Quote:
The output of iptables-save when NFS is working is very short
I'll guess it allows incoming connections from your workstation and localhost, then drops everything else.
Quote:
the output when Internet connection sharing is working is a few pages.
It may be here that NFS is blocked at the port level; see details below.
It's probably this second configuration (from iptables when Internet sharing is working) that you would want to tweak.
Quote:
Perhaps I should use Samba for linux-to-linux sharing... you can do that, right?
Sorry, I'm not experienced with Samba (regarding file sharing, my experience is limited to NFS). I suppose a Linux workstation running a Samba client could communicate with a Linux box running a Samba server; it may not be as fast as NFS.
You can google for 'nfs alternatives',
but if you want to continue with NFS, here's at least the minimum.
First, NFS (minimum) services and ports:
portmap 111
rpc.nfsd 2049
rpc.mountd varies
Add to your existing iptables rules (the set that already works with Internet sharing); let's say your workstation is 192.168.0.99:
iptables -A INPUT -p tcp ! -s 192.168.0.99 --dport 111 -j DROP
iptables -A INPUT -p udp ! -s 192.168.0.99 --dport 111 -j DROP
You probably also need to explicitly allow incoming connections from the workstation. Use the output from iptables-save taken while the NFS connection works (the first output referred to above) as a reference.
But you need to be sure the last existing rule for INPUT is not an unconditional drop. If it is, the above two need to be:
iptables -I INPUT <line number of unconditional drop> ...
since iptables -A just appends at the end. By an unconditional drop I mean something like:
iptables -A INPUT -j DROP
I'm not sure if you absolutely have to block port 2049 and whatever rpc.mountd is using to be secure.
To get the current ports of rpc.mountd, use
rpcinfo -p
Obviously, checking this manually every time you start NFS would be extremely tedious, so it would be best implemented through a script that runs along with NFS startup.
OK, enough on iptables.
Second, implement TCP wrappers.
In /etc/hosts.deny have one line:
portmap:ALL
or better:
ALL:ALL
In /etc/hosts.allow:
portmap:192.168.0.99
Third, read up on /etc/exports. There is a 'secure' option which is on by default; don't override it with 'insecure' to attempt to fix connection problems. Most likely you're only allowing your workstation with something like
/home/shared 192.168.0.99(rw,root_squash)
so you're probably OK there anyway (secure prevents connections from unprivileged ports, i.e. > 1024, which wouldn't originate on your workstation, I think).
If you add more boxes to your setup, you'll probably go with a netmask, which I haven't included here.
Here are some helpful sites (though some are dated):
http://www.troubleshooters.com/linux/nfs.htm
http://jamesthornton.com/redhat/linu...rver-port.html
http://www.linuxsecurity.com/resourc...wall-seen.html
http://www.linuxexposed.com/Articles...ecurity-2.html
http://www.redhat.com/docs/manuals/l...rver-port.html
http://www.linuxselfhelp.com/howtos/...S-HOWTO-6.html
If you really feel adventurous, you can look into NFS via an SSH connection:
http://www.math.ualberta.ca/imaging/snfs/ (and similar sites)
HTH
John
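As an added example that is not part of John's post: the startup script he suggests, in POSIX shell. It reads `rpcinfo -p` output to find the portmapper, nfs and mountd ports (mountd's change between restarts), checks `iptables -L INPUT -n --line-numbers` for the unconditional DROP he warns about, and prints ACCEPT-for-the-workstation plus DROP-for-everyone-else rules, using `-I` in front of that DROP when it exists and `-A` otherwise. The workstation address 192.168.0.99 is the one assumed in the thread; the two listings and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate iptables rules for the
# NFS ports reported by `rpcinfo -p`, allowing only the workstation.
# Function names and the two listings below are constructed for illustration.

# Constructed stand-in for `rpcinfo -p` on the NFS server.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100005    3   udp  32768  mountd
    100005    3   tcp  32769  mountd'

# Constructed stand-in for `iptables -L INPUT -n --line-numbers`, ending in the
# unconditional DROP the post warns about (rule 3).
SAMPLE_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# nfs_ports RPCINFO_TEXT: unique "proto port" pairs used by portmapper, nfs
# and mountd (the mountd ports are the ones that vary between restarts).
nfs_ports() {
    printf '%s\n' "$1" |
        awk '$5 == "portmapper" || $5 == "nfs" || $5 == "mountd" { print $3, $4 }' |
        sort -u
}

# unconditional_drop_line CHAIN_TEXT: rule number of the first catch-all DROP
# (any protocol, any source, any destination, no extra match), or nothing.
unconditional_drop_line() {
    printf '%s\n' "$1" |
        awk '$2 == "DROP" && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6 { print $1; exit }'
}

# nfs_rules RPCINFO_TEXT WORKSTATION CHAIN_TEXT: print the iptables commands.
# Each port gets an ACCEPT for the workstation followed by a DROP for everyone
# else. If the chain has a catch-all DROP, the rules are inserted (-I) in front
# of it with an increasing index so they keep their order (repeating -I with
# the same index would reverse them); otherwise they are appended (-A).
nfs_rules() {
    rpc=$1; ws=$2; n=$(unconditional_drop_line "$3")
    nfs_ports "$rpc" | while read -r proto port; do
        if [ -n "$n" ]; then
            printf 'iptables -I INPUT %s -p %s -s %s --dport %s -j ACCEPT\n' "$n" "$proto" "$ws" "$port"
            n=$((n + 1))
            printf 'iptables -I INPUT %s -p %s --dport %s -j DROP\n' "$n" "$proto" "$port"
            n=$((n + 1))
        else
            printf 'iptables -A INPUT -p %s -s %s --dport %s -j ACCEPT\n' "$proto" "$ws" "$port"
            printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
        fi
    done
}

# On a real server, review the output and then pipe it into sh to apply it:
#   nfs_rules "$(rpcinfo -p)" 192.168.0.99 "$(iptables -L INPUT -n --line-numbers)" | sh
nfs_rules "$SAMPLE_RPCINFO" 192.168.0.99 "$SAMPLE_CHAIN"
```

The script only prints commands; applying them is a deliberate second step so you can check that the ACCEPT rules land above the catch-all DROP before anything touches the live chain.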