[SOLVED] Problems with nfs and iptables

ETCKerry · 01-07-2011, 08:14 PM

Hello,

I've been trying to get nfs working, and afer struggling for a little while, I think I've almost got it. I believe the only thing holding me back is iptables (when I disable iptables, I can connect without any issues).

I'm running Fedora 11 on the server.

Here is my /etc/sysconfig/nfs:

Code:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020

to verify the port assignments:

Code:

[myself@machine ~]$ rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100024    1   udp    662  status
    100024    1   tcp    662  status

and the relevant portion of my iptables:

Code:

# Set of ports to open for NFS
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 32769 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 662 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 875 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 875 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 892 -j ACCEPT

#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 892 -j ACCEPT

#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 892 -j ACCEPT

#-A OUTPUT -d (client machine)/24 -m state --state NEW -p tcp --sport 111 -j ACCEPT
#-A OUTPUT -d (client machine)/24 -m state --state NEW -p udp --sport 111 -j ACCEPT

# Log firewall rejections for debugging purposes
-A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall (in): "
-A OUTPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall (out): "

I tried several variations based on different guides I found - I get exactly the same results regardless of which block of rules I uncomment.

I added the log to see if it would help me figure out what was going on. I managed to catch some seemingly relevant messages, but they don't help me any. I'm hoping someone here will be able to make sense of them (or spot my mistake somewhere else).

From the client, I do this:
$showmount -e 192.168.1.200
(client is 192.168.1.201, server is .200)
and I get this in my firewall log:

Code:

Jan  7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22146 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=43240 DPT=111 LEN=64 ] 
Jan  7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22147 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=46830 DPT=111 LEN=64 ]

Any ideas?

Thanks!

-Kerry

Tinkster · 01-08-2011, 03:36 PM

Yah. You're permitting a SOURCE port of 111 ... DESTINATION 111 gets dropped.

/me listens for ticking cogs.

Cheers,
Tink

ETCKerry · 01-08-2011, 04:53 PM

I thought I was permitting a destination of 111 (with --dport), and specifying a source IP address of the client machine (with -s)?

My iptables configuration comes from sites describing how to configure nfs and iptables - I haven't seen anything like this:

Code:

-A OUTPUT -d (client machine)/24 -p udp -m udp --sport 111 -j ACCEPT

which is what I guess would be required to open a destination of port 111?

I tried adding this line (and the tcp variant) to iptables with the same result.

Maybe I'm misunderstanding what you're saying?

Thanks for the reply.

-Kerry

ETCKerry · 01-08-2011, 05:04 PM

Whoops!

Got it now: I had the rules in iptables misordered:

This line was before all of my NFS rules:

Code:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

Moving it to after my NFS rules solved the problem.

Thanks for your help!

-Kerry