Re: Firewall & NFS
chabral wrote:
> Hi,
> I'm trying to set up a host firewall (iptables) on two servers on an internal
> subnet. One of those servers mounts an NFS share of the other. If I apply the
> rules when the servers have already booted (and mounted the NFS share)
> everything is OK. The problem is that if I reboot the "client" server (the
> server that mounts the share) it is unable to mount it again.
>
> Here are the NFS related rules I'm using.
>
> NFS Client:
> ------------
>
> # Localhost rules
> /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT
>
> # Portmapper
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
>
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT
>
> # Statd
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 32769 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 32769 -m state --state ESTABLISHED -j ACCEPT
>
> # NFS
> /sbin/iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
>
> NFS Server:
> -------------
> # Localhost rules
> /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT
>
> # Statd
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
>
> # Portmapper
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT
>
> # NFS
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
>
> # rquotad
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1016 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 1016 -m state --state ESTABLISHED -j ACCEPT
>
> # rpc.mountd
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 1015 -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 1015 -m state --state ESTABLISHED -j ACCEPT
>
> Any suggestions will be appreciated.
> Sincerely,
>
> --
> chabral
>
>
1) You can choose which protocol is used with NFS, so you don't need to
open both protocols for that traffic.
2) Allen is absolutely right, the ports are dynamic, like passive FTP.
3) You should use interface settings instead of IP addresses.
4) Open the server port and allow established (related) traffic from one
to the other.
server 1
iptables -A INPUT -i <int-iface1> -s <nfs-host2> -d <nfs-ip1> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface1> -d <nfs-host2> -s <nfs-ip1> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT
server 2
iptables -A INPUT -i <int-iface2> -s <nfs-host1> -d <nfs-ip2> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface2> -d <nfs-host1> -s <nfs-ip2> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT
greetz,
Eric
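The reply's four points carried through to a complete server/client pair, as an added example (not code from either poster). It is a rule generator in iptables-restore format: one transport, interface-bound matches, NEW accepted only towards pinned service ports, everything else riding on conntrack's RELATED,ESTABLISHED. It assumes that rpc.mountd, rpc.statd, lockd and rpc.rquotad have been pinned to the fixed ports given at the top (the port numbers are placeholders, and where they are configured is distribution-specific; `rpcinfo -p` shows what is actually registered), that INPUT and OUTPUT default to DROP, and that the interface and address arguments are the internal ones. Note what it adds compared with the posted client ruleset: the client-side OUTPUT rules that open the client's own connections to the server's portmapper and mountd, which the posted client rules never cover, and the inbound callback rules for the server's statd/lockd talking back to the client.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits a stateful,
# interface-bound NFSv3 ruleset in iptables-restore format for one
# server/client pair.
# ASSUMPTIONS: the RPC side daemons have been pinned to the ports below
# (placeholder values; verify with `rpcinfo -p`), and the INPUT/OUTPUT
# default policies are DROP.

PORTMAP_PORT=111
NFS_PORT=2049
MOUNTD_PORT=32767   # assumed pinned port for rpc.mountd
STATD_PORT=32765    # assumed pinned port for rpc.statd
LOCKD_PORT=32766    # assumed pinned port for lockd (nlockmgr)
RQUOTAD_PORT=32769  # assumed pinned port for rpc.rquotad
PROTOS="tcp"        # one transport only (mount with -o proto=tcp);
                    # add udp here if rpcinfo shows a daemon that only speaks UDP

# Ports the client opens towards the server.
SERVER_PORTS="$PORTMAP_PORT $NFS_PORT $MOUNTD_PORT $STATD_PORT $LOCKD_PORT $RQUOTAD_PORT"
# Ports the server opens back towards the client: NSM reboot notifications and
# NLM lock callbacks run server->client and are located via the client's portmapper.
CALLBACK_PORTS="$PORTMAP_PORT $STATD_PORT $LOCKD_PORT"

# Common preamble: loopback, then conntrack-based acceptance of reply traffic.
# RELATED also admits ICMP errors tied to an existing flow.
_preamble() {
    iface=$1
    echo "*filter"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A INPUT -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -o $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# _new CHAIN IFACE SRC DST "PORTS": one NEW-state accept per transport and port,
# bound to the interface and to both addresses, so a packet with a spoofed
# source arriving on another interface does not match.
_new() {
    chain=$1 iface=$2 src=$3 dst=$4 ports=$5
    if [ "$chain" = INPUT ]; then dir=-i; else dir=-o; fi
    for proto in $PROTOS; do
        for port in $ports; do
            echo "-A $chain $dir $iface -s $src -d $dst -p $proto --dport $port -m state --state NEW -j ACCEPT"
        done
    done
}

# nfs_server_rules IFACE SERVER_IP CLIENT_IP
# Server accepts NEW only from the one client, and may initiate callbacks to it.
nfs_server_rules() {
    _preamble "$1"
    _new INPUT  "$1" "$3" "$2" "$SERVER_PORTS"
    _new OUTPUT "$1" "$2" "$3" "$CALLBACK_PORTS"
    echo "COMMIT"
}

# nfs_client_rules IFACE CLIENT_IP SERVER_IP
# Client initiates everything (portmapper lookup, mount, NFS I/O, locking)
# and accepts NEW only for the server's callbacks; it never exposes 2049.
nfs_client_rules() {
    _preamble "$1"
    _new OUTPUT "$1" "$2" "$3" "$SERVER_PORTS"
    _new INPUT  "$1" "$3" "$2" "$CALLBACK_PORTS"
    echo "COMMIT"
}

# rule_count GENERATOR ARGS...: number of ACCEPT rules a generator emits,
# a quick sanity check before loading (13 per side with PROTOS="tcp").
rule_count() {
    "$@" | grep -c -- '-j ACCEPT'
}
```

Load with `nfs_server_rules eth1 172.16.0.1 172.16.0.2 | iptables-restore` on the server and `nfs_client_rules eth1 172.16.0.2 172.16.0.1 | iptables-restore` on the client (addresses and interface are examples); `iptables-save` afterwards shows exactly what went in. Two caveats a practitioner would want: the rules are only as good as the pinning, so check `rpcinfo -p` after every nfs-utils upgrade, and if both ends can speak NFSv4 the side daemons disappear and only 2049/tcp is needed, because mount, locking and status are folded into the protocol.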