public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] nfs and iptables
@ 2006-06-23  9:04 Arnau Bria
  2006-06-23  9:38 ` Daniel Iliev
  2006-06-23 10:20 ` [gentoo-user] " Rick van Hattem
  0 siblings, 2 replies; 7+ messages in thread
From: Arnau Bria @ 2006-06-23  9:04 UTC
  To: gentoo-user

Hi all,

I'm trying to configure my firewall in order to be able to mount a
remote NFS exported directory.

AFAIK I must open port 111 tcp/udp (portmap). rpcinfo confirms it:

# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Well, so I set the next rules in my firewall:
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT


And restart my firewall.
(I use same rules for other ports, ssh, smtp...)

Well, I'm not able to mount the directory, and I see this in the logs:

UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=111 DPT=822 LEN=36

and this log entry comes from the next rule:

-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT

which is at the bottom of all the rules...

I don't understand what happens, because I can telnet to port 111 and get
a response. And I have portmap on that port:

# netstat -putan | grep 111
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      10028/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           10028/portmap

I do the mount:

lx-arnau ~ # mount -t nfs hostname:/export/media /mnt/musica/
mount: RPC: Program not registered

Got the error... but:

lx-arnau ~ # netstat -putan |grep 111
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      10028/portmap
tcp        0      0 my_IP:60394             nfs_server:111     TIME_WAIT   -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           10028/portmap

...

If I disable firewall, I can mount with no problem...
What am I missing?

Thanks in advance.

-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is useless: I just did it myself, and we can't
both win"
~Homer J. Simpson~

-- 
gentoo-user@gentoo.org mailing list

* Re: [gentoo-user] nfs and iptables
  2006-06-23  9:04 [gentoo-user] nfs and iptables Arnau Bria
@ 2006-06-23  9:38 ` Daniel Iliev
  2006-06-23  9:55   ` Arnau Bria
  2006-06-23 10:20 ` [gentoo-user] " Rick van Hattem
  1 sibling, 1 reply; 7+ messages in thread
From: Daniel Iliev @ 2006-06-23  9:38 UTC
  To: gentoo-user


On Fri, June 23, 2006 12:04 pm, Arnau Bria wrote:

>
> Well, so I set next rule in my firewall:
> -A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
> -A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
> -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
> -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT

My first guess is that you have another FW rule which matches those packets and
drops them before they meet the rule you mention.
You could try:

 -D INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
 -I INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
(drop the rule and insert it on top of all the others)



-- 
Best regards,
Daniel


* Re: [gentoo-user] nfs and iptables
  2006-06-23  9:38 ` Daniel Iliev
@ 2006-06-23  9:55   ` Arnau Bria
  2006-06-23 12:10     ` Arnau Bria
  0 siblings, 1 reply; 7+ messages in thread
From: Arnau Bria @ 2006-06-23  9:55 UTC
  To: gentoo-user

On Fri, 23 Jun 2006 12:38:13 +0300 (EEST)
"Daniel Iliev" <danny@ilievnet.com> wrote:

> 
> On Fri, June 23, 2006 12:04 pm, Arnau Bria wrote:
> 
[...]
> My first guess is that you have another FW rule which matches those
> packets and drops them before they meet the rule you mention.
> You could try:
> -D INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
> -I INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT

Well, that was what I first thought, but these are my first rules:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             my_host_name     udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             my_host_name     tcp dpt:sunrpc
then the ssh rule,
then the smtp rule,
then the drop one I posted in the first mail.

ssh and smtp work fine, and I can telnet to 111!! That's really
strange, because if I can telnet, it means my port is open... so why,
when I try to mount, is it blocked by a later rule?

thanks!
-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is useless: I just did it myself, and we can't
both win"
~Homer J. Simpson~
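The log line in the first mail already answers this question, and the following script is an added example (not part of the thread) that makes the answer mechanical: it parses a netfilter LOG line into its KEY=value fields and classifies the packet relative to the portmapper. The sample line is constructed from the values posted above. The dropped datagram has SPT=111 and DPT=822: it is the server's portmapper replying to the client's privileged source port, so the `--dport 111` rule cannot match it, while the `--dport 0:1023` REJECT rule does. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the thread): parse a netfilter LOG line and
# classify the packet with respect to a client-side NFS mount.

# Constructed sample, using the values from the log line posted in the thread.
SAMPLE_LOG='UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=111 DPT=822 LEN=36'

# Print the value of one KEY=value field (first occurrence; LEN appears
# twice, IP header first, then UDP header).  The log prefix is glued to
# the IN= field, so it is stripped before splitting on spaces.
log_field() {
    printf '%s\n' "$1" \
        | sed 's/^[^=]*IN=/IN=/' \
        | tr ' ' '\n' \
        | sed -n "s/^$2=//p" \
        | head -n 1
}

# The log prefix is everything before the first IN= field.
log_prefix() {
    printf '%s\n' "${1%%IN=*}"
}

# Classify the packet relative to the portmapper (port 111).
classify_packet() {
    proto=$(log_field "$1" PROTO)
    spt=$(log_field "$1" SPT)
    dpt=$(log_field "$1" DPT)
    if [ "$dpt" = 111 ]; then
        echo "request to portmapper over $proto from client port $spt"
    elif [ "$spt" = 111 ]; then
        echo "reply from portmapper over $proto to client port $dpt"
    else
        echo "other $proto traffic $spt->$dpt"
    fi
}

# Would a match like --dport 0:1023 catch this destination port?
in_privileged_range() {
    [ "$1" -ge 0 ] && [ "$1" -le 1023 ]
}

# Explain which of the two rules from the thread the packet hits.
explain_drop() {
    dpt=$(log_field "$1" DPT)
    if in_privileged_range "$dpt"; then
        echo "DPT=$dpt is within 0:1023, so the 'UDP privileged ports' REJECT rule matches; --dport 111 does not"
    else
        echo "DPT=$dpt is outside 0:1023"
    fi
}

printf 'prefix: %s\n' "$(log_prefix "$SAMPLE_LOG")"
printf 'class:  %s\n' "$(classify_packet "$SAMPLE_LOG")"
printf 'why:    %s\n' "$(explain_drop "$SAMPLE_LOG")"
```

Telnet to port 111 succeeds because that is a TCP connection the firewall host initiates; the NFS mount fails on the UDP reply coming back to a port below 1024, which is exactly the range the last rule rejects.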

* Re: [gentoo-user] nfs and iptables
  2006-06-23  9:04 [gentoo-user] nfs and iptables Arnau Bria
  2006-06-23  9:38 ` Daniel Iliev
@ 2006-06-23 10:20 ` Rick van Hattem
  2006-06-23 11:15   ` Arnau Bria
  1 sibling, 1 reply; 7+ messages in thread
From: Rick van Hattem @ 2006-06-23 10:20 UTC
  To: gentoo-user


On Friday 23 June 2006 11:04, Arnau Bria wrote:
> Hi all,
>
> I'm trying to configure my firewall in order to be able to mount a
> remote NFS exported directory.
>
Have a look at the gentoo-wiki :)
http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS#Setting_Up_Firewall_.28Client_Side.29

-- 
Rick van Hattem	Rick.van.Hattem(at)Fawo.nl


* Re: [gentoo-user] nfs and iptables
  2006-06-23 10:20 ` [gentoo-user] " Rick van Hattem
@ 2006-06-23 11:15   ` Arnau Bria
  0 siblings, 0 replies; 7+ messages in thread
From: Arnau Bria @ 2006-06-23 11:15 UTC
  To: gentoo-user

On Fri, 23 Jun 2006 12:20:34 +0200
Rick van Hattem <Rick.van.Hattem@fawo.nl> wrote:

> On Friday 23 June 2006 11:04, Arnau Bria wrote:
> > Hi all,
> >
> > I'm trying to configure my firewall in order to be able to mount a
> > remote NFS exported directory.
> >
> Have a look at the gentoo-wiki :)
> http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS#Setting_Up_Firewall_.28Client_Side.29
Yes, I've read that howto.
But if you look at the bottom, it says:

"Setting up firewall on the client side is much much simpler. The only
relevant port is 111 tcp/udp. This is the port for portmap, the only
service required for client to run."

And that's what I'm trying to do, and where I'm having problems.

thanks! 


-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is useless: I just did it myself, and we can't
both win"
~Homer J. Simpson~

* Re: [gentoo-user] nfs and iptables
  2006-06-23  9:55   ` Arnau Bria
@ 2006-06-23 12:10     ` Arnau Bria
  2006-06-23 13:20       ` [gentoo-user] " Remy Blank
  0 siblings, 1 reply; 7+ messages in thread
From: Arnau Bria @ 2006-06-23 12:10 UTC
  To: gentoo-user

Hi,

I solved it by adding the following at the top of the rules:

-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p udp -j ACCEPT


From what I read, it allows my established connections to pass the filter
without evaluating the other rules.

Is this a correct config?


Thanks to all for your attention,

-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is useless: I just did it myself, and we can't
both win"
~Homer J. Simpson~

* [gentoo-user]  Re: nfs and iptables
  2006-06-23 12:10     ` Arnau Bria
@ 2006-06-23 13:20       ` Remy Blank
  0 siblings, 0 replies; 7+ messages in thread
From: Remy Blank @ 2006-06-23 13:20 UTC
  To: gentoo-user

Arnau Bria wrote:
> I solved it adding next at top of rules:
> 
> -A INPUT -p tcp ! --syn -j ACCEPT
> -A INPUT -p udp -j ACCEPT

While the first line is mostly harmless (well, even that's not really
true, but let's keep it simple), the second line opens your firewall to
*all* incoming UDP packets, and therefore effectively disables your
firewall for UDP services.

I don't know if you have another line of defense before your iptables
firewall (e.g. a router/firewall). If you don't, you expose yourself to
serious trouble.

In general, my advice would be not to build your own iptables firewall
ruleset unless you have *very good* knowledge about IP protocols. Use
one of the firewall builder tools like shorewall [1] or firestarter [2].

-- Remy

[1] http://www.shorewall.net/
[2] http://www.fs-security.com/


Remove underscore and suffix in reply address for a timely response.
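The hardened alternative to the two lines Remy comments on, as an added example that is neither from the thread nor from the wiki it cites: instead of accepting all incoming UDP, accept only packets that connection tracking associates with a request the client itself sent (`-m state --state ESTABLISHED,RELATED`). That covers the portmapper reply to port 822 from the first mail, because the client's own request to server port 111 creates the conntrack entry. An inbound port-111 rule is then needed only if the server must initiate towards the client (NFS lock callbacks), so it is limited to the server's address here, a placeholder 192.0.2.10 passed in by the caller. The `is_blanket_accept` lint that flags an ACCEPT with no narrowing match, and all function names, are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a hardened replacement for the two
# lines Arnau put at the top of his INPUT chain, plus a small lint that
# flags rules accepting traffic without any narrowing match.

# Return 0 when a rule is a blanket ACCEPT: it jumps to ACCEPT without a
# port, connection-state, source-address or loopback-interface match.
is_blanket_accept() {
    case "$1" in
        *"-j ACCEPT"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *--dport*|*--sport*|*--state*|*--ctstate*|*" -s "*|*--source*|*"-i lo"*)
            return 1 ;;
    esac
    return 0
}

# Count blanket ACCEPT rules read from stdin, one rule per line.
count_blanket_accepts() {
    n=0
    while IFS= read -r rule; do
        if is_blanket_accept "$rule"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print INPUT-chain rules for an NFS client in iptables-restore syntax.
# $1 is the NFS server address (placeholder; substitute your own).
# Replies to the client's own portmap/NFS requests are accepted by the
# connection-tracking rule, so no blanket "-p udp -j ACCEPT" is needed.
nfs_client_input_rules() {
    server=$1
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s $server -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -s $server -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
-A INPUT -p udp -m udp --dport 0:1023 -j REJECT
EOF
}

# The two rules from the thread, for comparison.
THREAD_RULES='-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p udp -j ACCEPT'

printf 'blanket accepts in the thread rules: %s\n' \
    "$(printf '%s\n' "$THREAD_RULES" | count_blanket_accepts)"
printf 'blanket accepts in the replacement:  %s\n' \
    "$(nfs_client_input_rules 192.0.2.10 | count_blanket_accepts)"
```

The lint flags both of the thread's lines: the `! --syn` rule accepts any TCP segment that is not a bare SYN, and the UDP rule accepts everything. The replacement keeps the original's log-then-reject tail for privileged UDP ports, which now fires only for unsolicited packets.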
