VPN
Welcome to my notes on setting up tunnelling using Debian 2.4 (Sid) and 2.4.xx kernels.



At present you will need to upgrade to Sid to get some needed libraries. It may well be possible to run this on Woody; I have not tried as yet (but I think Woody now does).

There are 3 kinds of tunnels in Linux. There's IP in IP tunneling, GRE tunneling and tunnels that live outside the kernel (like, for example PPTP).

Howto http://www.ds9a.nl/2.4Routing/HOWTO/cvs/2.4routing/output/2.4routing-3.html

Setup

Install iproute, nmap and traceroute with apt-get update followed by apt-get install iproute nmap traceroute (this assumes apt points to bunk's site).

Try some of the useful commands provided by iproute (you will need these later, so test them out now):

ip link list
ip address show
ip route show
ip route list table local
ip route list table main

IPSEC

Quote "These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is a Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet."

This work is based on the official web site material at http://www.freeswan.org/intro.html

Initial setup

Upgrade Potato to Sid (needed for libgmp2, libgmp3, libgmp3-dev).

Install packages gmp, libgmp2, libgmp3, libgmp3-dev with apt-get install gmp libgmp2 libgmp3 libgmp3-dev

Compile a debianised kernel as per my page, install this kernel and make sure it is working as you expect, e.g. that iptables functions. Please see this page if need be for iptables on Debian.

Make a symbolic link called linux to kernel-source-2.4.14 with ln -s kernel-source-2.4.14 linux

Download the ipsec source from ftp://ftp.xs4all.nl/pub/crypto/freeswan/

Move it to /usr/src/ and untar it with tar zxvf freeswan-1.92.tar.gz

Enter /usr/src/linux and type make clean, then type cd ../freeswan-1.92 to move to /usr/src/freeswan-1.92.

In the /usr/src/freeswan-1.92 directory type make ogo or make menugo (NB ncurses may not work for menugo, so revert to ogo if so). This converts the existing .config in /usr/src/linux to be ipsec aware so a kernel can be compiled. Move back there by typing cd ../linux.

In /usr/src/linux type make dep, followed by make-kpkg clean; you then get lots of lines flying past again (only a few seconds' worth). OK, and this is the long one: type make-kpkg --revision=2.4.14-fwipsec.1.0 kernel_image.

At the end of this process there should be a valid kernel-image.xxxx.deb waiting for you in /usr/src/, install with dpkg -i kernel-image-2.4.14_2.4.14-fwipsec.1.0_i386.deb

The make ogo process installs the files (such as ipsec.conf and ipsec.secrets in /etc) and generates the RSA keys, so generally it's easiest to do the compiling on the firewall (even if that is not secure/advisable).

First cp /etc/ipsec.conf to /etc/ipsec.conf-orig; the initial ipsec.conf looks something like this:


# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
	# How persistent to be in (re)keying negotiations (0 means very).
	keyingtries=0
	# RSA authentication with keys from DNS.
	authby=rsasig
	leftrsasigkey=%dns
	rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
	left=%defaultroute
	right=%opportunistic
	# uncomment to enable incoming; change to auto=route for outgoing
	#auto=add



# sample VPN connection
conn sample
	
	# Left security gateway, subnet behind it, next hop toward right.
	left=10.0.0.1
	leftsubnet=172.16.0.0/24
	leftnexthop=10.22.33.44
	# Right security gateway, subnet behind it, next hop toward left.
	right=10.12.12.1
	rightsubnet=192.168.0.0/24
	rightnexthop=10.101.102.103
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	#auto=add

At this point, rebooting should see ipsec initialise, and typing ipsec whack --status should show:

000 interface ipsec0/eth0 192.168.1.253
000
000  

That is not much yet.

/etc/ipsec.conf

My VPN network looks like this,

172.16.0.0/16------172.16.0.1/eth1-eth0/192.168.1.254.............192.168.1.253/eth0-eth1/172.31.0.1------172.31.0.0/16

192.168.1.1 sits between 192.168.1.254 and 192.168.1.253 and is the gateway to the Internet (default route). 192.168.1.254, hostname katch, is the left connection and 192.168.1.253, hostname kabuto, is the right connection. My domain is thing.dyndns.org.

In /etc/ is a file called ipsec.secrets; in here is your public key (in a comment) followed by your private key, e.g.:


# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA	{
	# RSA 2048 bits   kabuto   Sat Jul 21 18:49:46 2001
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQODNQ0I5lhx7QhcoE5g8SRbLvEKBp20qmFZ+sosD3nVpuKWyuOKakrjp7nyhZStItdhuOCFbUE9o7YGMlpfCT1khEJltkl/r2FhR5Y+yHBAOXTreEvpKDt2fWkAyfCXBJkxhGoKVfs0JWbtnPXT7uvskwz34K6JTl9WmnRnN/oO9pJyVvnqqqqJyU86j2zfWd0DlJ7AokFSrOb2YdwukZbxm5fqEQQrnIa1CrlSh/5DP9ehsOYtZsZbbmpWdIGkI2Iukrpu7sIzeq4dP+/7fU99oTI+cMUtrE2NqqpRSU8DaEq4LwKcVKet6CxWC4Mx4LT0JvX1s0951FrBMh9MwXdV
	#IN KEY 0x4200 4 1 AQODNQ0I2lhx7QhcoE5g8SRbLvEKBp20qmFZ+sosD3nVpuKWyuOKakrjp7nyhZStItdhuOCFbUE9o7YGMlpfCT1khEJltkl/r2FhR5Y+yHBAOXTreEvpKDt2fWkAyfCXBJkxhGoKVfs0JWbtnPXT7uvskwz34K6JTl9WmnRnN/oO9pJyVvnETGEJyU86j2zfWd0DlJ7AokFSrOb2YdwukZbxm5fqEQQrnIa1CrlSh/5DP9ehsOYtZsZbbmpWdIGkI2Iukrpu7sIzeq4dP+/7fU99oTI+cMUtrE2NqqpRSU8DaEq4LwKcVKet6CxWC4Mx4LT0JvX1s0951FrBMh9MwXDV
	# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
	Modulus: 0x...
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Prime1: 0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Prime2: 0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Exponent1: 0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Exponent2: 0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Coefficient: 0xxxxxxxxxxxxxxxxxxxxxxxxxx
	}
# do not change the indenting of that "}"

Do not edit this file in any way!!!!!

The only part we want is,

0sAQODNQ0I5lhx7QhcoE5g8SRbLvEKBp20qmFZ+sosD3nVpuKWyuOKakrjp7nyhZStItdhuOCFbUE9o7YGMlpfCT1khEJltkl/r2FhR5Y+yHBAOXTreEvpKDt2fWkAyfCXBJkxhGoKVfs0JWbtnPXT7uvskwz34K6JTl9WmnRnN/oO9pJyVvnqqqqJyU86j2zfWd0DlJ7AokFSrOb2YdwukZbxm5fqEQQrnIa1CrlSh/5DP9ehsOYtZsZbbmpWdIGkI2Iukrpu7sIzeq4dP+/7fU99oTI+cMUtrE2NqqpRSU8DaEq4LwKcVKet6CxWC4Mx4LT0JvX1s0951FrBMh9MwXdV

which is the public key for the "right" machine.

This, together with the left key, gets put into the ipsec.conf file, which ends up looking like this:


# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
#this file belongs to the ppro200 kabuto
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes


# defaults for subsequent connection descriptions
conn %default
	# How persistent to be in (re)keying negotiations (0 means very).
	keyingtries=0
	# RSA authentication with keys from DNS.
	authby=rsasig
	#leftrsasigkey=%dns
	#rightrsasigkey=%dns


# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#ssj conn me-to-anyone
	#ssj left=%defaultroute
	#ssj right=%opportunistic
	# uncomment to enable incoming; change to auto=route for outgoing
	#auto=add

conn sample
	# Left security gateway, subnet behind it, next hop toward right.
	leftid=@katch.thing.dyndns.org
	# NB: parameter lines must be indented; a line starting in column 1 begins a new section
	leftrsasigkey=0sAQN9Y.....................
	left=192.168.1.254
	leftsubnet=172.16.0.0/16
	#leftnexthop=192.168.1.253
	# Right security gateway, subnet behind it, next hop toward left.
	rightid=@kabuto.thing.dyndns.org
	rightrsasigkey=0sAQODNQ0I......................
	right=192.168.1.253
	rightsubnet=172.31.0.0/16
	#rightnexthop=192.168.1.254
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	#auto=add
	auto=start
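The public key pulled out of ipsec.secrets above has to land, indented, inside the right conn of the peer's ipsec.conf. As an added example (not from the page and not FreeS/WAN's own tooling), this script extracts the 0s... key from an ipsec.secrets-style file the way ipsec showhostkey does, confirms the peer's ipsec.conf carries it as rightrsasigkey=, and flags any name=value line that starts in column 1 (in ipsec.conf such a line begins a new section, so the conn silently loses it). The files and the shortened key are constructed.

```shell
#!/bin/sh
# Added example (not from the page): extract this host's public key from
# ipsec.secrets the way "ipsec showhostkey" would, check that the peer's
# ipsec.conf carries it, and catch unindented parameter lines. The files
# below are constructed with a shortened, made-up key.

# Print the 0s... value of the "#pubkey=" comment; return 1 if none found.
extract_pubkey() {
    sed -n 's|^[[:space:]]*#pubkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p' "$1" | head -n 1 | grep .
}

# Return 0 if an indented, uncommented rightrsasigkey= in $1 equals key $2.
conf_has_key() {
    sed -n 's|^[[:space:]]\{1,\}rightrsasigkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p' "$1" |
        grep -Fqx "$2"
}

# In ipsec.conf a line starting in column 1 begins a new section, so an
# unindented name=value line silently drops out of the conn it belongs to.
# Print such lines and return 1 if any exist; return 0 when all are indented.
check_indent() {
    ! grep -n '^[A-Za-z][A-Za-z0-9_]*=' "$1"
}

SECRETS=$(mktemp); CONF=$(mktemp); CONF_BAD=$(mktemp)
# constructed ipsec.secrets (layout as FreeS/WAN writes it, key shortened)
cat >"$SECRETS" <<'EOF'
: RSA	{
	# RSA 2048 bits   kabuto   Sat Jul 21 18:49:46 2001
	#pubkey=0sAQODNQ0Iexample+Key/Only=
	#IN KEY 0x4200 4 1 AQODNQ0Iexample+Key/Only=
	Modulus: 0x0
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 0x0
	}
EOF
# constructed peer ipsec.conf: key indented, so it belongs to conn sample
cat >"$CONF" <<'EOF'
conn sample
	leftid=@katch.thing.dyndns.org
	left=192.168.1.254
	rightid=@kabuto.thing.dyndns.org
	rightrsasigkey=0sAQODNQ0Iexample+Key/Only=
	right=192.168.1.253
	auto=start
EOF
# same file with the key line starting in column 1: a new section, not sample
sed 's/^[[:space:]]*rightrsasigkey=/rightrsasigkey=/' "$CONF" >"$CONF_BAD"

KEY=$(extract_pubkey "$SECRETS") || { echo "no #pubkey= in $SECRETS"; exit 1; }
for f in "$CONF" "$CONF_BAD"; do
    if conf_has_key "$f" "$KEY" && check_indent "$f"; then
        echo "$f: carries $KEY and all parameter lines are indented"
    else
        echo "$f: peer key missing from conn or a parameter line is unindented"
    fi
done
```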

rp_filter

This is on by default; turn it off by opening /etc/network/options and changing spoofprotect to no, e.g.: (spoofprotect is what turns on rp_filter, the kernel's reverse-path check, which drops packets whose source address would not be routed back out of the interface they arrived on; because FreeS/WAN's ipsec0 interface duplicates eth0's address and routes, the check can drop the tunnel's traffic, so it has to be off on the gateways.)

ip_forward=yes
spoofprotect=no
syncookies=no

Once rebooted, ipsec whack --status should give something like this:


000 interface ipsec0/eth0 192.168.1.253
000  
000 "sample": 172.31.0.0/16===192.168.1.253[@kabuto.thing.dyndns.org]...
000 "sample": ...192.168.1.254[@katch.thing.dyndns.org]===172.16.0.0/16
000 "sample":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sample":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "sample":   newest ISAKMP SA: #3; newest IPsec SA: #2; eroute owner: #2
000  
000 #3: "sample" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3300s; newest ISAKMP
000 #2: "sample" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27987s; newest IPSEC; eroute owner
000 #2: "sample" esp.7e9978be@192.168.1.254 esp.3b8f572f@192.168.1.253 tun.1002@192.168.1.254 tun.1001@192.168.1.253
000 #1: "sample" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2545s


ipsec look shows this:


kabuto Sun Jul 29 16:12:03 NZST 2001
172.31.0.0/16      -> 172.16.0.0/16      => tun0x1002@192.168.1.254 esp0x7e9978be@192.168.1.254  (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x3b8f572f@192.168.1.253 ESP_3DES_HMAC_MD5: dir=in  src=192.168.1.254 iv_bits=64bits iv=0x9230b6a423aa4c69 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(79,0,0)
esp0x7e9978be@192.168.1.254 ESP_3DES_HMAC_MD5: dir=out src=192.168.1.253 iv_bits=64bits iv=0x06a171354747b618 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(79,0,0)
tun0x1001@192.168.1.253 IPIP: dir=in  src=192.168.1.254 life(c,s,h)=add(79,0,0)
tun0x1002@192.168.1.254 IPIP: dir=out src=192.168.1.253 life(c,s,h)=add(79,0,0)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG       40 0          0 eth0
172.16.0.0      192.168.1.254   255.255.0.0     UG       40 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 ipsec0

and route -n shows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
172.31.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
172.16.0.0      192.168.1.254   255.255.0.0     UG    0      0        0 ipsec0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

The route commands tried earlier should now show ipsec0, e.g. ip route list table main:

192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.253 
192.168.1.0/24 dev ipsec0  proto kernel  scope link  src 192.168.1.253 
172.31.0.0/16 dev eth1  proto kernel  scope link  src 172.31.0.1 
172.16.0.0/16 via 192.168.1.254 dev ipsec0 
default via 192.168.1.1 dev eth0 

ip route show:

192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.253 
192.168.1.0/24 dev ipsec0  proto kernel  scope link  src 192.168.1.253 
172.31.0.0/16 dev eth1  proto kernel  scope link  src 172.31.0.1 
172.16.0.0/16 via 192.168.1.254 dev ipsec0 
default via 192.168.1.1 dev eth0

ip address show:

1: lo:  mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: ipsec0:  mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:80:c8:f5:c2:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.253/24 brd 192.168.1.255 scope global ipsec0
3: ipsec1:  mtu 0 qdisc noop qlen 10
    link/ipip 
4: ipsec2:  mtu 0 qdisc noop qlen 10
    link/ipip 
5: ipsec3:  mtu 0 qdisc noop qlen 10
    link/ipip 
6: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:c8:f5:c2:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.253/24 brd 192.168.1.255 scope global eth0
7: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:5f:2a:b0:a0 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.1/16 brd 172.31.255.255 scope global eth1
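The ipsec whack --status and ip route show listings above are what you would poll after a reboot to confirm the tunnel is really carrying traffic. As an added example (not from the page or from FreeS/WAN), this script checks a saved status listing for an established ISAKMP SA, an IPsec SA that owns the eroute and an erouted ENCRYPT+TUNNEL policy, and checks a saved routing table for the far subnet being reached over ipsec0. The sample listings are constructed from the ones above, plus a constructed "Phase 1 only" listing for contrast.

```shell
#!/bin/sh
# Added example (not from the page or FreeS/WAN): health check over saved
# "ipsec whack --status" and "ip route show" output, built from the
# listings above plus a constructed status in which only Phase 1 completed.

# Usage: tunnel_up STATUSFILE CONN
# Returns 0 only if CONN shows an ISAKMP SA, an IPsec SA that owns the
# eroute, and a policy line with ENCRYPT+TUNNEL that is "erouted".
tunnel_up() {
    f="$1"; c="\"$2\""
    grep -q "^000 #[0-9]*: $c STATE_.*ISAKMP SA established" "$f" &&
    grep -q "^000 #[0-9]*: $c STATE_.*IPsec SA established.*eroute owner" "$f" &&
    grep -q "^000 $c: *policy: .*ENCRYPT+TUNNEL.*; erouted" "$f"
}

# Usage: remote_subnet_routed ROUTEFILE SUBNET PEER
# Returns 0 if SUBNET is reached via PEER over dev ipsec0, i.e. packets
# for the far side are steered into the tunnel rather than out of eth0.
remote_subnet_routed() {
    pat=$(printf '%s via %s dev ipsec0' "$2" "$3" | sed 's/\./\\./g')
    grep -q "^$pat" "$1"
}

STATUS=$(mktemp); DOWN=$(mktemp); ROUTES=$(mktemp)
# constructed from the working listing above
cat >"$STATUS" <<'EOF'
000 interface ipsec0/eth0 192.168.1.253
000 "sample": 172.31.0.0/16===192.168.1.253[@kabuto.thing.dyndns.org]...
000 "sample": ...192.168.1.254[@katch.thing.dyndns.org]===172.16.0.0/16
000 "sample":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "sample":   newest ISAKMP SA: #3; newest IPsec SA: #2; eroute owner: #2
000 #3: "sample" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3300s; newest ISAKMP
000 #2: "sample" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27987s; newest IPSEC; eroute owner
EOF
# constructed: Phase 1 done but no IPsec SA yet, so nothing is erouted
cat >"$DOWN" <<'EOF'
000 interface ipsec0/eth0 192.168.1.253
000 "sample":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 #1: "sample" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2545s
EOF
# constructed from the "ip route show" listing above
cat >"$ROUTES" <<'EOF'
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.253
192.168.1.0/24 dev ipsec0  proto kernel  scope link  src 192.168.1.253
172.31.0.0/16 dev eth1  proto kernel  scope link  src 172.31.0.1
172.16.0.0/16 via 192.168.1.254 dev ipsec0
default via 192.168.1.1 dev eth0
EOF

for s in "$STATUS" "$DOWN"; do
    if tunnel_up "$s" sample && remote_subnet_routed "$ROUTES" 172.16.0.0/16 192.168.1.254; then
        echo "$s: conn sample is up and 172.16.0.0/16 is routed through ipsec0"
    else
        echo "$s: conn sample is NOT fully up (check the firewall rules and rp_filter)"
    fi
done
```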

IPTABLES - authentication

You will need a few lines. The first:

iptables -A INPUT -s 192.168.1.253 -p udp --dport 500 -j ACCEPT

allows the IKE negotiation on UDP port 500, in which the RSA key authentication takes place; the next rules allow the actual tunnel traffic (ESP, IP protocol 50, and AH, IP protocol 51):

iptables -A INPUT -s 192.168.1.253 -p 50 -j ACCEPT
iptables -A INPUT -s 192.168.1.253 -p 51 -j ACCEPT

iptables -A INPUT -s 192.168.1.254 -p 50 -j ACCEPT
iptables -A INPUT -s 192.168.1.254 -p 51 -j ACCEPT

Use the pair that matches the peer on each side (both peers' pairs are shown above); with the tunnel up, ssh, telnet, www, smtp and pop/imap will all flow through it.

Note these three lines are not terribly secure by themselves (but remember the authentication key is simply huge); I need to tighten them up a bit! The danger is IP spoofing. There is a MAC address match for iptables which I need to experiment with; note however that some machines, like Sun boxes, have a MAC address that is settable by the system admin, so this is not much better!

IPTABLES - Samba/Netbios

Netbios needs another line in both firewall scripts, otherwise authentication and WINS won't work; once a session is established it doesn't seem to matter, the data flows.

iptables -A FORWARD -i ipsec0 -j ACCEPT

IPTABLES - IPSEC

#!/bin/bash
#iptables firewall script
#rev 2 17/06/01
#rev 3 20/11/01 ipsec input rules added and tightened
#rev 4 8/12/01 Rule to allow netbios over ipsec added.
#rev 5 8/12/01 tidy up some unclean & invalid etc with rules

#start ip_forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "forwarding started"
#started in /etc/network/options 

#flush existing rules first so re-running the script does not append duplicates
iptables -F
iptables -t nat -F

#set constants
outer_nic="eth0"
inner_nic1="eth1"
inner_nic2="eth2"
inner_nw1="172.31.0.0/16"
rh_fwall="192.168.1.253"
lh_fwall="192.168.1.254"
#inner_nw1="192.168.0.0/24"
#inner_nw2="10.0.0.0/8"
#web="172.31.0.16:80"
#web="172.16.0.20:80"
#smtp="172.16.0.20:25"
#web="192.168.0.100:80"
#ident="10.0.0.2:113"
echo "firewall constants setup"

#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
#irc module
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe 
echo "started connection tracking"

#individual port forwarding
#www
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 80 \
#-j DNAT --to $web
#smtp
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 25 \
#-j DNAT --to $smtp
#ident
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 113 \
#-j DNAT --to $ident
#--to $ident
iptables -A PREROUTING -t nat -i eth0 -d $inner_nw1 -j DROP
#iptables -A PREROUTING -t nat -i eth0 -d $inner_nw2 -j DROP
echo "no portfw started"
#echo "portfw started"

#forward rules
iptables -t nat -A POSTROUTING -s $inner_nw1 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $inner_nw1 -o $inner_nic2 \
#-j MASQUERADE
iptables -A FORWARD -i $inner_nic1 -j ACCEPT
#iptables -A FORWARD -i $inner_nic2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#ipsec rule for NETBIOS/SAMBA over the tunnel
iptables -A FORWARD -i ipsec0 -j ACCEPT
#clean up a bad syn which needs a specific rule
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#clean these up as well
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m unclean -j DROP
 
#Final default policy
iptables -P FORWARD DROP
#iptables -P FORWARD ACCEPT
echo "FORWARD rules now in place"

#INPUT rules
#specific ipsec lines
iptables -A INPUT -s $lh_fwall -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $lh_fwall -p 50 -j ACCEPT
iptables -A INPUT -s $lh_fwall -p 51 -j ACCEPT
echo "ipsec rules in place"

#general
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $outer_nic -j ACCEPT
#allow ping replies (may not be desired)
iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT

iptables -P INPUT DROP
#iptables -P INPUT ACCEPT
echo "INPUT rules now in place"

#limit logging levels to save clutter and /var from being swamped
#iptables -A FORWARD -m limit --limit 3/m -j LOG
#iptables -A FORWARD -j LOG
echo "log limiting in place"

#specific defence rules eg DoS attacks
#(a rule without -j only counts matches; -m limit with no --limit uses the
# default of 3 matches per hour, burst 5)
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit -j ACCEPT
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit -j ACCEPT
echo "DoS defences setup"

exit

Testing - IPSEC

We should now be in a position to test the tunnel; it should be up and running. On each side of the tunnel, inside the subnet, there should be a suitable client such as a Linux box. Start by pinging each other from those clients; this should work fine. Do not do this from the tunnel/firewall boxes themselves, as it will NOT work: their own packets come from their 192.168.1.x addresses, which are not in leftsubnet/rightsubnet and so do not go through the tunnel. Next try telnet/ssh.

For netbios use ./smbclient -NL servername from a Sun / Linux box.

This will give you output like this if all is well:

# ./smbclient -NL kasper
added interface ip=172.31.0.16 bcast=172.31.255.255 nmask=255.255.0.0
Got a positive name query response from 172.16.0.16 ( 172.16.0.16 )
Anonymous login successful
Domain=[TEST] OS=[Unix] Server=[Samba 2.0.8]

        Sharename      Type      Comment
        ---------      ----      -------
        homes          Disk      Home Directories
        IPC$           IPC       IPC Service (kasper server (Samba 2.0.8))

        Server               Comment
        ---------            -------
        KASPER               kasper server (Samba 2.0.8)

        Workgroup            Master
        ---------            -------
        TEST                 KASPER

and from the other side:

kasper:~# smbclient -NL katana
added interface ip=172.16.0.16 bcast=172.16.255.255 nmask=255.255.0.0
Anonymous login successful
Domain=[TEST] OS=[Unix] Server=[Samba 2.2.2]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

A further test you can use: on a remote Linux/Sun client run ./nmblookup kasper, which should give a reply like:

querying kasper on 172.31.255.255
172.16.0.16 kasper<00>

On an NT4 client, at the C:\> prompt try net view \\kasper, which should give you a reply something like this:

kasper server < samba 2.0.8 >

Share Name     Type    Used as   Comment

---------------------------------------------------
homes			Disk			Home Directories
thing			Disk			Home Directories
The command completed successfully.

C:\ >

Further reading - IPTABLES

An excellent page for iptables is here, and worth reading



Copyright Thing 08/12/2001 to be used freely without restriction, however if this page is copied to your own web site please drop me a line with the URL - thanks.

This page has been created with help from users on the samba and freeswan mailing lists; their help is gratefully acknowledged.

The Debian logo is a trademark of Debian, who in no way endorse or take responsibility for information on this site.