Hello,
I've been trying to get nfs working, and after struggling for a little while, I think I've almost got it. I believe the only thing holding me back is iptables (when I disable iptables, I can connect without any issues).
I'm running Fedora 11 on the server.
Here is my /etc/sysconfig/nfs:
Code:
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
to verify the port assignments:
Code:
[myself@machine ~]$ rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 32769 nlockmgr
100021 3 udp 32769 nlockmgr
100021 4 udp 32769 nlockmgr
100021 1 tcp 32803 nlockmgr
100021 3 tcp 32803 nlockmgr
100021 4 tcp 32803 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd
100024 1 udp 662 status
100024 1 tcp 662 status
and the relevant portion of my iptables:
Code:
# Set of ports to open for NFS
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 32769 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 662 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 875 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 875 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
#-A OUTPUT -d (client machine)/24 -m state --state NEW -p tcp --sport 111 -j ACCEPT
#-A OUTPUT -d (client machine)/24 -m state --state NEW -p udp --sport 111 -j ACCEPT
# Log firewall rejections for debugging purposes
-A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall (in): "
-A OUTPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall (out): "
I tried several variations based on different guides I found - I get exactly the same results regardless of which block of rules I uncomment.
I added the log to see if it would help me figure out what was going on. I managed to catch some seemingly relevant messages, but they don't help me any. I'm hoping someone here will be able to make sense of them (or spot my mistake somewhere else).
From the client, I do this:
$ showmount -e 192.168.1.200
(client is 192.168.1.201, server is .200)
and I get this in my firewall log:
Code:
Jan 7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22146 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=43240 DPT=111 LEN=64 ]
Jan 7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22147 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=46830 DPT=111 LEN=64 ]
Any ideas?
Thanks!
-Kerry
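As an added example (not code from the original post), a small Python decoder for iptables LOG lines like the two quoted above: it pulls the embedded packet out of an ICMP type 3 reply and reports which client, protocol and port the server rejected, which shows that the logged "(out)" traffic is the server's REJECT reply to the client's UDP portmapper query rather than a drop of the server's own traffic. The sample lines are the poster's two log entries, and the port map uses the fixed ports from the /etc/sysconfig/nfs shown above.

```python
import re

# Meanings of ICMP type 3 (destination unreachable) codes (RFC 792 / RFC 1812).
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
    9: "net administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

# Standard NFS ports plus the fixed ones from the poster's /etc/sysconfig/nfs.
NFS_PORTS = {111: "portmapper", 2049: "nfs", 875: "rquotad", 892: "mountd",
             662: "status", 32803: "nlockmgr (tcp)", 32769: "nlockmgr (udp)"}

# Constructed test input: the two lines from the poster's firewall log.
SAMPLE_LOG = [
    "Jan 7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22146 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=43240 DPT=111 LEN=64 ]",
    "Jan 7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22147 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=46830 DPT=111 LEN=64 ]",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Split an iptables LOG line into the outer packet's KEY=VALUE fields and,
    for ICMP errors, the fields of the offending packet quoted inside [...]."""
    inner, body = {}, line
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = dict(FIELD_RE.findall(m.group(1)))
        body = line[:m.start()]
    return dict(FIELD_RE.findall(body)), inner

def explain_reject(line):
    """Describe what an outbound ICMP unreachable says about the packet it
    answers, or return None if the line is not an ICMP type 3 error."""
    outer, inner = parse_log_line(line)
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        return None
    code, dport = int(outer.get("CODE", "-1")), int(inner.get("DPT", "0"))
    return {
        "reason": ICMP_UNREACH_CODES.get(code, f"code {code}"),
        "client": inner.get("SRC"), "proto": inner.get("PROTO"),
        "dport": dport, "service": NFS_PORTS.get(dport, "unknown"),
        # Codes 9/10/13 are what iptables REJECT --reject-with icmp-*-prohibited
        # sends, so the inbound packet reached REJECT before any matching ACCEPT.
        "accept_rule_missed": code in (9, 10, 13),
    }

def summarize(lines):
    """Collapse a log into one entry per (client, proto, port) that was rejected."""
    seen = {}
    for line in lines:
        info = explain_reject(line)
        if info and info["accept_rule_missed"]:
            seen.setdefault((info["client"], info["proto"], info["dport"]), info)
    return seen
```

Run against the two sample lines, `summarize` reports a single rejected flow, UDP from 192.168.1.201 to port 111 (portmapper), which is the first thing `showmount` asks the server for.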