This is really killin' me, so I was wondering if you guys (and gals) can help. I'm trying to set up encrypted NFS with ssh on a Redhat 9.0 box, and I'm almost there. Below are the notes I put together. Really straightforward, but I keep getting the error:
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
I'm a desperate man, I just want to post it on my site cuz I think it would be cool.
~ comments preceded and terminated with '~' ~
~ I'm root throughout this exercise -DK ~
[djk@localhost djk]$ su - root
Password:
[root@localhost root]# cd /etc/rc.d/init.d
[root@localhost init.d]# ./nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
[root@localhost init.d]# ./sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
~ begin setting up the encrypted connection from the 'client' (7777:localhost)
to the 'server' on port 2049 -DK ~
[root@localhost init.d]# ssh -f -c blowfish -L 7777:localhost:2049 -l djk localhost sleep 300
djk@localhost's password:
~ need the mountd port for the next ssh mount port tunneling command -DK ~
[djk@localhost djk]$ /usr/sbin/rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 32768 status
391002 2 tcp 32769 sgi_fam
100011 1 udp 749 rquotad
100011 2 udp 749 rquotad
100011 1 tcp 752 rquotad
100011 2 tcp 752 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 32770 nlockmgr
100021 3 udp 32770 nlockmgr
100021 4 udp 32770 nlockmgr
100005 1 udp 32771 mountd
100005 1 tcp 32811 mountd
100005 2 udp 32771 mountd
100005 2 tcp 32811 mountd
100005 3 udp 32771 mountd
100005 3 tcp 32811 mountd
~ note my attempt at tunneling via the udp port 32771 below, because my
repeated attempts at tunneling via the tcp port failed with
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
... repeated until I killed the ssh process and shutdown sshd in another
terminal window -DK ~
[root@localhost init.d]# ssh -f -c blowfish -L 8888:localhost:32771 -l djk localhost sleep 300
djk@localhost's password:
~ port status verification -DK ~
[root@localhost init.d]# netstat -na | grep -E 'Proto|7777|8888'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN
~ the failed mount command -DK ~
[root@localhost init.d]# mount -t nfs -o tcp,port=7777,mountport=8888 localhost:/tmp /mnt/nfs/sshmount
channel 2: open failed: connect failed: Connection refused
mount: RPC: Unable to receive; errno = Connection reset by peer
~ In case you're curious, here is some firewall setup for portmapper (port 111) and
nfs (port 2049). These rules are taken from 'cat /etc/sysconfig/iptables'
output; as you can see, I just modified the lokkit rules. This works ok as far
as I can see, because nfs starts and portmapper works -DK ~
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
~ the /etc/fstab file, the line we're concerned with here is the last line,
just default setup stuff you can see in 'man nfs' -DK ~
[root@localhost root]# cat /etc/fstab
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hdf3 swap swap defaults 0 0
/dev/hdd4 /mnt/zip auto noauto,owner,kudzu 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/cdrom /cd iso9660 ro,user,noauto,unhide
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
localhost.localdomain:/tmp /mnt/nfs/sshmount nfs rsize=8192,wsize=8192,timeo=30,intr
~ the /etc/exports file, pretty standard -DK ~
[root@localhost root]# cat /etc/exports
/tmp localhost.localdomain(rw,insecure,root_squash)
-DK
Daniel Kemper
dan@dankemper.net
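Editor's added example, not part of Daniel's post: `ssh -L` forwards TCP connections only, so a local forward whose target port is registered with the portmapper only for UDP fails with "Connection refused" the moment the first client connects through it. The `rpcinfo -p` output in the post shows `nfs` registered on udp/2049 only (no tcp/2049 entry at all), and `mountd` on udp/32771 and tcp/32811, while the two tunnels were pointed at 2049 and 32771. The script below parses that exact output (embedded as constructed sample input) and reports, for any intended forward target, whether a TCP registration exists and which TCP port the same service offers instead. Function names and the report format are my own choices; the port numbers come from the post.

```python
"""Check whether an ssh -L forward target has a TCP registration in rpcinfo -p.

ssh -L only carries TCP, so tunnelling to a UDP-only RPC port can never work.
This helper parses `rpcinfo -p` output and explains which forwards are viable.
"""
import re
from collections import defaultdict

# Sample input: copied from the rpcinfo -p output shown in the post.
RPCINFO_OUTPUT = """\
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 32768 status
391002 2 tcp 32769 sgi_fam
100011 1 udp 749 rquotad
100011 2 udp 749 rquotad
100011 1 tcp 752 rquotad
100011 2 tcp 752 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 32770 nlockmgr
100021 3 udp 32770 nlockmgr
100021 4 udp 32770 nlockmgr
100005 1 udp 32771 mountd
100005 1 tcp 32811 mountd
100005 2 udp 32771 mountd
100005 2 tcp 32811 mountd
100005 3 udp 32771 mountd
100005 3 tcp 32811 mountd
"""

_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Map service name -> {'tcp': set(ports), 'udp': set(ports)}.

    The header line and anything that does not look like a registration
    row are skipped, so raw rpcinfo output can be passed straight in.
    """
    services = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        _prog, _vers, proto, port, name = m.groups()
        services[name][proto].add(int(port))
    return dict(services)


def check_forward(services, target_port):
    """Return (viable, message) for `ssh -L <local>:host:<target_port>`.

    viable is True only if some RPC service is registered on target_port
    over TCP. If the port is UDP-only, the message lists the TCP ports the
    same service registered, if any, so the forward can be repointed.
    """
    tcp_names = sorted(n for n, p in services.items() if target_port in p["tcp"])
    udp_names = sorted(n for n, p in services.items() if target_port in p["udp"])
    if tcp_names:
        return True, f"{target_port}/tcp is registered for {','.join(tcp_names)}; the forward can connect"
    if udp_names:
        alternatives = {n: sorted(services[n]["tcp"]) for n in udp_names}
        return False, (f"{target_port} is UDP-only ({','.join(udp_names)}); ssh -L carries TCP only. "
                       f"TCP ports for the same service: {alternatives}")
    return False, f"{target_port} has no portmapper registration at all"


def suggest_tcp_port(services, name):
    """Lowest TCP port registered for service `name`, or None if it has none."""
    ports = services.get(name, {}).get("tcp", set())
    return min(ports) if ports else None


if __name__ == "__main__":
    svc = parse_rpcinfo(RPCINFO_OUTPUT)
    for port in (2049, 32771, 32811):
        ok, msg = check_forward(svc, port)
        print(("OK  " if ok else "FAIL"), msg)
    print("mountd TCP port:", suggest_tcp_port(svc, "mountd"))
    print("nfs TCP port:", suggest_tcp_port(svc, "nfs"))
```

Run against the post's own output, the check flags both tunnels: 2049 is registered for `nfs` over UDP only, so no TCP forward to it can succeed until the NFS server is actually listening on TCP, and 32771 is the UDP `mountd` port, whereas the TCP one that a `-o tcp` mount would need is 32811. This is the same information `netstat -na` gave the poster in a roundabout way: the listeners on 7777 and 8888 belong to ssh, not to NFS.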