- 01-10-2010 #1 Just Joined!
- Join Date
- Jan 2010
- Posts
- 3
iptables and nfs
Hi everybody!
I am trying to set up NFS on a Debian/Lenny box as a server. It is running its own firewall in the DMZ because I don't really have control over the router which connects to the internet. I created this firewall by copy&paste from all kinds of sources as I am an absolute newbie with iptables.
Now I can't figure out how I can open the port for rpc.mountd which I assigned in /etc/default/nfs-kernel-server under RPCMOUNTDOPTS. The mount doesn't happen, it just times out. This is where I got so far:
On the server side:
/etc/default/nfs-kernel-server
Code:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="-p 2233 -o 2234"
NEED_SVCGSSD=
RPCSVCGSSDOPTS=
/etc/default/nfs-common
Code:
NEED_STATD=
STATDOPTS="--port 2231 --outgoing-port 2232"
NEED_IDMAPD=
NEED_GSSD=
cat /etc/modprobe.d/local.conf
Code:
# /etc/modprobe.d/local.conf
options lockd nlm_udpport=2230 nlm_tcpport=2230
cat /etc/iptables.up.rules
Code:
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# NFS
-A INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A INPUT -p udp --dport 2230 -j ACCEPT
-A INPUT -p tcp --dport 2230 -j ACCEPT
-A INPUT -p udp --dport 2231 -j ACCEPT
-A INPUT -p tcp --dport 2231 -j ACCEPT
-A INPUT -p udp --dport 2232 -j ACCEPT
-A INPUT -p tcp --dport 2232 -j ACCEPT
-A INPUT -p udp --dport 2233 -j ACCEPT
-A INPUT -p tcp --dport 2233 -j ACCEPT
-A INPUT -p udp --dport 2234 -j ACCEPT
-A INPUT -p tcp --dport 2234 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
I am pretty sure it's a problem with the iptables because when I flush them the exported folders will mount flawlessly. Also then it shows me (mount -vv) that it is using tcp 2049 and udp port 2233 for the mounting. Port 2049 seems to work either way though.
By the way, on the client side I haven't done any modifications. Am I supposed to do something here also? Do I really need to open and assign the other ports as well? I can't see that they are in use anywhere.
Thanks for any help!
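As an added check (not from the thread), a shell script that cross-checks the RPC services registered with the portmapper against the INPUT ACCEPT rules, which is the way to answer whether more ports need opening: every registered proto/port that no ACCEPT rule covers gets printed. The rpcinfo -p output is constructed from the ports pinned above (the real command's output would replace it); with the rules as posted it reports udp 111, since only tcp 111 is accepted.

```shell
# Cross-check RPC services registered with the portmapper against the INPUT
# ACCEPT rules; anything printed is reachable only while the firewall is flushed.

# Constructed `rpcinfo -p` output using the ports the post pins (2230 lockd,
# 2233 mountd); on the server, paste the real command's output instead.
RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    1   udp   2230  nlockmgr
    100005    3   udp   2233  mountd
    100005    3   tcp   2233  mountd'

# The NFS-related ACCEPT rules from /etc/iptables.up.rules above.
RULES='-A INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A INPUT -p udp --dport 2230 -j ACCEPT
-A INPUT -p tcp --dport 2230 -j ACCEPT
-A INPUT -p udp --dport 2233 -j ACCEPT
-A INPUT -p tcp --dport 2233 -j ACCEPT'

# Print "proto port" for each INPUT ACCEPT rule that has a --dport
# (single port or lo:hi range). $1 = rules text.
allowed_ports() {
    printf '%s\n' "$1" | awk '
    /^-A INPUT / && /-j ACCEPT/ {
        proto = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (proto == "" || port == "") next
        n = split(port, r, ":")
        for (p = r[1]; p <= r[n]; p++) print proto, p
    }'
}

# Print "proto port service" for registered RPC services that no ACCEPT rule
# covers. $1 = rpcinfo -p text, $2 = rules text.
unreachable_rpc() {
    allowed=$(allowed_ports "$2")
    printf '%s\n' "$1" | awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR > 1 && !(($3 " " $4) in ok) { print $3, $4, $5 }' | sort -u
}

unreachable_rpc "$RPCINFO" "$RULES"
# → udp 111 portmapper
```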
- 01-10-2010 #2 Linux User
- Join Date
- Nov 2009
- Location
- France
- Posts
- 292
You should analyse the logged blocked connections and see what they reveal pertaining to the relevant ports and protocols.
- 01-10-2010 #3
Here is a TUTORIAL you might find helpful. There is a lot of information in here. Get away from a mixed firewall and use either a STATEFUL or CONNECTION based firewall. Cutting and pasting from different sources without knowing what you are doing is never a good idea. What you think you might be closing or opening could be just the opposite.
- 01-10-2010 #4 Just Joined!
- Join Date
- Jan 2010
- Posts
- 3
Looking for logs was the first thing I did but unfortunately I couldn't find any for NFS. Does it log at a different location than /var/log/ by default? How can I find out?
There are iptables logs in dmesg and it is coming up with a lot of messages like this:
Code:
[1184488.263273] iptables denied: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:65:8c:22:a4:08:00 SRC=192.168.178.21 DST=255.255.255.255 LEN=134 TOS=0x00 PREC=0x00 TTL=64 ID=5860 PROTO=UDP SPT=49234 DPT=2222 LEN=114
[1184499.857717] iptables denied: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:1f:3f:f4:94:9f:08:00 SRC=192.168.178.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
There is no hint to any of these ports I have trouble with.
The server's IP does appear in some of these entries but not the client's (which is blocked by the firewall).
Can't make any head or tail of it really.
- 01-11-2010 #5
Remove the Limit from your logging rule so that everything is logged.
Then you should be able to see what is going on.
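As an added example (not from the thread), a small POSIX shell helper that does what the two replies above suggest: it reads the iptables LOG lines from dmesg or /var/log/syslog and counts them per protocol, source, destination and destination port, optionally for one source address such as the NFS client. The sample log is constructed: the first two lines are the dmesg entries from the post above, the rest are made up with 192.168.178.10 standing in for the server and 40123 for an RPC service that came up on an unpinned port.

```shell
# Count iptables LOG hits per proto/src/dst/dport so a blocked port stands out.
# Usage: dmesg | summarize_denied [client-ip]   or   summarize_denied < /var/log/syslog
summarize_denied() {
    # Optional first argument restricts the report to one SRC address.
    awk -v want="$1" '
    /iptables denied:/ {
        src = dst = proto = dport = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dport = kv[2]
        }
        if (want != "" && src != want) next
        # PROTO=2 (IGMP) lines carry no DPT, so they are reported with dport "-"
        count[proto " " src "->" dst ":" dport]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample: the first two lines are the dmesg entries quoted in the
# thread; the other three are made up (192.168.178.10 = server, 40123 = an RPC
# service listening on a port the rules do not cover).
SAMPLE_LOG='[1184488.263273] iptables denied: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:65:8c:22:a4:08:00 SRC=192.168.178.21 DST=255.255.255.255 LEN=134 TOS=0x00 PREC=0x00 TTL=64 ID=5860 PROTO=UDP SPT=49234 DPT=2222 LEN=114
[1184499.857717] iptables denied: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:1f:3f:f4:94:9f:08:00 SRC=192.168.178.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[1184510.100000] iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:00:30:65:8c:22:a4:08:00 SRC=192.168.178.21 DST=192.168.178.10 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=7001 DF PROTO=UDP SPT=40123 DPT=40123 LEN=104
[1184511.100000] iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:00:30:65:8c:22:a4:08:00 SRC=192.168.178.21 DST=192.168.178.10 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=7002 DF PROTO=UDP SPT=40123 DPT=40123 LEN=104
[1184512.100000] iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:00:30:65:8c:22:a4:08:00 SRC=192.168.178.21 DST=192.168.178.10 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=7003 DF PROTO=UDP SPT=40123 DPT=40123 LEN=104'

printf '%s\n' "$SAMPLE_LOG" | summarize_denied 192.168.178.21
# → 3 UDP 192.168.178.21->192.168.178.10:40123
#   1 UDP 192.168.178.21->255.255.255.255:2222
```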
- 01-12-2010 #6 Just Joined!
- Join Date
- Jan 2010
- Posts
- 3
Thanks Robert for your suggestions (I know cutting and pasting is not the way - but somewhere I had to start).
I removed the limit and this time I saw my client being blocked but not really much more.
At least I found out that the output of /var/log/syslog is more useful because it shows similar output to dmesg but with the exact date. And I found out this way that there was NIS enabled. I disabled it but it didn't change anything regarding the firewall problem.
Your tutorial is great (thanks) although it is a bit of an overkill for me now.
- 01-13-2010 #7
This is a start as you should be able to see what port is being blocked and then go from there.
Quote:
At least I found out that the output of /var/log/syslog is more useful because it shows similar output to dmesg but with the exact date. And I found out this way that there was NIS enabled. I disabled it but it didn't change anything regarding the firewall problem.
NIS has nothing to do with the firewall. Firewall is blocking on the ports and the logs should now have what ports it is blocking. Now you should be able to see what is being blocked and then decide if you need to open the port or not.
Quote:
Your tutorial is great (thanks) although it is a bit of an overkill for me now.
Best way to use it is to look at things you want to learn about and not try to read everything in the beginning. You will see you learn more faster by reading what you need and then applying it.
- 02-14-2010 #8 Banned
- Join Date
- Feb 2010
- Posts
- 31
something like this
First:
1. Create the file (or add to it) "/etc/sysconfig/nfs" and add the following contents:
STATD_PORT=4001
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4002
MOUNTD_PORT=4003
2. Append the following to the file "/etc/services":
rquotad 4004/tcp # rpc.rquotad tcp port
rquotad 4004/udp # rpc.rquotad udp port
3. Your iptables should look something like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# NFS:
-A RH-Firewall-1-INPUT -p tcp -m multiport --dport 4001:4004 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --dport 4001:4004 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 2049 -j ACCEPT
# SSH:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# basic rules:
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT