public inbox for gentoo-user@lists.gentoo.org
From: Arnau Bria <arnau@emergetux.net>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] nfs and iptables
Date: Fri, 23 Jun 2006 11:04:08 +0200	[thread overview]
Message-ID: <20060623110408.192f26d5@lx-arnau.pic.es> (raw)

Hi all,

I'm trying to configure my firewall in order to be able to mount a
remote NFS exported directory.

AFAIK I must open port 111 tcp/udp (portmap). rpcinfo confirms it:

# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Well, so I set the following rules in my firewall:

-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT


And restart my firewall.
(I use the same rules for other ports: ssh, smtp...)

Well, I'm not able to mount the directory, and I see this in the logs:

UDP privileged ports DROP:IN=eth0 OUT=
MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234
DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP
SPT=111 DPT=822 LEN=36

and this log entry comes from the following rule:

-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT

which is at the bottom of all the rules...

I don't understand what happens, because I can telnet to port 111 and get a
response. And I have portmap on that port:

# netstat -putan | grep 111
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      10028/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           10028/portmap

I do the mount:

lx-arnau ~ # mount -t nfs hostname:/export/media /mnt/musica/
mount: RPC: Program not registered

Got the error... but:

lx-arnau ~ # netstat -putan | grep 111
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      10028/portmap
tcp        0      0 my_IP:60394             nfs_server:111     TIME_WAIT   -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           10028/portmap

...

If I disable the firewall, I can mount with no problem...
What am I missing?

Thanks in advance.

-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is no use: I just did it myself, and we can't both
win"
~Homer J. Simpson~

-- 
gentoo-user@gentoo.org mailing list
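The logged packet in this message (SRC=193.146.196.234 SPT=111, DST=193.146.196.198 DPT=822) is the NFS server's portmapper answering the client's privileged source port; the stateless "--dport 0:1023 -j REJECT" rule matches it because nothing earlier accepts return traffic. As an added example that is not part of the original message, this parser reads iptables LOG lines in that format and flags dropped packets that are RPC replies of this kind, so they can be told apart from genuinely unsolicited traffic; the second sample line and its 198.51.100.7 address are constructed.

```python
import re

# Constructed samples: the first is the dropped packet quoted in the message,
# re-joined onto one line; the second is a made-up unsolicited probe to a
# privileged port, which the same REJECT rule is right to match.
SAMPLE_LOGS = [
    "UDP privileged ports DROP:IN=eth0 OUT= "
    "MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 "
    "DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP "
    "SPT=111 DPT=822 LEN=36",
    "UDP privileged ports DROP:IN=eth0 OUT= SRC=198.51.100.7 "
    "DST=193.146.196.198 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=UDP "
    "SPT=40000 DPT=514 LEN=28",
]

# iptables LOG fields are KEY=VALUE tokens; bare flags such as DF have no '='.
_TOKEN = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split '<prefix>IN=eth0 OUT= ... SPT=111 DPT=822' into a field dict.
    The second LEN (UDP length) overwrites the first (IP length)."""
    prefix, sep, rest = line.partition("IN=")
    fields = dict(_TOKEN.findall(sep + rest))
    fields["PREFIX"] = prefix.strip()
    return fields


def is_rpc_reply_drop(fields, local_ip, rpc_ports=frozenset({111})):
    """True when the dropped packet is a UDP datagram from an RPC service port
    to a privileged local port: reply traffic that a stateless
    '--dport 0:1023 -j REJECT' rule matches but an ESTABLISHED rule would pass."""
    try:
        spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    except (KeyError, ValueError):
        return False
    return (fields.get("PROTO") == "UDP" and fields.get("DST") == local_ip
            and spt in rpc_ports and dpt < 1024)


def find_blocked_replies(lines, local_ip):
    """Return (src, spt, dpt) for every logged drop that looks like an RPC reply."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        if is_rpc_reply_drop(fields, local_ip):
            hits.append((fields["SRC"], int(fields["SPT"]), int(fields["DPT"])))
    return hits


if __name__ == "__main__":
    for src, spt, dpt in find_blocked_replies(SAMPLE_LOGS, "193.146.196.198"):
        print(f"reply from {src}:{spt} to local port {dpt} was rejected; "
              "accept ESTABLISHED,RELATED before the privileged-port REJECT")
```

Accepting "-m state --state ESTABLISHED,RELATED" ahead of the privileged-port rules lets these replies through without opening the whole 0:1023 range; the mountd and nfs ports the portmapper then hands out still need their own ACCEPT rules or a fixed port assignment on the server.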