Mit Pi OS/Debian eine SMBv1-Brücke bauen / Use Pi OS/Debian as a SMBv1 bridge

smbv1bridge.txt

# /etc/fstab define share

//192.168.178.2/scans /reshare cifs uid=reuser,gid=reuser,credentials=/root/cred

# /root/cred put credentials for upstream SMBv2/3 server

username=upuser
password=uppassword
domain=example

# create user

adduser reuser --disabled-password --gecos "" --home /reshare --quiet

# mount /reshare (see above)

mount -a

# install samba

apt-get install samba

# fill fresh /etc/samba/smb.conf with:

[global]
  workgroup = SMBONE
  ntlm auth = ntlmv1-permitted
  interfaces = eth0
[reshare]
  path = /reshare
  root preexec = mount /reshare
  writeable = yes
  force user = reuser
  force group = reuser
  veto files = .ssh

# set SMB password for reuser 

smbpasswd -a reuser

# restart smbd/Samba server daemon

systemctl restart smbd

# iptables rules just allowing smb traffic between Raspi and legacy SMBv1 server
# apply only in case you run Raspi and legacy server within same network

iptables -I INPUT -i eth0 -p tcp -m multiport --ports 445,137,139 -j DROP
iptables -I INPUT -i eth0 -p udp -m multiport --ports 137,139 -j DROP
iptables -I INPUT -i eth0 -p tcp -m multiport --ports 445,137,139 -s 192.168.178.2 -j ACCEPT
iptables -I INPUT -i eth0 -p udp -m multiport --ports 137,139 -s 192.168.178.2 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp -m multiport --ports 445,137,139 -s 192.168.178.5 -j ACCEPT
iptables -I INPUT -i eth0 -p udp -m multiport --ports 137,139 -s 192.168.178.5 -j ACCEPT

# Add package to save iptables rules (asks to save current rules)

apt-get install iptables-persistent

# flush all persistent firewall rules (if Raspi and legacy server in separated networks)

netfilter-persistent flush

# static ip configuration via /etc/network/interfaces

allow-hotplug eth0
iface eth0 inet static
  address 192.168.64.1
  netmask 255.255.255.0
allow-hotplug wlan0
iface wlan0 inet static
  address 192.168.178.3
  netmask 255.255.255.0
  gateway 192.168.178.1
  dns-nameservers 192.168.178.1
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf 

# WLAN setup as mentioned before in /etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=DE
network={
 ssid="meinwlan"
 psk="meinepassphrase"
}

# optional install dnsmasq 

apt-get install dnsmasq

# optional add minimal configuration for dnsmasq
# be sure those lines exists in /etc/dnsmasq.conf 

interface=eth0
dhcp-range=192.168.64.50,192.168.64.50,12h

# enable ip forwarding by creating /etc/sysctl.d/97-ipfw.conf and insert

net.ipv4.ip_forward=1

# allow device with legacy SMBv1 server to reach out for internet service (nat behind Raspi)

iptables -t nat -I POSTROUTING -o wlan0 -j MASQUERADE -s 192.168.64.50/32

# dort forward SMB traffic from legacy SMBv1 server into production network

iptables -I FORWARD -i eth0 -p tcp --dport 445 -j DROP
iptables -I FORWARD -i eth0 -p tcp -m multiport --ports 137,139 -j DROP
iptables -I FORWARD -i eth0 -p udp -m multiport --ports 137,139 -j DROP

# save firewall rules

netfilter-persistent save

# forward some services from production net into 
# private net with legacy SMBv1 server/device
# net.ipv4.ip_forward=1 has to be set

iptables -I PREROUTING -t nat -p tcp --dport 80 -j DNAT --to-destination 192.168.64.50
iptables -I PREROUTING -t nat -p tcp --dport 23 -j DNAT --to-destination 192.168.64.50:22

# save firewall rules again, if you like

netfilter-persistent save

# suggestions to disable IPv6 at all or on 
# private net (use one of those or none) within
# a file named etc/sysctl.d/ 

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.eth0.disable_ipv6=1

# test SMBv1 connection; remember to create 
# ./smb.conf with contents shown above

smbclient //192.168.64.1/reshare -s ./smb.conf -m NT1 -U reuser