
joseph_k 03-21-2005 04:34 PM

mdk 10.1 - Firewall allows either NFS or Internet connection sharing, not both
My problem is that I cannot get both NFS mount points and Internet Connection Sharing working at the same time - just one or the other! The toggle switch seems to be when I configure my firewall. Here are the steps I'm taking:

I'm using 2 computers, both Mandrakelinux 10.1. One is my server, the other is my workstation. The server is connected to my cable modem with Network card #1. Network card #2 is connected to my hub, to which my workstation is also connected.

I walk through the "Internet Connection Sharing" wizard in the "Network & Internet" section of the "Mandrakelinux Control Center." Then I can access the Internet from the workstation.

I try to mount my NFS share:
(as su)
$ mount /mnt/data
mount: RPC: Remote system error - Connection refused

So I configure the firewall on the server:

- Mandrakelinux Control Center | Security | Firewall
- "Which services would you like to allow the Internet to connect to?"
- I choose "Everything (no firewall)" and click OK.
- Then I identify my "Net Device" eth0.
- The wizard closes and I'm back at the control center.

Now I can mount the NFS share on the workstation (using the above command), but I can't connect to the Internet from the workstation anymore. My web browser gives me the error: "such-n-such URL could not be found. Please check the name and try again."

When I open the "Internet Connection Sharing" wizard to check my settings, it starts me out like I had never used the wizard before (like it had forgotten what I had setup earlier, and is starting over again). After I configure the internet connection sharing, I'm back to the 'connection refused' error when using the mount command.

Shouldn't setting the firewall to "No Firewall" allow both services? Is there another method I need to use to configure the firewall?

jxi 03-22-2005 10:03 AM

first of all, if you're connected to the internet, don't go with 'no firewall' just to get things to work.

Now, type (as root) the following on a command line:


Do this for the settings that work for i/n connection, and then for the other, nfs working connection.

If the output runs into several pages, perhaps we'll try to work with looking for specific things instead.
Anyway, what is happening may not be a bug, but a feature! ;) Seriously, there are some vulnerabilities introduced with nfs active and a simultaneous internet connection. Maybe the 'drake folks took the safe route for your sake. Portmap (for example, which nfs uses) has some known vulnerabilities.

It's possible to block the various ports in use by nfs from the outside world, but it takes a little work.

And I may not know all the answers. Esp. since I've never run two NICs. Just want to get you started.

Regards, John

joseph_k 03-22-2005 12:09 PM

Thank you for the reply, John. I appreciate your input.

The output of iptables-save when NFS is working is very short, the output when Internet connection sharing is working is a few pages. Is there something in particular I'm supposed to be looking for? I've never worked with iptables before.

And I understand I shouldn't use the "no firewall", but I want to keep it simple until the NFS share is working - then I'll tinker with firewall settings and share permissions.

Do you think it would be easier to share my files via Samba? I've got a WinXP computer that will be connecting to my server's file shares, as well. Perhaps I should use Samba for linux-to-linux sharing... you can do that, right? I'm thinking about abandoning NFS ... I just don't look forward to having to tweak my firewall settings beyond what's available as checkboxes in the mdk control center.

Please share your experience with files sharing.

jxi 03-22-2005 01:33 PM


The output of iptables-save when NFS is working is very short
I'll guess it allows incoming connections from your workstation and localhost then drops everything else.

the output when Internet connection sharing is working is a few pages.
It may be here that nfs is blocked at the port level. See details below.

It's probably this second configuration (from iptables when i/n is working) that you would want to tweak.


Perhaps I should use Samba for linux-to-linux sharing... you can do that, right?
Sorry, I'm not experienced with Samba. (Regarding file sharing experience, I'm limited to nfs.) I suppose a linux w/station running the Samba client could communicate with a linux box running the Samba server... may not be as fast as nfs.

You can google for 'nfs alternatives',

but if you want to continue with nfs, here's at least the minimum.

First, nfs (minimum) services and ports:
portmap 111
rpc.nfsd 2049
rpc.mountd varies

Add to existing iptables (that already works w/internet) (let's say your workstation is :
iptables -A INPUT -p tcp -s! --dport 111 -j DROP
iptables -A INPUT -p udp -s! --dport 111 -j DROP

you probably also need to allow explicit incoming connections from the workstation. Use the output from iptables-save and nfs connection (first output referred to above) as a reference.

but you need to be sure the last existing rule for INPUT is not an unconditional drop. If so, the above 2 need to be :
iptables -I INPUT <line number of unconditional drop> ...
since iptables -A just appends at the end. By unconditional drop I mean something like:
iptables -A INPUT -j DROP

I'm not sure if you absolutely have to block port 2049 and whatever rpc.mountd is using to be secure.

To get the current ports of rpc.mountd use

rpcinfo -p

Obviously checking this manually every time you start nfs would be extremely tedious and would thus be best implemented through a script that ran along with nfs startup.

Ok enough on iptables.

Second, implement tcpwrappers.

in /etc/hosts.deny have one line:

or better:

in /etc/hosts.allow

Third, read up on /etc/exports. There is a 'secure' option which is on by default: don't override it with 'insecure' to attempt to fix connection problems. Most likely you're only allowing your workstation with something like

so you're probably ok there anyway (secure prevents connections from unprivileged ports i.e. > 1024 which wouldn't originate on your workstation. I think :scratch: . )

If you add more boxes in your setup you'll probably go with a netmask which i haven't included here.

Here are some helpful sites (though some are dated):

If you really feel adventurous you can look into nfs via an ssh connection: (and similar sites)


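As an added example (not from the thread or from Mandrakelinux) of the approach John outlines: a POSIX sh script that parses `rpcinfo -p`, picks out the current mountd ports, and prints iptables rules allowing ports 111, 2049 and mountd only from the workstation, inserting them ahead of an unconditional DROP when its rule number is given. The workstation address 192.168.1.10 and the rpcinfo sample are constructed; the script prints the rules rather than running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables rules that restrict the
# NFS ports (portmap 111, nfsd 2049, and whatever ports rpc.mountd holds right
# now) to one trusted workstation. Assumed/constructed: the workstation address
# 192.168.1.10 and the rpcinfo -p sample below.

# Constructed sample of `rpcinfo -p` output so the parser can be exercised offline.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32772  mountd'

# mountd_ports RPCINFO_TEXT -> prints "proto port" for each mountd entry, one per line.
mountd_ports() {
    printf '%s\n' "$1" | awk '$5 == "mountd" { print $3, $4 }' | sort -u
}

# nfs_rules WORKSTATION RPCINFO_TEXT [DROP_RULE_NUMBER]
# Prints iptables commands. With no third argument the rules are appended (-A),
# which only works if INPUT does not end in an unconditional DROP. With the rule
# number of that DROP (from `iptables -L INPUT --line-numbers`) they are inserted
# (-I) at successive positions, so each ACCEPT stays ahead of its matching DROP
# and all of them stay ahead of the unconditional DROP.
nfs_rules() {
    ws=$1; info=$2; n=${3:-}
    { printf 'tcp 111\nudp 111\ntcp 2049\nudp 2049\n'; mountd_ports "$info"; } |
    while read -r proto port; do
        for action in "-s $ws -j ACCEPT" "-j DROP"; do
            if [ -n "$n" ]; then
                echo "iptables -I INPUT $n -p $proto --dport $port $action"
                n=$((n + 1))
            else
                echo "iptables -A INPUT -p $proto --dport $port $action"
            fi
        done
    done
}

# Live usage from an NFS startup script would be:
#   nfs_rules 192.168.1.10 "$(rpcinfo -p)" <drop rule number> | sh
nfs_rules 192.168.1.10 "$SAMPLE_RPCINFO" 7
```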