Linode Forum
https://forum.linode.com/

can't get past iptables with NFS
https://forum.linode.com/viewtopic.php?f=19&t=5481

Author:  cap [ Sun Apr 18, 2010 10:01 pm ]
Post subject:  can't get past iptables with NFS

I'm having trouble getting past iptables in an NFS setup. The NFS server iptables has the following rules:

-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 2049 -j ACCEPT
-A INPUT -p udp --dport 2049 -j ACCEPT

My understanding is this should open the ports to my client machine, but it's not happening. If I comment out the last deny rule below I have no problem mounting from the client:

-A INPUT -j REJECT

With the above uncommented in the server iptables, I'm blocked. Obviously my 'accept' rules are incorrect. Any suggestions would be greatly appreciated.

Thanks,

Author:  kangaby [ Mon Apr 19, 2010 4:11 am ]
Post subject: 

Only a guess, but doesn't having the REJECT last override all the ACCEPT lines? (assumes you have it in this order)

REJECT first then ACCEPT and see if that works.

Author:  cap [ Mon Apr 19, 2010 12:17 pm ]
Post subject: 

I checked the daemon log and it appears that when the client mount was working, the port that was used was essentially random. Reading elsewhere, this appears to be common with NFS and consequently a problem connecting through iptables. Even locking the port in the nfs-kernel-server configuration didn't help. So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Thanks.

Author:  jed [ Mon Apr 19, 2010 4:55 pm ]
Post subject: 

cap wrote:
I checked the daemon log and it appears that when the client mount was working, the port that was used was essentially random. Reading elsewhere, this appears to be common with NFS and consequently a problem connecting through iptables. Even locking the port in the nfs-kernel-server configuration didn't help. So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Thanks.

Yes. This is the function of the RPC mechanism. Lock down the RPC server to just the source IPs that you need -- RPC is a favorite target.

I was able to get all of NFS's daemons to lodge to one port using configuration options in /etc/defaults (Ubuntu), but not for NFSv4 -- just NFSv3.
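
A generator for the locked-down ruleset cap and jed describe (NFSv3 RPC ports pinned to fixed numbers, accepted only from one client IP, with the catch-all REJECT kept last), added here as an example and not code from the thread. The mountd/statd/lockd port numbers are assumed placeholders; they must match whatever you pinned in the distribution's NFS configuration.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints an iptables-restore
# fragment for an NFSv3 server that only accepts NFS/RPC traffic from one
# client. Assumes mountd, statd and lockd have been pinned to the fixed ports
# below via the NFS config files (constructed placeholder port numbers).
MOUNTD_PORT=32767
STATD_PORT=32765
LOCKD_PORT=32768

# nfs_rules CLIENT_IP
# Emits a complete filter table: loopback and established traffic first, then
# ACCEPT rules for portmapper (111), nfsd (2049) and the pinned daemons,
# restricted to CLIENT_IP, and finally the catch-all REJECT. Rule order is
# what matters: iptables stops at the first match, so the ACCEPTs must
# precede the REJECT, and a wide port range is no longer needed.
nfs_rules() {
    client="$1"
    printf '%s\n' '*filter'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT"; do
        for proto in tcp udp; do
            printf '%s\n' "-A INPUT -s $client -p $proto --dport $port -j ACCEPT"
        done
    done
    printf '%s\n' '-A INPUT -j REJECT'
    printf '%s\n' 'COMMIT'
}

# accept_count CLIENT_IP -> number of ACCEPT rules scoped to CLIENT_IP
accept_count() {
    nfs_rules "$1" | grep -c -- "-s $1 .* -j ACCEPT"
}

# reject_last CLIENT_IP -> succeeds only if the REJECT is the final -A rule
reject_last() {
    nfs_rules "$1" | grep -- '^-A' | tail -n 1 | grep -q -- '-j REJECT'
}

# Review the output first, then load it on the server with:
#   nfs_rules 10.0.0.5 | iptables-restore
```

Loading the fragment with iptables-restore replaces the whole filter table, so merge any other rules you rely on into the function before applying it.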

Author:  db3l [ Mon Apr 19, 2010 5:52 pm ]
Post subject: 

cap wrote:
So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Another option (if you're essentially locking things down to a specific client) is to set up a VPN, such as OpenVPN, from the client, and then let any VPN tunnel traffic through in general on the server side.

That way, you have a single client-side step of establishing the VPN, and after that you have full access to your server without requiring any further fiddling with any filters.

-- David

All times are UTC-04:00