Hi
I'm trying to configure iptables to let NFS through; currently I've got these iptables rules:
iptables -N open
iptables -N interfaces
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j interfaces
iptables -A INPUT -j open
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A interfaces -i lo -j ACCEPT
iptables -A open -p tcp --dport 10023 -j ACCEPT
#Allow nfs, see /etc/conf.d/nfs for port config
iptables -A open -p tcp --dport 32767 -j ACCEPT
iptables -A open -p tcp --dport 32765:32766 -j ACCEPT
iptables -A open -p tcp --dport 32764 -j ACCEPT
iptables -A open -p tcp --dport 111 -j ACCEPT #portmap
iptables -A open -p udp --dport 111 -j ACCEPT #portmap
iptables -A open -p tcp --dport 2049 -j ACCEPT
iptables -A open -p udp --dport 2049 -j ACCEPT
And this is my /etc/conf.d/nfs:
# Number of servers to be started up by default
NFSD_OPTS=1
# Options to pass to rpc.mountd
# e.g. MOUNTDOPTS="-p 32767"
MOUNTD_OPTS="--no-nfs-version 1 --no-nfs-version 2 -p 32767"
# Options to pass to rpc.statd
# N.B. statd normally runs on both client and server, and run-time
# options should be specified accordingly. Specifically, the Arch
# NFS init scripts require the --no-notify flag on the server,
# but not on the client e.g.
# STATD_OPTS="--no-notify -p 32765 -o 32766" -> server
# STATD_OPTS="-p 32765 -o 32766" -> client
STATD_OPTS="--no-notify -p 32765 -o 32766"
# Options to pass to sm-notify
# e.g. SMNOTIFY_OPTS="-p 32764"
SMNOTIFY_OPTS="-p 32764"
But when trying to mount an NFS volume from another PC, I get this:
mount.nfs: mount to NFS server '192.168.123.106' failed: timed out, retrying
It works with iptables disabled and locally. Does anyone know why iptables blocks NFS?
On the server machine, maybe try netstat -antulp and look for open ports.
Last edited by daf666 (2008-02-08 18:39:48)
I thought you cannot just append new rules at the bottom, because the order of things is important for iptables. IIRC the last line should be the one rejecting or dropping everything that is not listed.
But I really don't know enough to assist you in this matter. Here you have my iptables-script which I got from our IT-guy (we use NFS too):
...
I didn't find anything related to NFS in our iptables, so I guess it's not necessary? Or maybe it is because it is setup with Kerberos-support here...
Zl.
I've found the problem: lockd was still being assigned random ports. I've added this to my kernel line in grub:
lockd.nlm_udpport=32768 lockd.nlm_tcpport=32768
and allowed that port.
My full iptables script is like this now:
#!/bin/sh
iptables -N open
iptables -N interfaces
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j interfaces
iptables -A INPUT -j open
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -I INPUT -p icmp --icmp-type redirect -j DROP
iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A interfaces -i lo -j ACCEPT
iptables -A open -p tcp -m state --state NEW --dport 10023 -j ACCEPT
#Allow nfs, see /etc/conf.d/nfs for port config
iptables -A open -p tcp -m state --state NEW -m multiport --dport 111,2049,32764:32768 -j ACCEPT
iptables -A open -p udp -m state --state NEW -m multiport --dport 111,2049,32764:32768 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
exit
I think this is sufficient for the moment.
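A check for the failure this post describes, added here as an example rather than code from the thread: it parses `rpcinfo -p` output from the server (the sample below is constructed, with lockd still on random ports) and lists every registered RPC service whose port the final script does not open, then renders that port set as the script's two multiport rules. Python is used so the check runs without touching a live firewall; the allowed set is taken from the script above.

```python
"""Verify that every RPC service registered with portmap listens on a port
the firewall accepts; any that does not will make mounts time out."""
import re

# Ports opened by the final script in the thread: 111, 2049, 32764-32768.
ALLOWED_PORTS = {111, 2049} | set(range(32764, 32769))

# Constructed sample of `rpcinfo -p` on the server. nlockmgr (lockd) has
# not been pinned and received random ports that the firewall rejects.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100021    3   udp  59210  nlockmgr
    100021    3   tcp  41233  nlockmgr
"""

def parse_rpcinfo(text):
    """Return (service, proto, port) tuples from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)", line)
        if m:  # header and blank lines do not match
            entries.append((m.group(5), m.group(3), int(m.group(4))))
    return entries

def unreachable_services(text, allowed=ALLOWED_PORTS):
    """Registered RPC services whose port the firewall would reject."""
    return sorted(e for e in parse_rpcinfo(text) if e[2] not in allowed)

def iptables_rules(allowed=ALLOWED_PORTS):
    """Render the ACCEPT rules for the allowed set in the final script's
    multiport style, collapsing consecutive ports into ranges."""
    ports = sorted(allowed)
    spans, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p != prev + 1:
            spans.append((start, prev))
            start = p
        prev = p
    spans.append((start, prev))
    spec = ",".join(f"{a}" if a == b else f"{a}:{b}" for a, b in spans)
    return [f"iptables -A open -p {proto} -m state --state NEW "
            f"-m multiport --dport {spec} -j ACCEPT" for proto in ("tcp", "udp")]
```

Run `unreachable_services` against real `rpcinfo -p` output after changing /etc/conf.d/nfs or the lockd kernel parameters; an empty list means every RPC port is covered by the rules.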
It blocked out my SSH server.
Last edited by yassin (2008-02-11 01:45:18)
"The real danger is not that computers will begin to think like men, but that men will begin to think like computers."
— Sydney J. Harris
It blocked out my SSH server.
My script did? That's probably because I've got SSH running on port 10023; change line 29 to allow your SSH port (probably 22).