Gentoo Archives: gentoo-user

From: Arnau Bria <arnau@×××××××××.net>
To: gentoo-user@l.g.o
Subject: [gentoo-user] nfs and iptables
Date: Fri, 23 Jun 2006 09:15:20
Message-Id: 20060623110408.192f26d5@lx-arnau.pic.es
Hi all,

I'm trying to configure my firewall in order to be able to mount a
remote NFS exported directory.

AFAIK I must open port 111 tcp/udp (portmap). rpcinfo confirms it:

# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper

Well, so I set the next rules in my firewall:

-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT

And restart my firewall.
(I use the same rules for other ports, ssh, smtp...)

Well, I'm not able to mount the directory, and I see this in the logs:

UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=111 DPT=822 LEN=36

and these logs come from the next rules:

-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT

which are at the bottom of all the rules...

I don't understand what happens, because I can telnet to port 111 and get
a response. And I have portmap on that port:

# netstat -putan | grep 111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 10028/portmap
udp 0 0 0.0.0.0:111 0.0.0.0:* 10028/portmap

I do the mount:

lx-arnau ~ # mount -t nfs hostname:/export/media /mnt/musica/
mount: RPC: Program not registered

Got the error... but:

lx-arnau ~ # netstat -putan | grep 111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 10028/portmap
tcp 0 0 my_IP:60394 nfs_server:111 TIME_WAIT -
udp 0 0 0.0.0.0:111 0.0.0.0:* 10028/portmap

...

If I disable the firewall, I can mount with no problem...
What am I missing?

Thanks in advance.

--
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is useless: I just did it myself and we can't
both win"
~Homer J. Simpson~

--
gentoo-user@g.o mailing list
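The logged packet in the post has SPT=111 and DPT=822, and the poster's INPUT rules only match on --dport. The script below is an added example (not part of the original mail or any reply): it parses that iptables LOG line into its fields, replays the packet through a simplified model of the rules quoted in the post (only the -d, -i, -p and --dport matches are modelled; the RULES list and the walk_chain evaluator are this example's own construction, and a packet that matches no terminating rule gets None instead of the unknown chain policy), and labels the packet in portmapper terms. The sample log line is the one from the post, re-joined onto a single line.

```python
"""Parse iptables LOG lines and replay them against a simplified INPUT chain."""

PORTMAPPER_PORT = 111

# Constructed sample: the log line quoted in the post, re-joined on one line.
SAMPLE_LOG = (
    "UDP privileged ports DROP:IN=eth0 OUT= "
    "MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 "
    "DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP "
    "SPT=111 DPT=822 LEN=36"
)

# The poster's INPUT rules, reduced to the matches they use (-d, -i, -p, --dport).
# Order and targets are as in the post; in iptables LOG is non-terminating.
_DST, _IF = "193.146.196.198", "eth0"
RULES = [
    {"dst": _DST, "iface": _IF, "proto": "tcp", "dports": (111, 111), "target": "ACCEPT"},
    {"dst": _DST, "iface": _IF, "proto": "tcp", "dports": (111, 111), "target": "LOG",
     "prefix": "NFS (tcp) Input: "},
    {"dst": _DST, "iface": _IF, "proto": "udp", "dports": (111, 111), "target": "LOG",
     "prefix": "NFS (udp) Input: "},
    {"dst": _DST, "iface": _IF, "proto": "udp", "dports": (111, 111), "target": "ACCEPT"},
    {"dst": _DST, "iface": _IF, "proto": "udp", "dports": (0, 1023), "target": "LOG",
     "prefix": "UDP privileged ports DROP:"},
    {"dst": _DST, "iface": _IF, "proto": "udp", "dports": (0, 1023), "target": "REJECT"},
]


def parse_iptables_log(line):
    """Return (log_prefix, fields, flags) for one iptables LOG line.

    The kernel writes the --log-prefix text immediately before 'IN=', so a
    prefix without a trailing space is glued to it, as in the sample.
    KEY=value tokens go into `fields`; bare tokens such as DF go into `flags`.
    LEN occurs twice (IP total length, then UDP length); the second copy is
    stored under LEN2 so neither value is lost.
    """
    prefix, sep, rest = line.partition("IN=")
    if not sep:
        raise ValueError("not an iptables LOG line (no IN= field)")
    fields, flags = {}, set()
    for token in ("IN=" + rest).split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key in fields:
                key += "2"
            fields[key] = value
        else:
            flags.add(token)
    return prefix, fields, flags


def _matches(rule, fields):
    """True when the rule's -d / -i / -p / --dport matches match the logged packet."""
    lo, hi = rule["dports"]
    return (fields.get("DST") == rule["dst"]
            and fields.get("IN") == rule["iface"]
            and fields.get("PROTO", "").lower() == rule["proto"]
            and lo <= int(fields.get("DPT", -1)) <= hi)


def walk_chain(fields, rules=RULES):
    """Replay the packet through the chain; return (terminal_target, log_prefixes).

    LOG rules record their prefix and fall through; ACCEPT/REJECT/DROP end the
    walk. A packet that reaches the end would get the chain policy, which the
    post does not show, so None is returned in that case.
    """
    prefixes = []
    for rule in rules:
        if not _matches(rule, fields):
            continue
        if rule["target"] == "LOG":
            prefixes.append(rule["prefix"])
        else:
            return rule["target"], prefixes
    return None, prefixes


def describe_rpc_packet(fields):
    """Relate a logged packet to the portmapper exchange by its port numbers."""
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if dpt == PORTMAPPER_PORT:
        return "request to the local portmapper"
    if spt == PORTMAPPER_PORT:
        kind = "privileged" if dpt < 1024 else "unprivileged"
        return f"reply from a remote portmapper to local {kind} port {dpt}"
    return "not portmapper traffic"


if __name__ == "__main__":
    prefix, fields, flags = parse_iptables_log(SAMPLE_LOG)
    print("prefix:", repr(prefix))
    print("ports :", fields["PROTO"], fields["SPT"], "->", fields["DPT"], "flags:", sorted(flags))
    print("chain :", walk_chain(fields))
    print("what  :", describe_rpc_packet(fields))
```

Run stand-alone it reports that the sample packet is a reply from a remote portmapper to local privileged port 822, that it matches none of the --dport 111 rules, and that it is logged by the "UDP privileged ports DROP:" rule and then rejected. As a general iptables point (not something the post states), replies to requests the client itself sent are normally admitted with a stateful match such as `-m state --state ESTABLISHED,RELATED` placed before the catch-all reject rules, rather than by opening the whole privileged port range.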

Replies

Subject Author
Re: [gentoo-user] nfs and iptables Daniel Iliev <danny@××××××××.com>
Re: [gentoo-user] nfs and iptables Rick van Hattem <Rick.van.Hattem@××××.nl>