Possible double post: Using netfilter on a nested LAN (NT)

Ryan Hoegg RHoegg@CCEX.COM
Wed, 5 Jan 2000 16:05:50 -0500


Hi,

Apologies if this is a double post, I can't seem to figure out which address
to send my netfilter mail to.

I am attempting to use netfilter on 2.3.34 within our existing LAN using
address space 206.x.x.0/24.  My new internal network is 192.168.152.0/24.
Here is the output of ipnatctl -L:

generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 srcpt=137 TO: 206.x.x.15 port 137
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 srcpt=138 TO: 206.x.x.15 port 138
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 srcpt=139 TO: 206.x.x.15 port 139
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=6 TO: 206.x.x.15
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 TO: 206.x.x.15
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=1 TO: 206.x.x.15

As you can see, I have made explicit rules to make sure that UDP ports 137,
138, and 139 are forwarded out the same ports on the other NIC.  I have also
forwarded all TCP, ICMP, and all other UDP traffic.

The problem is this:  I have Windows 9x and NT machines that will be
residing on my 192.168.152.0 network and two NT servers that will be
residing on the publicly available network.  The 9x and NT boxes on the
private network will need to log into the PDC at 206.x.x.11 and to access
the Microsoft Exchange server at 206.x.x.10.  I have made the appropriate
LMHOSTS entries:

[LMHOSTS]
206.x.x.10	MAIL	#PRE
206.x.x.11	PDC	#PRE	#DOM:DOMAIN

The main problem I have is that domain logons are not working, but access to
the Exchange server is.  Examining my network traffic with NetXRay, I notice
that when the same 9x box is connected with the IP 206.x.x.29, logon works
perfectly and I see some UDP NetBIOS traffic, but when the logon attempt is
made while connected as 192.x.x.29 through my netfilter box, no UDP NetBIOS
traffic is generated from 206.x.x.15.  As I said earlier, in this situation
Exchange access is fully functional.

Also, are my explicit port assignments for UDP superfluous?

Thanks,
Ryan Hoegg
rhoegg@ccex.com
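Added example, not part of Ryan's post or of the netfilter project: a Python checker that parses the ipnatctl -L listing above in the format shown and reports which source-port-specific UDP rules are also matched by the later wildcard proto=17 rule, and whether the specific rule pins the translated port where the wildcard leaves it to the NAT engine. It assumes the listing format exactly as printed in the mail (the 206.x.x.15 placeholder is kept as-is) and makes no claim about whether the engine would preserve the source port on its own.

```python
"""Parse an ipnatctl -L listing (format as shown in the post) and flag
port-specific rules that a later wildcard rule would also match."""
import re

# One rule as printed: generic [SRC] a/24->0.0.0.0/0 proto=17 srcpt=137 TO: x port 137
RULE_RE = re.compile(
    r"generic \[(?P<kind>SRC|DST)\] (?P<src>\S+)->(?P<dst>\S+) proto=(?P<proto>\d+)"
    r"(?: srcpt=(?P<srcpt>\d+))? TO: (?P<to>\S+)(?: port (?P<port>\d+))?$"
)
# The six rules from the post, including the mail client's line wrapping.
IPNATCTL_OUTPUT = """\
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 srcpt=137 TO: 206.x.x.15
port 137
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 srcpt=138 TO: 206.x.x.15
port 138
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 srcpt=139 TO: 206.x.x.15
port 139
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=6 TO: 206.x.x.15
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=17 TO: 206.x.x.15
generic [SRC] 192.168.152.0/24->0.0.0.0/0 proto=1 TO: 206.x.x.15
"""

def parse_ipnatctl(text):
    """One dict per rule; srcpt/port are None when unrestricted/not pinned."""
    joined = re.sub(r"\n(?=port \d+)", " ", text)  # rejoin wrapped "port N"
    rules = []
    for line in joined.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # non-rule lines are skipped
            g = m.groupdict()
            for key in ("proto", "srcpt", "port"):
                g[key] = int(g[key]) if g[key] is not None else None
            rules.append(g)
    return rules

def covered_by_wildcard(rules):
    """Pair each srcpt-specific rule with the first later same-kind/src/dst/proto
    rule lacking srcpt; flag = specific rule pins a port the wildcard leaves open."""
    findings = []
    for i, r in enumerate(rules):
        if r["srcpt"] is None:
            continue
        for w in rules[i + 1:]:
            same = all(w[k] == r[k] for k in ("kind", "src", "dst", "proto"))
            if same and w["srcpt"] is None:
                findings.append((r, w, r["port"] is not None and w["port"] is None))
                break
    return findings
RULES = parse_ipnatctl(IPNATCTL_OUTPUT)
```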