LinuxQuestions.org
Old 01-07-2011, 08:14 PM   #1
ETCKerry
Member
 
Registered: Sep 2008
Posts: 37

Rep: Reputation: 15
Problems with nfs and iptables


Hello,

I've been trying to get nfs working, and after struggling for a little while, I think I've almost got it. I believe the only thing holding me back is iptables (when I disable iptables, I can connect without any issues).

I'm running Fedora 11 on the server.

Here is my /etc/sysconfig/nfs:
Code:
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
to verify the port assignments:
Code:
[myself@machine ~]$ rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100024    1   udp    662  status
    100024    1   tcp    662  status
and the relevant portion of my iptables:
Code:
# Set of ports to open for NFS
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 32769 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 662 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 875 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 875 -j ACCEPT
-A INPUT -s (client machine)/24 -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT -s (client machine)/24 -p udp -m udp --dport 892 -j ACCEPT

#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 892 -j ACCEPT

#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
#-A INPUT -s (client machine)/24 -m state --state NEW -p udp --dport 892 -j ACCEPT

#-A OUTPUT -d (client machine)/24 -m state --state NEW -p tcp --sport 111 -j ACCEPT
#-A OUTPUT -d (client machine)/24 -m state --state NEW -p udp --sport 111 -j ACCEPT

# Log firewall rejections for debugging purposes
-A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall (in): "
-A OUTPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall (out): "
I tried several variations based on different guides I found - I get exactly the same results regardless of which block of rules I uncomment.

I added the log to see if it would help me figure out what was going on. I managed to catch some seemingly relevant messages, but they don't help me any. I'm hoping someone here will be able to make sense of them (or spot my mistake somewhere else).

From the client, I do this:
$ showmount -e 192.168.1.200
(client is 192.168.1.201, server is .200)
and I get this in my firewall log:
Code:
Jan  7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22146 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=43240 DPT=111 LEN=64 ] 
Jan  7 21:10:38 machine kernel: Dropped by firewall (out): IN= OUT=eth0 SRC=192.168.1.200 DST=192.168.1.201 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=22147 PROTO=ICMP TYPE=3 CODE=10 [SRC=192.168.1.201 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=46830 DPT=111 LEN=64 ]
Any ideas?

Thanks!

-Kerry

Last edited by ETCKerry; 01-07-2011 at 08:16 PM. Reason: additional information
 
Old 01-08-2011, 03:36 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
Yah. You're permitting a SOURCE port of 111 ... DESTINATION 111 gets dropped.

/me listens for ticking cogs.



Cheers,
Tink
 
Old 01-08-2011, 04:53 PM   #3
ETCKerry
Member
 
Registered: Sep 2008
Posts: 37

Original Poster
Rep: Reputation: 15
I thought I was permitting a destination of 111 (with --dport), and specifying a source IP address of the client machine (with -s)?

My iptables configuration comes from sites describing how to configure nfs and iptables - I haven't seen anything like this:
Code:
-A OUTPUT -d (client machine)/24 -p udp -m udp --sport 111 -j ACCEPT
which is what I guess would be required to open a destination of port 111?

I tried adding this line (and the tcp variant) to iptables with the same result.

Maybe I'm misunderstanding what you're saying?

Thanks for the reply.

-Kerry
 
Old 01-08-2011, 05:04 PM   #4
ETCKerry
Member
 
Registered: Sep 2008
Posts: 37

Original Poster
Rep: Reputation: 15
Whoops!

Got it now: I had the rules in iptables misordered:

This line was before all of my NFS rules:
Code:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Moving it to after my NFS rules solved the problem.

Thanks for your help!

-Kerry
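The fix in post #4 is a rule-ordering problem: a catch-all `-A INPUT -j REJECT` placed before the NFS ACCEPT rules terminates every packet first, so the later rules never match (and the server answers with the ICMP host-prohibited seen in the log). The following added check (not from the thread or from iptables itself) parses an iptables-save style rule list and reports ACCEPT rules shadowed by an earlier catch-all in the same chain; the sample rules are constructed from the thread, with 192.168.1.0/24 assumed in place of the poster's "(client machine)/24".

```python
# Added example, not from the thread: lint iptables-save style rules for ACCEPT rules
# that can never match because an earlier catch-all REJECT/DROP in the same chain
# already terminates every packet (the misordering found in post #4).
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """Return (chain, has_match_criteria, target) for an '-A' rule, or None."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0] != "-A" or "-j" not in tokens[:-1]:
        return None
    j = tokens.index("-j")
    # Everything between the chain name and -j is a match (-s, -p, --dport, -m ...).
    return tokens[1], bool(tokens[2:j]), tokens[j + 1]

def find_shadowed(rules):
    """Return (line_no, rule, blocking_line_no) for each unreachable rule."""
    blocked = {}  # chain -> line number of the catch-all terminating rule
    shadowed = []
    for no, line in enumerate(rules, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and commented-out rules are ignored
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, has_match, target = parsed
        if chain in blocked:
            shadowed.append((no, line, blocked[chain]))
        elif not has_match and target in TERMINATING:
            blocked[chain] = no  # no match criteria + terminating target = catch-all
    return shadowed

# Constructed sample: the thread's NFS rules with the REJECT placed before them.
# 192.168.1.0/24 is assumed in place of the poster's "(client machine)/24".
MISORDERED = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
    "-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 111 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 111 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT",
    '-A INPUT -m limit --limit 15/minute -j LOG --log-prefix "Dropped by firewall (in): "',
]
# Same rules with the REJECT moved to the end, as the poster did to fix it.
FIXED = MISORDERED[:1] + MISORDERED[2:] + MISORDERED[1:2]

if __name__ == "__main__":
    for no, rule, blocker in find_shadowed(MISORDERED):
        print(f"line {no} unreachable (catch-all on line {blocker}): {rule}")
```

Running it against the output of `iptables-save` (one line per list element) flags every rule that sits behind a catch-all, including the LOG rule, which is why the misordered firewall also logged nothing for inbound packets.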
All times are GMT -5. The time now is 05:22 PM.