The Doctor (Moderator), Joined: 27 Jul 2010, Posts: 2678
Posted: Sat Aug 23, 2014 1:26 am, Post subject: nfs, ssh, and iptables
I'm trying to turn my old computer into a file server. So far, it seems mostly successful, with a few major exceptions:
ssh isn't using public keys authentication
the firewall blocks ssh traffic
the firewall blocks nfs traffic
I would also like the system to fail gracefully if the server isn't online since this will probably be most of the time. Is there a simple way to accomplish this? Waiting for netmount to fail took about 2 minutes.
My ssh config on the server:
Code:
X11Forwarding yes
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no
#PasswordAuthentication no
#PermitEmptyPasswords no
AllowGroups wheel admin
SyslogFacility AUTH
LogLevel INFO
Subsystem sftp /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*
My firewall basically drops everything except what is allowed. I added these lines to allow ssh:
Code:
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
The complete script I use to configure iptables (shamelessly copied from the forums and slightly modified)
Looking at F12 it looks like the catchall FIREWALL is blocking it.
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Ant P. (Watchman), Joined: 18 Apr 2009, Posts: 6920
Posted: Sat Aug 23, 2014 2:42 am
For netmount, you could have a cron @reboot job or /etc/local.d/ script start the service manually, which then wouldn't block other initscripts from starting up.
The Doctor (Moderator), Joined: 27 Jul 2010, Posts: 2678
Posted: Sat Aug 23, 2014 3:32 am
Thanks for the idea.
Unfortunately, it doesn't work in practice.
szatox (Advocate), Joined: 27 Aug 2013, Posts: 3136
Posted: Sat Aug 23, 2014 8:26 am
For ssh to use public key authentication you just need to
1) generate a pair of keys (using ssh-keygen)
2) append the public key to ~/.ssh/authorized_keys (this part happens on the server side, in $HOME of the user you want to log in as)
NFS is rather hard to get to work through a firewall since it chooses a random port for data transfer. At least it used to be this way. However, if you consider your network secure enough for NFS, you might consider more permissive rules. E.g. accept everything that comes from your LAN and block everything that comes from the world (unless you asked for it -> conntrack handles this well). You usually don't want to expose your NFS to the outside world anyway.
py-ro (Veteran), Joined: 24 Sep 2002, Posts: 1734, Location: Velbert
Posted: Sat Aug 23, 2014 10:20 am
Or use NFS version 4 or later: only one TCP port, no portmap.
Hu (Moderator), Joined: 06 Mar 2007, Posts: 21633
Posted: Sat Aug 23, 2014 4:03 pm
I hope that script is only a reference for how you configured it. You should never use a script that runs iptables repeatedly if you want to wipe and load an entire set of rules. Instead, use iptables-restore to load the rules as a single operation. Since you do not set -e, your script will blow past any failures and leave you with a misconfigured firewall if any of the commands fail.
Why do you lump ICMP echo request in with state notification messages like host unreachable?
This is handled automatically if you have reverse path filtering enabled.
Fragments are not always bogus. Why are you dropping them?
Did you intend to offer ssh service to the world?
This is just wrong.
http://pastebin.com/yaMh8nHH:
Code:
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
Repeating the rule does not increase its effect.
The Doctor (Moderator), Joined: 27 Jul 2010, Posts: 2678
Posted: Sat Aug 23, 2014 5:58 pm
Thanks for the replies.
@szatox.
I do have the keys properly set up. Currently, authorized_keys is identical to my public key. This is partly why I'm finding the ssh problem to be so puzzling. As far as I can tell, it should be working with my configuration, but it isn't.
@Hu,
Yes, the script is purely for initial configuration and memory. Once the rules are set the iptables runscript takes care of the rest.
Thanks for the set -e. I was completely unaware that it existed.
I'm afraid I don't have any good answers to the whys of the firewall. I have never been able to really get my head around iptables, so I end up 'borrowing' configurations that other people use. Part of the problem is that there doesn't seem to be any good documentation on the subject. About the only source I found is the Arch wiki. Does this look better? It seems to work perfectly as it allows both nfs and ssh.
As for offering ssh, I don't particularly mind if it is open on the local network since the router doesn't forward ssh.
Hu (Moderator), Joined: 06 Mar 2007, Posts: 21633
Posted: Sat Aug 23, 2014 10:04 pm
That looks better. You now accept effectively all unsolicited inbound connection attempts on TCP and UDP. This is fine for systems that are meant to be public access or are meant to be protected by some other firewall. It may be undesirable if you want to restrict offered services and have no other device handling that job for you.
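A ruleset in the form Hu recommends (one atomic iptables-restore load with set -e, instead of one iptables call per rule), which also keeps the offered services limited to ssh and NFS v4 from the LAN, the concern raised in the last reply. This is an added example, not the thread's script or the pastebin; it assumes a LAN of 192.168.1.0/24 (placeholder, override with LAN=...), ssh on TCP 22, and NFS v4 on its single TCP port 2049 as py-ro described.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an iptables-restore ruleset so
# the whole table is replaced in one step: a bad line rejects the entire
# file and the previous rules stay in place, unlike a script of iptables calls.
set -e

LAN="${LAN:-192.168.1.0/24}"   # assumed LAN range, placeholder value

# Print the complete ruleset in iptables-restore format.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host started (conntrack)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP state notifications and echo request listed separately, not lumped
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# offered services, restricted to the LAN: ssh and NFS v4 (one TCP port)
-A INPUT -s $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $LAN -p tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Report rule lines that occur more than once on stdin; a repeated rule
# adds nothing, as Hu pointed out for the duplicated DNS rule.
find_duplicates() {
    grep '^-A' | sort | uniq -d
}

# Count rules on stdin that admit NEW inbound connections, i.e. the
# services actually offered to the network.
count_offered() {
    grep -c -- '--ctstate NEW -j ACCEPT'
}

# Load the ruleset atomically (needs root and iptables-restore on the server).
load_rules() {
    build_rules | iptables-restore
}
```

Run `build_rules | find_duplicates` before `load_rules` to catch repeated lines; a non-empty result means the file has redundant rules.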