Samba 共享分布在 VPN 子网上

Samba 共享分布在 VPN 子网上

我正在尝试通过我使用 OpenVPN 设置的 VPN 连接到 Samba 共享。Samba 和 OpenVPN 均在运行 Ubunutu 14.04 的虚拟机中设置。在客户端,我使用多台 Windows 机器。VPN 运行正常,我目前正在将 Web 流量从客户端路由到 www(一种 Web 代理),并且我能够访问其他客户端以及服务机器本身(ping 和网站)。我使用的当前子网:

  • 我不确定你是否可以说服务器端有一个“子网”,因为它是一个有自己 VLAN 的虚拟机
  • 客户端子网为 172.16.0.0/16
  • VPN 子网为 192.168.0.0/24

ifconfig服务器上的输出为(将公网ip涂黑):

lo        Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      RX packets:22 errors:0 dropped:0 overruns:0 frame:0
      TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:1100 (1.1 KB)  TX bytes:1100 (1.1 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:192.168.0.1  P-t-P:192.168.0.2  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:6046 errors:0 dropped:0 overruns:0 frame:0
      TX packets:7621 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:549492 (549.4 KB)  TX bytes:6177350 (6.1 MB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
      inet6 addr: ::2/128 Scope:Compat
      UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
      RX packets:77095 errors:0 dropped:0 overruns:0 frame:0
      TX packets:84984 errors:0 dropped:32 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:26204249 (26.2 MB)  TX bytes:25862190 (25.8 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.255.255
      UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

对 VPN 使用不同的子网(10.8.0.0./24),以避免在我疏忽某些事情时发生冲突……无论如何都不起作用。

OpenVPN 服务器.conf我使用的样子如下:

port 1095

proto tcp

dev tun0

ca /usr/share/easy-rsa/keys/ca.crt
cert /usr/share/easy-rsa/keys/server.crt
key /usr/share/easy-rsa/keys/server.key

dh /usr/share/easy-rsa/keys/dh2048.pem

server 192.168.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"

;push "route 0.0.0.0 0.0.0.0"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option WINS 208.67.220.220"

client-to-client

keepalive 10 120

auth SHA1

cipher BF-CBC

comp-lzo

user <sambauser>
group <sambagroupshare>

persist-key
persist-tun

status openvpn-status.log
log-append  openvpn.log

verb 3

<sambauser>拥有我想要访问的目录的用户,也是拥有该目录的组的成员<sambashare>。这里也尝试了不同的用户和组。

也许我需要注意一些有关用户权限管理的事情?

我还启用push "route 0.0.0.0 0.0.0.0"和禁用了它,因为无论如何我都用不到它。

testparm显示以下内容smb配置文件

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[homes]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
    workgroup = LAB
    server string = %h server (Samba, Ubuntu)
    interfaces = tun0
    bind interfaces only = Yes
    server role = standalone server
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    wins support = Yes
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb
    hosts allow = 192.168.0.0/24


[homes]
    comment = Home Directories
    create mask = 0740
    directory mask = 0740
    directory mode = 0740


[share]
    comment = share
    path = /home/share
    create mask = 0600
    directory mask = 0740
    directory mode = 0740
    guest ok = Yes

此外我已经设定hosts allow = 192.168.0.0/24

我使用的规则iptables看起来像这样:

#
# NAT
#

*nat

# Route all VPN Subnet traffic to the www
-A POSTROUTING -o venet0 -s 192.168.0.0/24 -j MASQUERADE
#-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 81.169.250.110
#-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source $(ifconfig venet0:0 | grep -i 'inet' | cut -d: -f2 | awk '{ print $1}')

COMMIT

#
# FILTER
#

*filter

#
# FILTER - INPUT
#

# Log incoming traffic
#-A INPUT -p tcp -j LOG --log-prefix "iptables: " --log-level 7
#-A INPUT -p udp -j LOG --log-prefix "iptables: " --log-level 7

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j ACCEPT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# HTTP
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# HTTPS
-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# VPN
-A INPUT -p tcp --dport 1095 -m state --state NEW,ESTABLISHED -j ACCEPT

# SAMBA
-A INPUT -i tun0 -p udp --dport 137 -j ACCEPT
-A INPUT -i tun0 -p udp --dport 138 -j ACCEPT
-A INPUT -i tun0 -p tcp --dport 139 -j ACCEPT
-A INPUT -i tun0 -p tcp --dport 445 -j ACCEPT

# Allows SSH connections
# The --dport number *has to be* the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -m limit --limit 1/m --limit-burst 5 -j ACCEPT

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
#-A INPUT -s 10.8.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow all kinds of icmp
-A INPUT -i tun0 -s 192.168.0.0/24 -p icmp -j ACCEPT

# log iptables denied calls (access via "dmesg" command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop everything else
-A INPUT -j DROP

#
# FILTER - FORWARD
#

# Forward all established connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# VPN - PROXY
-A FORWARD -o venet0 -i tun0 -s 192.168.0.0/24 -j ACCEPT

# Drop everything else
-A FORWARD -j DROP

#
# FILTER - OUTPUT
#

# Accepts all established outbound connections
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow HTTP and HTTPS
-A OUTPUT -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 443 -j ACCEPT

# VPN
-A OUTPUT -p tcp --dport 1095 -j ACCEPT
-A OUTPUT -p tcp --sport 1095 -j ACCEPT

# SAMBA
#-A OUTPUT -p udp --dport 137 -j ACCEPT
-A OUTPUT -p udp --sport 137 -j ACCEPT

#-A OUTPUT -p udp --dport 138 -j ACCEPT
-A OUTPUT -p udp --sport 138 -j ACCEPT

#-A OUTPUT -p tcp --dport 139 -j ACCEPT
-A OUTPUT -p tcp --sport 139 -j ACCEPT

#-A OUTPUT -p tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp --sport 445 -j ACCEPT

# Allow SSH
-A OUTPUT -p tcp --sport 22 -j ACCEPT

# Allow ping
-A OUTPUT -p icmp -j ACCEPT

# Drop everything else
-A OUTPUT -j DROP

#
# /FILTER
#

COMMIT

我不知道我还能做些什么。我尝试了几种 iptables 配置,例如允许所有输入来自(哪里tun0-A INPUT -i tun0 -j ACCEPT

我还尝试禁用hosts allow = 192.168.0.0/24-line 并禁用对tun0-接口。另一方面,我尝试像这样收紧接口绑定:

hosts allow = 192.168.0.0/24
interfaces = 192.168.0.0/24 tun0
bind interfaces only = yes

这当然没有什么明显的区别。

尝试通过在 Windows资源管理器的地址行中键入\\192.168.0.1\share或来手动从 Windows 访问共享,最终会提示错误消息。\\192.168.0.1

如果有人能帮助我,我将非常感激,我欢迎任何建议!

亲切的问候 ga

答案1

我看到您在 smb.conf 中尝试将 tun 接口与“仅绑定接口”配置指令相结合。由于 tun 不是“支持广播”的接口,因此这不起作用(请参阅 Samba 文档以了解“仅绑定接口”)。您稍后的配置中的 192.168.0.0/24 仍然是相同的 tun 接口,因此此更改无济于事。

结果,Samba 没有监听任何地方,因此无法满足任何请求。

您可以在 log.smbd 中检查日志级别 = 3 是否存在这种情况。您可能会发现类似以下内容:

[YYYY/MM/DD HH:HH:SS.ssssss,X] ../source3/lib/interface.c:316(add_interface) 未添加非广播接口 tun0

[YYYY/MM/DD HH:HH:SS.ssssss,X] ../source3/lib/interface.c:543(load_interfaces) 警告:没有网络接口成立

答案2

如果您只想通过 VPN 访问 samba,那么 smb.conf 中的全局部分应该包含以下行:

   interfaces = 127.0.0.0/8 192.168.0.0/24
   hosts deny = ALL
   hosts allow = 127.0.0.1 192.168.0.1/24

相关内容