Firewall & NFS

#1  12-04-2005  chabral
Firewall & NFS

Hi,
I'm trying to set up a host firewall (iptables) on two servers on an internal
subnet. One of those servers mounts an NFS share of the other. If I apply the
rules when the servers have already booted (and mounted the NFS share),
everything is OK. The problem is that if I reboot the "client" server (the
server that mounts the share), it is unable to mount it again.

Here are the NFS-related rules I'm using.

NFS Client:
------------

# Localhost rules
/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT

# Portmapper
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT

# Statd
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 32769 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 32769 -m state --state ESTABLISHED -j ACCEPT

# NFS
/sbin/iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT

NFS Server:
-------------
# Localhost rules
/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT

# Statd
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT

# Portmapper
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT

# NFS
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT

# rquotad
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1016 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 1016 -m state --state ESTABLISHED -j ACCEPT

# rpc.mountd
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1015 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 1015 -m state --state ESTABLISHED -j ACCEPT

Any suggestions will be appreciated.
Sincerely,

--
chabral


#2  12-04-2005  Allen Kistler
Re: Firewall & NFS

chabral wrote:
> Hi,
> I'm trying to set up a host firewall (iptables) on two servers on an internal
> subnet. One of those servers mounts an NFS share of the other. If I apply the
> rules when the servers have already booted (and mounted the NFS share),
> everything is OK. The problem is that if I reboot the "client" server (the
> server that mounts the share), it is unable to mount it again.
>
> Here are the NFS-related rules I'm using....
>


Some NFS-associated ports are dynamic, so the ports you specified
probably aren't valid. Typically outbound traffic on a connection
allows the inbound traffic to return through netfilter. Netfilter makes
up a state at startup, allowing your "established" connections to
continue. (At least I suspect that's what's happening.)

portmap port is always 111

nfsd port is always 2049

lockd port can be defined in /etc/modprobe.conf

mountd and statd ports can be defined as startup options (how you define
them varies with distro; RH and FC use /etc/sysconfig/nfs)

rquotad port can't be defined (last I checked, but you don't need it
unless you're using quotas)

See man pages and assorted, existing howtos for more info.
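A check for the point Allen makes above, added here and not part of the thread: parse `rpcinfo -p` output and list every RPC service registered on a port the host firewall does not allow. The `rpcinfo` sample is constructed (statd is placed on 32770 to show a post-reboot drift), and the allow-list is an assumption taken from chabral's server rules.

```shell
#!/bin/sh
# Added example, not from the thread: list the RPC services behind an NFS
# export that are NOT on a port the host firewall allows. Feed it real
# `rpcinfo -p` output on the server; here the input is a constructed sample.

# Constructed sample of `rpcinfo -p` after a reboot. Ports are illustrative:
# statd ("status") has landed on 32770 this time, outside 32768/32769.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100005    1   udp   1015  mountd
    100005    1   tcp   1015  mountd
    100024    1   udp  32770  status
    100024    1   tcp  32770  status
    100011    1   udp   1016  rquotad'

# Ports the server rule set in the first post accepts (assumption).
ALLOWED_PORTS="111 2049 32768 32769 1015 1016"

# unpinned_services RPCINFO_TEXT ALLOWED_PORTS
# Prints "service/proto port" for every RPC registration whose port is not
# in the allow-list; prints nothing when the firewall covers all of them.
unpinned_services() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && !($4 in ok) { print $5 "/" $3 " " $4 }'
}

# firewall_ok RPCINFO_TEXT ALLOWED_PORTS: exit 0 only if nothing is unpinned.
firewall_ok() {
    [ -z "$(unpinned_services "$1" "$2")" ]
}

# Stand-alone run: report what the rule set would block after this reboot.
unpinned_services "$SAMPLE_RPCINFO" "$ALLOWED_PORTS"
```

Once mountd, statd and lockd are pinned as Allen describes, running this against the live `rpcinfo -p` output before loading the rules confirms the allow-list is complete.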
#3  12-05-2005  EricT
Re: Firewall & NFS

chabral wrote:
> Hi,
> I'm trying to set up a host firewall (iptables) on two servers on an internal
> subnet. One of those servers mounts an NFS share of the other. If I apply the
> rules when the servers have already booted (and mounted the NFS share),
> everything is OK. The problem is that if I reboot the "client" server (the
> server that mounts the share), it is unable to mount it again.
>
> Here are the NFS-related rules I'm using.
>


1) You can choose which protocol is used with NFS, so you don't need to
open both protocols for that traffic.

2) Allen is absolutely right, the ports are dynamic, like passive FTP.

3) You should use interface settings instead of IP addresses.

4) Open the server port and allow established (related) traffic from one
to the other.

server 1
# Accept new connections to the portmapper (111) from server 2 on the internal interface;
# the -j ACCEPT target is what actually lets the packet through
iptables -A INPUT -i <int-iface1> -s <nfs-host2> -d <nfs-ip1> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
# Let replies and related traffic back out to server 2
iptables -A OUTPUT -o <int-iface1> -d <nfs-host2> -s <nfs-ip1> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT

server 2
# Mirror image of the rules above, seen from server 2
iptables -A INPUT -i <int-iface2> -s <nfs-host1> -d <nfs-ip2> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface2> -d <nfs-host1> -s <nfs-ip2> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT

greetz,
Eric
#4  12-05-2005  EricT
Re: Firewall & NFS

Allen Kistler wrote:
> chabral wrote:
>
>> Hi,
>> I'm trying to set up a host firewall (iptables) on two servers on an internal
>> subnet. One of those servers mounts an NFS share of the other. If I apply the
>> rules when the servers have already booted (and mounted the NFS share),
>> everything is OK. The problem is that if I reboot the "client" server (the
>> server that mounts the share), it is unable to mount it again.
>>
>> Here are the NFS-related rules I'm using....
>>
>
>
> Some NFS-associated ports are dynamic, so the ports you specified
> probably aren't valid. Typically outbound traffic on a connection
> allows the inbound traffic to return through netfilter. Netfilter makes
> up a state at startup, allowing your "established" connections to
> continue. (At least I suspect that's what's happening.)
>
> portmap port is always 111
>
> nfsd port is always 2049
>
> lockd port can be defined in /etc/modprobe.conf
>
> mountd and statd ports can be defined as startup options (how you define
> them varies with distro; RH and FC use /etc/sysconfig/nfs)
>
> rquotad port can't be defined (last I checked, but you don't need it
> unless you're using quotas)
>
> See man pages and assorted, existing howtos for more info.


1) You can choose which protocol is used with NFS, so you don't need to
open both protocols for that particular traffic.

2) Allen is absolutely right, the ports can be dynamic, like passive FTP.

3) You should use interface settings instead of IP addresses, or use both.

4) Open the server port and allow established (related) traffic from one
to the other.

As far as I know, these rules should do it.

server 1
# Accept new connections to the portmapper (111) from server 2 on the internal interface;
# the -j ACCEPT target is what actually lets the packet through
iptables -A INPUT -i <int-iface1> -s <nfs-ip2> -d <nfs-ip1> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
# Let replies and related traffic back out to server 2
iptables -A OUTPUT -o <int-iface1> -d <nfs-ip2> -s <nfs-ip1> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT

server 2
# Mirror image of the rules above, seen from server 2
iptables -A INPUT -i <int-iface2> -s <nfs-ip1> -d <nfs-ip2> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface2> -d <nfs-ip1> -s <nfs-ip2> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT

greetz,
Eric