Re: Firewall & NFS
Allen Kistler wrote:
> chabral wrote:
>
>>Hi,
>> I'm trying to setup host firewall (iptables) on two server on an internal
>>subnet. One of those servers mounts a NFS share of the other. If I apply the
>>rules when the servers have already booted (and mounted the NFS share)
>>everything is ok. The problem is that if I reboot the "client" server (the
>>server that mounts the share) it is unable to mount it again.
>>
>>Here are the NFS related rules I'm using....
>>
>
>
> Some NFS-associated ports are dynamic, so the ports you specified
> probably aren't valid. Typically outbound traffic on a connection
> allows the inbound traffic to return through netfilter. Netfilter makes
> up a state at startup, allowing your "established" connections to
> continue. (At least I suspect that's what's happening.)
>
> portmap port is always 111
>
> nfsd port is always 2049
>
> lockd port can be defined in /etc/modprobe.conf
>
> mountd and statd ports can be defined as startup options (how you define
> them varies with distro; RH and FC use /etc/sysconfig/nfs)
>
> rquotad port can't be defined (last I checked, but you don't need it
> unless you're using quotas)
>
> See man pages and assorted, existing howtos for more info.
1) you can choose which protocol is used with nfs, so you don't need to
open both protocols for that particular traffic.
2) Allen is absolutely right, the ports can be dynamic, like passive ftp.
3) you should use interface settings instead of ip addresses or use both.
4) open the server port and allow established (related) traffic from one
to the other.
As far as I know, these rules should do it.
server 1
iptables -A INPUT -i <int-iface1> -s <nfs-ip2> -d <nfs-ip1> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface1> -d <nfs-ip2> -s <nfs-ip1> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT
server 2
iptables -A INPUT -i <int-iface2> -s <nfs-ip1> -d <nfs-ip2> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface2> -d <nfs-ip1> -s <nfs-ip2> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT
greetz,
Eric
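Added example, not part of this thread or written by any of its participants: a small POSIX sh script that puts the advice above into one place. It pins mountd, statd and lockd to fixed ports (the RH/FC-style /etc/sysconfig/nfs and /etc/modprobe.conf lines Allen mentions) and then prints, rather than applies, a stateful rule set bound to one interface and one address pair, with an explicit -j ACCEPT on every rule. The interface name, the 192.0.2.x addresses and the chosen mountd/statd/lockd port numbers are constructed values, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not apply) the firewall rules
# for an NFS client/server pair on an internal interface, once the dynamic
# daemons have been pinned to fixed ports. Interface, addresses and the
# mountd/statd/lockd port numbers are constructed values chosen for this demo.

PORTMAP=111      # always fixed
NFSD=2049        # always fixed
MOUNTD=892       # assumed value for MOUNTD_PORT
STATD=662        # assumed value for STATD_PORT
LOCKD_TCP=32803  # assumed value for LOCKD_TCPPORT / nlm_tcpport
LOCKD_UDP=32769  # assumed value for LOCKD_UDPPORT / nlm_udpport

# pin_ports_config: the lines for /etc/sysconfig/nfs (RH/FC style) and
# /etc/modprobe.conf that stop mountd, statd and lockd from taking whatever
# port portmap hands out at boot. Put them on both hosts before the rules.
pin_ports_config() {
    echo "# /etc/sysconfig/nfs"
    echo "MOUNTD_PORT=$MOUNTD"
    echo "STATD_PORT=$STATD"
    echo "LOCKD_TCPPORT=$LOCKD_TCP"
    echo "LOCKD_UDPPORT=$LOCKD_UDP"
    echo "# /etc/modprobe.conf"
    echo "options lockd nlm_tcpport=$LOCKD_TCP nlm_udpport=$LOCKD_UDP"
}

# nfs_rules IFACE LOCAL_IP PEER_IP [PROTO]
# One INPUT rule per fixed port, bound to the interface and both addresses,
# plus a single OUTPUT rule for return traffic. PROTO defaults to tcp; pass
# udp if the mount uses udp (only one protocol needs to be open). Every rule
# ends in -j ACCEPT: a rule with no target matches packets but only counts them.
nfs_rules() {
    iface=$1; local_ip=$2; peer_ip=$3; proto=${4:-tcp}
    if [ "$proto" = udp ]; then lockd=$LOCKD_UDP; else lockd=$LOCKD_TCP; fi
    for port in $PORTMAP $NFSD $MOUNTD $STATD $lockd; do
        echo "iptables -A INPUT -i $iface -s $peer_ip -d $local_ip -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    echo "iptables -A OUTPUT -o $iface -s $local_ip -d $peer_ip -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# count_rules: number of rule lines nfs_rules emits for these arguments.
count_rules() {
    nfs_rules "$@" | wc -l | tr -d ' '
}

# rules_have_target: succeed only if every emitted rule ends in "-j ACCEPT".
rules_have_target() {
    if nfs_rules "$@" | grep -v -- '-j ACCEPT$' | grep -q .; then
        return 1
    fi
    return 0
}

# Stand-alone run: rules for server 1 (eth1, 192.0.2.10) and its mirror image
# for server 2 (192.0.2.20), then the port-pinning config for both hosts.
if [ "${1:-}" = "--demo" ]; then
    nfs_rules eth1 192.0.2.10 192.0.2.20 tcp
    nfs_rules eth1 192.0.2.20 192.0.2.10 tcp
    pin_ports_config
fi
```

Run it with --demo, read the output, and only then pipe it to sh as root. Before trusting the rule set, check with rpcinfo -p on each host that mountd, status and nlockmgr really show the pinned ports after a reboot; if they still move, the config did not take and the client will hit the same mount failure the original poster saw.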