Hello psyche-list,

I've got a couple of RH 8.0 systems on a network. On one of these, I've set up a couple of entries in /etc/exports and set up NFS. On this (server) machine, I have opened up the iptables firewall to allow incoming tcp/udp ports 111 and 2049. On another (client) system, I've also opened up the iptables firewall to allow incoming tcp/udp ports 111 and 2049.

On this client, I have been able to NFS mount just fine, if I "/etc/init.d/iptables stop" first. After a lot of trial and error, I determined that the iptables line "at fault" is the one that blocks all incoming 0:1023 udp traffic.

Now, I'm stuck. I'd like to leave that line in the firewall, but I would also like this machine to be able to be an NFS client. I have not yet tried any other client machines.

Below is my iptables file. Any ideas?

Thanks!
Ron.

# Generated by iptables-save v1.2.6a on Thu Feb 6 16:37:17 2003
*nat
:PREROUTING ACCEPT [1:48]
:POSTROUTING ACCEPT [2:200]
:OUTPUT ACCEPT [2:200]
COMMIT
# Completed on Thu Feb 6 16:37:17 2003
# Generated by iptables-save v1.2.6a on Thu Feb 6 16:37:17 2003
*mangle
:PREROUTING ACCEPT [800:38591]
:INPUT ACCEPT [800:38591]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1380:888103]
:POSTROUTING ACCEPT [1380:888103]
COMMIT
# Completed on Thu Feb 6 16:37:17 2003
# Generated by iptables-save v1.2.6a on Thu Feb 6 16:37:17 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -i eth0 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Feb 6 16:37:17 2003

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list