NFS and iptables.

Linux Netfilter discussions
 help / color / mirror / Atom feed

* NFS and iptables.
@ 2004-04-24 22:00 Krunk
  2004-04-24 23:12 ` Cedric Blancher
  0 siblings, 1 reply; 7+ messages in thread
From: Krunk @ 2004-04-24 22:00 UTC (permalink / raw)
  To: netfilter

I've bound my NFS ports (moountd, statd, lockd, quotad) and freed up the
ports they are bound to, but the client still hangs when I try to mount
the remote share. 

rpcinfo -p
 program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32772  nlockmgr
    100021    3   udp  32772  nlockmgr
    100021    4   udp  32772  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100021    3   tcp  32769  nlockmgr
    100021    4   tcp  32769  nlockmgr
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100005    2   udp  32767  mountd
    100005    2   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd

command that opens ports:
 NFS="2049 32764 32765 32766 32767 32768 32772 sunrpc"
# opening tcp for NFS
for i in $NFS
do
   echo -n "$i"
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
#opening udp for NFS
for i in $NFS
do
    echo -n "$i"
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""


This same loop is used for every service I've opened up (cups, ssh, etc)
and works fine. So I'm sure the loop itself works (e.g. it's in the
right spot sequentially, and the rest of the script works fine).

output of log file when client is trying to connect:

Apr 24 16:53:35 tuxmac DROPl:IN=eth1 OUT= MAC=<mac here> SRC=192.168.xxx.xxx DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41035 DF PROTO=TCP SPT=896 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 24 16:53:37 tuxmac DROPl:IN=ppp0 OUT= MAC= SRC=129.81.224.6 DST=<my isp assigned ip> LEN=89 TOS=0x00 PREC=0x00 TTL=46 ID=17196 DF PROTO=TCP SPT=143 DPT=49366 WINDOW=32900 RES=0x00 ACK PSH FIN URGP=0
Apr 24 16:53:38 tuxmac DROPl:IN=eth1 OUT= MAC=<eth1 mack here> SRC=192.168.xxx.xxx DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41036 DF PROTO=TCP SPT=896 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 24 16:53:44 tuxmac DROPl:IN=eth1 OUT= MAC=<eth1 mac here> SRC=192.168.xxx.xxx DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41037 DF PROTO=TCP SPT=896 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0

The source and destination ip's are right.




^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NFS and iptables.
  2004-04-24 22:00 NFS and iptables Krunk
@ 2004-04-24 23:12 ` Cedric Blancher
  2004-04-24 23:40   ` John A. Sullivan III
  2004-04-25  0:32   ` Krunk
  0 siblings, 2 replies; 7+ messages in thread
From: Cedric Blancher @ 2004-04-24 23:12 UTC (permalink / raw)
  To: Krunk; +Cc: netfilter

Le dim 25/04/2004 à 00:00, Krunk a écrit :
> I've bound my NFS ports (moountd, statd, lockd, quotad) and freed up the
> ports they are bound to, but the client still hangs when I try to mount
> the remote share.
[...]
> command that opens ports:
>  NFS="2049 32764 32765 32766 32767 32768 32772 sunrpc"
[...]
> Apr 24 16:53:35 tuxmac DROPl:IN=eth1 OUT= MAC=<mac here>
> SRC=192.168.xxx.xxx DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00
> TTL=64 ID=41035 DF PROTO=TCP SPT=896 DPT=111 WINDOW=5840 RES=0x00 SYN
> URGP=0

As far as I can see, your client is trying to connect to portmapper in
order to get NFS service port back. But there's nothing in your script
excerpt that opens TCP/111.

PS : maybe you should consider use the RPC helper available in
patch'o'matic extra section.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NFS and iptables.
  2004-04-24 23:12 ` Cedric Blancher
@ 2004-04-24 23:40   ` John A. Sullivan III
  2004-04-25  8:24     ` Cedric Blancher
  2004-04-25  0:32   ` Krunk
  1 sibling, 1 reply; 7+ messages in thread
From: John A. Sullivan III @ 2004-04-24 23:40 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: Krunk, netfilter

On Sat, 2004-04-24 at 19:12, Cedric Blancher wrote:
<snip>
> PS : maybe you should consider use the RPC helper available in
> patch'o'matic extra section.
I have always and recently found the RPC helper patch to be highly
unstable as much as I would really love to use it - John
-- 
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NFS and iptables.
  2004-04-24 23:40   ` John A. Sullivan III
@ 2004-04-25  8:24     ` Cedric Blancher
  0 siblings, 0 replies; 7+ messages in thread
From: Cedric Blancher @ 2004-04-25  8:24 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: Krunk, netfilter

Le dim 25/04/2004 à 01:40, John A. Sullivan III a écrit :
> I have always and recently found the RPC helper patch to be highly
> unstable as much as I would really love to use it - John

Good to know.
I didn't have to firewall RPC at the time, but who knows ?

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NFS and iptables.
  2004-04-24 23:12 ` Cedric Blancher
  2004-04-24 23:40   ` John A. Sullivan III
@ 2004-04-25  0:32   ` Krunk
  2004-04-25  1:47     ` Alistair Tonner
  2004-04-25  1:48     ` NFS and iptables.[FIXED] Krunk
  1 sibling, 2 replies; 7+ messages in thread
From: Krunk @ 2004-04-25  0:32 UTC (permalink / raw)
  To: netfilter

sunrpc is port 111 as defined in /etc/services.

I'll try to explicitly set port 111.

No same result, same type of logs being show. Thanks for the suggestion
though.

On Sat, 2004-04-24 at 18:12, Cedric Blancher wrote:
> Le dim 25/04/2004 à 00:00, Krunk a écrit :
> > I've bound my NFS ports (moountd, statd, lockd, quotad) and freed up the
> > ports they are bound to, but the client still hangs when I try to mount
> > the remote share.
> [...]
> > command that opens ports:
> >  NFS="2049 32764 32765 32766 32767 32768 32772 sunrpc"
> [...]
> > Apr 24 16:53:35 tuxmac DROPl:IN=eth1 OUT= MAC=<mac here>
> > SRC=192.168.xxx.xxx DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00
> > TTL=64 ID=41035 DF PROTO=TCP SPT=896 DPT=111 WINDOW=5840 RES=0x00 SYN
> > URGP=0
> 
> As far as I can see, your client is trying to connect to portmapper in
> order to get NFS service port back. But there's nothing in your script
> excerpt that opens TCP/111.
> 
> PS : maybe you should consider use the RPC helper available in
> patch'o'matic extra section.




^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NFS and iptables.
  2004-04-25  0:32   ` Krunk
@ 2004-04-25  1:47     ` Alistair Tonner
  2004-04-25  1:48     ` NFS and iptables.[FIXED] Krunk
  1 sibling, 0 replies; 7+ messages in thread
From: Alistair Tonner @ 2004-04-25  1:47 UTC (permalink / raw)
  To: netfilter

On April 24, 2004 08:32 pm, Krunk wrote:
> sunrpc is port 111 as defined in /etc/services.
>
> I'll try to explicitly set port 111.
>
> No same result, same type of logs being show. Thanks for the suggestion
> though.
>
> On Sat, 2004-04-24 at 18:12, Cedric Blancher wrote:
> > Le dim 25/04/2004 à 00:00, Krunk a écrit :
> > > I've bound my NFS ports (moountd, statd, lockd, quotad) and freed up
> > > the ports they are bound to, but the client still hangs when I try to
> > > mount the remote share.
> >
> > [...]
> >
> > > command that opens ports:
> > >  NFS="2049 32764 32765 32766 32767 32768 32772 sunrpc"
> >
> > [...]
> >
> > > Apr 24 16:53:35 tuxmac DROPl:IN=eth1 OUT= MAC=<mac here>
> > > SRC=192.168.xxx.xxx DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00
> > > TTL=64 ID=41035 DF PROTO=TCP SPT=896 DPT=111 WINDOW=5840 RES=0x00 SYN
> > > URGP=0
> >
> > As far as I can see, your client is trying to connect to portmapper in
> > order to get NFS service port back. But there's nothing in your script
> > excerpt that opens TCP/111.
> >
> > PS : maybe you should consider use the RPC helper available in
> > patch'o'matic extra section.


	Silly question ... you are opening ports for state NEW ... I don't see an 
explicit rule for ESTABLISHED RELATED any where ... but I'm assuming that 
rule exists somewhere ...... else.

	Alistair Tonner 
	
	(sometimes the simplest answers.....)


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NFS and iptables.[FIXED]
  2004-04-25  0:32   ` Krunk
  2004-04-25  1:47     ` Alistair Tonner
@ 2004-04-25  1:48     ` Krunk
  1 sibling, 0 replies; 7+ messages in thread
From: Krunk @ 2004-04-25  1:48 UTC (permalink / raw)
  To: netfilter

Fixed.

On Sat, 2004-04-24 at 19:32, Krunk wrote:
> sunrpc is port 111 as defined in /etc/services.
> 
> I'll try to explicitly set port 111.
> 
> No same result, same type of logs being show. Thanks for the suggestion
> though.
> 
> On Sat, 2004-04-24 at 18:12, Cedric Blancher wrote:
> > Le dim 25/04/2004 à 00:00, Krunk a écrit :
> > > I've bound my NFS ports (moountd, statd, lockd, quotad) and freed up the
> > > ports they are bound to, but the client still hangs when I try to mount
> > > the remote share.
> > [...]
> > > command that opens ports:
> > >  NFS="2049 32764 32765 32766 32767 32768 32772 sunrpc"
> > [...]
> > > Apr 24 16:53:35 tuxmac DROPl:IN=eth1 OUT= MAC=<mac here>
> > > SRC=192.168.xxx.xxx DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00
> > > TTL=64 ID=41035 DF PROTO=TCP SPT=896 DPT=111 WINDOW=5840 RES=0x00 SYN
> > > URGP=0
> > 
> > As far as I can see, your client is trying to connect to portmapper in
> > order to get NFS service port back. But there's nothing in your script
> > excerpt that opens TCP/111.
> > 
> > PS : maybe you should consider use the RPC helper available in
> > patch'o'matic extra section.
> 





^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2004-04-25  8:24 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-04-24 22:00 NFS and iptables Krunk
2004-04-24 23:12 ` Cedric Blancher
2004-04-24 23:40   ` John A. Sullivan III
2004-04-25  8:24     ` Cedric Blancher
2004-04-25  0:32   ` Krunk
2004-04-25  1:47     ` Alistair Tonner
2004-04-25  1:48     ` NFS and iptables.[FIXED] Krunk

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox