From: Roman Fiedler <roman.fiedler@ait.ac.at>
To: Khaled Hussein <khaled@bisan.com>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: Diskless and Firewall
Date: Thu, 1 Apr 2010 16:20:14 +0200
Message-ID: <4BB4AB9E.3080208@ait.ac.at>
In-Reply-To: <1270117547.3335.15.camel@khaled-laptop>

Khaled Hussein wrote:
> Dear All,
> 
> I am running a machine with diskless boot; it is running CentOS. I have a problem with iptables: when I restart iptables I lose the connection with the NFS server, so I lose my hard disks and the machine becomes unreachable. This happens when I use DROP as the default policy on the INPUT, OUTPUT and FORWARD chains. I tried to use the mangle table with default ACCEPT on these chains, but the same, if I changed the default policy to ACCEPT on the above chains, so is there any way to avoid this problem?

I had the same problem with an autosetup thingy recently. I think that the following fixed the problem for me (and not something else that I overlooked while tuning the configs):

* Set conntrack liberal globally (via proc)

* Load minimal iptables set with accept on all chains (which is as secure as having no rules, like before, so nothing lost)

* Make sure to have traffic on all connections you want to keep alive; netfilter seems to create conntracks for them (you might use the conntrack tools for the same work also). In your case you might open a file you haven't read yet to force NFS traffic.

* Switch to your final ruleset, which has a --state ESTABLISHED -j ACCEPT at the beginning of each chain (I loaded it with iptables-restore to avoid glitches that might kill a connection)

* Disable conntrack liberal

The final rules were strict, with output filtering and stateful connection tracking.

Hope this is helpful,

-- 
Roman Fiedler
Safety & Security Department
Information Management & eHealth

AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1  |  8020 Graz  |  Austria
T +43(0) 316 586570-63  |  M +43(0) 664 8251194  |  F +43(0) 316 586570-12
roman.fiedler@ait.ac.at <mailto:roman.fiedler@ait.ac.at> | http://www.ait.ac.at <http://www.ait.ac.at/>
http://www.ait.ac.at/eHealth/ <http://www.ait.ac.at/eHealth/>

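The five steps Roman lists, as an added example script that is not part of the thread. It assumes an NFS server at 192.0.2.10 (a constructed placeholder), NFS over TCP port 2049 plus rpcbind on UDP 111 (mountd and lockd ports are not covered), and the "conntrack liberal" knob at /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal; the ESTABLISHED rule is the first rule of every chain and the switch is a single iptables-restore call.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: NFS server 192.0.2.10 (constructed),
# NFS over TCP 2049 and rpcbind 111 (mountd/lockd ports would need pinning as well).
set -eu

NFS_SERVER="${NFS_SERVER:-192.0.2.10}"                       # constructed placeholder
LIBERAL=/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal  # "conntrack liberal" knob

# Step 2: ACCEPT everywhere, equivalent to having no rules, so conntrack can pick up flows.
minimal_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Step 4: strict DROP policies; ESTABLISHED,RELATED is the first rule of every chain so
# the NFS flows now known to conntrack survive the policy flip. $1 = NFS server address.
final_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $1 -p tcp --dport 2049 -m state --state NEW -j ACCEPT
-A OUTPUT -d $1 -p udp --dport 111 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Steps 1-5 in order; needs root. Reading a not-yet-cached file forces NFS traffic (step 3).
apply_ruleset() {
    echo 1 > "$LIBERAL"
    minimal_ruleset | iptables-restore
    head -c 1 "${NFS_PROBE_FILE:-/etc/services}" >/dev/null   # assumed NFS-backed path
    final_ruleset "$NFS_SERVER" | iptables-restore             # one atomic swap
    echo 0 > "$LIBERAL"
}
# Kernel state is only touched when invoked with an explicit argument, e.g.: sh reload-fw.sh apply
if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```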
