LinuxQuestions.org
Old 08-06-2006, 07:15 PM   #1
dansawyer
Member
 
Registered: Mar 2005
Posts: 124

Rep: Reputation: 15
how to configure iptables for nfs ??


All,

The system is FC5. Does anyone have an example of how to configure iptables to support nfs? There is one site that speaks to some services with unbound ports.

Does anyone know the list of required ports?

How, and where, can those ports be bound?

Once that is done, is it as simple as editing the security configuration?

Thanks - Dan
 
Old 08-06-2006, 07:23 PM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Have you looked at any articles like this one?

http://www.troubleshooters.com/linux/nfs.htm

btw - this was the first entry when I googled "nfs firewall", and looks, from a cursory glance, to be pretty complete (you will need to follow one of the links in the article to http://www.troubleshooters.com/lpm/200305/200305.htm)
 
Old 08-06-2006, 08:34 PM   #3
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
If you mean nfs with default iptables scheme then this should help. I don't remember where I found it but here goes.

NFS setup on fc3 through firewall
Ok this is one procedure for fixing the NFS ports in Fedora Core 3 (FC3) and opening the firewall for these ports.

After following the "Newbie's Guide to Small Home LAN" from the Networking section of linux questions tutorials follow these steps to allow another linux box to see the NFS server (run: "/usr/sbin/rpcinfo -p" before and after to make sure it has worked!)

1. Create the file "/etc/sysconfig/nfs" and add the following contents:

STATD_PORT=4001
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4002
MOUNTD_PORT=4003

2. Append the following to the file "/etc/services":

rquotad 4004/tcp # rpc.rquotad tcp port
rquotad 4004/udp # rpc.rquotad udp port

3. Restart the nfs services:

service nfs restart
service nfslock restart

4. Re-run /usr/sbin/rpcinfo -p and make sure all the ports above have changed.

5. Open up the following ports (tcp and udp) on the Fedora firewall. Do this either using the "Security Level" app in "System Settings" or using the command line iptables command (think it's in /sbin/):

111:tcp, 111:udp, 2049:tcp, 2049:udp, 4001:tcp, 4001:udp, 4002:tcp, 4002:udp, 4003:tcp, 4003:udp, 4004:tcp, 4004:udp

(You can copy and paste the above text into the "Other ports: (1029:tcp)" section of the "Security Level Configuration").

Now you should be able to mount the NFS share on the other box like so:
 
Old 08-07-2006, 12:14 AM   #4
dansawyer
Member
 
Registered: Mar 2005
Posts: 124

Original Poster
Rep: Reputation: 15
Thank you. That is very close.

That does not quite work. Can other ports be tried, such as 410x instead of 400x?

There is a conflict on the ports.

Thanks - Dan


100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 44996 status
100011 1 udp 4004 rquotad
100011 2 udp 4004 rquotad
100011 1 tcp 4004 rquotad
100011 2 tcp 4004 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 4003 mountd
100005 1 tcp 4003 mountd
100005 2 udp 4003 mountd
100005 2 tcp 4003 mountd
100005 3 udp 4003 mountd
100005 3 tcp 4003 mountd
100021 1 udp 4002 nlockmgr
100021 3 udp 4002 nlockmgr
100021 4 udp 4002 nlockmgr
100021 1 tcp 4002 nlockmgr
100021 3 tcp 4002 nlockmgr
100021 4 tcp 4002 nlockmgr

ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT udp -- anywhere anywhere state NEW udp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:newoak
ACCEPT udp -- anywhere anywhere state NEW udp dpt:newoak
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pxc-spvr-ft
ACCEPT udp -- anywhere anywhere state NEW udp dpt:pxc-spvr-ft
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pxc-splr-ft
ACCEPT udp -- anywhere anywhere state NEW udp dpt:pxc-splr-ft
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rquota
ACCEPT udp -- anywhere anywhere state NEW udp dpt:rquota
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
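
Step 4 of the procedure in post #3, as a script: an added example (not written by any poster in this thread) that reads `rpcinfo -p` output and reports every registration that is not on its pinned port. The function names and the `EXPECTED` list are assumptions of this example; the sample rows are taken from the listing in post #4.

```shell
#!/bin/sh
# Added example: verify that RPC services sit on the ports pinned in post #3.
# Ports 4001-4004 come from /etc/sysconfig/nfs and /etc/services in that post;
# 111 and 2049 are the portmapper and nfs ports it opens in the firewall.
EXPECTED="portmapper:111 nfs:2049 status:4001 nlockmgr:4002 mountd:4003 rquotad:4004"

# Reads `rpcinfo -p` output on stdin. Prints one line per registration that is
# not on its pinned port and returns 1 if any were found, 0 otherwise.
check_rpc_ports() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); want[kv[1]] = kv[2] }
        }
        # Data rows are: program version protocol port service
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            svc = $5; proto = $3; port = $4
            if (seen[svc " " proto " " port]++) next   # collapse per-version rows
            found[svc] = 1
            if (!(svc in want)) {
                print svc, proto, port, "not-in-expected-list"; bad = 1
            } else if ((port + 0) != (want[svc] + 0)) {
                print svc, proto, port, "expected", want[svc]; bad = 1
            }
        }
        END {
            for (s in want) if (!(s in found)) { print s, "not-registered"; bad = 1 }
            exit bad + 0
        }'
}

# Rows copied from the rpcinfo listing in post #4 (one or two per service).
sample_rpcinfo() {
    cat <<'EOF'
100000 2 tcp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 44996 status
100011 1 udp 4004 rquotad
100003 3 tcp 2049 nfs
100005 3 tcp 4003 mountd
100021 4 tcp 4002 nlockmgr
EOF
}

# Stand-alone run on the sample; on a live server: rpcinfo -p | check_rpc_ports
sample_rpcinfo | check_rpc_ports || echo "RPC services found off their pinned ports"
```

Any service reported here is listening on a port the firewall rules from step 5 do not cover, so its traffic is dropped until the port is pinned and the service restarted.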
 
Old 08-07-2006, 12:32 AM   #5
dansawyer
Member
 
Registered: Mar 2005
Posts: 124

Original Poster
Rep: Reputation: 15
Whoops. There is an extended set of predefined tcp ports at the end of the file. I commented out the 4001 to 4 ports. That fixed the names.

- Thanks again - Dan
 
  

