I'm an iptables newbie (I'm reading all the docs and man pages at the moment). I'm using RHEL3 with a simple firewall configuration:

  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [12:1048]
  :RH-Firewall-1-INPUT - [0:0]
  -A INPUT -j RH-Firewall-1-INPUT
  -A FORWARD -j RH-Firewall-1-INPUT
  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
  -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
  -A RH-Firewall-1-INPUT -p esp -j ACCEPT
  -A RH-Firewall-1-INPUT -p ah -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
  COMMIT

It is my understanding that this configuration permits the following (please correct me where wrong):

  - all outbound traffic
  - all inbound traffic on loopback device
  - all inbound icmp type traffic
  - ipv6-crypt and ipv6-auth header type inbound traffic
  - new inbound connections for http and ssh traffic
  - all inbound traffic if connection ESTABLISHED above
  - any other inbound traffic is rejected

I want to modify the rules to allow NFS exports. I have the relevant services running on assigned ports (rather than random portmap ports). Here's the list of services/ports for both tcp and udp:

  sunrpc   111  (portmap)
  nfsd     2049
  statd    4001
  lockd    4002
  mountd   4003
  rquotad  4004

I'm told that for NFS to work I need to allow fragments too.
First, I inserted the following to turn on logging:

  iptables -I RH-Firewall-1-INPUT 8 -j LOG

Then I added the following rules:

  iptables -I INPUT -f -j ACCEPT
  iptables -I RH-Firewall-1-INPUT 8 -m state --state NEW -m tcp -p tcp --dport 4001:4004 -j ACCEPT
  iptables -I RH-Firewall-1-INPUT 8 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
  iptables -I RH-Firewall-1-INPUT 8 -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
  iptables -I RH-Firewall-1-INPUT 8 -m state --state NEW -m udp -p udp --dport 4001:4004 -j ACCEPT
  iptables -I RH-Firewall-1-INPUT 8 -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
  iptables -I RH-Firewall-1-INPUT 8 -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT

This results in:

  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [537:61336]
  :RH-Firewall-1-INPUT - [0:0]
  -A INPUT -f -j ACCEPT
  -A INPUT -j RH-Firewall-1-INPUT
  -A FORWARD -j RH-Firewall-1-INPUT
  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
  -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
  -A RH-Firewall-1-INPUT -p esp -j ACCEPT
  -A RH-Firewall-1-INPUT -p ah -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4001:4004 -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4001:4004 -j ACCEPT
  -A RH-Firewall-1-INPUT -j LOG
  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
  COMMIT

Does this make sense?
Anyway, it seems to work :-)

Regards
--
Simon Oliver
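As an added example (not part of the original post), a small script that generates the same fixed-port NFS rules for the RH-Firewall-1-INPUT chain, but scoped to one client network with -s instead of accepting fragments and NEW connections from any source. The client network 192.168.10.0/24 and the insert position 8 (just before the final LOG/REJECT rules in the ruleset above) are assumptions; the script prints the commands so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Generate iptables commands that open fixed-port NFS for a single client network.
# Assumed: chain RH-Firewall-1-INPUT exists and position 8 is just before the
# LOG/REJECT rules, as in the ruleset above. NFS_NET is a constructed example.

CHAIN="RH-Firewall-1-INPUT"
POS=8
NFS_NET="192.168.10.0/24"       # constructed example client network

# Ports from the post: portmap (111), nfsd (2049) and the statically assigned
# statd/lockd/mountd/rquotad range (4001-4004), each for both tcp and udp.
NFS_PORTS="111 2049 4001:4004"

# Print one iptables command per rule for the given source network.
# Each -I at the same position pushes earlier lines down, so the printed
# order is reversed in the chain; all rules still land before LOG/REJECT.
nfs_rules() {
    net="$1"
    # -f matches second and later fragments, which carry no port header, so
    # limit the fragment rule to the NFS clients rather than to any source.
    echo "iptables -I $CHAIN $POS -f -s $net -j ACCEPT"
    for proto in tcp udp; do
        for port in $NFS_PORTS; do
            echo "iptables -I $CHAIN $POS -p $proto -m $proto --dport $port -m state --state NEW -s $net -j ACCEPT"
        done
    done
}

# Number of rules the generator emits (1 fragment rule + 3 ports x 2 protocols).
count_rules() {
    nfs_rules "$1" | wc -l | tr -d ' '
}

# Review first:  nfs_rules "$NFS_NET"
# Then apply:    nfs_rules "$NFS_NET" | sh
apply_nfs_rules() {
    nfs_rules "$1" | sh
}
```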