LinuxQuestions.org

Linux - Newbie: Can't mount nfs dir with iptables up on server
https://www.linuxquestions.org/questions/linux-newbie-8/can%27t-mount-nfs-dir-with-iptables-up-on-server-733742/

Laserjock 06-17-2009 07:57 PM

Can't mount nfs dir with iptables up on server
 
I'm trying to mount an NFS share on my client computer but cannot connect unless I turn the iptables service off. I'm not sure which rule is blocking the connection. My NFS/RPC ports all seem to be associated with ACCEPT rules in my firewall.

I'm still learning iptables, which is a lot more complex than I initially thought. (I have a bad habit of editing the iptables file directly and backing it up all the time.)

Client mount attempt:
Code:

mount -v 192.168.1.11:/install /shared
mount: trying 192.168.1.11 prog 100003 vers 3 prot tcp port 2049
mount: mount to NFS server '192.168.1.11' failed: timed out (retrying)

Server: /etc/sysconfig/nfs:
Code:

#
# Define which protocol versions mountd
# will advertise. The values are "no" or "yes"
# with yes being the default
#MOUNTD_NFS_V1="no"
#MOUNTD_NFS_V2="no"
#MOUNTD_NFS_V3="no"
#
#
# Path to remote quota server. See rquotad(8)
#RQUOTAD="/usr/sbin/rpc.rquotad"
# Port rquotad should listen on.
RQUOTAD_PORT=10005
# Optional options passed to rquotad
#RPCRQUOTADOPTS=""
#
#
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=10000
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=10001
#
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
# Turn off v2 and v3 protocol support
#RPCNFSDARGS="-N 2 -N 3"
# Turn off v4 protocol support
#RPCNFSDARGS="-N 4"
# Number of nfs server processes to be started.
# The default is 8.
#RPCNFSDCOUNT=8
# Stop the nfsd module from being pre-loaded
#NFSD_MODULE="noload"
#
#
# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
#RPCMOUNTDOPTS=""
# Port rpc.mountd should listen on.
MOUNTD_PORT=10004
#
#
# Optional arguments passed to rpc.statd. See rpc.statd(8)
#STATDARG=""
# Port rpc.statd should listen on.
STATD_PORT=10002
# Outgoing port statd should use. The default is random.
STATD_OUTGOING_PORT=10003
# Specify callout program
#STATD_HA_CALLOUT="/usr/local/bin/foo"
#
#
# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
#RPCIDMAPDARGS=""
#
# Set to turn on Secure NFS mounts.
#SECURE_NFS="yes"
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
#RPCGSSDARGS="-vvv"
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
#RPCSVCGSSDARGS="-vvv"
# Don't load security modules in to the kernel
#SECURE_NFS_MODS="noload"
#
# Don't load sunrpc module.
#RPCMTAB="noload"


Server: iptables -nL:
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Chain RH-Firewall-1-INPUT (2 references)
target    prot opt source              destination
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 255
ACCEPT    esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    ah  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    udp  --  0.0.0.0/0            224.0.0.251        udp dpt:5353
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:631
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:631
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:25
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:21
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:137
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:138
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:139
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:445
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:443
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:5801
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:5901
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:6001
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:53
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:53
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:111
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:111
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:2049
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2049
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:10000:10005
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:10000:10005
REJECT    all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited


chrism01 06-18-2009 12:02 AM

I think that looks ok, have you run

service nfs status
exportfs -v

to check all nfs-related services are up on server?

Laserjock 06-18-2009 01:22 PM

chrism01,

I ran exportfs -v and made sure that NFS was running properly, but I still can't get through. It has to be iptables, since I can mount the NFS share when I stop the service (service iptables stop).

Do my rules look ok? What is the difference between the "state NEW" rules and the rather generic ones underneath?

chrism01 06-18-2009 06:32 PM

In your case, not a lot :)

Traditionally, replace your 'NEW' keyword with 'ESTABLISHED,RELATED', i.e. check for known cxns first, then 'new' (optional keyword).
You'll need a

service iptables restart

Please show the output of those other cmds I mentioned.

Also need to check firewall on client
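A way to cross-check the posted `iptables -nL` listing against the fixed ports set in /etc/sysconfig/nfs, as an added example that is not from the thread or either poster. The two inputs are constructed, trimmed copies of the listing and config above; the required-port list (rpcbind/portmap 111 and nfsd 2049 on both TCP and UDP, plus every `*_PORT` from the config) is my assumption of what an NFSv3 server needs reachable. Run on these inputs it reports exactly one gap, udp 111, which the listing above indeed lacks (tcp 111 appears twice).

```shell
#!/bin/sh
# Added example (not from the thread): cross-check an `iptables -nL` listing
# against the ports an NFSv3 server needs. Both inputs are constructed offline
# from what was posted; on a real server feed in `iptables -nL` and
# /etc/sysconfig/nfs instead.

RULES='Chain RH-Firewall-1-INPUT (2 references)
target    prot opt source              destination
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:111
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:111
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:2049
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:2049
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:10000:10005
ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:10000:10005
REJECT    all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited'

NFS_CONF='# Port rquotad should listen on.
RQUOTAD_PORT=10005
LOCKD_TCPPORT=10000
LOCKD_UDPPORT=10001
MOUNTD_PORT=10004
STATD_PORT=10002
STATD_OUTGOING_PORT=10003'

# required_ports: print "proto port" pairs that must be reachable on the server
# (assumption: rpcbind/portmap 111 and nfsd 2049 on TCP and UDP, plus every
# fixed port from /etc/sysconfig/nfs). STATD_OUTGOING_PORT is a source port
# for statd callbacks, so it needs no inbound rule and is skipped.
required_ports() {
  printf '%s\n' 'tcp 111' 'udp 111' 'tcp 2049' 'udp 2049'
  while IFS='=' read -r key val; do
    case "$key" in
      ''|'#'*)             ;;
      LOCKD_TCPPORT)       printf 'tcp %s\n' "$val" ;;
      LOCKD_UDPPORT)       printf 'udp %s\n' "$val" ;;
      STATD_OUTGOING_PORT) ;;
      *_PORT)              printf 'tcp %s\nudp %s\n' "$val" "$val" ;;
    esac
  done <<EOF
$NFS_CONF
EOF
}

# rule_accepts PROTO PORT: succeed if an ACCEPT rule in $RULES matches the
# protocol and destination port, either as dpt:N or inside a dpts:A:B range.
# An "ACCEPT all" rule with no port is not counted: `-nL` hides the interface,
# so there is no way to tell a loopback-only rule from a catch-all here.
rule_accepts() {
  local proto="$1" port="$2" line field range lo hi
  while read -r line; do
    case "$line" in ACCEPT*) ;; *) continue ;; esac
    set -- $line
    [ "$2" = "$proto" ] || continue
    for field; do
      case "$field" in
        dpt:"$port") return 0 ;;
        dpts:*)
          range=${field#dpts:}; lo=${range%%:*}; hi=${range#*:}
          if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
          fi ;;
      esac
    done
  done <<EOF
$RULES
EOF
  return 1
}

# missing_ports: print every required "proto port" that has no ACCEPT rule.
missing_ports() {
  required_ports | sort -u | while read -r proto port; do
    rule_accepts "$proto" "$port" || printf '%s %s\n' "$proto" "$port"
  done
}

# On the constructed listing this prints only "udp 111".
missing=$(missing_ports)
if [ -n "$missing" ]; then
  printf 'No ACCEPT rule for:\n%s\n' "$missing"
else
  echo 'All required NFS ports have ACCEPT rules.'
fi
```

On a live box, replace the two strings with `RULES=$(iptables -nL)` and `NFS_CONF=$(cat /etc/sysconfig/nfs)`, and add `tcpdump -ni any port 111 or port 2049` on the server during a client mount attempt to see which protocol the client actually uses for the portmapper query before changing any rule.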

