  1. #1
    Just Joined!
    Join Date
    Jan 2010
    Posts
    5

    iptables and nfs


    Hi everybody!
    I am trying to set up NFS on a Debian/Lenny box as a server. It is running its own firewall in the DMZ because I don't really have control over the router which connects to the internet. I created this firewall by copy & paste from all kinds of sources as I am an absolute newbie with iptables.
    Now I can't figure out how I can open the port for rpc.mountd which I assigned in /etc/default/nfs-kernel-server under RPCMOUNTDOPTS. The mount doesn't happen; it just times out. This is where I got so far:

    On the server side:

    /etc/default/nfs-kernel-server
    Code:
    RPCNFSDCOUNT=8
    RPCNFSDPRIORITY=0
    RPCMOUNTDOPTS="-p 2233 -o 2234"
    NEED_SVCGSSD=
    RPCSVCGSSDOPTS=
    /etc/default/nfs-common
    Code:
    NEED_STATD=
    STATDOPTS="--port 2231 --outgoing-port 2232"
    NEED_IDMAPD=
    NEED_GSSD=
    cat /etc/modprobe.d/local.conf
    Code:
    # /etc/modprobe.d/local.conf
     options lockd nlm_udpport=2230 nlm_tcpport=2230
    cat /etc/iptables.up.rules
    Code:
    *filter
    
    # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    
    # Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allows all outbound traffic
    # You could modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT
    
    # NFS
    -A INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
    -A INPUT -p udp --dport 2230 -j ACCEPT
    -A INPUT -p tcp --dport 2230 -j ACCEPT
    -A INPUT -p udp --dport 2231 -j ACCEPT
    -A INPUT -p tcp --dport 2231 -j ACCEPT
    -A INPUT -p udp --dport 2232 -j ACCEPT
    -A INPUT -p tcp --dport 2232 -j ACCEPT
    -A INPUT -p udp --dport 2233 -j ACCEPT
    -A INPUT -p tcp --dport 2233 -j ACCEPT
    -A INPUT -p udp --dport 2234 -j ACCEPT
    -A INPUT -p tcp --dport 2234 -j ACCEPT
    
    # log iptables denied calls (access via 'dmesg' command)
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    # Reject all other inbound - default deny unless explicitly allowed policy:
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    
    COMMIT
    I am pretty sure it's a problem with the iptables because when I flush them the exported folders will mount flawlessly. Also, mount -vv then shows that it is using tcp 2049 and udp port 2233 for the mounting. Port 2049 seems to work either way though.
    By the way, on the client side I haven't done any modifications. Am I supposed to do something here also? Do I really need to open and assign the other ports as well? I can't see that they are in use anywhere.
    Thanks for any help!
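The question of which ports actually need opening is best answered by asking the portmapper what the daemons registered, since a daemon that ignored its fixed-port option (for example because of a quoting error in its options line) lands on an arbitrary high port that no rule covers. The script below is an added example, not code from the thread: it parses `rpcinfo -p` output and an `iptables-save` style ruleset and lists every registered proto/port that has no matching INPUT ACCEPT rule. Both inputs are constructed samples (the statd port 32768 is hypothetical); on a real server pipe in the live `rpcinfo -p` and `iptables-save` output instead. It only understands single `--dport` rules, not multiport ranges.

```shell
#!/bin/sh
# Added example: compare the ports RPC services registered (rpcinfo -p)
# with the ports an iptables ruleset accepts on INPUT.

# Constructed rpcinfo -p output. statd is shown on an arbitrary high port to
# illustrate a daemon that ignored its fixed-port option (hypothetical value).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   2230  nlockmgr
    100021    4   tcp   2230  nlockmgr
    100005    1   udp   2233  mountd
    100005    3   tcp   2233  mountd
    100024    1   udp  32768  status
    100024    1   tcp  32768  status'

# Constructed ruleset in iptables-save format (a subset of the one in the thread).
SAMPLE_RULES='*filter
-A INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A INPUT -p udp --dport 2230 -j ACCEPT
-A INPUT -p tcp --dport 2230 -j ACCEPT
-A INPUT -p udp --dport 2233 -j ACCEPT
-A INPUT -p tcp --dport 2233 -j ACCEPT
-A INPUT -j REJECT
COMMIT'

# registered_ports RPCINFO_TEXT -> unique "proto/port service" lines.
registered_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 5 { print $3 "/" $4, $5 }' | sort -u
}

# accepted_ports RULES_TEXT -> unique "proto/port" lines allowed by an
# INPUT ACCEPT rule carrying both -p and a single --dport.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ && /-j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port
        }' | sort -u
}

# unreachable_services RPCINFO_TEXT RULES_TEXT -> registered endpoints that
# no ACCEPT rule covers, one "proto/port service" per line.
unreachable_services() {
    accepted=$(accepted_ports "$2")
    registered_ports "$1" | while read -r endpoint service; do
        printf '%s\n' "$accepted" | grep -qxF "$endpoint" \
            || printf '%s %s\n' "$endpoint" "$service"
    done
}

# Run stand-alone: print what the sample firewall would block.
unreachable_services "$SAMPLE_RPCINFO" "$SAMPLE_RULES"
```

With the sample inputs the report lists udp/111 and udp/2049 (the thread's ruleset only accepts TCP on those ports) and both status endpoints on the unplanned port 32768, which is exactly the kind of gap a mount timeout points to.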

  2. #2
    Linux User
    Join Date
    Nov 2009
    Location
    France
    Posts
    292
    You should analyse the logged blocked connections and see what they reveal pertaining to the relevant ports and protocols.

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Here is a TUTORIAL you might find helpful. There is a lot of information in here. Get away from a mixed firewall and use either a STATEFUL or CONNECTION based firewall. Cutting and pasting from different sources without knowing what you are doing is never a good idea. What you think you might be closing or opening could be just the opposite.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #4
    Just Joined!
    Join Date
    Jan 2010
    Posts
    5
    Looking for logs was the first thing I did but unfortunately I couldn't find any for NFS. Does it log at a different location than /var/log/ by default? How can I find out?
    There are iptables logs in dmesg and it is coming up with a lot of messages like this:

    Code:
    [1184488.263273] iptables denied: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:65:8c:22:a4:08:00 SRC=192.168.178.21 DST=255.255.255.255 LEN=134 TOS=0x00 PREC=0x00 TTL=64 ID=5860 PROTO=UDP SPT=49234 DPT=2222 LEN=114 
    [1184499.857717] iptables denied: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:1f:3f:f4:94:9f:08:00 SRC=192.168.178.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
    There is no hint to any of these ports I have trouble with.
    The server's IP does appear in some of these entries but not the client's (which is blocked by the firewall).
    Can't make any head or tail of it really.
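Reading the raw LOG lines one by one is hard because broadcast and multicast noise from the LAN buries the few packets that matter. The script below is an added example, not code from the thread: it tallies "iptables denied:" lines by source address, protocol and destination port, optionally restricted to one source, so the blocked client and the port it is trying to reach show up at the top. The first two sample lines mirror the dmesg output above; the remaining lines and the client address 192.168.178.50 are constructed for the example. On the server, feed it `dmesg` or `/var/log/syslog` output instead.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output by source, protocol and
# destination port, most frequent first.

# Constructed sample: two lines taken from the thread, three hypothetical hits
# from an assumed NFS client at 192.168.178.50 against a high RPC port.
SAMPLE_LOG='[1184488.263273] iptables denied: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:65:8c:22:a4:08:00 SRC=192.168.178.21 DST=255.255.255.255 LEN=134 TOS=0x00 PREC=0x00 TTL=64 ID=5860 PROTO=UDP SPT=49234 DPT=2222 LEN=114
[1184499.857717] iptables denied: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:1f:3f:f4:94:9f:08:00 SRC=192.168.178.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[1184510.100000] iptables denied: IN=eth1 OUT= MAC=00:30:65:8c:22:a4:00:11:22:33:44:55:08:00 SRC=192.168.178.50 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=712 DPT=32768 WINDOW=5840 RES=0x00 SYN URGP=0
[1184511.100000] iptables denied: IN=eth1 OUT= MAC=00:30:65:8c:22:a4:00:11:22:33:44:55:08:00 SRC=192.168.178.50 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=712 DPT=32768 WINDOW=5840 RES=0x00 SYN URGP=0
[1184512.500000] iptables denied: IN=eth1 OUT= MAC=00:30:65:8c:22:a4:00:11:22:33:44:55:08:00 SRC=192.168.178.50 DST=192.168.178.21 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=815 DPT=32768 LEN=108'

# denied_summary LOG_TEXT [SRC_FILTER] -> "count src proto dport" lines sorted
# by count, highest first. Packets without a DPT field (e.g. IGMP, PROTO=2)
# are reported with dport "-". With SRC_FILTER set, only that source is counted.
denied_summary() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /iptables denied:/ {
            src = ""; proto = ""; dport = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dport = kv[2]
            }
            if (want != "" && src != want) next
            count[src " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Run stand-alone: overall tally, then only the assumed client.
denied_summary "$SAMPLE_LOG"
denied_summary "$SAMPLE_LOG" 192.168.178.50
```

Once the offending destination port is isolated this way, `rpcinfo -p` on the server tells you which RPC service owns it, and therefore whether the right fix is a missing ACCEPT rule or a daemon that did not pick up its fixed port.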

  6. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Remove the Limit from your logging rule so that everything is logged.
    Then you should be able to see what is going on.

    Regards
    Robert

  7. #6
    Just Joined!
    Join Date
    Jan 2010
    Posts
    5
    Thanks Robert for your suggestions (I know cutting and pasting is not the way - but somewhere I had to start).
    I removed the limit and this time I saw my client being blocked but not really much more.
    At least I found out that the output of /var/log/syslog is more useful because it shows similar output to dmesg but with the exact date. And I found out this way that there was NIS enabled. I disabled it but it didn't change anything regarding the firewall problem.
    Your tutorial is great (thanks) although it is a bit of an overkill for me now.

  8. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by ijon-tichy
        Thanks Robert for your suggestions (I know cutting and pasting is not the way - but somewhere I had to start).
        I removed the limit and this time I saw my client being blocked but not really much more.
    This is a start as you should be able to see what port is being blocked and then go from there.

        At least I found out that the output of /var/log/syslog is more useful because it shows similar output to dmesg but with the exact date. And I found out this way that there was NIS enabled. I disabled it but it didn't change anything regarding the firewall problem.
    NIS has nothing to do with the firewall. The firewall is blocking on the ports and the logs should now show which ports it is blocking. Now you should be able to see what is being blocked and then decide if you need to open the port or not.

        Your tutorial is great (thanks) although it is a bit of an overkill for me now.
    Best way to use it is to look at things you want to learn about and not try to read everything in the beginning. You will see you learn faster by reading what you need and then applying it.

    Regards
    Robert

  9. #8
    Banned
    Join Date
    Feb 2010
    Posts
    31

    something like this

    First:
    1. Create the file (or add to it) "/etc/sysconfig/nfs" and add the following contents:
    STATD_PORT=4001
    LOCKD_TCPPORT=4002
    LOCKD_UDPPORT=4002
    MOUNTD_PORT=4003

    2. Append the following to the file "/etc/services":
    rquotad 4004/tcp # rpc.rquotad tcp port
    rquotad 4004/udp # rpc.rquotad udp port

    3. Your iptables should look something like this:
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT

    # NFS:

    -A RH-Firewall-1-INPUT -p tcp -m multiport --dports 4001:4004 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m multiport --dports 4001:4004 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 2049 -j ACCEPT

    # SSH:
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT

    # basic rules:
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
