14 PM
User: N/A
Computer: USVAS003
Description:
The server received an incorrectly formatted request from \\202.202.202.2
************************************
where 202.202.202.2 is the IP of the firewall (external eth0 IP address). This is obviously not coincidental....
the other error:
************************************
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7005
Date: 12/13/2002
Time: 4:23:54 PM
User: N/A
Computer: USVAS003
Description:
The RpcImpersonateClient call failed with the following error:
No security context is available to allow impersonation.
************************************
It looks like these errors started when we began using the 192 IP masq Linux firewall.
 
ok,

The firewall is using an ip structure of 202.202.202.2

The "workstations" are using 192.*.*.* ?

what is the ip structure of the server(s) in question?
 
                 |
                 |
                 |---------server we are trying to access (202.202.202.5)
                 |
                 | to internet
                 |
 _______________________________
| external ip 202.202.202.2     |
|                               |
|   linux firewall (ip masq)    |
|                               |
| internal ip 192.168.1.1       |
 -------------------------------
                 |
                 | to internal network
                 |
                 |
                 |--client that is trying to access the server (192.168.1.5)
                 |
                 |


 
have you verified that the assigned workgroup to the
share(s) match the assigned workgroup of the connecting workstations?

It appears that the masquerade is working, since your server logged the firewall address rather than the workstation's IP of 192.168.*.*

This is indeed odd :-\
 
We are using a microsoft dom controller for our network which is also the same domain for the internal network.

Two other things that are odd...

1. The network drives on the client machines in the internal network are mapped to the server(s) outside the firewall. Usually they do not disconnect for the default time (I'm guessing about 15 minutes). But after setting up the firewall they disconnect within a matter of seconds!! It seems the whole Windows file system is "refreshing" or trying to reconnect or reset on all the computers behind the firewall. Outside the firewall everything is perfect....

2. Under "My Network Places" I cannot see the computers that are outside the firewall, and vice versa: outside the firewall I cannot see the clients inside the firewall. When I restart the Computer Browser service on the master browser on the internal network, I can see the computers outside the network in "My Network Places". But after a minute or so, they disappear!!

But everything else on our network seems perfect...internet, DNS, I can ping the computers outside the network and vice versa, I can "manage" the computers outside the network and vice versa, etc, etc, etc.....the only problem is the file system within Windows :(
 
And to answer your question...

The server is Microsoft as well. Everything is microsucks.
 
Hi,


Ah, I've had a look for homesite and see it's a code editor by Macromedia. I would be 99% sure that it will use ftp to transfer the files up to any server as that would be the only protocol used for file transfer up to virtually all web servers. Certainly, all other Macromedia products (dreamweaver, ultradev etc) use ftp for this process.

Don't know if the app gateway will fix the server error, but a guess would be that you may have some non-standard authentication method for logging onto the FTP server - make sure that you haven't got NT auth (or whatever the equivalent is in 2000) but plain text for regular FTP uploads. I recall that the original W2K implementation of the Kerberos authentication method was, ahem, "extended" so that only MS clients would work (though I think this was addressed later), so this might not work either if you're using that. (I know your client machine is an MS box, but as the gateway is NATing the local network behind a single IP address, the FTP app gateway will be acting as a proxy on behalf of the client PC).

With regards to the PCs appearing in Network Places: computers in that view are there if they are identified via subnet broadcasts - so you only ever see them when they are on the same subnet. One way around this is to reference a WINS server on the other subnet, which will bridge the gateway.

 
FTP can be used with Macromedia but is not a requirement if you are logged in on the domain under Microsoft. It's not FTP; instead it's like clicking on "My Network Places" and using a file share. I'm not sure what the protocol is that Microsoft uses for "My Network Places" and "shared folders", but it is embedded within the Microsoft OS and network structure. Homesite, like Photoshop and Flash, makes use of that protocol when accessing a remote file. I believe the problem is within the Microsoft or network structure but is propagating to the applications that use it, like Homesite. I say this because the network drives are also acting funny when I am copying files to and from the server, which has nothing to do with Homesite.

Furthermore, I believe that with the release of W2K, WINS is not a requirement; I have even tried it across the internet. I connected a cluster of computers to this domain across the internet and I was able to see all the servers and clients on the other side without ever touching WINS. This problem is happening just over this Linux box.

The only thing the Linux firewall is doing is changing the IP address, that's it. There are only two lines in the iptables script:

# masquerade everything leaving the external interface (the target is spelled MASQUERADE)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# enable IPv4 forwarding between eth0 and the internal interface; the value 1 must be written
echo 1 > /proc/sys/net/ipv4/ip_forward
 