Samba server not accessible over the Internet

I have a computer at home running Ubuntu Server 12.04 that is mapped to an external IP address. The server is running a Samba server with one share. Here is the configuration file:

...
#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = UBUNTUSERVER

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

...


#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
#   security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<[email protected]> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

...

[share]
   comment = John Share
   path=/data/share
   read only = no
   browseable = yes
   guest ok = no

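As you can see, I have a custom share named "share" at the bottom of the configuration file. My server has an internal IP address, 192.168.1.157, which is mapped to an external IP address, 66.73.*.*

When I am on the local network, I can connect to my samba share with: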

smb://[email protected]/share

But when I try:

smb://[email protected].**.**/share

I get an error:

Could not display "smb://[email protected].**.**/share/"

Error: Failed to mount Windows share
Please select another viewer and try again

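I have enabled DMZplus mode on the router for the external IP address. It should allow all traffic to reach the external IP address:

Allow all applications (DMZplus mode) - Sets the selected computer to DMZplus mode. All inbound traffic, except traffic that has been specifically assigned to another computer using the "Allow individual applications" feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.

Note: On a LAN device with a private IP address, once DMZplus mode is selected and "Save" is clicked, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and the computer must be restarted. If you are changing DMZplus mode from one computer to another, you must restart both computers.

Now, when I run a port scan against my external IP (66.73.**.**), I get the following: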

Starting Nmap 5.21 ( http://nmap.org ) at 2014-01-15 18:00 CST
Nmap scan report for ********************** (66.73.**.**)
Host is up (0.094s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

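As you can see, the samba ports are open outside the firewall. I tried connecting again with the samba client on Ubuntu 12.04, but I still get the same error.

The router-level firewall should not be blocking any traffic. The firewall on my Ubuntu server is also disabled: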

john@john-server:~$ sudo ufw status
[sudo] password for john: 
Status: inactive
john@john-server:~$ 

traceroute and ping also work fine:

john@john-ubuntu:~$ traceroute 66.73.**.**
traceroute to 66.73.**.** (66.73.**.**), 30 hops max, 60 byte packets
 1  homeportal (192.168.1.254)  5.974 ms  5.967 ms  5.967 ms
 2  *************************************** (66.73.**.*)  74.207 ms  74.602 ms  79.749 ms
 3  *************************************** (66.73.**.**)  86.636 ms  87.632 ms  87.639 ms
PING 66.73.**.** (66.73.**.**) 56(84) bytes of data.
64 bytes from 66.73.**.**: icmp_req=1 ttl=63 time=71.0 ms
64 bytes from 66.73.**.**: icmp_req=2 ttl=63 time=171 ms
64 bytes from 66.73.**.**: icmp_req=3 ttl=63 time=140 ms
^C
--- 66.73.**.** ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 71.006/127.456/171.293/41.903 ms

I have an AT&T router:

Model: 4111N-031

Does anyone know what is wrong with my connection?

Answer 1

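Your ISP (especially a residential ISP) may be blocking the ports. This is to prevent the many exploits that infect actual Windows systems, typically older Windows operating systems such as Windows 98. Comcast does this.

You really do not want to send unencrypted SMB traffic over an untrusted network (such as the Internet) either, especially if you have older Windows systems that only support weak NTLM authentication.

Samba works well over a routed or bridged OpenVPN setup - and it is much more secure.

Use SSH/WinSCP as an alternative that is easier to set up.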
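
The scan in the question reports ports 135, 139 and 445 as "filtered" while 22 is "open", which is the pattern the answer's ISP-blocking explanation predicts. The sketch below is an added example, not part of the original question or answer: it classifies a port with a full TCP connect and interprets the result for a Samba host. The names `probe`, `diagnose` and `PAGE_SCAN` are hypothetical, and `PAGE_SCAN` is constructed from the scan output shown above.

```python
import errno
import socket

SMB_PORTS = (139, 445)  # NetBIOS session service and SMB over TCP

# Constructed sample mirroring the port states in the scan quoted above.
PAGE_SCAN = {22: "open", 135: "filtered", 139: "filtered", 445: "filtered"}


def probe(host, port, timeout=3.0):
    """Classify one TCP port by attempting a full connect to it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"        # RST came back: host reachable, no listener
    except (socket.timeout, TimeoutError):
        return "filtered"      # silence: something on the path dropped the SYN
    except OSError as exc:
        if exc.errno == errno.EHOSTUNREACH:
            return "filtered"  # ICMP unreachable sent by a device on the path
        raise
    finally:
        sock.close()


def diagnose(states):
    """Interpret a {port: state} map for a host that runs Samba and SSH."""
    smb = [states.get(p) for p in SMB_PORTS]
    other_open = any(s == "open" for p, s in states.items()
                     if p not in SMB_PORTS)
    if all(s == "open" for s in smb):
        return "SMB reachable"
    if all(s == "closed" for s in smb):
        return "host reachable, smbd not listening on this address"
    if "filtered" in smb and other_open:
        return "SMB dropped on the path (ISP or router filter), host is up"
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose(PAGE_SCAN))
```

Running `probe` against your own server from outside the LAN and from inside it shows where the packets stop: "open" inside and "filtered" outside points at the router or ISP rather than at smb.conf.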
