NFS problems with firewall (iptables)

custangro · 01-17-2009, 12:38 PM

Hello All,

Ok, so I don't know what I'm doing wrong. I've been at this for a few days now and I can't seem to get NFS working though the firewall.

I am running Centos 5.2

First I edited the /etc/sysconfig/nfs file and uncommented/edited these entries...

Code:

LOCKD_TCPPORT=32769
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

Next I ran the system-config-securitylevel and I added 111(tcp/udp), 32769(tcp/udp), 892(tcp/udp), 662(tcp/udp), And I even put a check next to NFSv4. Here is the output of iptables -L

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:filenet-rpc
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:filenet-rpc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pftp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:pftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:892
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:892
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

I added this in my /etc/exports

Code:

/data    *(ro,sync)

And started nfsd/portmap

Code:

[root@centos-virt sysconfig]# service nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
[root@centos-virt sysconfig]# service portmap start
Starting portmap:                                          [  OK  ]

And I STILL can't mount the share

I get an error about "no route to host"...but when I do a iptables -F I can mount it just fine...

Thoughts/Help?

Thanks,

-C