- 10-26-2011 #1 Just Joined! (Join Date: Oct 2011, Posts: 4)
iptables Question
I have a CentOS 5.7 VM I use for secure communications. It has an interface to my private LAN (eth0) and a secure VPN interface using OpenVPN (tun0). I use the following iptables script to lock this box down so it can only talk through the VPN tunnel except for a couple of local services I need.
Everything works great with one exception. I'm trying to mount an nfs filesystem on a NAS that resides at 172.16.1.14 (my private LAN). It doesn't work with my current rules. If I disable the firewall the mount works perfectly. I'm not an iptables guru and can't figure out what I'm doing wrong. Any help is appreciated. Thanks.
My firewall setup script ...
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
#
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#
# Allow DNS non-VPN traffic just to get the VPN established
#
iptables -A OUTPUT -p tcp --dport domain -j ACCEPT
iptables -A OUTPUT -p udp --dport domain -j ACCEPT
#
# Allow all traffic for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Allow all traffic through the vpn interface
#
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
#
# Allow port 1194 through all interfaces
#
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
#
# Allow traffic to specific hosts on LAN
#
iptables -A INPUT -i eth0 -s 172.16.1.14 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 172.16.1.14 -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
- 10-26-2011 #2 Trusted Penguin (Join Date: May 2011, Posts: 3,745)
You need to open up several ports for NFS to be able to work. This changed in RHEL 6.x, but you're obviously not there yet. For example, on my CentOS 5.x box, I have 7 different ports configured just for NFS. I had to change some NFS-related config files (like /etc/sysconfig/nfs for one) to manually use those ports, so I could hard-code them in iptables. Just google for NFS and iptables.
- 10-26-2011 #3 Just Joined! (Join Date: Oct 2011, Posts: 4)
As I understand NFS some of the server ports are dynamic unless I go to the server (a Netgear ReadyNAS NV+) and reconfig it to use specific ports. I can probably do that, but since it's a "packaged" NAS I'd rather not mess with it any more than I must. I'm okay with opening up everything just to that one IP address and only on my private LAN. The iptables config I listed above is for my NFS client and was supposed to do that based on my limited understanding, but doesn't work. Seems to me that's simpler if I can get it working.
- 10-26-2011 #4 Trusted Penguin (Join Date: May 2011, Posts: 3,745)
Then on your NFS server, look at open ports, while the nfs daemon is running. Some combo of these ought to get you there:
Code:
nmap -n localhost
netstat -tuna
lsof -i
- 10-26-2011 #5 Just Joined! (Join Date: Oct 2011, Posts: 4)
I guess I'm not stating my issue clearly. The server ports are mostly dynamic, so opening up what's currently in use doesn't help. If I stop iptables, mount the volume then rpcinfo -p I can see the ports in use. But if I umount the volume and mount it again, rpcinfo shows different ports. The only way I can make it work on a port-by-port basis is to make these ports static on the server. The ReadyNAS uses a weird custom distro and I have no clue where the equivalent of /etc/sysconfig/nfs resides on that server. I was hoping to just open all traffic between my VM and the NAS. That would be simpler even though it's not "completely" secure. If I can allow just between those 2 hosts I'll feel good enough about the security.
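Added example, not the poster's script or anything from the thread: the client-side rule set written the way post #5 asks for (all traffic between the VM and the NAS, nothing else on eth0), with the NAS matched by destination in OUTPUT and by source in INPUT, and connection tracking in both chains so the NAS's dynamically chosen RPC ports never have to be pinned. The address 172.16.1.14 and the names eth0/tun0 come from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not the poster's script: build the NFS client's rule set with
# the NAS matched by DESTINATION in OUTPUT and by SOURCE in INPUT, and track
# connection state in both chains. The NAS address 172.16.1.14 and the names
# eth0/tun0 are taken from the thread; the function names are assumptions.

# Emit the rules, one iptables command per line, without applying them, so the
# set can be reviewed (or checked by rules_ok below) before it touches a live box.
client_rules() {
    nas_ip="$1"; lan_if="${2:-eth0}"; vpn_if="${3:-tun0}"
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport domain -j ACCEPT
iptables -A OUTPUT -p tcp --dport domain -j ACCEPT
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i $vpn_if -j ACCEPT
iptables -A OUTPUT -o $vpn_if -j ACCEPT
iptables -A INPUT -i $lan_if -s $nas_ip -j ACCEPT
iptables -A OUTPUT -o $lan_if -d $nas_ip -j ACCEPT
EOF
}

# Check a rule set before applying it. Outgoing packets carry the VM's own
# address as source, so an OUTPUT rule with "-s <NAS>" never matches and the
# policy DROP silently eats every portmapper/mountd/nfs request; the host must
# be matched with -d there. Also require state tracking on OUTPUT so replies
# to the NAS's dynamically chosen RPC ports get through without pinning them.
rules_ok() {
    rules="$1"; nas_ip="$2"
    printf '%s\n' "$rules" | grep -q -- "-A OUTPUT .*-d $nas_ip " || return 1
    if printf '%s\n' "$rules" | grep -q -- "-A OUTPUT .*-s $nas_ip "; then return 1; fi
    printf '%s\n' "$rules" | grep -q -- "-A OUTPUT -m state --state ESTABLISHED" || return 1
}

# Usage (as root):  sh nfs-client-fw.sh 172.16.1.14 | sh -e
rules="$(client_rules "${1:-172.16.1.14}")"
rules_ok "$rules" "${1:-172.16.1.14}" || { echo "rule check failed" >&2; exit 1; }
printf '%s\n' "$rules"
```

Run it once without piping to see the rules, then pipe them to `sh -e` as root and save with `service iptables save` as in the original script.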
- 10-26-2011 #6
I think you are looking at the client-side ports, which should be dynamic. The server-side ports should not be dynamic.
- 10-27-2011 #7 Just Joined! (Join Date: Oct 2011, Posts: 4)
Correct. It's the client side I'm securing.
- 10-27-2011 #8 Trusted Penguin (Join Date: May 2011, Posts: 3,745)
If you want to make iptables wide open for the client, try this suggestion from Lazydog
- 10-29-2011 #9
Can you post the output from the following:
Code:
iptables -L