05-18-2008, 07:26 AM
"Owen Townend"

nfs and iptables

On 18/05/2008, Daniel Dalton <daniel.dalton@iinet.net.au> wrote:
> Hi,
>
> How can I allow nfs through my iptables firewall?
> What ports does it use?
> Are they static ports? And if not how can I make them static?
>
> Thanks for any help.
>
> Cheers,
>
> --
> Daniel Dalton

Hey,
`rpcinfo -p` will give you a list of ports in use for rpc.
nfsd defaults to 2049 (overridable with `-p <port>`),
portmapper to 111 (static),
mountd and statd to portmap assigned ports (overridable with `-p
<port>` and `-o <port>`).

As services the ports can be set at /etc/default/nfs-kernel-server
and /etc/default/nfs-common.

cheers,
Owen.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
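The `rpcinfo -p` check Owen mentions is only useful if you compare its output against what the firewall actually allows. The script below is an added example, not part of Owen's post: it parses `rpcinfo -p` output and flags every RPC listener that is not on an allowed port. The sample output embedded in it is constructed (a server with statd pinned to 4000 and mountd to 4002, and nlockmgr left on kernel-assigned ports), and the allowed port list 111/2049/4000/4002 is an assumption.

```shell
#!/bin/sh
# Added example, not from the post: parse `rpcinfo -p` output and flag every
# RPC listener that is NOT on a port the firewall allows. SAMPLE_RPCINFO is
# constructed to look like a Debian NFS server with statd on 4000 and mountd on
# 4002; the nlockmgr (lockd) lines are deliberately on kernel-assigned ports,
# the usual leftover once only mountd/statd have been pinned.

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100021    1   tcp  42471  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# rpc_ports <rpcinfo -p output>
# Prints one "proto port service" line per distinct listener (header and
# per-version duplicates dropped): exactly the set the firewall must allow.
rpc_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $3, $4, $5 }' | sort -u
}

# unexpected_ports <rpcinfo -p output> <allowed ports, space separated>
# Prints "service proto port" for every listener whose port is not allowed.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && !($4 in ok) { print $5, $3, $4 }' | sort -u
}

# check_rpc_ports <rpcinfo -p output> <allowed ports>
# Succeeds only when every listener is on an allowed port; otherwise lists
# the offenders on stderr and fails, so it can gate a firewall reload.
check_rpc_ports() {
    bad=$(unexpected_ports "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'RPC listeners outside the allowed ports:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Run with --live on the server to check the real rpcinfo -p instead of the
# sample. The allowed list 111 2049 4000 4002 is an assumed firewall whitelist.
if [ "${1:-}" = "--live" ]; then
    RPCINFO_OUT=$(rpcinfo -p) || exit 1
else
    RPCINFO_OUT=$SAMPLE_RPCINFO
fi
echo "RPC listeners:"
rpc_ports "$RPCINFO_OUT"
if check_rpc_ports "$RPCINFO_OUT" "111 2049 4000 4002"; then
    echo "all RPC listeners are on allowed ports"
else
    echo "pin the remaining daemons or allow their ports before relying on the firewall"
fi
```

On the sample the check fails on the two nlockmgr lines: statd and mountd take `-p`, but lockd lives in the kernel and is pinned with the `fs.nfs.nlm_tcpport` and `fs.nfs.nlm_udpport` sysctls (or `options lockd nlm_tcpport=... nlm_udpport=...` in modprobe.d) before it shows up on a fixed port. Note also that every service registers on both tcp and udp, which is why a tcp-only rule set is not enough.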
 
05-18-2008, 03:09 PM
Alex Samad

nfs and iptables

On Sun, May 18, 2008 at 05:26:05PM +1000, Owen Townend wrote:
> On 18/05/2008, Daniel Dalton <daniel.dalton@iinet.net.au> wrote:
> > Hi,
> >
> > How can I allow nfs through my iptables firewall?
> > What ports does it use?
> > Are they static ports? And if not how can I make them static?
> >
> > Thanks for any help.
> >
> > Cheers,
> >
> > --
> > Daniel Dalton
>
> Hey,
> `rpcinfo -p` will give you a list of ports in use for rpc.
> nfsd defaults to 2049 (overridable with `-p <port>`),
> portmapper to 111 (static),
> mountd and statd to portmap assigned ports (overridable with `-p
> <port>` and `-o <port>`).
>
> As services the ports can be set at /etc/default/nfs-kernel-server
> and /etc/default/nfs-common.

have a read here

http://wiki.debian.org/SecuringNFS


>
> cheers,
> Owen.
>

--
"We had a chance to visit with Teresa Nelson who's a parent, and a mom or a dad."

- George W. Bush
09/09/2003
Jacksonville, FL
 
05-19-2008, 10:35 AM
Daniel Dalton

nfs and iptables

On Sun, 18 May 2008, Owen Townend wrote:

> On 18/05/2008, Daniel Dalton <daniel.dalton@iinet.net.au> wrote:
> > Hi,
> >
> > How can I allow nfs through my iptables firewall?
> > What ports does it use?
> > Are they static ports? And if not how can I make them static?
> >
> > Thanks for any help.
> >
> > Cheers,
> >
> > --
> > Daniel Dalton
>
> Hey,

Hi!

> `rpcinfo -p` will give you a list of ports in use for rpc.

Thanks

> nfsd defaults to 2049 (overridable with `-p <port>`),

Allowed in iptables

> portmapper to 111 (static),

Also allowed.

> mountd and statd to portmap assigned ports (overridable with `-p
> <port>` and `-o <port>`).

I believe they are also allowed, but it doesn't work.
It now actually guesses the path to the server, e.g. mount 192.168.2.10:/med
and then tab completion works, whereas before that was not the case, and
after pressing enter it sits there trying to mount before timing out.
Before it just couldn't find the server, didn't tab complete and just
exited mount straight away.

So there is certainly an improvement.
Do you know why its not mounting?
I have pasted below:
/etc/default/nfs-common
and /etc/default/nfs-kernel-server
as well as my iptables rules:

/etc/default/nfs-kernel-server:

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS

RPCMOUNTDOPTS="-p 4002 -o 4003"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=

/etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS="-p 4000 -o 4001"

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=

And finally the iptables rules:

iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
iptables -A INPUT -p tcp --dport 4002 -j ACCEPT
iptables -A INPUT -p tcp --dport 4003 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT

All these files and iptables rules are on the server.
So the client can see the nfs share (the dir I am sharing), but won't
mount it, it times out.

My firewall is blocking it since when I open it it will connect.

So why isn't it working?
What port should I open?

Thanks for all your help.

Cheers,

--
Daniel Dalton

http://members.iinet.net.au/~ddalton/
<daniel.dalton@iinet.net.au>


 
05-19-2008, 10:41 AM
Alex Samad

nfs and iptables

On Mon, May 19, 2008 at 08:35:28PM +1000, Daniel Dalton wrote:
> On Sun, 18 May 2008, Owen Townend wrote:
>
[snip]

> # a fixed port here using the --port option. For more information,
> # see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS

I mentioned this in my previous email http://wiki.debian.org/SecuringNFS
have you read it. It goes through all the steps and it works

[snip]

>
> So why isn't it working?
> What port should I open?
>
> Thanks for all your help.
>
> Cheers,
>
> --
> Daniel Dalton
>
> http://members.iinet.net.au/~ddalton/
> <daniel.dalton@iinet.net.au>
>
>


--
"I own a timber company? That's news to me. Need some wood?"

- George W. Bush
10/08/2004
St. Louis, MO
Second presidential debate
 
05-19-2008, 12:17 PM
Daniel Dalton

nfs and iptables

On Mon, 19 May 2008, Alex Samad wrote:

> I mentioned this in my previous email http://wiki.debian.org/SecuringNFS
> have you read it. It goes through all the steps and it works

You did, sorry missed that one.
Yes I read it and it does indeed work.

Thanks!
Is now sorted.

Just a quick iptables question: slightly OT I know, but how do I specify
more than one IP in a rule?
For example, how can I tell it to do this rule for the IPs 192.168.1.100
and 192.168.1.101?


Thanks,

--
Daniel Dalton

http://members.iinet.net.au/~ddalton/
<daniel.dalton@iinet.net.au>


 
05-19-2008, 02:44 PM
Alex Samad

nfs and iptables

On Mon, May 19, 2008 at 10:17:43PM +1000, Daniel Dalton wrote:
> On Mon, 19 May 2008, Alex Samad wrote:
>
>>
>> I mentioned this in my previous email http://wiki.debian.org/SecuringNFS
>> have you read it. It goes through all the steps and it works
>
> You did, sorry missed that one.
> Yes I read it and it does indeed work.
>
> Thanks!
> Is now sorted.
>
> Just a quick iptables question: slightly OT I know, but how do I specify
> more than one IP in a rule?
> For example, how can I tell it to do this rule for the IPs 192.168.1.100
> and 192.168.1.101?

with normal iptables I don't think you can, i.e. only one -s to a line, but
you could use iprange (man iptables <cr>/iprange<cr>)

>
> Thanks,
>
> --
> Daniel Dalton
>
> http://members.iinet.net.au/~ddalton/
> <daniel.dalton@iinet.net.au>
>
>

--
"Well, we've made the decision to defeat the terrorists abroad so we don't have to face them here at home. And when you engage the terrorists abroad, it causes activity and action."

- George W. Bush
04/28/2005
Washington, DC
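Putting the two threads of this discussion together (Daniel's tcp-only rule set for the pinned statd/mountd ports, and Alex's pointer to the iprange match for "more than one IP in a rule"), here is an added example that is not part of any post in the thread: a script that emits the complete INPUT rule set for an NFSv3 server with fixed ports, for both tcp and udp, restricted to one host, one CIDR or a contiguous range of client addresses. The port numbers (111, 2049, 4000-4003) are taken from the posted /etc/default files and are assumptions; the script name and the `--apply` flag are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build the complete INPUT rule set for an
# NFSv3 server whose mountd/statd ports were pinned with -p/-o, restricted to
# a set of client addresses with either -s or -m iprange. Rules are only
# printed unless --apply is given, so they can be reviewed before they touch
# the live firewall. The port numbers are assumptions (the posted 4000-4003).

# Listeners an NFSv3 client talks to: portmapper 111, nfsd 2049, statd 4000
# (4001 is its outgoing port), mountd 4002 (4003 outgoing). All of them
# register on both tcp and udp (see rpcinfo -p), so a tcp-only rule set, like
# the one posted above, leaves any client that picks udp hanging until timeout.
# lockd (nlockmgr) is pinned separately via the fs.nfs.nlm_tcpport and
# fs.nfs.nlm_udpport sysctls; append its port here once it is fixed.
NFS_PORTS="111 2049 4000 4001 4002 4003"

# src_match <addr-or-cidr> [<last-addr>]
# One argument: plain -s (a host, or a CIDR such as 192.168.1.0/24).
# Two arguments: a contiguous low-high range via the iprange match, which is
# the answer to "more than one IP in one rule" when the hosts are adjacent.
src_match() {
    if [ $# -eq 1 ]; then
        printf '%s' "-s $1"
    else
        printf '%s' "-m iprange --src-range $1-$2"
    fi
}

# nfs_rules <source match>
# Prints one source-restricted ACCEPT rule per port and per protocol.
nfs_rules() {
    src=$1
    for port in $NFS_PORTS; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT %s -p %s --dport %s -j ACCEPT\n' \
                "$src" "$proto" "$port"
        done
    done
}

# Usage: sh nfs-rules.sh [--apply] <addr-or-cidr> [<last-addr>]
# With no arguments the rules for the two hosts from the thread are printed.
if [ "${1:-}" = "--apply" ]; then
    shift
    nfs_rules "$(src_match "$@")" | sh
elif [ $# -gt 0 ]; then
    nfs_rules "$(src_match "$@")"
else
    nfs_rules "$(src_match 192.168.1.100 192.168.1.101)"
fi
```

`sh nfs-rules.sh 192.168.1.100 192.168.1.101` prints twelve rules, each carrying `-m iprange --src-range 192.168.1.100-192.168.1.101`; for that particular pair `-s 192.168.1.100/31` would also do, since .100 is even. For a non-contiguous set of clients the tidy option is an ipset (`ipset create nfs-clients hash:ip`, then `-m set --match-set nfs-clients src` in the rule) rather than one rule per address. Whatever the source match, the rules only make sense in front of a default-deny INPUT policy, and with lockd's port pinned and added to the list before NFSv3 locking is expected to work.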
 
