NFS Client - Mount only works with proto=tcp while iptables is running
Hi,
Client is running Oracle VM Server 2.2.1 (kernel 2.6.18-128.2.1.4.37.el5xen). Storage is a NetApp 3210 (NFS configured to use TCP).
Iptables on client has udp and tcp ports 111, 2049 and the NFS server ports opened. Info retrieved using:
rpcinfo -p NetApp
When trying a manual mount ...
# mount -v NetApp:/share /mnt
mount: no type was given - I'll assume nfs because of the colon
mount: trying NetApp prog 100003 vers 3 prot tcp port 2049
mount: mount to NFS server 'NetApp' failed: timed out (retrying).
... but when using the proto=tcp option, it works ...
# mount -v -o proto=tcp NetApp:/share /mnt
... stopping iptables also works (I can manually mount the share without using proto=tcp).
Is the mounting process somehow trying to negotiate first using UDP, which the NetApp doesn't respond to, and hence failing by timing out?
Can I configure iptables such that I don't have to use the proto=tcp option? Or is there another configuration file I can tweak so that I don't have to use the proto=tcp option?
Thanks.
Can you post the iptables configuration on your NFS server (Netapp)?
You could check /etc/nfsmount.conf to check that the default protocol is tcp.
NFS over TCP has been enabled from the filer's web interface. This was done when it was first set up. I had another look and it's still enabled. There isn't a nfsmount.conf file in /etc; the config may be stored in a different file.
Can't find any iptables files in the NetApp. At least it's not in the /etc folder.
The command iptables is not available on the NetApp. But if it's my client that you are referring to, then:
# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
0 0 DROP tcp -- any any anywhere anywhere state NEW tcp dpt:http
37 2947 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 4804 bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT esp -- any any anywhere anywhere
0 0 ACCEPT ah -- any any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ipp
19 1176 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:nfs
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:compaq-https
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:5900:5950
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:teradataordbms
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:8003
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:8899
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:cbt
18 1771 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
mmm...
The bolded rule should allow UDP NFS connections from this client to any server. You really need to ensure that the server is allowing UDP traffic on port 2049.
Since nfsmount.conf is not there, you could try looking for /etc/sysconfig/nfs
You could also run the nfsd daemon in debug mode to see if you can identify the cause of your problem.
The NetApp has been configured for NFS over TCP. The description of this setting is "use TCP rather than UDP". Not sure whether this means only use TCP.
What I don't understand fully is how iptables is involved. If I stop iptables, I can mount without proto=tcp. If I start iptables, I need to use proto=tcp.
So I'm suspecting I should look here on my client instead of the NetApp, in particular the iptables itself. The NetApp does not have the usual Unix commands or file system structure. Hence there's no sysconfig folder or nfsd daemon.
Your iptables config looks like it should allow all type of connections that are initiated from the client (the bold line).
I guess you try to explicitly allow udp connections on nfs port, but you mentioned that the server is listening on TCP only, so this is unlikely to make a difference.
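To make the point in the reply above checkable, here is an added shell example (not written by anyone in this thread) that audits an `iptables -vL` listing the way a reviewer would: it confirms the stateful RELATED,ESTABLISHED accept is present, lists which protocols have an explicit NEW accept for the nfs port, and reads the final REJECT rule's packet counter, which is the number that climbs whenever a reply fails to match an existing conntrack entry. The listing embedded in the script is a trimmed copy of the RH-Firewall-1-INPUT chain posted above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an "iptables -vL" listing for the rules an NFS client
# mount depends on. The listing below is a trimmed copy of the RH-Firewall-1-INPUT chain posted above.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   19  1176 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:nfs
   18  1771 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited'

# True when replies to client-initiated traffic are accepted via conntrack. With this rule present,
# a mount needs no inbound NEW rule on the client, for tcp or udp; what matters is that the reply
# matches the conntrack entry (same addresses and ports the request used).
has_stateful_accept() {
    printf '%s\n' "$1" | awk '$3 == "ACCEPT" && /RELATED,ESTABLISHED/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Protocols with an explicit NEW accept for the nfs port (2049), space separated, e.g. "tcp".
nfs_new_protocols() {
    printf '%s\n' "$1" | awk '$3 == "ACCEPT" && /state NEW/ && /dpt:nfs/ { print $4 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Packet counter of the first REJECT rule: it climbs when a packet matched nothing above it.
reject_rule_packets() {
    printf '%s\n' "$1" | awk '$3 == "REJECT" { print $1; exit }'
}

# One-line verdict for a listing.
diagnose() {
    rejected=$(reject_rule_packets "$1")
    if ! has_stateful_accept "$1"; then
        echo "no RELATED,ESTABLISHED accept: every NFS reply would need an explicit rule"
    elif [ "${rejected:-0}" -gt 0 ]; then
        echo "stateful accept present, NEW nfs accepted for: $(nfs_new_protocols "$1"); REJECT counter is non-zero, so some packets match no conntrack entry (compare reply source with request destination)"
    else
        echo "stateful accept present and nothing rejected"
    fi
}

diagnose "$SAMPLE_LISTING"
```

On a live client run `diagnose "$(iptables -vL RH-Firewall-1-INPUT)"` twice, once before and once after a failed mount attempt: if the REJECT counter moves while the RELATED,ESTABLISHED counter does not, the replies are arriving but are not being recognised as replies, and the listing itself is not what needs changing.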
Thanks mate. I tried using tcpdump and it seems to get stuck at a certain interface.
What's happening is I'm mounting using 10.1.50.1 which is a virtual interface (lif0-50) created on the Netapp for vlan 50.
The actual interface (lif0) is on 10.1.20.1 (this is on vlan 1). Tcpdump says this destination is unreachable (protocol ICMP). If I try mounting using 10.1.20.1 instead (without proto=tcp), it works.
So iptables blocks 10.1.50.1 while it allows 10.1.20.1 (both without using proto=tcp option).
Any insight into this networking issue would be greatly appreciated.
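What the last post describes is consistent with a UDP reply arriving from a different address than the request was sent to: if the filer answers a datagram sent to 10.1.50.1 from its lif0 address 10.1.20.1, the reply matches no conntrack entry on the client, falls past the RELATED,ESTABLISHED rule, and hits the final REJECT, whose icmp-host-prohibited is the ICMP unreachable tcpdump showed. TCP is unaffected because a SYN-ACK has to come from the address the SYN was sent to. That is an assumption about the cause, not something the thread confirms. The following added shell example (not written by anyone in this thread) reads `tcpdump -n` output and reports UDP replies whose source differs from the request's destination, plus a count of admin-prohibited ICMP lines; the capture lines are constructed to use the filer addresses from this thread, and the client address 10.1.50.20 is invented.

```shell
#!/bin/sh
# Added example (not from the thread): flag UDP replies whose source address differs from the
# address the request was sent to. Such replies match no conntrack entry, so a client firewall
# that relies on "state RELATED,ESTABLISHED" rejects them.

# Constructed "tcpdump -n" lines. 10.1.50.20 is an invented client address; 10.1.50.1 (lif0-50)
# and 10.1.20.1 (lif0) are the filer addresses named in the thread.
SAMPLE_TCPDUMP='12:00:00.000001 IP 10.1.50.20.800 > 10.1.50.1.111: UDP, length 56
12:00:00.000500 IP 10.1.20.1.111 > 10.1.50.20.800: UDP, length 28
12:00:00.000700 IP 10.1.50.20 > 10.1.20.1: ICMP host 10.1.50.20 unreachable - admin prohibited, length 64
12:00:01.000001 IP 10.1.50.20.801 > 10.1.20.1.111: UDP, length 56
12:00:01.000500 IP 10.1.20.1.111 > 10.1.50.20.801: UDP, length 28'

# Read tcpdump lines on stdin; print one line per UDP datagram that answers an earlier datagram
# but comes from a different IP than that earlier datagram was addressed to.
asymmetric_udp_replies() {
    awk '
    # "a.b.c.d.port" -> "a.b.c.d"
    function ip(s,    n, a) { n = split(s, a, "."); return a[1] "." a[2] "." a[3] "." a[4] }
    $2 == "IP" && $6 == "UDP," {
        src = $3; dst = $5; sub(/:$/, "", dst)
        # A packet addressed to a socket we have already seen sending is a reply to it.
        if ((dst in sent_to) && ip(src) != sent_to[dst])
            printf "asymmetric reply: %s sent to %s, answered from %s\n", dst, sent_to[dst], ip(src)
        sent_to[src] = ip(dst)   # remember where this socket last sent
    }'
}

# Count ICMP "admin prohibited" messages, which is what --reject-with icmp-host-prohibited emits.
count_host_prohibited() {
    awk '/ICMP/ && /admin prohibited/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_TCPDUMP" | asymmetric_udp_replies
printf 'admin-prohibited ICMP messages: %s\n' "$(printf '%s\n' "$SAMPLE_TCPDUMP" | count_host_prohibited)"
```

On the client, run `tcpdump -l -n udp or icmp | asymmetric_udp_replies` during a mount attempt without proto=tcp. A reported line shows the request went to 10.1.50.1 and the answer came from 10.1.20.1, which is a server-side addressing issue rather than a missing iptables rule; the two workarounds already found in this thread, mounting with proto=tcp or mounting via the address the filer actually answers from, both avoid it.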