Gentoo Forums
nfs, ssh, and iptables
Networking & Security
The Doctor (Moderator)
Posted: Sat Aug 23, 2014 1:26 am    Post subject: nfs, ssh, and iptables

I'm trying to turn my old computer into a file server. So far, it seems mostly successful, with a few major exceptions:
    ssh isn't using public keys authentication
    the firewall blocks ssh traffic
    the firewall blocks nfs traffic


I would also like the system to fail gracefully if the server isn't online since this will probably be most of the time. Is there a simple way to accomplish this? Waiting for netmount to fail took about 2 minutes.

My ssh config on the server
Code:
X11Forwarding yes
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
#HostbasedAuthentication no
#PasswordAuthentication no
#PermitEmptyPasswords no
AllowGroups wheel admin
SyslogFacility AUTH
LogLevel INFO
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*


My firewall basically drops everything except what is allowed. I added these lines to allow ssh
Code:
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
The complete script I use to configure iptables (shamelessly copied from the forums and slightly modified)

Looking at F12 it looks like the catchall FIREWALL is blocking it.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Ant P. (Watchman)
Posted: Sat Aug 23, 2014 2:42 am

For netmount, you could have a cron @reboot job or /etc/local.d/ script start the service manually, which then wouldn't block other initscripts from starting up.
The Doctor (Moderator)
Posted: Sat Aug 23, 2014 3:32 am

Thanks for the idea.

Unfortunately, it doesn't work in practice. :cry:
szatox (Advocate)
Posted: Sat Aug 23, 2014 8:26 am

For ssh to use public key authentication you just need to
1) generate a pair of keys (using ssh-keygen)
2) append the public key to ~/.ssh/authorized_keys (this part happens on the server side, in $HOME of the user you want to log in as)

NFS is rather hard to get to work through a firewall since it chooses a random port for data transfer. At least it used to be this way. However, if you consider your network secure enough for NFS, you might consider more permissive rules. E.g. accept everything that comes from your LAN and block everything that comes from the world (unless you asked for it -> conntrack handles this well). You usually don't want to expose your NFS to the outside world anyway.
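A worked check for the key-login problem, added here as an example; it is not part of szatox's post or the original poster's setup. It installs a public key the way sshd's StrictModes (on by default) requires and then verifies the modes sshd checks, since a group- or world-writable home directory, .ssh or authorized_keys makes sshd ignore the key with "bad ownership or modes" in the AUTH log. The home directory and key file are parameters, the key in the demonstration is a constructed placeholder, and GNU coreutils (stat -c) is assumed. Worth knowing when reading the sshd_config above: a commented-out directive leaves the compiled-in default in force, and the default for PasswordAuthentication is yes, so a password prompt after a silently rejected key is easy to mistake for the key never being offered.

```shell
#!/bin/sh
# Added example, not from the thread: install a public key the way sshd's
# StrictModes (on by default) requires, then verify the modes sshd checks.
# Assumes GNU coreutils (stat -c). Paths are parameters; nothing here is the
# original poster's real path or key.

# install_pubkey <home_dir> <public_key_file>
# Appends the key to <home_dir>/.ssh/authorized_keys once (idempotent) and
# sets the modes: 700 on .ssh, 600 on authorized_keys.
install_pubkey() {
    home="$1"; pub="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # -x: whole-line match, -F: fixed string, so a key prefix never matches.
    if ! grep -qxF -- "$(cat "$pub")" "$home/.ssh/authorized_keys"; then
        cat "$pub" >> "$home/.ssh/authorized_keys"
    fi
}

# check_ssh_perms <home_dir>
# Returns 0 when the home directory, .ssh and authorized_keys all exist and
# none of them is group- or world-writable; that is what StrictModes refuses
# with "bad ownership or modes" in the AUTH log. Ownership by the login user
# is assumed here and not re-checked.
check_ssh_perms() {
    home="$1"
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
        mode=$(stat -c %a "$f")            # e.g. 700, 600, 1777
        grp=$(( (mode / 10 % 10) & 2 ))     # write bit of the group digit
        oth=$(( (mode % 10) & 2 ))          # write bit of the other digit
        if [ "$grp" -ne 0 ] || [ "$oth" -ne 0 ]; then
            echo "too permissive: $f (mode $mode)" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration on a throwaway directory with a constructed placeholder key
# (not a usable key); runs as an ordinary user, no root needed.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 user@client\n' \
    > "$demo_home/id_ed25519.pub"
install_pubkey "$demo_home" "$demo_home/id_ed25519.pub"
install_pubkey "$demo_home" "$demo_home/id_ed25519.pub"   # second call is a no-op
check_ssh_perms "$demo_home" && echo "modes OK under $demo_home"
rm -rf "$demo_home"
```

To see which side is at fault, run `ssh -v user@server` from the client: `Offering public key` followed by `Authentications that can continue: publickey,password` means the server saw the key and rejected it, and the server's AUTH log then says why. `sshd -T | grep -i -e pubkey -e passwordauth` on the server prints the values sshd is actually using, commented defaults included.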
py-ro (Veteran, Location: Velbert)
Posted: Sat Aug 23, 2014 10:20 am

Or use nfs >= Version 4, only one TCP Port, no Portmap.
Hu (Moderator)
Posted: Sat Aug 23, 2014 4:03 pm

I hope that script is only a reference for how you configured it. You should never use a script that runs iptables repeatedly if you want to wipe and load an entire set of rules. Instead, use iptables-restore to load the rules as a single operation. Since you do not set -e, your script will blow past any failures and leave you with a misconfigured firewall if any of the commands fail.

http://pastebin.com/yaMh8nHH:
iptables -A ICMP -j DROP
Why do you lump ICMP echo request in with state notification messages like host unreachable?

http://pastebin.com/yaMh8nHH:
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOOPSPOOF
This is handled automatically if you have reverse path filtering enabled.

http://pastebin.com/yaMh8nHH:
iptables -A INPUT -f -j BOGUS
Fragments are not always bogus. Why are you dropping them?

http://pastebin.com/yaMh8nHH:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Did you intend to offer ssh service to the world?

http://pastebin.com/yaMh8nHH:
iptables -A OUTPUT -p icmp -j ICMP
This is just wrong.

http://pastebin.com/yaMh8nHH:
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
Repeating the rule does not increase its effect.
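The atomic load Hu recommends, together with py-ro's single-port NFSv4 point, as one added example that is not the thread's pastebin script: a LAN-only ruleset in iptables-restore format that answers each of Hu's objections. Echo-request gets its own rate-limited rule while the ICMP errors tied to our own connections (host unreachable, fragmentation needed) arrive as RELATED conntrack state; there is no fragment chain, because with conntrack loaded the kernel reassembles fragments before the filter table sees them; there is no loopback-spoof chain, because rp_filter covers that; and ssh and NFS are accepted only from the LAN prefix passed in. The prefix 192.168.1.0/24 in the demonstration and the NFSv4 port 2049 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the thread's pastebin script: a LAN-only ruleset in
# iptables-restore format, loaded as one atomic operation. The LAN prefix
# passed in and the NFSv4 port 2049 are assumptions for illustration.
set -eu

# lan_ruleset <lan_cidr>
# Prints a complete filter table. INPUT defaults to DROP; ESTABLISHED,RELATED
# admits replies to our own connections and the ICMP errors that belong to
# them, so only echo-request needs an explicit rule. Nothing is repeated and
# no service is offered beyond ssh and NFSv4 from the LAN.
lan_ruleset() {
    lan="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -s $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $lan -p tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# load_ruleset <lan_cidr>
# Parses the whole set with --test first; only if that succeeds is it
# committed, so a typo cannot leave a half-applied firewall the way a
# sequence of iptables -A calls without set -e can. Reverse-path filtering
# replaces the hand-written loopback-spoof chain. Needs root.
load_ruleset() {
    rules=$(lan_ruleset "$1")
    sysctl -q -w net.ipv4.conf.all.rp_filter=1
    printf '%s\n' "$rules" | iptables-restore --test
    printf '%s\n' "$rules" | iptables-restore
}

# Print the ruleset for review; apply it only when asked to explicitly.
lan_ruleset 192.168.1.0/24
if [ "${1:-}" = "--apply" ]; then
    load_ruleset 192.168.1.0/24
fi
```

Once the live rules are right, `rc-service iptables save` writes them to /var/lib/iptables/rules-save (the IPTABLES_SAVE path in /etc/conf.d/iptables), which the iptables runscript restores at boot, so the script above is only needed to produce and validate the set. The `--test` line needs an iptables-restore that has that option (1.4-series builds); on an older build, drop it. On the client, mount with `-o vers=4` (or filesystem type nfs4 in fstab) so only 2049/tcp is used; NFSv3 also needs rpcbind on 111 plus mountd, lockd and statd, which must be pinned to fixed ports in /etc/conf.d/nfs before they can be allowed at all. One NFSv4.0 caveat: the server may open a callback connection back to the client for delegations; if the client's own firewall drops it, delegations are simply not granted and the mount still works.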
The Doctor (Moderator)
Posted: Sat Aug 23, 2014 5:58 pm

Thanks for the replies.

@szatox.
I do have the keys properly set up. Currently, authorized_keys is identical to my public key. This is partly why I'm finding the ssh problem to be so puzzling. As far as I can tell, it should be working with my configuration, but it isn't.

@Hu,

Yes, the script is purely for initial configuration and memory. Once the rules are set the iptables runscript takes care of the rest.

Thanks for the set -e. I was completely unaware that it existed.

I'm afraid I don't have any good answers to the whys of the firewall. I have never been able to really get my head around iptables, so I end up 'borrowing' configurations that other people use. Part of the problem is that there doesn't seem to be any good documentation on the subject. About the only source I found is the Arch wiki. Does this look better? It seems to work perfectly as it allows both nfs and ssh.

As for offering ssh, I don't particularly mind if it is open on the local network since the router doesn't forward ssh.
Hu (Moderator)
Posted: Sat Aug 23, 2014 10:04 pm

That looks better. You now accept effectively all unsolicited inbound connection attempts on TCP and UDP. This is fine for systems that are meant to be public access or are meant to be protected by some other firewall. It may be undesirable if you want to restrict offered services and have no other device handling that job for you.