LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 02-23-2005, 07:13 PM   #1
OmnipotentOscar
Member
 
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56

Rep: Reputation: 15
Firewall blocking NFS even though ports are open


I've speant the last couple of hours trying endlessly to get NFS to work accross two machines. I've worked out that it's something to do with the firewall on the server (FC3) blocking the service as if it's disabled it works fine!

I found a thread and a couple of documents that said ports 111 and 2049 need to be opened up so did this in the Security Level app... still it fails. Even when this is done by hand using the iptables command it still fails (I have restarted the firewall after changing the settings.. even tried rebooting).

The only difference between trying the two methods above was that the error changes when the gui is used... now the client reports bak saying:

mount: RPC: Unable to receive; errno = No route to host

Has anyone got a sure fireway to set up the FC3 firewall (iptables) to allow NFS to work?
 
Old 02-23-2005, 09:55 PM   #2
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Not trying to condescend, but you do have basic network connectivity to the other machine, right? Can you ping each host from the other and all that?

Mountd and friends use more or less random ports in their communication. A quick google turned up this page which seems to address the issue.

Last edited by sigsegv; 02-23-2005 at 09:56 PM.
 
Old 02-24-2005, 03:33 AM   #3
OmnipotentOscar
Member
 
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56

Original Poster
Rep: Reputation: 15
Cheers for that! That appears to be exactly what I'm looking for.

I appreciate your concern about the network conectivity but as I said in my thread if I disable the firewall on the server everything works fine... It definately has to be the dynamic NFS ports.

... I'll let you know how I get on.
 
Old 02-24-2005, 08:54 AM   #4
OmnipotentOscar
Member
 
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56

Original Poster
Rep: Reputation: 15
The solution

Ok this is one proceadure for fixing the NFS ports in Fedora Core 3 (FC3) and opening the firewall for these ports.

After folloing the "Newbie's Guide to Small Home LAN "from the Networking section of linux questions tutorials follow these steps to allow another linux box to see the NFS server (run: "/usr/sbin/rpcinfo -p" before and after to make sure it has worked!)

1. Create the file "/etc/sysconfig/nfs" and add the following contents:

STATD_PORT=4001
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4002
MOUNTD_PORT=4003

2. Append the following to the file "/etc/services":

rquotad 4004/tcp # rpc.rquotad tcp port
rquotad 4004/udp # rpc.rquotad udp port

3. Restart the nfs services:

/etc/init.d/nfs restart
/etc/init.d/nfslock restart

4. Re-run /usr/sbin/rpcinfo -p and make sure all the ports above have changed.

5. Open up the following ports (tcp and udp) on the Fedora firewall. Do this either using the "Security Level" app in "System Settings" or using the command line iptables command (think it's in /sbin/):

111:tcp, 111:udp, 2049:tcp, 2049:udp, 4001:tcp, 4001:udp, 4002:tcp, 4002:udp, 4003:tcp, 4003:udp, 4004:tcp, 4004:udp

(You can copy and paste the above text into the "Other ports: (1029:tcp)" section of the "Security Level Configuration").

Now you should be able to mount the NFS share on the other box like so:

# mkdir /mnt/tom_share
# mount tom.exampledomain.org:/share /mnt/tom_share

If anyone knows of an eaier way please say!!
 
Old 02-24-2005, 11:55 AM   #5
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Quote:
Originally posted by OmnipotentOscar
I appreciate your concern about the network conectivity but as I said in my thread if I disable the firewall on the server everything works fine... It definately has to be the dynamic NFS ports.
My apologies. I didn't (and still don't) see where you said it works if you disable the firewall, only that you had worked out that it was the firewall. If I had a nickel for every time someone thought they knew what the problem was, only to be *way* off ... Well, you know.

At any rate, I'm glad you got it working
 
Old 02-24-2005, 04:36 PM   #6
OmnipotentOscar
Member
 
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56

Original Poster
Rep: Reputation: 15
No worries... it probably wasn't clear but it was the last 5 words in the first paragraph:

"I've worked out that it's something to do with the firewall on the server (FC3) blocking the service as if it's disabled it works fine!"

The "it's" was refering too the firewall... probably my bad english!
 
Old 02-25-2005, 12:24 AM   #7
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Hehehe ... Sometimes I read too fast and my brain misses important little facts like that. I see it now
 
Old 08-10-2007, 08:41 AM   #8
Dreamszz
LQ Newbie
 
Registered: Jul 2007
Location: The Hague, netherlands
Distribution: osx 10.4, kubuntu, ubuntu, opensuse
Posts: 2

Rep: Reputation: 0
OmnipotentOscar was right. While NFS uses port 2049 and portmapper uses port 111, the underlying RPC mapper uses a variation of ports, by default randomly assigned as part of the Sun specs.

You can check the IANA list of port numbers to see all official port numbers

When you start a firewall, the random ports keep getting blocked and the client cannot connect to the NFS share.

Please check lowth.com for a good, decent, web-based iptables configuration wizard. They also offer a very clear set of instructions to tie NFS down to static port (i.e. fixed and chosen by you).

JM2C as I've just run into the same <del>problem</del>issue.
 
Old 08-31-2007, 02:58 PM   #9
spankme
LQ Newbie
 
Registered: Aug 2007
Posts: 1

Rep: Reputation: 0
lowth.org no longer exists

I've run into the same problem in that I need to lock the NFS services on a MacOS 10.4.10 box to static ports. The pages referred to at "lowth.org" no longer seem to exist. Does anyone out there know how to do this? Do I have to twiddle some settings in Netinfo? Apple front-line support doesn't seem to have a clue ...
 
Old 08-31-2007, 03:17 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by spankme View Post
I've run into the same problem in that I need to lock the NFS services on a MacOS 10.4.10 box to static ports. The pages referred to at "lowth.org" no longer seem to exist. Does anyone out there know how to do this? Do I have to twiddle some settings in Netinfo? Apple front-line support doesn't seem to have a clue ...
We actually have a forum specially for non-Linux questions of a UNIX nature here. You'll need to post your question in that forum.
 
Old 11-25-2008, 01:53 PM   #11
igorgrin
LQ Newbie
 
Registered: Apr 2002
Posts: 2

Rep: Reputation: 1
Firewall blocking NFS

Thanks for the procedure OmnipotentOscar!

On RHEL-5 or CentOS-5 I did:
edit
Code:
/etc/sysconfig/nfs
uncomment the default ports:
Code:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
Add those ports to your firewall rules:
edit
Code:
/etc/sysconfig/iptables
Code:
# NFS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
Restart the services:
Code:
/etc/init.d/iptables restart
/etc/init.d/nfs restart
/etc/init.d/nfslock restart
You should be able to NFS to the server now. No need to modify /etc/services

Last edited by igorgrin; 11-25-2008 at 01:54 PM.
 
Old 12-07-2009, 09:27 PM   #12
ardisia
LQ Newbie
 
Registered: Feb 2009
Posts: 1

Rep: Reputation: 0
hi, igorgrin
Thanks so much!
I did mount nfs successfully according to your steps
(in centOS 5.4)
 
Old 01-25-2010, 01:37 PM   #13
tnt2br
LQ Newbie
 
Registered: Apr 2008
Posts: 3

Rep: Reputation: 0
hi, igorgrin
Thanks so much, too!
I did mount nfs successfully according to your steps
(in centOS 5.4 server / opensuse 11.2)

Tags: linux centOs 5.4 nfs problem: System Error: No route to host

nfs client error: "System Error: No route to host"

Problema: nfs server ativado (CentOs 5.4 - ip 192.168.0.1); nfs client ativado no (opensuse 11.2 - ip 192.168.0.2);
O nfs cliente não conseguia conectar o nfs servidor, o firewall do opensuse estava aberto para nfs client, realizava o ping, e realizava ssh.

O problema foi solucionado com a dica acim ado igorgrin.

->escolher um pasta a ser compartilhada.

->sistema->administracao->configuracaoDeServidor->NFS
no botao "configuracao do servidor" colocar as portas relacionadas:

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

ok->salvar->sair

--> seguir o roteiro acima.

Obrigado.
Tks.
 
Old 01-25-2010, 01:47 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Okay, I'm not sure how I missed this zombie thread the first time around, but I've got a clear visual now and I'm proceeding to engage it. tnt2br, please don't resurrect dead threads. Instead, start a new thread for your issue and include any necessary links in it (such as, for example, links to dead threads with similar problems).
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Blocking telnet on open ports rabeea Linux - Security 2 08-13-2004 09:03 AM
blocking telent on open ports rabeea Linux - Networking 2 08-11-2004 01:42 PM
Blocking telent on open ports rabeea Linux - Security 2 08-11-2004 09:07 AM
Firewall not blocking ports... bfloeagle Linux - Security 9 05-20-2003 03:53 PM
SuSE 7.2 Firewall (IPChains) Blocking Ports Led*Zep Linux - Networking 1 04-01-2003 03:06 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:33 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration