LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   configure iptable for NFS (https://www.linuxquestions.org/questions/linux-security-4/configure-iptable-for-nfs-453956/)

jovie 06-12-2006 05:35 AM
configure iptable for NFS
 
Hello

Can someone help me configure the firewall on fedora core 4 to allow NFS?

I have one Master/head-node with two network cards. One connecting it to the internet and one to a private subnet of Slave-nodes. I want to mount one Master dir on all the Slaves and one Slave dir (from only one of the slaves) on the Master.

NFS works great if I take the firewall down on the Master (/etc/init.d/iptables stop) but with it running I get the following errors...

Trying to mount Slave dir on Master

Code:
[root@master ~]# /etc/init.d/iptables start
Applying iptables firewall rules:                          [  OK  ]
[root@master ~]# mount -Fv slave2:/usr/blastdb /usr/blastdb/
mount: no type was given - I'll assume nfs because of the colon
Then after a 2/3 min delay

Code:
mount: slave2:/usr/blastdb: can't read superblock

[root@master ~]# tail /var/log/messages
Jun 12 10:22:23 master kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jun 12 10:23:36 master kernel: nfs: server slave2 not responding, timed out
It say's the slave was not responding but that has to be because of the Master's firewall because starting it is the only change I made from a working NFS. (The slaves are running a firewall, Redhat9, but it's not a problem)

Trying to mount Master dir on a Slave

Code:
[root@slave2 ~]# mount -Fv master:/home /users
mount: no type was given - I'll assume nfs because of the colon
mount: RPC: Remote system error - Connection refused
This responce is imediate with no messages in var/log/messages.

I know NFS uses random ports and therefore I need portmap running, which it is, but the FC4 firewall must need something adjusted to work with it. Any ideas?

The only route to the slaves is through the master, thus I don't need a firewall on the network card to the slaves. Can't I just have the firewall enables on one card?

Thanks

Code:
[root@master ~]# more /etc/hosts.allow
#
# hosts.allow  This file describes the names of the hosts which are
#              allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
ALL:192.168.0.1*
portmap:192.168.0.10
portmap:192.168.0.11
portmap:192.168.0.12
portmap:192.168.0.13
portmap:192.168.0.14
portmap:192.168.0.15
portmap:192.168.0.16
portmap:192.168.0.17
lockd:192.168.0.1*
mountd:192.168.0.1*
rquotad:192.168.0.1*
statd:192.168.0.1*
[root@galaxy ~]#

jovie 06-13-2006 01:12 AM
Does anyone have a FC4 firewall configured to work with NFS?

Is it possible to restrict the firewall to one network card?

Does anyone know a work round? I've got a cluster sitting doing nothing, some impatient users and no idea how to proceed. :scratch:

Thanks in advance to anyone who can help.

win32sux 06-18-2006 03:46 AM
Quote:
Originally Posted by jovie
Can't I just have the firewall enables on one card?
yes, just specify which card the iptables rule should apply to...

for example, let's say you have several cards (eth0, eth1, eth2, etc.):
Code:
iptables -P INPUT DROP

iptables -A INPUT -i eth0 -j ACCEPT
this would allow all traffic coming into eth0, while still blocking everything coming into any other interface... keep in mind this is just an example...


All times are GMT -5. The time now is 04:20 PM.