Dear laforge,
Today I installed an NFS server: RedHat 7.3, kernel 2.4.20,
iptables 1.2.8a, patch-o-matic 20030107. I hoped to use iptables
to secure the server, so I added the following rules to only
accept NFS packets, and insmod'ed the ip_conntrack_rpc_tcp,
ip_conntrack_rpc_udp and ipt_record_rpc kernel modules.
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
#iptables -A INPUT -p udp --dport 2049 -j ACCEPT
#iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -j DROP
#iptables -A OUTPUT -j DROP
The client's mount of the exported filesystem failed. I used tcpdump to watch
the packets.
First, the client built TCP connections with dport 111 (portmapper).
These packets hit the 1st rule and were accepted.
Second, the client sent UDP packets with dport 321714 (MOUNTD_PORT).
These packets hit the 7th rule and were dropped.
I had thought these packets would hit the 6th rule because
ip_conntrack_rpc_tcp can track the coming UDP connection from the
portmapper reply packet.
I don't know whether the ip_conntrack_rpc_tcp/ip_conntrack_rpc_udp module
will create an entry for the coming UDP connection to mountd, like
ip_conntrack_ftp does (it creates an entry for the coming data connection).
Maybe I made a mistake in configuring iptables.
I hope you can give me some guidance.
Thanks
Steven Lu
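The following is an added example, not part of Steven's mail and not netfilter code: a small first-match model of the INPUT chain he posted, with a minimal connection-tracking lookup, to show why the UDP packet to mountd falls through to the final DROP. A packet is only ESTABLISHED or RELATED if conntrack already knows the flow or a helper registered an expectation for it; otherwise it is NEW and rules 5 and 6 do not match. The example models three cases: no helper expectation (rule 7 drops), the expectation the mail hoped the RPC helper would create (rule 6 accepts), and a helper-independent fix, pinning mountd to a fixed port (nfs-utils' rpc.mountd accepts -p/--port) and accepting that port explicitly before the DROP. MOUNTD_PORT is a constructed placeholder, not the port in the mail. Only the INPUT chain is modelled; note that the mail's unconditional `-A OUTPUT -j DROP` would also drop every locally generated reply, including the portmapper reply.

```python
# Added example (not from the mail): first-match model of the posted INPUT
# chain plus a minimal conntrack lookup. Shows why a NEW UDP packet to mountd
# reaches the final DROP unless an expectation or an explicit rule covers it.
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the port the mail calls MOUNTD_PORT.
MOUNTD_PORT = 32768


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT or DROP
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    states: frozenset = frozenset()     # -m state --state ...

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.states or state in self.states))


class ConnTrack:
    """Minimal conntrack: known flows are ESTABLISHED, a helper-created
    expectation makes the first packet RELATED, anything else is NEW."""

    def __init__(self):
        self.flows = set()          # (proto, dport) of flows already accepted
        self.expectations = set()   # (proto, dport) registered by a helper

    def classify(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.dport)
        if key in self.flows:
            return "ESTABLISHED"
        if key in self.expectations:
            self.expectations.discard(key)   # an expectation is consumed once
            self.flows.add(key)
            return "RELATED"
        return "NEW"


def evaluate(chain, ct: ConnTrack, pkt: Packet):
    """First matching rule wins; returns (1-based rule number, target)."""
    state = ct.classify(pkt)
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt, state):
            if rule.target == "ACCEPT":
                ct.flows.add((pkt.proto, pkt.dport))
            return number, rule.target
    return 0, "POLICY"   # chain policy; never reached with a final DROP rule


STATEFUL = frozenset({"ESTABLISHED", "RELATED"})

# The INPUT chain as posted in the mail (rules 1..7).
MAIL_CHAIN = [
    Rule("ACCEPT", "tcp", 111),
    Rule("ACCEPT", "udp", 111),
    Rule("ACCEPT", "tcp", 2049),
    Rule("ACCEPT", "udp", 2049),
    Rule("ACCEPT", "tcp", states=STATEFUL),
    Rule("ACCEPT", "udp", states=STATEFUL),
    Rule("DROP"),
]

# Constructed sample: the client's first UDP packet to mountd.
MOUNT_REQUEST = Packet("udp", MOUNTD_PORT)


def without_helper():
    """No RPC helper expectation: the packet is NEW and hits rule 7 (DROP)."""
    return evaluate(MAIL_CHAIN, ConnTrack(), MOUNT_REQUEST)


def with_helper_expectation():
    """What the mail hoped for: a helper registered the port announced in the
    portmapper reply, so the packet is RELATED and hits rule 6 (ACCEPT)."""
    ct = ConnTrack()
    ct.expectations.add(("udp", MOUNTD_PORT))
    return evaluate(MAIL_CHAIN, ct, MOUNT_REQUEST)


def with_pinned_mountd_rule():
    """Helper-independent fix: pin mountd to a fixed port (rpc.mountd -p) and
    accept that port explicitly, inserted before the final DROP."""
    chain = MAIL_CHAIN[:-1] + [Rule("ACCEPT", "udp", MOUNTD_PORT),
                               Rule("ACCEPT", "tcp", MOUNTD_PORT),
                               MAIL_CHAIN[-1]]
    return evaluate(chain, ConnTrack(), MOUNT_REQUEST)


if __name__ == "__main__":
    print("no helper         :", without_helper())            # (7, 'DROP')
    print("helper expectation:", with_helper_expectation())   # (6, 'ACCEPT')
    print("pinned mountd rule:", with_pinned_mountd_rule())   # (7, 'ACCEPT')
```

The pinned-port variant is the usual way to firewall NFS regardless of helper behaviour: fix every RPC service port (mountd, and the other NFS daemons) so the accept rules do not depend on ports the portmapper hands out dynamically.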