LinuxQuestions.org
Old 03-21-2005, 04:34 PM   #1
joseph_k
mdk 10.1 - Firewall allows either NFS or Internet connection sharing, not both


My problem is that I cannot get both NFS mount points and Internet Connection Sharing working at the same time - just one or the other! The toggle switch seems to be when I configure my firewall. Here are the steps I'm taking:

I'm using 2 computers, both Mandrakelinux 10.1. One is my server, the other is my workstation. The server is connected to my cable modem with Network card #1. Network card #2 is connected to my hub, to which my workstation is also connected.

I walk through the "Internet Connection Sharing" wizard in the "Network & Internet" section of the "Mandrakelinux Control Center." Then I can access the Internet from the workstation.

I try to mount my NFS share:
(as su)
$ mount 192.168.0.1:/home/data /mnt/data
mount: RPC: Remote system error - Connection refused

So I configure the firewall on the server:

- Mandrakelinux Control Center | Security | Firewall
- "Which services would you like to allow the Internet to connect to?"
- I choose "Everything (no firewall)" and click OK.
- Then I identify my "Net Device" eth0.
- The wizard closes and I'm back at the control center.

Now I can mount the NFS share on the workstation (using the above command), but I can't connect to the Internet from the workstation anymore. My web browser gives me the error: "such-n-such URL could not be found. Please check the name and try again."

When I open the "Internet Connection Sharing" wizard to check my settings, it starts me out like I had never used the wizard before (like it had forgotten what I had setup earlier, and is starting over again). After I configure the internet connection sharing, I'm back to the 'connection refused' error when using the mount command.

Shouldn't setting the firewall to "No Firewall" allow both services? Is there another method I need to use to configure the firewall?
 
Old 03-22-2005, 10:03 AM   #2
jxi
First of all, if you're connected to the internet, don't go with 'no firewall' just to get things to work.

Now, type (as root) the following on a command line:

iptables-save

Do this for the settings that work for i/n connection, and then for the other, nfs working connection.

If the output runs into several pages, perhaps we'll try to work with looking for specific things instead.
Anyway, what is happening may not be a bug, but a feature! Seriously, there are some vulnerabilities introduced with nfs active and a simultaneous internet connection. Maybe the 'drake folks took the safe route for your sake. Portmap (for example, which nfs uses) has some known vulnerabilities.

It's possible to block the various ports in use by nfs from the outside world, but it takes a little work.

And I may not know all the answers. Esp. since I've never run two NICs. Just want to get you started.

Regards, John
 
Old 03-22-2005, 12:09 PM   #3
joseph_k
Thank you for the reply, John. I appreciate your input.

The output of iptables-save when NFS is working is very short, the output when Internet connection sharing is working is a few pages. Is there something in particular I'm supposed to be looking for? I've never worked with iptables before.

And I understand I shouldn't use the "no firewall", but I want to keep it simple until the NFS share is working - then I'll tinker with firewall settings and share permissions.

Do you think it would be easier to share my files via Samba? I've got a WinXP computer that will be connecting to my server's file shares, as well. Perhaps I should use Samba for linux-to-linux sharing... you can do that, right? I'm thinking about abandoning NFS ... I just don't look forward to having to tweak my firewall settings beyond what's available as checkboxes in the mdk control center.

Please share your experience with file sharing.
 
Old 03-22-2005, 01:33 PM   #4
jxi
Quote:
The output of iptables-save when NFS is working is very short
I'll guess it allows incoming connections from your workstation and localhost then drops everything else.
Quote:
the output when Internet connection sharing is working is a few pages.
It may be here that nfs is blocked at the port level. See details below.

It's probably this second configuration (from iptables when i/n is working) that you would want to tweak.

Quote:
Perhaps I should use Samba for linux-to-linux sharing... you can do that, right?
Sorry, I'm not experienced with Samba. (Regarding file sharing experience I'm limited to nfs.) I suppose a linux w/station running a Samba client could communicate with a linux box running a Samba server... may not be as fast as nfs.

you can google for 'nfs alternatives'

but if you want to continue with nfs here's at least the minimum.

First, nfs (minimum) services and ports:
portmap 111
rpc.nfsd 2049
rpc.mountd varies

Add to existing iptables (that already works w/internet) (let's say your workstation is 192.168.0.99) :
iptables -A INPUT -p tcp -s ! 192.168.0.99 --dport 111 -j DROP
iptables -A INPUT -p udp -s ! 192.168.0.99 --dport 111 -j DROP

you probably also need to allow explicit incoming connections from the workstation. Use the output from iptables-save and nfs connection (first output referred to above) as a reference.

but you need to be sure the last existing rule for INPUT is not an unconditional drop. If so, the above 2 need to be :
iptables -I INPUT <line number of unconditional drop> ...
since iptables -A just appends at the end. By unconditional drop I mean something like:
iptables -A INPUT -j DROP

i'm not sure if you absolutely have to block port 2049 and whatever rpc.mountd is using to be secure.

To get the current ports of rpc.mountd use

rpcinfo -p

Obviously checking this manually every time you start nfs would be extremely tedious and would thus be best implemented thru a script that ran along with nfs startup.

Ok enough on iptables.


Second, implement tcpwrappers.

in /etc/hosts.deny have one line:
portmap:ALL

or better:
ALL:ALL

in /etc/hosts.allow
portmap:192.168.0.99

Third, read up on /etc/exports. There is a 'secure' option which is on by default: don't override it with 'insecure' to attempt to fix connection problems. Most likely you're only allowing your workstation with something like

/home/shared 192.168.0.99(rw,root_squash)
so you're probably OK there anyway (secure prevents connections from unprivileged ports, i.e. > 1024, which wouldn't originate on your workstation. I think.)

If you add more boxes in your setup you'll probably go with a netmask which i haven't included here.

Here's some helpful sites (though some are dated):
http://www.troubleshooters.com/linux/nfs.htm
http://jamesthornton.com/redhat/linu...rver-port.html
http://www.linuxsecurity.com/resourc...wall-seen.html
http://www.linuxexposed.com/Articles...ecurity-2.html
http://www.redhat.com/docs/manuals/l...rver-port.html
http://www.linuxselfhelp.com/howtos/...S-HOWTO-6.html

If you really feel adventurous you can look into nfs via an ssh connection:
http://www.math.ualberta.ca/imaging/snfs/ (and similar sites)

HTH
John
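The rule-generation script below is an added example for this thread, not code posted by John or anyone else here. It turns John's iptables advice into the "script that ran along with nfs startup" he mentions: it reads which ports portmap, nfsd and mountd are on from `rpcinfo -p` output (mountd's port moves between restarts), locates the unconditional `-A INPUT -j DROP` in the current `iptables-save` output, and prints the `iptables` commands that insert an ACCEPT for the workstation and a DROP for everyone else just before that rule. It only prints the commands so they can be reviewed before being run as root; the workstation address 192.168.0.99 comes from John's post, while the `rpcinfo` and `iptables-save` samples are constructed for the example. It also uses the current `! -s` negation spelling rather than the older `-s ! addr` form John used.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster). Generates, but does
# not apply, iptables rules that restrict the NFS services to one workstation.
# Assumptions: workstation 192.168.0.99 and the constructed samples below.

WORKSTATION="${WORKSTATION:-192.168.0.99}"

# Constructed sample of `rpcinfo -p` on the server (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd'

# Constructed sample of the INPUT chain from `iptables-save`, ending in the
# unconditional drop that makes plain `iptables -A` useless.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# nfs_ports RPCINFO_TEXT: print unique "proto port" pairs for the three NFS
# services (portmapper, nfs, mountd), one per line, sorted.
nfs_ports() {
  printf '%s\n' "$1" \
    | awk '$5 ~ /^(portmapper|nfs|mountd)$/ { print $3, $4 }' \
    | sort -u
}

# drop_rule_index RULES_TEXT: 1-based position in INPUT of the first rule with
# no match criteria at all ("-A INPUT -j DROP"); 0 if there is none, in which
# case appending with -A is safe.
drop_rule_index() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / { n++ }
    $0 == "-A INPUT -j DROP" { print n; found = 1; exit }
    END { if (!found) print 0 }'
}

# nfs_rules WORKSTATION RPCINFO_TEXT RULES_TEXT: for each NFS port emit an
# ACCEPT for the workstation and a DROP for every other source. When an
# unconditional DROP exists the rules are inserted (-I) at its position so they
# are evaluated before it; otherwise they are appended (-A). Repeated -I at the
# same index reverses their relative order, which is harmless here because the
# ACCEPT and DROP match disjoint sources.
nfs_rules() {
  ws=$1
  idx=$(drop_rule_index "$3")
  if [ "$idx" -gt 0 ]; then
    how="-I INPUT $idx"
  else
    how="-A INPUT"
  fi
  nfs_ports "$2" | while read -r proto port; do
    printf 'iptables %s -p %s -s %s --dport %s -j ACCEPT\n' "$how" "$proto" "$ws" "$port"
    # "! -s" is the current negation syntax; older iptables wrote it "-s ! addr".
    printf 'iptables %s -p %s ! -s %s --dport %s -j DROP\n' "$how" "$proto" "$ws" "$port"
  done
}

# Usage: print the commands for the constructed samples. On a real server you
# would feed it "$(rpcinfo -p)" and "$(iptables-save)" instead.
nfs_rules "$WORKSTATION" "$SAMPLE_RPCINFO" "$SAMPLE_RULES"
```

Because mountd's port is read at run time, running this from the same init script that starts NFS keeps the rules in step with whatever port mountd picked, which is the manual `rpcinfo -p` check John describes, automated. The tcpwrappers and `/etc/exports` restrictions he lists remain a separate, second layer; the generated rules only cover the packet filter.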
All times are GMT -5.