Date: Fri, 23 Jun 2006 11:04:08 +0200
From: Arnau Bria
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] nfs and iptables
Message-ID: <20060623110408.192f26d5@lx-arnau.pic.es>
X-Mailer: Sylpheed-Claws 2.3.0 (GTK+ 2.8.12; i686-pc-linux-gnu)
List-Id: Gentoo Linux mail
Hi all,

I'm trying to configure my firewall in order to be able to mount a remote NFS exported directory.

AFAIK I must open port 111 tcp/udp (portmap). rpcinfo confirms it:

    # rpcinfo -p
    program vers proto port
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper

Well, so I set the next rules in my firewall:

    -A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
    -A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
    -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
    -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT

and restart my firewall. (I use the same rules for other ports: ssh, smtp...)

Well, I'm not able to mount the directory, and I see this in the logs:

    UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=111 DPT=822 LEN=36

and these logs come from the next rules:

    -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
    -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT

which are at the bottom of all rules...

I don't understand what happens, because I can telnet to port 111 and get a response. And I have portmap on that port:

    #netstat -putan |grep 111
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 10028/portmap
    udp 0 0 0.0.0.0:111 0.0.0.0:* 10028/portmap

I do the mount:

    lx-arnau ~ # mount -t nfs hostname:/export/media /mnt/musica/
    mount: RPC: Program not registered

Got the error... but:

    lx-arnau ~ # netstat -putan |grep 111
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 10028/portmap
    tcp 0 0 my_IP:60394 nfs_server:111 TIME_WAIT -
    udp 0 0 0.0.0.0:111 0.0.0.0:* 10028/portmap

...

If I disable the firewall, I can mount with no problem...

What am I missing?

Thanks in advance.

-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is no use: I just did it myself and we are not both going to win" ~Homer J. Simpson~

-- 
gentoo-user@gentoo.org mailing list
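Added example, not code from the post or from the Gentoo list: a small Python replay of the rejected log line above against the INPUT rules quoted in the post. It decodes the archive's quoted-printable residue ("=3D" for "="), parses the netfilter LOG fields, and walks the rules with iptables first-match semantics (LOG is non-terminating, ACCEPT/REJECT end traversal), so you can see which rule produced the "UDP privileged ports DROP:" entry. Assumptions: only the rules shown in the post are modelled, in the order posted; the second sample log line is constructed for contrast; and the `STATEFUL_CHAIN` variant models a hypothetical leading `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule, with the conntrack decision (`established`) supplied by hand because there is no kernel state table in a script.

```python
"""Replay the netfilter LOG line from the post against the posted rule set.

Added example, not code from the original message. It models only the rules
quoted in the post (first-match semantics, LOG non-terminating) plus a
hypothetical stateful variant; the ESTABLISHED flag that conntrack would
compute on a real host is set by hand here.
"""
import quopri
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples, kept in the quoted-printable form the list archive
# shows ("=3D" is an encoded "="). The first is the rejected reply from the
# post (server port 111 answering the client's port 822); the second is a
# constructed inbound request to the client's own portmapper, for contrast.
SAMPLE_LOG_LINES = [
    'UDP privileged ports DROP:IN=3Deth0 OUT=3D MAC=3D00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 '
    'SRC=3D193.146.196.234 DST=3D193.146.196.198 LEN=3D56 TOS=3D0x00 PREC=3D0x00 TTL=3D64 '
    'ID=3D57 DF PROTO=3DUDP SPT=3D111 DPT=3D822 LEN=3D36',
    'NFS (udp) Input: IN=3Deth0 OUT=3D SRC=3D193.146.196.234 DST=3D193.146.196.198 '
    'PROTO=3DUDP SPT=3D40000 DPT=3D111 LEN=3D60',
]

LOG_FIELD = re.compile(r'\b([A-Z]+)=(\S*)')


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    iface: str
    established: bool = False  # what conntrack would decide; set by hand here


@dataclass
class Rule:
    target: str                              # ACCEPT, REJECT, DROP or LOG
    proto: Optional[str] = None              # -p tcp / -p udp
    dport: Optional[Tuple[int, int]] = None  # --dport lo:hi, inclusive
    established: bool = False                # -m state --state ESTABLISHED,RELATED (hypothetical)
    log_prefix: str = ''                     # --log-prefix for LOG rules

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.established and not pkt.established:
            return False
        return True


def parse_log_line(line: str) -> Tuple[str, Packet]:
    """Decode the archive's quoted-printable residue and split KEY=VALUE fields."""
    decoded = quopri.decodestring(line.encode('latin-1')).decode('latin-1')
    prefix, _, rest = decoded.partition('IN=')
    fields = dict(LOG_FIELD.findall('IN=' + rest))
    pkt = Packet(
        proto=fields.get('PROTO', ''),
        src=fields.get('SRC', ''),
        dst=fields.get('DST', ''),
        sport=int(fields.get('SPT', 0)),
        dport=int(fields.get('DPT', 0)),
        iface=fields.get('IN', ''),
    )
    return prefix.strip(), pkt


# INPUT chain as quoted in the post (rules for other services omitted).
# With first-match semantics the TCP LOG rule sits behind the TCP ACCEPT,
# so port-111 TCP packets never reach it.
POSTED_CHAIN: List[Rule] = [
    Rule('ACCEPT', proto='TCP', dport=(111, 111)),
    Rule('LOG', proto='TCP', dport=(111, 111), log_prefix='NFS (tcp) Input: '),
    Rule('LOG', proto='UDP', dport=(111, 111), log_prefix='NFS (udp) Input: '),
    Rule('ACCEPT', proto='UDP', dport=(111, 111)),
    Rule('LOG', proto='UDP', dport=(0, 1023), log_prefix='UDP privileged ports DROP:'),
    Rule('REJECT', proto='UDP', dport=(0, 1023)),
]

# Hypothetical stateful variant: accept conntrack-recognised replies first.
STATEFUL_CHAIN: List[Rule] = [Rule('ACCEPT', established=True)] + POSTED_CHAIN


def run_chain(chain: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the chain: LOG records its prefix and continues, other targets end traversal."""
    logged: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == 'LOG':
            logged.append(rule.log_prefix)
            continue
        return rule.target, logged
    return 'CHAIN_END', logged  # falls through to the chain policy, which the post does not show


def explain(line: str, chain: List[Rule], established: bool = False) -> dict:
    """Parse one LOG line and report the verdict the given chain would give it."""
    prefix, pkt = parse_log_line(line)
    pkt.established = established
    verdict, logged = run_chain(chain, pkt)
    return {'logged_as': prefix, 'proto': pkt.proto, 'src': pkt.src,
            'sport': pkt.sport, 'dport': pkt.dport,
            'verdict': verdict, 'log_hits': logged}


if __name__ == '__main__':
    for sample in SAMPLE_LOG_LINES:
        print(explain(sample, POSTED_CHAIN))
    # The same reply, once conntrack has tied it to the client's own request.
    print(explain(SAMPLE_LOG_LINES[0], STATEFUL_CHAIN, established=True))
```

Running it shows the reply packet (SPT=111, DPT=822) matching nothing before the privileged-ports LOG and REJECT pair, because the posted rules only accept packets whose destination port is 111, while the client's own port 822 is the destination of the reply. The same packet is accepted by the stateful chain only when it is flagged as established, which is the decision conntrack makes on a real host.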