Re: NFS mounting problems. Please help.

[Joseph Tate <jtate@xxxxxxxxxxxxxxxxx>]

Michael Schwendt wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 02 May 2003 11:32:08 -0400, Joseph Tate wrote:
>
>  
>
> > Answers intermingled.
> >    
>
> As it should be. ;)
>
>  
>
> > > For instance, on the NFS server, if you add a log rule right after
> > > the "trust eth0" rule,
> > >
> > > -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
> > > -A RH-Lokkit-0-50-INPUT -i eth0 -j LOG --log-level alert
> > >
> > > do you see anything in the logs upon booting an NFS client?
> > >
> > >      
> > Yes, tons of stuff.
> >    
>
> Ok, that would be proof that traffic from eth0 is not caught by the
> earlier ACCEPT rule. Interesting. I wish I could reproduce that. Based
> on the LOG messages and the currently loaded rules, you should be able
> to demonstrate that NFS traffic is not allowed. But is it just traffic
> related to Portmap/NFS or do you get connection refused also for other
> services?
Well, NTP connections seem to be flaky too, but once I can mount, the 
NTP connection problems go away.  I haven't tried ssh or http 
connections, but those have explicit accept rules, so not sure that 
would help.

Re-running lokkit, and starting from scratch, I can now boot the clients 
with NFS mounts connecting successfully.
The /etc/sysconfig/iptables file now looks like the following:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 993 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 995 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123   -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 389 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 636 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT