I am trying to set up NFS on a Debian/Lenny box as a server. It is running its own firewall in the DMZ because I don't really have control over the router which connects to the internet. I created this firewall by copy & paste from all kinds of sources, as I am an absolute newbie with iptables.
Now I can't figure out how I can open the port for rpc.mountd, which I assigned in /etc/default/nfs-kernel-server under RPCMOUNTDOPTS. The mount doesn't happen; it just times out. This is how far I have got so far:
On the server side:
RPCMOUNTDOPTS="-p 2233 -o 2234"
STATDOPTS="--port 2231 --outgoing-port 2232"
options lockd nlm_udpport=2230 nlm_tcpport=2230
I am pretty sure it's a problem with the iptables, because when I flush them the exported folders mount flawlessly. Also, then it shows me (mount -vv) that it is using tcp 2049 and udp port 2233 for the mounting. Port 2049 seems to work either way, though.
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A INPUT -p udp --dport 2230 -j ACCEPT
-A INPUT -p tcp --dport 2230 -j ACCEPT
-A INPUT -p udp --dport 2231 -j ACCEPT
-A INPUT -p tcp --dport 2231 -j ACCEPT
-A INPUT -p udp --dport 2232 -j ACCEPT
-A INPUT -p tcp --dport 2232 -j ACCEPT
-A INPUT -p udp --dport 2233 -j ACCEPT
-A INPUT -p tcp --dport 2233 -j ACCEPT
-A INPUT -p udp --dport 2234 -j ACCEPT
-A INPUT -p tcp --dport 2234 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
By the way, on the client side I haven't done any modifications. Am I supposed to do something here also? Do I really need to open and assign the other ports as well? I can't see that they are in use anywhere.
Thanks for any help!
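As an added illustration (not part of the question or the poster's own configuration): the ports the NFS services actually register with the portmapper can be read from `rpcinfo -p` on the server, and the INPUT rules can be generated from that list instead of being guessed. The `rpcinfo -p` output below is constructed to match the pinned ports in the question; the client network 192.168.1.0/24 used to restrict the rules is an assumption.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output on a server with pinned NFS ports
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   2230  nlockmgr
    100021    4   tcp   2230  nlockmgr
    100024    1   udp   2231  status
    100024    1   tcp   2231  status
    100005    1   udp   2233  mountd
    100005    3   tcp   2233  mountd'

# Print one "proto port" pair per registered RPC service, deduplicated
# (several program versions usually share one port, so duplicates are common).
rpc_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^(tcp|udp)$/ { print $3, $4 }' | sort -u
}

# Emit one iptables INPUT rule per pair. A second argument restricts the
# rules to a source network, which is preferable to accepting from anywhere
# on a DMZ host; omit it to generate unrestricted rules.
rpc_rules() {
    src="$2"
    rpc_ports "$1" | while read -r proto port; do
        if [ -n "$src" ]; then
            printf '%s\n' "-A INPUT -s $src -p $proto --dport $port -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p $proto --dport $port -j ACCEPT"
        fi
    done
}

# Usage: on a real server, replace the sample with `rpcinfo -p` output
rpc_rules "$RPCINFO_SAMPLE" 192.168.1.0/24
```

Comparing this generated list with the rules already in the firewall shows at a glance which registered port is missing from it, and which opened ports (here 2232 and 2234, the outgoing ports) are never registered as listeners at all.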