LinuxQuestions.org (/questions/) > Linux - Server > NFS doesn't work unless iptables are stopped
(https://www.linuxquestions.org/questions/linux-server-73/nfs-doesnt-work-unless-iptables-are-stopped-657523/)

nyheat 07-22-2008 04:34 PM

NFS doesn't work unless iptables are stopped
 
I'm running CentOS 5.2.

I've enabled NFS through the system-config-securitylevel (firewall) tool but the client machine can't mount the NFS unless I first do service iptables stop on the server.

Here's some output from the server:
Quote:

[root@localhost ~]# vi /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#


ALL: 192.168.1.101
ALL: 192.168.1.102
Quote:

[root@localhost ~]# vi /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

ALL: ALL
Quote:

[root@localhost ~]# nmap -sT -O localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2008-07-22 17:27 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1687 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
619/tcp open unknown
631/tcp open ipp
669/tcp open unknown
1001/tcp open unknown
2049/tcp open nfs
3306/tcp open mysql
Device type: general purpose
....etc..
I can mount the NFS just fine as long as I turn off iptables. Obviously this is a security concern so I'd like to find out what specifically I need to enable to make this work.

WorldIsNotFair 07-23-2008 12:06 AM

Hello,

It's not that simple.

You have to open the other ports this service uses in your iptables:
- portmap
- mountd
- statd_port
- lockd_tcpport
- lockd_udpport
- rquotad_port

You can modify the ports in /etc/sysconfig/nfs; usually we set them to
ports 4002-4005, so you can modify your iptables more easily.

iptables may contain lines like the ones below:

-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4002:4005 -j ACCEPT
-A INPUT -p udp -m udp --dport 4002:4005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT

Give it a try, mate!
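As an added example (not code from the thread), the same procedure as a small POSIX sh script: it emits the /etc/sysconfig/nfs fragment that pins the helper daemons to the ports the reply suggests, and generates matching iptables rules that admit NFS only from the client network rather than from any source. CLIENT_NET is an assumed value chosen to cover the two hosts.allow clients; the variable names are the ones /etc/sysconfig/nfs on CentOS 5 reads.

```shell
#!/bin/sh
# Added example: fixed NFS helper ports plus source-restricted iptables rules.
# CLIENT_NET is an assumption (the subnet of 192.168.1.101 and .102).
CLIENT_NET=192.168.1.0/24

# Port pins for /etc/sysconfig/nfs (CentOS 5 nfs-utils variable names).
MOUNTD_PORT=4002
STATD_PORT=4003
LOCKD_TCPPORT=4004
LOCKD_UDPPORT=4004
RQUOTAD_PORT=4005

# Fragment to append to /etc/sysconfig/nfs; the nfs and nfslock init
# scripts hand these values to the daemons (lockd's go to the kernel).
nfs_sysconfig() {
    printf 'MOUNTD_PORT=%s\nSTATD_PORT=%s\nLOCKD_TCPPORT=%s\nLOCKD_UDPPORT=%s\nRQUOTAD_PORT=%s\n' \
        "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_TCPPORT" "$LOCKD_UDPPORT" "$RQUOTAD_PORT"
}

# One INPUT rule for protocol $1 and port $2, limited to the client network.
nfs_rule() {
    printf '%s\n' "-A INPUT -s $CLIENT_NET -p $1 -m $1 --dport $2 -j ACCEPT"
}

# Full rule set: portmap (111), nfsd (2049) and the pinned helper ports.
# Paste these into /etc/sysconfig/iptables above the final REJECT rule.
nfs_iptables_rules() {
    for proto in tcp udp; do
        nfs_rule "$proto" 111
        nfs_rule "$proto" 2049
        nfs_rule "$proto" "$MOUNTD_PORT"
        nfs_rule "$proto" "$STATD_PORT"
        nfs_rule "$proto" "$RQUOTAD_PORT"
    done
    nfs_rule tcp "$LOCKD_TCPPORT"
    nfs_rule udp "$LOCKD_UDPPORT"
}

# Number of rules generated; a quick check that nothing was lost in pasting.
nfs_rule_count() {
    nfs_iptables_rules | wc -l | tr -d ' '
}

# Usage: sh nfs-fw.sh > review.txt, then inspect before loading anything.
nfs_sysconfig
nfs_iptables_rules
```

After loading the rules and restarting portmap, nfs and nfslock, `rpcinfo -p` on the server shows whether mountd, status and nlockmgr actually bound to the pinned ports.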
