02-23-2005, 07:13 PM
#1
Member
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56
Firewall blocking NFS even though ports are open
I've spent the last couple of hours trying endlessly to get NFS to work across two machines. I've worked out that it's something to do with the firewall on the server (FC3) blocking the service, as if it's disabled it works fine!
I found a thread and a couple of documents that said ports 111 and 2049 need to be opened up, so I did this in the Security Level app... still it fails. Even when this is done by hand using the iptables command it still fails (I have restarted the firewall after changing the settings... even tried rebooting).
The only difference between trying the two methods above was that the error changes when the GUI is used... now the client reports back saying:
mount: RPC: Unable to receive; errno = No route to host
Has anyone got a sure-fire way to set up the FC3 firewall (iptables) to allow NFS to work?
02-23-2005, 09:55 PM
#2
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
Not trying to condescend, but you do have basic network connectivity to the other machine, right? Can you ping each host from the other and all that?
Mountd and friends use more or less random ports in their communication. A quick Google turned up this page, which seems to address the issue.
Last edited by sigsegv; 02-23-2005 at 09:56 PM.
02-24-2005, 03:33 AM
#3
Member
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56
Original Poster
Cheers for that! That appears to be exactly what I'm looking for.
I appreciate your concern about the network connectivity, but as I said in my thread, if I disable the firewall on the server everything works fine... It definitely has to be the dynamic NFS ports.
... I'll let you know how I get on.
02-24-2005, 08:54 AM
#4
Member
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56
Original Poster
The solution
OK, this is one procedure for fixing the NFS ports in Fedora Core 3 (FC3) and opening the firewall for these ports.
After following the "Newbie's Guide to Small Home LAN" from the Networking section of the LinuxQuestions tutorials, follow these steps to allow another Linux box to see the NFS server (run "/usr/sbin/rpcinfo -p" before and after to make sure it has worked!):
1. Create the file "/etc/sysconfig/nfs" and add the following contents:
STATD_PORT=4001
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4002
MOUNTD_PORT=4003
2. Append the following to the file "/etc/services":
rquotad 4004/tcp # rpc.rquotad tcp port
rquotad 4004/udp # rpc.rquotad udp port
3. Restart the NFS services:
/etc/init.d/nfs restart
/etc/init.d/nfslock restart
4. Re-run /usr/sbin/rpcinfo -p and make sure all the ports above have changed.
5. Open up the following ports (TCP and UDP) on the Fedora firewall. Do this either using the "Security Level" app in "System Settings" or using the command-line iptables command (I think it's in /sbin/):
111:tcp, 111:udp, 2049:tcp, 2049:udp, 4001:tcp, 4001:udp, 4002:tcp, 4002:udp, 4003:tcp, 4003:udp, 4004:tcp, 4004:udp
(You can copy and paste the above text into the "Other ports: (1029:tcp)" section of the "Security Level Configuration".)
Now you should be able to mount the NFS share on the other box like so:
# mkdir /mnt/tom_share
# mount tom.exampledomain.org:/share /mnt/tom_share
If anyone knows of an easier way please say!!
02-24-2005, 11:55 AM
#5
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
Quote:
Originally posted by OmnipotentOscar
I appreciate your concern about the network connectivity, but as I said in my thread, if I disable the firewall on the server everything works fine... It definitely has to be the dynamic NFS ports.
My apologies. I didn't (and still don't) see where you said it works if you disable the firewall, only that you had worked out that it was the firewall. If I had a nickel for every time someone thought they knew what the problem was, only to be *way* off ... Well, you know.
At any rate, I'm glad you got it working.
02-24-2005, 04:36 PM
#6
Member
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56
Original Poster
No worries... it probably wasn't clear, but it was the last 5 words in the first paragraph:
"I've worked out that it's something to do with the firewall on the server (FC3) blocking the service as if it's disabled it works fine!"
The "it's" was referring to the firewall... probably my bad English!
02-25-2005, 12:24 AM
#7
Senior Member
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197
Hehehe ... Sometimes I read too fast and my brain misses important little facts like that. I see it now.
08-10-2007, 08:41 AM
#8
LQ Newbie
Registered: Jul 2007
Location: The Hague, Netherlands
Distribution: osx 10.4, kubuntu, ubuntu, opensuse
Posts: 2
OmnipotentOscar was right. While NFS uses port 2049 and portmapper uses port 111, the underlying RPC mapper uses a variation of ports, by default randomly assigned as part of the Sun specs.
You can check the IANA list of port numbers to see all official port numbers.
When you start a firewall, the random ports keep getting blocked and the client cannot connect to the NFS share.
Please check lowth.com for a good, decent, web-based iptables configuration wizard. They also offer a very clear set of instructions to tie NFS down to static ports (i.e. fixed and chosen by you).
JM2C, as I've just run into the same issue.
08-31-2007, 02:58 PM
#9
LQ Newbie
Registered: Aug 2007
Posts: 1
lowth.org no longer exists
I've run into the same problem in that I need to lock the NFS services on a MacOS 10.4.10 box to static ports. The pages referred to at "lowth.org" no longer seem to exist. Does anyone out there know how to do this? Do I have to twiddle some settings in Netinfo? Apple front-line support doesn't seem to have a clue ...
08-31-2007, 03:17 PM
#10
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by spankme
I've run into the same problem in that I need to lock the NFS services on a MacOS 10.4.10 box to static ports. The pages referred to at "lowth.org" no longer seem to exist. Does anyone out there know how to do this? Do I have to twiddle some settings in Netinfo? Apple front-line support doesn't seem to have a clue ...
We actually have a forum specially for non-Linux questions of a UNIX nature here. You'll need to post your question in that forum.
11-25-2008, 01:53 PM
#11
LQ Newbie
Registered: Apr 2002
Posts: 2
Firewall blocking NFS
Thanks for the procedure OmnipotentOscar!
On RHEL-5 or CentOS-5 I did:
Edit and uncomment the default ports:
Code:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
Add those ports to your firewall rules by editing /etc/sysconfig/iptables:
Code:
# NFS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
Restart the services:
Code:
/etc/init.d/iptables restart
/etc/init.d/nfs restart
/etc/init.d/nfslock restart
You should be able to NFS to the server now. No need to modify /etc/services.
Last edited by igorgrin; 11-25-2008 at 01:54 PM.
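Added example, not from any poster in this thread: a small POSIX sh audit that ties together the check OmnipotentOscar recommends in post #4 (compare "rpcinfo -p" before and after pinning the ports) with the rule file igorgrin shows in post #11. It parses a constructed "rpcinfo -p" listing and a constructed excerpt of /etc/sysconfig/iptables and reports every registered RPC service whose port no ACCEPT rule opens; the mountd port numbers in the sample are made up, the others match post #11.

```shell
#!/bin/sh
# Constructed `rpcinfo -p` listing: portmapper, nfs, status and nlockmgr sit on
# the pinned ports from post #11, but mountd was left on portmapper-assigned
# (made-up) ports, which is exactly the situation the thread starter hit.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32772  mountd
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr'

# Constructed excerpt of an /etc/sysconfig/iptables file in the style of post #11.
IPTABLES_SAMPLE='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT'

# Print one "proto port" pair per ACCEPT rule that matches on --dport.
accepted_ports() {
    printf '%s\n' "$1" | awk '/-j ACCEPT/ && /--dport/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        print proto, port
    }'
}

# Print "name/proto/port" for each registered RPC service that no ACCEPT rule
# opens; a client on the far side of this firewall cannot reach those services.
blocked_rpc_services() {
    allowed=$(accepted_ports "$2")
    printf '%s\n' "$1" | awk 'NF == 5 && $4 ~ /^[0-9]+$/ { print $5, $3, $4 }' |
    while read -r name proto port; do
        printf '%s\n' "$allowed" | grep -qx "$proto $port" || echo "$name/$proto/$port"
    done
}

blocked_rpc_services "$RPCINFO_SAMPLE" "$IPTABLES_SAMPLE"
```

Run it against the real output of "rpcinfo -p" and your own rule file; anything it lists is a service the "No route to host" error in post #1 is pointing at.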
12-07-2009, 09:27 PM
#12
LQ Newbie
Registered: Feb 2009
Posts: 1
Hi, igorgrin
Thanks so much!
I did mount NFS successfully according to your steps
(in CentOS 5.4)
01-25-2010, 01:37 PM
#13
LQ Newbie
Registered: Apr 2008
Posts: 3
Hi, igorgrin
Thanks so much, too!
I did mount NFS successfully according to your steps
(in CentOS 5.4 server / openSUSE 11.2)
Tags: linux centOs 5.4 nfs problem: System Error: No route to host
NFS client error: "System Error: No route to host"
Problem: NFS server enabled (CentOS 5.4 - ip 192.168.0.1); NFS client enabled on (openSUSE 11.2 - ip 192.168.0.2);
The NFS client could not connect to the NFS server; the openSUSE firewall was open for the NFS client, ping worked, and ssh worked.
The problem was solved with igorgrin's tip above.
-> choose a folder to be shared.
-> System -> Administration -> Server Settings -> NFS
in the "Server Settings" button, enter the related ports:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
OK -> save -> exit
--> follow the procedure above.
Thank you.
Tks.
01-25-2010, 01:47 PM
#14
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Okay, I'm not sure how I missed this zombie thread the first time around, but I've got a clear visual now and I'm proceeding to engage it. tnt2br, please don't resurrect dead threads. Instead, start a new thread for your issue and include any necessary links in it (such as, for example, links to dead threads with similar problems).