Encrypted NFS via ssh tunnelling

This is really killin' me, so I was wondering if you guys (and gals) can help.
 I'm trying to set up encrypted NFS with ssh on a Red Hat 9.0 box, and I'm
almost there.  Below are the notes I put together.  Really straightforward,
but I keep getting the error:

channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused

I'm a desperate man, I really want to get it cuz I'm so close.  Any advice you
have would help.  I just want to post it on my site cuz I think it would be cool.

~ comments preceded and terminated with '~' ~
~ I'm root throughout this exercise -DK ~

[djk@localhost djk]$ su - root
Password:

[root@localhost root]# cd /etc/rc.d/init.d
[root@localhost init.d]# ./nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

[root@localhost init.d]# ./sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

~ begin setting up the encrypted connection from the 'client' (7777:localhost)
to the 'server' on port 2049 -DK ~

[root@localhost init.d]# ssh -f -c blowfish -L 7777:localhost:2049 -l djk
localhost sleep 300
djk@localhost's password:

~ need the mountd port for the next ssh mount port tunneling command -DK ~

[djk@localhost djk]$ /usr/sbin/rpcinfo -p
 program vers proto   port
  100000    2   tcp    111  portmapper
  100000    2   udp    111  portmapper
  100024    1   udp  32768  status
  100024    1   tcp  32768  status
  391002    2   tcp  32769  sgi_fam
  100011    1   udp    749  rquotad
  100011    2   udp    749  rquotad
  100011    1   tcp    752  rquotad
  100011    2   tcp    752  rquotad
  100003    2   udp   2049  nfs
  100003    3   udp   2049  nfs
  100021    1   udp  32770  nlockmgr
  100021    3   udp  32770  nlockmgr
  100021    4   udp  32770  nlockmgr
  100005    1   udp  32771  mountd
  100005    1   tcp  32811  mountd
  100005    2   udp  32771  mountd
  100005    2   tcp  32811  mountd
  100005    3   udp  32771  mountd
  100005    3   tcp  32811  mountd

~ note my attempt at tunneling via the udp port 32771 below, because my
repeated attempts at tunneling via the tcp port failed with

channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused
channel 2: open failed: connect failed: Connection refused

... repeated until I killed the ssh process and shutdown sshd in another
terminal window -DK ~

[root@localhost init.d]# ssh -f -c blowfish -L 8888:localhost:32771 -l djk
localhost sleep 300
djk@localhost's password:

~ port status verification -DK ~

[root@localhost init.d]# netstat -na | grep -E 'Proto|7777|8888'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN

~ the failed mount command -DK ~

[root@localhost init.d]# mount -t nfs -o tcp,port=7777,mountport=8888
localhost:/tmp /mnt/nfs/sshmount
channel 2: open failed: connect failed: Connection refused
mount: RPC: Unable to receive; errno = Connection reset by peer

~ In case you're curious, some firewall setup for portmapper (port 111) and
nfs (port 2049).  These rules are taken from 'cat /etc/sysconfig/iptables'
output; as you can see, I just modified the lokkit rules.  This works ok as far
as I can see, because nfs starts and portmapper works -DK ~

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT

~ the /etc/fstab file, the line we're concerned with here is the last line,
just default setup stuff you can see in 'man nfs' -DK ~

[root@localhost root]# cat /etc/fstab
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   defaults        0 0
/dev/hdf3               swap                    swap    defaults        0 0
/dev/hdd4               /mnt/zip                auto    noauto,owner,kudzu 0 0
/dev/cdrom              /mnt/cdrom              udf,iso9660
noauto,owner,kudzu,ro 0 0
/dev/cdrom      /cd     iso9660 ro,user,noauto,unhide
/dev/fd0                /mnt/floppy             auto    noauto,owner,kudzu 0 0
localhost.localdomain:/tmp      /mnt/nfs/sshmount       nfs    
rsize=8192,wsize=8192,timeo=30,intr

~ the /etc/exports file, pretty standard -DK ~

[root@localhost root]# cat /etc/exports
/tmp    localhost.localdomain(rw,insecure,root_squash)

-DK
Daniel Kemper
dan@xxxxxxxxxxxxx
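An added example, not part of the original post: ssh -L forwards TCP connections only, so before building a tunnel it is worth checking that the RPC service actually registered a TCP port. The script below reads the `rpcinfo -p` table from the post (embedded as a constructed sample; in practice pipe the live `/usr/sbin/rpcinfo -p` into it) and only emits an `ssh -L` command for services with a TCP listener. The login name `djk` and the `sleep 300` holder are taken from the post; `-c blowfish` is left out.

```shell
#!/bin/sh
# Added example (not from the original post): pick the TCP port of an RPC
# service out of `rpcinfo -p` output before building an `ssh -L` forward.
# ssh port forwarding carries TCP only, so a service that registered only a
# UDP port yields "connect failed: Connection refused" when the tunnel is used.

# Constructed sample: the rpcinfo -p lines quoted in the post above.
# Real use: /usr/sbin/rpcinfo -p | rpc_tcp_port mountd
RPCINFO_SAMPLE='   program vers proto   port
  100000    2   tcp    111  portmapper
  100000    2   udp    111  portmapper
  100003    2   udp   2049  nfs
  100003    3   udp   2049  nfs
  100005    1   udp  32771  mountd
  100005    1   tcp  32811  mountd
  100005    3   tcp  32811  mountd'

# rpc_tcp_port NAME: read rpcinfo -p output on stdin, print the first TCP
# port registered for NAME; exit 1 when NAME has no TCP registration.
# Columns: program vers proto port name
rpc_tcp_port() {
    awk -v svc="$1" '
        $3 == "tcp" && $5 == svc { print $4; found = 1; exit }
        END { exit !found }'
}

# tunnel_cmd LOCALPORT NAME: print the ssh -L command that forwards
# LOCALPORT on the client to the TCP port of NAME on the server.
# Refuses (exit 1) when NAME only has UDP ports, instead of producing a
# tunnel whose connect would be refused.
tunnel_cmd() {
    local_port=$1
    svc=$2
    port=$(printf '%s\n' "$RPCINFO_SAMPLE" | rpc_tcp_port "$svc") || {
        echo "no TCP port registered for $svc: ssh -L cannot forward UDP" >&2
        return 1
    }
    printf 'ssh -f -L %s:localhost:%s -l djk localhost sleep 300\n' \
        "$local_port" "$port"
}

# Stand-alone run: mountd has TCP 32811 and gets a command; nfs is UDP-only.
tunnel_cmd 8888 mountd
tunnel_cmd 7777 nfs
```

With the post's own table, only the mountd forward is produced; the nfs forward is refused because nfs is registered on UDP 2049 alone.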


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
