Can't mount nfs dir with iptables up on server

Laserjock · 06-17-2009, 07:57 PM

I'm trying to mount an NFS share on my client computer but cannot connect unless I turn the iptables service off. I'm not sure which rule is blocking the connection. My NFS/RPC ports all seem to be associated with ACCEPT rules in my firewall.

I'm still learning iptables, which is a lot more complex than I initially thought. (I have a bad habit of editing the iptables file directly and backing it up all the time.)

Client mount attempt:

Code:

mount -v 192.168.1.11:/install /shared
mount: trying 192.168.1.11 prog 100003 vers 3 prot tcp port 2049
mount: mount to NFS server '192.168.1.11' failed: timed out (retrying)

Server: /etc/sysconfig/nfs:

Code:

#
# Define which protocol versions mountd
# will advertise. The values are "no" or "yes"
# with yes being the default
#MOUNTD_NFS_V1="no"
#MOUNTD_NFS_V2="no"
#MOUNTD_NFS_V3="no"
#
#
# Path to remote quota server. See rquotad(8)
#RQUOTAD="/usr/sbin/rpc.rquotad"
# Port rquotad should listen on.
RQUOTAD_PORT=10005
# Optinal options passed to rquotad
#RPCRQUOTADOPTS=""
#
#
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=10000
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=10001
#
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
# Turn off v2 and v3 protocol support
#RPCNFSDARGS="-N 2 -N 3"
# Turn off v4 protocol support
#RPCNFSDARGS="-N 4"
# Number of nfs server processes to be started.
# The default is 8.
#RPCNFSDCOUNT=8
# Stop the nfsd module from being pre-loaded
#NFSD_MODULE="noload"
#
#
# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
#RPCMOUNTDOPTS=""
# Port rpc.mountd should listen on.
MOUNTD_PORT=10004
#
#
# Optional arguments passed to rpc.statd. See rpc.statd(8)
#STATDARG=""
# Port rpc.statd should listen on.
STATD_PORT=10002
# Outgoing port statd should used. The default is port
# is random
STATD_OUTGOING_PORT=10003
# Specify callout program
#STATD_HA_CALLOUT="/usr/local/bin/foo"
#
#
# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
#RPCIDMAPDARGS=""
#
# Set to turn on Secure NFS mounts.
#SECURE_NFS="yes"
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
#RPCGSSDARGS="-vvv"
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
#RPCSVCGSSDARGS="-vvv"
# Don't load security modules in to the kernel
#SECURE_NFS_MODS="noload"
#
# Don't load sunrpc module.
#RPCMTAB="noload"

Server: iptables -nL:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5801
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5901
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:111
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:111
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:2049
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2049
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:10000:10005
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:10000:10005
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

chrism01 · 06-18-2009, 12:02 AM

I think that looks ok, have you run

service nfs status
exportfs -v

to check all nfs-related services are up on server?

Laserjock · 06-18-2009, 01:22 PM

chrism01,

I ran exportfs -v and made sure that NFS was running properly, but I still can't get through. It has to be iptables, since I can mount the NFS share when I stop the service (service iptables stop).

Do my rules look ok? What is the difference between the "state NEW" rules and the rather generic ones underneath?

chrism01 · 06-18-2009, 06:32 PM

In your case, not a lot

Traditionally, replace your 'NEW' keyword with 'ESTABLISHED,RELATED' ie check for known cxns first, then 'new' (optional keyword).
You'll need a

service iptables restart

Please show the output of those other cmds I mentioned.

Also need to check firewall on client