@psct
Created July 27, 2021 19:15
Mit Pi OS/Debian eine SMBv1-Brücke bauen / Use Pi OS/Debian as a SMBv1 bridge
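# Notes, in order. Lines under a "# <path>" comment are the contents of that file;
# the other lines are commands run as root on the Raspi.
# /etc/fstab define share (upstream SMBv2/3 server, re-exported over SMBv1 below).
# credentials= keeps the username/password out of the world-readable fstab;
# uid/gid map the mounted files to the local re-export user created further down.
//192.168.178.2/scans /reshare cifs uid=reuser,gid=reuser,credentials=/root/cred
# /root/cred put credentials for upstream SMBv2/3 server
username=upuser
password=uppassword
domain=example
# restrict the credentials file to root; mount.cifs runs as root, nobody else needs to read it
chmod 600 /root/cred
# create user (no login password, empty GECOS; /reshare is both its home and the CIFS mount point)
adduser reuser --disabled-password --gecos "" --home /reshare --quiet
# mount /reshare (see above)
mount -a
# install samba
apt-get install samba
# fill fresh /etc/samba/smb.conf with:
[global]
workgroup = SMBONE
# the legacy SMBv1 client authenticates with NTLMv1; keep this service on the
# private interface only (see "bind interfaces only" below)
ntlm auth = ntlmv1-permitted
# Samba >= 4.11 refuses SMB1 by default; NT1 is needed for the legacy client
# (and for the "smbclient -m NT1" test at the end). Harmless on older Samba.
server min protocol = NT1
# "interfaces" alone does NOT stop smbd from listening on wlan0 (the production
# net); "bind interfaces only" makes Samba bind to eth0 only. Add "lo" to
# interfaces if local tools need to reach smbd.
interfaces = eth0
bind interfaces only = yes
[reshare]
path = /reshare
# tries to (re)mount /reshare whenever a client connects, so a dropped upstream mount comes back
root preexec = mount /reshare
writeable = yes
force user = reuser
force group = reuser
# keep the re-export user's SSH directory out of the share
veto files = .ssh
# set SMB password for reuser
smbpasswd -a reuser
# restart smbd/Samba server daemon
systemctl restart smbd
# iptables rules just allowing smb traffic between Raspi and legacy SMBv1 server
# apply only in case you run Raspi and legacy server within same network
# -I prepends, so the DROP rules inserted first end up BELOW the ACCEPT rules
# inserted afterwards; 192.168.178.2 is the upstream server, 192.168.178.5 is
# presumably the legacy SMBv1 device - adjust to your addresses
iptables -I INPUT -i eth0 -p tcp -m multiport --ports 445,137,139 -j DROP
iptables -I INPUT -i eth0 -p udp -m multiport --ports 137,139 -j DROP
iptables -I INPUT -i eth0 -p tcp -m multiport --ports 445,137,139 -s 192.168.178.2 -j ACCEPT
iptables -I INPUT -i eth0 -p udp -m multiport --ports 137,139 -s 192.168.178.2 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp -m multiport --ports 445,137,139 -s 192.168.178.5 -j ACCEPT
iptables -I INPUT -i eth0 -p udp -m multiport --ports 137,139 -s 192.168.178.5 -j ACCEPT
# Add package to save iptables rules (asks to save current rules)
apt-get install iptables-persistent
# flush all persistent firewall rules (if Raspi and legacy server in separated networks)
netfilter-persistent flush
# static ip configuration via /etc/network/interfaces
# eth0 = private net with the legacy SMBv1 device, wlan0 = production net
allow-hotplug eth0
iface eth0 inet static
address 192.168.64.1
netmask 255.255.255.0
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.178.3
netmask 255.255.255.0
gateway 192.168.178.1
dns-nameservers 192.168.178.1
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
# WLAN setup as mentioned before in /etc/wpa_supplicant/wpa_supplicant.conf
# (keep this file mode 600; wpa_passphrase can generate a hashed psk instead of the plain passphrase)
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=DE
network={
ssid="meinwlan"
psk="meinepassphrase"
}
# optional install dnsmasq
apt-get install dnsmasq
# optional add minimal configuration for dnsmasq
# be sure those lines exist in /etc/dnsmasq.conf
# (serves DHCP on eth0 only; the range is a single address for the legacy device)
interface=eth0
dhcp-range=192.168.64.50,192.168.64.50,12h
# enable ip forwarding by creating /etc/sysctl.d/97-ipfw.conf and insert
net.ipv4.ip_forward=1
# allow device with legacy SMBv1 server to reach out for internet service (nat behind Raspi)
iptables -t nat -I POSTROUTING -o wlan0 -j MASQUERADE -s 192.168.64.50/32
# do not forward SMB traffic from legacy SMBv1 server into production network
iptables -I FORWARD -i eth0 -p tcp --dport 445 -j DROP
iptables -I FORWARD -i eth0 -p tcp -m multiport --ports 137,139 -j DROP
iptables -I FORWARD -i eth0 -p udp -m multiport --ports 137,139 -j DROP
# save firewall rules
netfilter-persistent save
# forward some services from production net into
# private net with legacy SMBv1 server/device
# net.ipv4.ip_forward=1 has to be set
# -i wlan0 limits the DNAT to traffic arriving from the production net; without it
# the legacy device's own outbound port-80/23 connections (leaving via eth0)
# would be rewritten back to itself. Port 23 exposes the device's SSH (22) under
# the telnet port on the production net - make sure that is intended.
iptables -I PREROUTING -t nat -i wlan0 -p tcp --dport 80 -j DNAT --to-destination 192.168.64.50
iptables -I PREROUTING -t nat -i wlan0 -p tcp --dport 23 -j DNAT --to-destination 192.168.64.50:22
# save firewall rules again, if you like
netfilter-persistent save
# suggestions to disable IPv6 at all or on
# private net (use one of those or none) within
# a file under /etc/sysctl.d/ (e.g. the 97-ipfw.conf created above)
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.eth0.disable_ipv6=1
# test SMBv1 connection; remember to create
# ./smb.conf with contents shown above
# (-m NT1 forces SMB1 on the client side; fails unless the server permits NT1, see "server min protocol")
smbclient //192.168.64.1/reshare -s ./smb.conf -m NT1 -U reuser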