  1. #1
    Just Joined!
    Join Date
    Oct 2011
    Posts
    4

    iptables Question


    I have a CentOS 5.7 VM I use for secure communications. It has an interface to my private LAN (eth0) and a secure VPN interface using OpenVPN (tun0). I use the following iptables script to lock this box down so it can only talk through the VPN tunnel except for a couple of local services I need.

    Everything works great with one exception. I'm trying to mount an nfs filesystem on a NAS that resides at 172.16.1.14 (my private LAN). It doesn't work with my current rules. If I disable the firewall the mount works perfectly. I'm not an iptables guru and can't figure out what I'm doing wrong. Any help is appreciated. Thanks.

    My firewall setup script ...

    #!/bin/bash
    #
    # iptables example configuration script
    #
    # Flush all current rules from iptables
    #
    iptables -F
    #
    # Allow SSH connections on tcp port 22
    #
    iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
    #
    # Set default policies for INPUT, FORWARD and OUTPUT chains
    #
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    #
    # Allow DNS non-VPN traffic just to get the VPN established
    #
    iptables -A OUTPUT -p tcp --dport domain -j ACCEPT
    iptables -A OUTPUT -p udp --dport domain -j ACCEPT
    #
    # Allow all traffic for localhost
    #
    iptables -A INPUT -i lo -j ACCEPT
    #
    # Allow all traffic through the vpn interface
    #
    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A OUTPUT -o tun0 -j ACCEPT
    #
    # Allow port 1194 through all interfaces
    #
    iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
    #
    # Allow traffic to specific hosts on LAN
    #
    iptables -A INPUT -i eth0 -s 172.16.1.14 -j ACCEPT
    iptables -A OUTPUT -o eth0 -s 172.16.1.14 -j ACCEPT
    #
    # Accept packets belonging to established and related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Save settings
    #
    /sbin/service iptables save
    #
    # List rules
    #
    iptables -L -v

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    You need to open up several ports for NFS to be able to work. This changed in RHEL 6.x, but you're obviously not there yet. For example, on my CentOS 5.x box, I have 7 different ports configured just for NFS. I had to change some NFS-related config files (like /etc/sysconfig/nfs for one) to manually use those ports, so I could hard-code them in iptables. Just google for NFS and iptables.

  3. #3
    Just Joined!
    Join Date
    Oct 2011
    Posts
    4
    As I understand NFS some of the server ports are dynamic unless I go to the server (a Netgear ReadyNAS NV+) and reconfig it to use specific ports. I can probably do that, but since it's a "packaged" NAS I'd rather not mess with it any more than I must. I'm okay with opening up everything just to that one IP address and only on my private LAN. The iptables config I listed above is for my NFS client and was supposed to do that based on my limited understanding, but doesn't work. Seems to me that's simpler if I can get it working.

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    Then on your NFS server, look at open ports, while the nfs daemon is running. Some combo of these ought to get you there:

    Code:
    nmap -n localhost
    netstat -tuna
    lsof -i

  5. #5
    Just Joined!
    Join Date
    Oct 2011
    Posts
    4
    I guess I'm not stating my issue clearly. The server ports are mostly dynamic, so opening up what's currently in use doesn't help. If I stop iptables, mount the volume then rpcinfo -p I can see the ports in use. But if I umount the volume and mount it again, rpcinfo shows different ports. The only way I can make it work on a port-by-port basis is to make these ports static on the server. The ReadyNAS uses a weird custom distro and I have no clue where the equivalent of /etc/sysconfig/nfs resides on that server. I was hoping to just open all traffic between my VM and the NAS. That would be simpler even though it's not "completely" secure. If I can allow just between those 2 hosts I'll feel good enough about the security.
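    A rewritten client policy, added here as an example and not part of any post in the thread: it keeps the VPN-only design of the script in #1 and the "allow everything between the VM and the NAS" goal from #5, but the outbound NAS rule matches on the destination (-d) instead of the source (-s), and the ESTABLISHED,RELATED rule is applied to OUTPUT as well as INPUT. It assumes eth0, tun0, 172.16.1.14 and udp/1194 as in the thread; the IPT variable, the lint function and the "apply" argument are the example's own additions.

```shell
# Added example, not the OP's script. Locally generated packets carry the VM's own
# address as source, so an OUTPUT rule with "-s <NAS>" never matches; the NAS must
# be matched with -d on OUTPUT and -s on INPUT. IPT=echo prints instead of applying.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
NAS="${NAS:-172.16.1.14}"

# Emit the rule set, one iptables argument list per line (order matters).
build_rules() {
    cat <<EOF
-F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $LAN_IF -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --dport 1194 -j ACCEPT
-A INPUT -i $VPN_IF -j ACCEPT
-A OUTPUT -o $VPN_IF -j ACCEPT
-A INPUT -i $LAN_IF -s $NAS -j ACCEPT
-A OUTPUT -o $LAN_IF -d $NAS -j ACCEPT
EOF
}

# Check a rule list (stdin) for the mistake in the thread's script: an OUTPUT
# rule that selects the NAS with -s. Returns non-zero and names the offending
# line so a wrong rule set is never loaded.
lint_rules() {
    bad=0
    while read -r line; do
        case "$line" in
            "-A OUTPUT "*" -s $NAS "*)
                echo "BAD: $line (use -d $NAS for traffic to the NAS)"; bad=1 ;;
        esac
    done
    return $bad
}
apply_rules() { build_rules | while read -r line; do $IPT $line; done; }

if [ "${1:-}" = apply ]; then build_rules | lint_rules && apply_rules; fi
```

Run as root with the argument apply to load the rules; with IPT=echo the rules are printed so they can be reviewed first.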

  6. #6
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    I think you are looking at the client side ports; those should be dynamic. The server side should not be dynamic.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  7. #7
    Just Joined!
    Join Date
    Oct 2011
    Posts
    4
    Correct. It's the client side I'm securing.

  8. #8
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    If you want to make iptables wide open for the client, try this suggestion from Lazydog.

  9. #9
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Can you post the output from the following:

    Code:
    iptables -L

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted
