Firewall blocking the NFS server.

ZAMO · 12-14-2007, 10:50 AM

Hi everyone,

I have 2 servers connected to internet , but they are in the same location and subnet.
NFS server is running on server1(for example 192.168.1.1). i am able to access the server(192.168.1.1) from client 192.168.1.2 , even able to mount shares. Whenever i start the firewall(Iptables) in server1 , the NFS connection is refused and unable to mount the shares:

The following is the error i get:
mount: mount to NFS server 'x.x.x.x' failed: System Error: No route to host.

I have added the client IP to the firewall of server1 as follows. Is it enough to allow the NFS service?

iptables -A INPUT -s 192.168.1.2 -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -s 193.168.1.2 -p udp --dport 2219 -j ACCEPT

IS it ok? or am doing something wrong. Please advice me.

Thanks in Advance.

dkm999 · 12-15-2007, 07:42 PM

Do you by any chance have rules in your firewall that are doing NAT between the greater Internet and your private net (192.168.x.x)? If so, there is a real likelihood that a flaw in the rules may be doing you in. Once upon a time, I had a rule in my NAT table that said

Quote:

-t nat -A POSTROUTING -s 192.168.x.0/24 -j snat --to-source 216.39.145.64

This rule is missing a critical bit of qualification: it will remap packets originating on the local net without regard for whether they are going to the Internet. In particular, packets that originate on the firewall, and are intended for the local net will have their source address translated. This is not generally too big a problem, since the firewall knows both of its addresses, but in the case of NFS, the altered source address is probably not permitted to connect to the target, and you get an error.

The solution is to include an additional qualifier in the NAT rule:

Quote:

-t nat -A POSTROUTING -o {public net interface IP} -s 192.168.x.0/24 -j snat --to-source 216.39.145.64

This restricts the address translation to those packets that are headed out to the public Internet, and leaves traffic between the firewall and internal net hosts unmolested.

HTH

ZAMO · 12-17-2007, 04:34 AM

Thank you dkm999,
I had open the port and it is working. Thank you

wanghao · 12-17-2007, 09:09 AM

what did you find,and how it was solved !
"i have open the port ",that means you used the incorrect ports in you firewall rule ,is it ? or you blocked you rpc port 111 ?