Re: NFS Client/Server Firewall.


Vincent Mortellaro wrote:
> Hi,
>
> I recently tried setting up an NFS server in my LAN and I've already nailed down the necessary ports so that lockd, statd, rquota and mountd now occupy ports 4000-4003. I did the same thing with clients just in case it would be necessary for running iptables there too. I set up iptables on the server using SuSE's YaST tool, and then edited their SuSEfirewall2 script to allow these ports: 2049, 111, 4000:4003, and the server worked fine - all of my clients could access it. However, when I went to firewall my clients (again using YaST to configure iptables with the same ports) I couldn't connect to my server. Instead it gave an error message of "RPC: Timed Out".

I had some issues running NFS on a SuSE server through iptables a while back. A few things you might try:

1. Make sure you have udp and tcp port 111 and udp 2049 open. My configuration doesn't seem to need the 4000-4003 ports.

2. Take a look in your /var/log/messages file and see if you are getting any other errors from either iptables or the kernel itself. Usually this error is secondary to another problem.

3. Make sure statd is running on both the clients and the server. YaST2 doesn't seem to know which supporting services you need and won't start them automatically.

> I'd be more than happy writing my own iptables ruleset; however, I'm unsure as to what needs to be allowed by default for Linux to work, which is why I used YaST to just add in the parts I thought I needed. If anyone could give any advice about what I'm doing wrong or how I could set up iptables myself with rules that would protect both my NFS/Samba server and my normal clients I'd appreciate it greatly.

Ultimately it's best to write your own script. YaST2 is a very good tool to configure most services (better in my opinion than the Redhat tools) but it is terrible for iptables. I'm sure the default script is very good (it's enormous and even I don't know what they're doing in some sections) but the gui configuration options are far too broad and ambiguous to be useful.

That said, writing your own script requires a fairly good understanding of iptables commands and how netfilter works. It takes some time and you really want to practice on an unimportant system before letting your scripts loose on a production network. I'd recommend trying to get the YaST2 configuration working first, then you have time to learn to use iptables the right way. If you do decide to write your own script start by reading Oskar's tutorial:

http://iptables-tutorial.frozentux.net/

Good luck and let me know how it goes.

Jeff
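As an added example (not code from the thread or from SuSEfirewall2), the script below prints a minimal stateful iptables ruleset for the NFS server and for an NFS client, following the ports discussed above: 111 tcp/udp, 2049 tcp/udp, and the lockd/statd/mountd/rquotad helpers pinned to 4000-4003 as the original poster did. The LAN subnet 192.168.1.0/24, interface eth0 and server address 192.168.1.10 are assumptions for illustration. Nothing is applied: review the output, then pipe it to sh as root on a test machine first. The client side is the part worth noting: NFSv3 locking is not one-directional (the server's lockd calls back to the client's lockd, and statd sends notifications, both after querying the client's portmapper), so a client firewall that only permits replies to its own requests will block those inbound flows.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (does not apply)
# iptables rules for an NFS server and client on one LAN.
# Assumed values (not in the thread): LAN 192.168.1.0/24 on eth0,
# server 192.168.1.10, RPC helpers pinned to ports 4000-4003.

nfs_common_rules() {
    # Stateful baseline: loopback, plus replies to our own requests.
    # conntrack tracks UDP too, so client->server NFS traffic needs no
    # explicit reverse rules on the client.
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# nfs_server_rules <lan-subnet> <interface> <pinned-port-range>
nfs_server_rules() {
    net="$1"; ifc="$2"; fixed="$3"
    nfs_common_rules
    # portmapper (111), nfsd (2049) and the pinned lockd/statd/mountd/
    # rquotad ports, tcp and udp, only from the LAN on the LAN interface.
    cat <<EOF
iptables -A INPUT -i $ifc -s $net -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -i $ifc -s $net -p udp --dport 111 -j ACCEPT
iptables -A INPUT -i $ifc -s $net -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -i $ifc -s $net -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -i $ifc -s $net -p tcp --dport $fixed -j ACCEPT
iptables -A INPUT -i $ifc -s $net -p udp --dport $fixed -j ACCEPT
iptables -P INPUT DROP
EOF
}

# nfs_client_rules <server-ip> <interface> <pinned-port-range>
nfs_client_rules() {
    server="$1"; ifc="$2"; fixed="$3"
    nfs_common_rules
    # New inbound flows the server opens towards the client: portmapper
    # lookups, lockd callbacks and statd notifications. Allow them from
    # the NFS server only; 2049 is not needed on the client.
    cat <<EOF
iptables -A INPUT -i $ifc -s $server -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -i $ifc -s $server -p udp --dport 111 -j ACCEPT
iptables -A INPUT -i $ifc -s $server -p tcp --dport $fixed -j ACCEPT
iptables -A INPUT -i $ifc -s $server -p udp --dport $fixed -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Usage: ./nfs-rules.sh server | sh   (as root, on a test box first)
#        ./nfs-rules.sh client | sh
case "${1:-}" in
    server) nfs_server_rules 192.168.1.0/24 eth0 4000:4003 ;;
    client) nfs_client_rules 192.168.1.10 eth0 4000:4003 ;;
esac
```

The rules restrict every NFS port to the LAN subnet (server) or to the single server address (client) and fall through to a DROP policy; if the pinned ports are changed in the NFS start-up options, pass the new range as the third argument rather than editing the rules by hand.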


