pete.... ok.. it looks like i have it working for now... but it appears that i'm going to have to make some changes to the /etc/rc.d/init.d/nfs script. it appears that the associated processes for nfs have ports that need to be accounted for in the iptables. in particular the processes statd, mountd, quotad.... the iptables that i created for the nfs server is below... i'm going to need to know how to modify the nfs script to lock the ports for the processes down, as these processes apparently use random ports... but i'm not sure how to make the changes to the nfs script...

currently used iptables for nfs server...

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
###
### nfs related stuff...
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 32768:32770 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 32768:32770 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT

i've seen the following docs:

<<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The other daemons, statd, mountd, lockd, and rquotad, will normally move around to the first available port they are informed of by the portmapper.

To force statd to bind to a particular port, use the -p portnum option. To force statd to respond on a particular port, additionally use the -o portnum option when starting it.

(ok... but how do i find the process that starts the statd process. is this the /etc/rc.d/init.d/nfs script?????? )

To force mountd to bind to a particular port use the -p portnum option.

For example, to have statd broadcast of port 32765 and listen on port 32766, and mountd listen on port 32767, you would type:

# statd -p 32765 -o 32766
# mountd -p 32767

lockd is started by the kernel when it is needed. Therefore you need to pass module options (if you have it built as a module) or kernel options to force lockd to listen and respond only on certain ports.

If you are using loadable modules and you would like to specify these options in your /etc/modules.conf file add a line like this to the file:

options lockd nlm_udpport=32768 nlm_tcpport=32768

The above line would specify the udp and tcp port for lockd to be 32768.

If you are not using loadable modules or if you have compiled lockd into the kernel instead of building it as a module then you will need to pass it an option on the kernel boot line. It should look something like this:

vmlinuz 3 root=/dev/hda1 lockd.udpport=32768 lockd.tcpport=32768

The port numbers do not have to match but it would simply add unnecessary confusion if they didn't.
<<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

my copy of the /etc.../nfs script doesn't have "statd"... should i add it???

also, how do i know if i'm using "loadable modules", or if the kernel had lockd compiled... and if i do need to pass the options in as boot parameters, where/how would i do this... what file would i have to edit...????

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Pete Nesbitt
Sent: Friday, July 02, 2004 11:15 AM
To: bedouglas@xxxxxxxxxxxxx; General Red Hat Linux discussion list
Subject: Re: nfs issue...

On July 2, 2004 09:51 am, bruce wrote:
> pete....
>
> arrgghhhh... something's going wrong again.......
>
> i rebooted the server.... and restarted nfs, and the required processes...
>
> without iptables running on the client/server.. i can connect from the
> client to the server.
>
> when i enable iptables on the server, the client no longer connects... i
> get:
>
> mount: RPC: Remote system error - Connection refused
>
> the iptables for the server is what we used last night...
>
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> #       firewall; such entries will *not* be listed here.
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
>
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
>

Bruce,

Is iptables stopped on the client? Can you post the output of 'service iptables status' from the server?

On the client, with iptables stopped, its "service iptables status" should be "Firewall is stopped."

--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
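Added example, not part of the thread or of any Red Hat script: a POSIX shell script that reads `rpcinfo -p` output from a server whose NFS daemons were pinned to fixed ports (the sample below is constructed, using the port numbers from the quoted HOWTO), emits the matching ACCEPT rules for the lokkit chain used in Bruce's firewall, and checks whether every registered RPC port falls inside the ranges the firewall already opens. On a real server you would feed it `"$(rpcinfo -p)"` instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output from an NFS server whose daemons
# were pinned as in the quoted HOWTO: statd -p 32765, mountd -p 32767,
# lockd nlm_udpport=32768 nlm_tcpport=32768. Not captured from a real host.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd'

# Print "proto port service" for each registered RPC endpoint, skipping the
# header line and collapsing duplicate entries (several versions, same port).
rpc_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $3, $4, $5 }' | sort -u
}

# Emit iptables-restore lines that ACCEPT each RPC endpoint in the lokkit
# chain from the thread (RH-Lokkit-0-50-INPUT). Review before loading them.
rpc_rules() {
    rpc_ports "$1" | while read -r proto port svc; do
        printf '# %s\n%s -p %s -m %s --dport %s -j ACCEPT\n' \
            "$svc" "-A RH-Lokkit-0-50-INPUT" "$proto" "$proto" "$port"
    done
}

# Return 0 when every RPC port falls inside one of the "lo:hi" ranges given
# after the rpcinfo text; otherwise print the uncovered endpoints and return 1.
# A daemon registered on a port the firewall never opens is exactly the gap
# that turns a client mount into an RPC error.
ports_covered() {
    text=$1; shift
    rpc_ports "$text" | while read -r proto port svc; do
        ok=0
        for r in "$@"; do
            lo=${r%%:*}; hi=${r##*:}
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || { echo "uncovered: $proto $port $svc"; exit 1; }
    done
}
```

Note that the range 32768:32770 opened in the firewall above would not cover statd on 32765 or mountd on 32767 in this sample; the check reports exactly those endpoints.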