#1 2015-09-10 00:11:53

gillecaluim
Member
Registered: 2014-11-02
Posts: 42

[SOLVED] iptables blocking nfs client connection

I'm having trouble connecting from my Arch Linux server (192.168.1.3) to an NFS server (192.168.1.2) on the LAN.
I'm able to showmount & mount an NFS share with iptables disabled, but I get this when my iptables.rules is used:

showmount -e 192.168.1.2
clnt_create: RPC: Port mapper failure - Unable to send: errno 1 (Operation not permitted)

Here's my iptables.rules

# Allow NFS service
-A INPUT -p tcp -m tcp -m state -s 192.168.1.0/24 --dport 111 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m state -s 192.168.1.0/24 --dport 111 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 2049 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 2049 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 20048 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 20048 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32764 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32764 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32765 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32765 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32766 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32766 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32803 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32803 --state NEW -j ACCEPT

This is the rpcinfo output:

   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  32803  nlockmgr
    100021    3   udp  32803  nlockmgr
    100021    4   udp  32803  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr

I'm obviously missing a port that needs to be opened, but how can I figure out which?

Last edited by gillecaluim (2015-09-11 16:31:45)

#2 2015-09-10 02:12:59

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [SOLVED] iptables blocking nfs client connection

Try adding a rule for RELATED and ESTABLISHED packets:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Also, post the output of `iptables-save` instead of a subset of the rules you (think) are loading.

#3 2015-09-10 02:22:26

gillecaluim
Member
Registered: 2014-11-02
Posts: 42

Re: [SOLVED] iptables blocking nfs client connection

Sorry for not listing the entire iptables.rules; I already had established/related included, so I don't think that's the problem.

# Generated by iptables-save v1.4.21 on Mon Sep  7 15:05:10 2015
*nat
:PREROUTING ACCEPT [116:24089]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.30.0/24 -o net0 -j MASQUERADE
COMMIT
# Completed on Mon Sep  7 15:05:10 2015
# Generated by iptables-save v1.4.21 on Mon Sep  7 15:05:10 2015
*filter
:INPUT DROP [45:4220]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -s 10.20.30.0/24 -i lan -j LOG --log-prefix "SPOOFED PKT "
-A INPUT ! -s 10.20.30.0/24 -i lan -j DROP
-A INPUT -s 10.20.30.0/24 -i lan -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i net0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A INPUT -i lo -j ACCEPT
# Allow NFS service
-A INPUT -p tcp -m tcp -m state -s 192.168.1.0/24 --dport 111 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m state -s 192.168.1.0/24 --dport 111 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 2049 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 2049 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 20048 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 20048 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32764 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32764 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32765 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32765 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32766 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32766 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 32803 --state NEW -j ACCEPT
-A INPUT -p udp -m state -s 192.168.1.0/24 --dport 32803 --state NEW -j ACCEPT

-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -s 10.20.30.0/24 -i lan -j LOG --log-prefix "SPOOFED PKT "
-A FORWARD ! -s 10.20.30.0/24 -i lan -j DROP
-A FORWARD -s 10.20.30.0/24 -i lan -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.20.30.0/24 -i lan -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.20.30.0/24 -i lan -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.20.30.0/24 -i lan -p tcp -m tcp --dport 43 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.20.30.0/24 -i lan -p tcp -m tcp --dport 4321 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4321 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Sep  7 15:05:10 2015

The NFS client seems to try to use a port that's not open. Is there a simple way to see which port it's trying to use?

#4 2015-09-10 03:00:01

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [SOLVED] iptables blocking nfs client connection

gillecaluim wrote:

The NFS client seems to try to use a port that's not open. Is there a simple way to see which port it's trying to use?

NFS uses dynamic ports and is notoriously painful for firewalling. FWIW, these ports work for me on my hosts but YMMV. Are any of your logging rules being hit?
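
Added example, not code from the thread: a small shell helper that answers the "which port is it trying to use?" question from the kernel's iptables LOG entries, since every chain in the ruleset above logs with a "DROP " prefix before the packet hits the default policy. The log lines embedded below are constructed to look like the journal output those LOG rules produce (host names, ports and timestamps are made up; the 192.168.1.3 client and 192.168.1.2 server addresses are the ones from the thread). On a real host you would pipe `journalctl -k` or `dmesg` into `summarize_drops` instead of the sample.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the format iptables' LOG target
# emits. Three outbound attempts to the NFS server's portmapper and one
# unrelated inbound probe, all dropped by the "DROP " logging rules.
SAMPLE_LOG='Sep 10 00:10:01 archlinux kernel: DROP IN= OUT=net0 SRC=192.168.1.3 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40812 DPT=111 LEN=64
Sep 10 00:10:01 archlinux kernel: DROP IN= OUT=net0 SRC=192.168.1.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45000 DPT=111 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 10 00:10:02 archlinux kernel: DROP IN= OUT=net0 SRC=192.168.1.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45001 DPT=111 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 10 00:10:05 archlinux kernel: DROP IN=net0 OUT= SRC=192.168.1.50 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# summarize_drops: read kernel log lines on stdin and print one line per
# distinct (chain, proto, src -> dst:dport) tuple, most frequent first.
# The chain is inferred from which of IN=/OUT= carries an interface name:
# an empty IN= with OUT=<iface> is a packet this host tried to send.
summarize_drops() {
    awk '
    /kernel: / && /PROTO=/ {
        dir = "?"; proto = "?"; src = "?"; dst = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN"  && kv[2] != "") dir = "INPUT"
            if (kv[1] == "OUT" && kv[2] != "") dir = "OUTPUT"
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "DST")   dst = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        count[dir " " proto " " src " -> " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# blocked_dports_to SERVER: distinct destination ports that this host's
# OUTPUT chain dropped on the way to SERVER, one per line, numerically sorted.
# This is the list of ports the firewall still needs an outbound rule for.
blocked_dports_to() {
    summarize_drops | awk -v s="$1" '
        $2 == "OUTPUT" && index($6, s ":") == 1 { sub(/^.*:/, "", $6); print $6 }
    ' | sort -un
}

# Usage on the constructed sample; on a real host replace the printf with
# `journalctl -k --no-pager` or `dmesg`.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | blocked_dports_to 192.168.1.2
```

With the sample, the summary shows two TCP and one UDP attempt from the client to 192.168.1.2:111 in the OUTPUT direction, which points at the outbound side of the ruleset rather than the INPUT rules the original post was focused on.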

#5 2015-09-11 16:37:06

gillecaluim
Member
Registered: 2014-11-02
Posts: 42

Re: [SOLVED] iptables blocking nfs client connection

I looked again at my iptables rules and realized that I had a default OUTPUT DROP rule which was preventing NFS from contacting the remote NFS server.
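
Added example, not code from the thread: with the cause identified as the OUTPUT DROP policy, the client side needs outbound NEW rules for the ports the server's rpcinfo listed (111 portmapper, 20048 mountd, 2049 nfs, 32765 status, 32803 nlockmgr). The helpers below audit an iptables-save dump for exactly that gap and emit the missing rules scoped to the single server address rather than the whole subnet. The dump embedded here is a constructed, shortened copy of the ruleset posted above; `audit_nfs_output`, `nfs_client_output_rules` and `insert_nfs_rules` are names chosen for this example, and the `-m comment` match is the standard iptables extension.

```shell
#!/bin/sh
# NFS server address from the thread and the port:service pairs from its
# rpcinfo output. Only these ports need outbound NEW rules; replies are
# already accepted by the existing RELATED,ESTABLISHED rule in OUTPUT.
SERVER=192.168.1.2
NFS_PORTS="111:portmapper 20048:mountd 2049:nfs 32765:status 32803:nlockmgr"

# Constructed iptables-save dump: a trimmed copy of the ruleset in the thread,
# keeping the nat table (whose own :OUTPUT ACCEPT must not be mistaken for the
# filter policy) and the filter OUTPUT chain with its DROP policy.
DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.30.0/24 -o net0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -s 192.168.1.0/24 --dport 2049 --state NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# audit_nfs_output SERVER: read an iptables-save dump on stdin and print
# "proto port" for every NFS port that a NEW outbound connection to SERVER
# could not reach. A port counts as reachable when the filter OUTPUT policy is
# ACCEPT, or an ACCEPT rule matches that proto/dport with no -d or with -d
# equal to SERVER. Prints nothing when the chain is complete.
audit_nfs_output() {
    awk -v server="$1" -v ports="$NFS_PORTS" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) { split(p[i], pd, ":"); want[pd[1]] = 1 }
    }
    /^\*/ { table = substr($0, 2) }
    /^:OUTPUT/ && table == "filter" { policy = $2 }
    /^-A OUTPUT / && table == "filter" {
        proto = ""; dport = ""; dst = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target == "ACCEPT" && (dport in want) &&
            (dst == "" || dst == server || dst == (server "/32")))
            ok[proto ":" dport] = 1
    }
    END {
        if (policy == "ACCEPT") exit 0
        for (port in want)
            for (k = 1; k <= 2; k++) {
                proto = (k == 1) ? "tcp" : "udp"
                if (!((proto ":" port) in ok)) print proto, port
            }
    }' | sort -k2,2n -k1,1
}

# nfs_client_output_rules SERVER: emit the iptables-save style rules that let
# this host open NEW tcp and udp connections to SERVER on each NFS port.
nfs_client_output_rules() {
    for entry in $NFS_PORTS; do
        port=${entry%%:*}; name=${entry#*:}
        for proto in tcp udp; do
            printf '%s OUTPUT -d %s -p %s -m %s --dport %s -m conntrack --ctstate NEW -m comment --comment "nfs %s" -j ACCEPT\n' \
                "-A" "$1" "$proto" "$proto" "$port" "$name"
        done
    done
}

# insert_nfs_rules SERVER: copy the dump from stdin to stdout with the new
# rules placed before the OUTPUT logging rule, since rules are evaluated top
# to bottom and anything after the LOG line never sees a fresh connection.
insert_nfs_rules() {
    rules=$(nfs_client_output_rules "$1")
    awk -v rules="$rules" '
        /^-A OUTPUT ! -o lo -j LOG/ && !done { print rules; done = 1 }
        { print }'
}

# Usage: audit the constructed dump, then confirm the patched dump is clean.
printf '%s\n' "$DUMP" | audit_nfs_output "$SERVER"
printf '%s\n' "$DUMP" | insert_nfs_rules "$SERVER" | audit_nfs_output "$SERVER"
```

On a live host the first command becomes `iptables-save | audit_nfs_output 192.168.1.2`; scoping the new rules with `-d` to the one server keeps the OUTPUT policy meaningful instead of opening the NFS ports to every address on the LAN.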