Gentoo Forums
nfs, rpc and network interface/ip
hujuice
Guru
Joined: 16 Oct 2007
Posts: 336
Location: Rome, Italy

PostPosted: Fri Nov 20, 2015 10:07 pm    Post subject: nfs, rpc and network interface/ip

Hello everybody.
I'm administering a host with two interfaces: one public (say eth0) and one private, in a small LAN (say eth1). Each interface has two addresses, IPv4 and IPv6.
The host has an NFS service, obviously intended to work for the LAN, but the simple /etc/exports configuration leaves a handful of open ports on the public interface.
I would like to limit all the services (rpcbind, rpc.statd, and so on) to the LAN interface only, but I cannot find the way.
(ip(6)tables is an extra option; I would like to limit the origin.)

Some netstat output may make this clearer (netstat -unap | grep rpc):

udp        0      0 127.0.0.1:647           0.0.0.0:*                           30575/rpc.statd     
udp        0      0 0.0.0.0:45705           0.0.0.0:*                           30603/rpc.mountd   
udp        0      0 0.0.0.0:34728           0.0.0.0:*                           30575/rpc.statd     
udp        0      0 192.168.142.1:111       0.0.0.0:*                           30534/rpcbind       
udp        0      0 127.0.0.1:111           0.0.0.0:*                           30534/rpcbind       
udp        0      0 0.0.0.0:50646           0.0.0.0:*                           30603/rpc.mountd   
udp        0      0 0.0.0.0:60915           0.0.0.0:*                           30603/rpc.mountd   
udp        0      0 0.0.0.0:605             0.0.0.0:*                           30534/rpcbind       
udp6       0      0 :::35552                :::*                                30603/rpc.mountd   
udp6       0      0 ::1:111                 :::*                                30534/rpcbind       
udp6       0      0 :::50438                :::*                                30603/rpc.mountd   
udp6       0      0 :::57741                :::*                                30575/rpc.statd     
udp6       0      0 :::38436                :::*                                30603/rpc.mountd   
udp6       0      0 :::605                  :::*                                30534/rpcbind

(note that it is udp only)

By editing /etc/conf.d/rpcbind I'm able to limit access to :111 to the LAN IPv4 address, but nothing more.
I'm unable to limit the IPv6 address for rpcbind, and I'm unable to limit any of the other services.
The 192.168.142.1:111 line (and the localhost one) is the one I like.
I remember that something can be done with the sysctl configuration, but googling around didn't help.

Here is my very poor attempt:
/etc/conf.d/rpcbind:

RPCBIND_OPTS="-l -h 192.168.142.1 -h fe80::211:22ff:fe02:1d01"

(It works on IPv4 only)

Here are the exports:
/etc/exports:
/usr/portage        [fe80::/10](rw,sync,no_subtree_check,no_root_squash,anonuid=250,anongid=250)
/usr/portage        192.168.142.0/24(rw,sync,no_subtree_check,no_root_squash,anonuid=250,anongid=250)


Hints?

Regards,
HUjuice
_________________
Who hasn't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
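The post above shows the problem in raw netstat form: rpc.mountd, rpc.statd and one rpcbind socket are bound to the wildcard address (0.0.0.0 or ::), so they answer on eth0 too, while only the 127.0.0.1, ::1 and 192.168.142.1 sockets are where they should be. The following is an added example, not code from the thread or from nfs-utils: a small audit that reads `netstat -unap` output and reports every RPC UDP socket not bound to an address you pass as trusted. The sample input is the poster's own netstat listing, embedded so the script runs offline; the trusted addresses are taken from that listing.

```shell
#!/bin/sh
# Added example (not from the thread): given `netstat -unap` output, list the
# RPC UDP sockets that are reachable beyond the addresses we trust. A socket
# bound to 0.0.0.0 or :: answers on the public interface as well, which is the
# exposure the poster describes; only 127.0.0.1, ::1 and the LAN address are fine.

# The poster's netstat output, embedded as constructed sample input so this
# runs offline. Columns: Proto Recv-Q Send-Q Local Foreign PID/Program.
sample_netstat() {
    cat <<'EOF'
udp        0      0 127.0.0.1:647           0.0.0.0:*                           30575/rpc.statd
udp        0      0 0.0.0.0:45705           0.0.0.0:*                           30603/rpc.mountd
udp        0      0 0.0.0.0:34728           0.0.0.0:*                           30575/rpc.statd
udp        0      0 192.168.142.1:111       0.0.0.0:*                           30534/rpcbind
udp        0      0 127.0.0.1:111           0.0.0.0:*                           30534/rpcbind
udp        0      0 0.0.0.0:50646           0.0.0.0:*                           30603/rpc.mountd
udp        0      0 0.0.0.0:60915           0.0.0.0:*                           30603/rpc.mountd
udp        0      0 0.0.0.0:605             0.0.0.0:*                           30534/rpcbind
udp6       0      0 :::35552                :::*                                30603/rpc.mountd
udp6       0      0 ::1:111                 :::*                                30534/rpcbind
udp6       0      0 :::50438                :::*                                30603/rpc.mountd
udp6       0      0 :::57741                :::*                                30575/rpc.statd
udp6       0      0 :::38436                :::*                                30603/rpc.mountd
udp6       0      0 :::605                  :::*                                30534/rpcbind
EOF
}

# Usage: exposed_rpc_listeners ADDR... < netstat-output
# Prints "proto address port pid/program" for each rpc* UDP socket whose
# local address is not one of ADDR. The wildcards 0.0.0.0 and :: never equal
# an explicit address, so wildcard binds are always reported.
exposed_rpc_listeners() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^udp/ && $6 ~ /rpc/ {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            # ":::35552" gives addr "::", "::1:111" gives "::1", "0.0.0.0:605" gives "0.0.0.0"
            if (!(addr in ok)) print $1, addr, port, $6
        }'
}

# On the live host (net-tools installed) the same check is:
#   netstat -unap | exposed_rpc_listeners 127.0.0.1 ::1 192.168.142.1
# An empty result means every RPC listener is pinned to a trusted address.
sample_netstat | exposed_rpc_listeners 127.0.0.1 ::1 192.168.142.1
```

Run against the posted listing, the check reports ten sockets: the five IPv4 and five IPv6 wildcard binds, including rpcbind's port 605 on both families, which `rpcbind -h` does not restrict. Anything the check reports is what a firewall rule or a fixed-port configuration still has to cover.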
krinn
Watchman
Joined: 02 May 2003
Posts: 7470

PostPosted: Sat Nov 21, 2015 9:32 am    Post subject:

NFS uses tcpd, so if you want:

- limit NFS to your network only (I assume you have, and you should, set up hosts.deny with ALL:ALL):
/etc/hosts.allow with nfsd: LOCAL

- limit NFS to one of your networks (two cards, each card owning its own network, 192.168.0.* and 192.168.1.*):
/etc/hosts.allow nfsd: LOCAL 192.168.0.*

- limit NFS to any of your networks, but not 192.168.1.*:
/etc/hosts.allow nfsd: LOCAL EXCEPT 192.168.1.*

- limit NFS to a range from your network:
/etc/hosts.allow nfsd: (a long list of the IPs you wish to be able to use the service), or from exports limited to these IPs

- limit some shares only to some hosts:
that's something you should set in your exports, to only allow some shares to be accessed from some hosts.

Do that for any service: nfsd, rpcbind...
hujuice
Guru
Joined: 16 Oct 2007
Posts: 336
Location: Rome, Italy

PostPosted: Sat Nov 21, 2015 5:17 pm    Post subject:

krinn wrote:
NFS uses tcpd, so if you want:

man rpc.mountd:
You can protect your rpc.mountd listeners using the tcp_wrapper library or iptables(8).
Note that the tcp_wrapper library supports only IPv4 networking

So, the iptables/netfilter solution is THE solution, since I have IPv6. Maybe I'm paranoid?

Thanks anyway, krinn.
HUjuice
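The conclusion in the post above is that netfilter is the only option that covers both families, but the netstat listing shows why a firewall rule alone is not enough: rpc.mountd and rpc.statd pick a fresh random port at every start, so there is nothing stable to match on. The usual fix is to pin those ports first and then open them only on the LAN interface. The following is an added example, not configuration from the thread or from Gentoo's nfs-utils package: it prints the fixed-port settings and generates an iptables-restore/ip6tables-restore fragment for the poster's two source ranges. The interface name eth1, the chosen port numbers, and the /etc/conf.d/nfs variable names are assumptions; check them against the nfs-utils version actually installed.

```shell
#!/bin/sh
# Added example (not from the thread): pin the dynamic RPC ports, then build
# iptables/ip6tables rules that admit them only on the LAN interface, from the
# two source ranges used in the poster's /etc/exports, and drop them elsewhere.
# Interface name and fixed port numbers are assumptions; adjust before use.

LAN_IF="${LAN_IF:-eth1}"                  # assumed private interface
LAN_V4="${LAN_V4:-192.168.142.0/24}"      # from the posted /etc/exports
LAN_V6="${LAN_V6:-fe80::/10}"             # from the posted /etc/exports

# 111 = rpcbind, 2049 = nfsd (the only port NFSv4 needs); the rest are the
# values chosen here for the NFSv3 helpers that otherwise bind a random port.
MOUNTD_PORT=32767; STATD_PORT=32765; STATD_OUT=32766; LOCKD_PORT=32768
RPC_PORTS="111 2049 $MOUNTD_PORT $STATD_PORT $STATD_OUT $LOCKD_PORT"

# Print the settings that make the ports static (assumed Gentoo variable
# names; lockd lives in the kernel, so its ports are sysctls). Without this,
# no firewall rule can target mountd/statd/lockd, because the ports move.
nfs_fixed_port_config() {
    cat <<EOF
# /etc/conf.d/nfs
OPTS_RPC_MOUNTD="-p $MOUNTD_PORT"
OPTS_RPC_STATD="-p $STATD_PORT -o $STATD_OUT"
# /etc/sysctl.d/nfs.conf
fs.nfs.nlm_udpport = $LOCKD_PORT
fs.nfs.nlm_tcpport = $LOCKD_PORT
EOF
}

# Emit *-restore text for one address family, e.g.
#   rpc_rules 4 | iptables-restore -n      (-n: keep existing tables)
#   rpc_rules 6 | ip6tables-restore -n
# ACCEPT only when the packet arrives on LAN_IF from the LAN range; an
# unconditional DROP for the same ports follows, so the public interface
# (and a forged LAN source arriving on it) is closed.
rpc_rules() {
    case "$1" in
        4) src="$LAN_V4" ;;
        6) src="$LAN_V6" ;;
        *) echo "usage: rpc_rules 4|6" >&2; return 1 ;;
    esac
    echo '*filter'
    for port in $RPC_PORTS; do
        for proto in tcp udp; do
            printf '%s\n' "-A INPUT -i $LAN_IF -s $src -p $proto --dport $port -j ACCEPT"
        done
    done
    for port in $RPC_PORTS; do
        for proto in tcp udp; do
            printf '%s\n' "-A INPUT -p $proto --dport $port -j DROP"
        done
    done
    echo 'COMMIT'
}

# Self-check: every ACCEPT must name LAN_IF, and every port in RPC_PORTS
# must end in a DROP. Returns non-zero if either invariant is violated.
rules_ok() {
    rpc_rules "$1" | awk -v lanif="$LAN_IF" -v ports="$RPC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /-j ACCEPT/ && index($0, "-i " lanif " ") == 0 { bad++ }
        /-j DROP/ { for (i = 1; i <= NF; i++) if ($i == "--dport") delete want[$(i+1)] }
        END { for (k in want) bad++; exit (bad > 0) }'
}

nfs_fixed_port_config
rpc_rules 4
rpc_rules 6
```

Two caveats when merging this into a real ruleset: the fragment appends to INPUT, so an earlier blanket rule such as an unconditional ACCEPT on the LAN interface or a stateful RELATED,ESTABLISHED rule is evaluated first and may override the DROP; and the fixed-port settings only take effect after the NFS services are restarted, which is the moment to rerun the netstat check.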
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3134

PostPosted: Sat Nov 21, 2015 5:34 pm    Post subject:

I'd rather keep iptables rules than host.accept and host.deny, so I can have all my traffic filtering done in one place and I don't have to look for it and scratch my head thinking "where the hell would I put it?" whenever I change something. Or whenever I want to change something.
krinn
Watchman
Joined: 02 May 2003
Posts: 7470

PostPosted: Mon Nov 23, 2015 4:53 am    Post subject:

hujuice wrote:
Note that the tcp_wrapper library supports only IPv4 networking

I fail to see any value in IPv6 for a local network.
IPv6 was made because IPv4 limits the number of hosts on the internet, and the internet is so big...
But seriously, how many local networks would reach the limit of the IPv4 (local) host count?

I didn't check whether IPv6 has increased the number of hosts for local networking (so that IPv6 has a local network IP range that IPv4 doesn't have), but what I'm mostly sure of is that the limit on the local number of hosts for IPv4 could only be reached by something not only huge, but totally crazy (something I think only Google or the NSA on earth may have reached; I even doubt they have, but if anyone has, it must be Google or the NSA).

Of course iptables can do the job, but unlike szatox, I prefer iptables handling internet filtering, and keep my local filter out of iptables to reduce noise, keeping only iptables rules for the internet (that is the most important).
iptables should be used on the host that is the DMZ of your network; all other hosts have no real use for iptables as a firewall, except to use it to add some weird local network limit.
hujuice
Guru
Joined: 16 Oct 2007
Posts: 336
Location: Rome, Italy

PostPosted: Mon Nov 23, 2015 1:26 pm    Post subject:

krinn wrote:
I prefer iptables handling internet filtering, and keep my local filter out of iptables to reduce noise, keeping only iptables rules for the internet (that is the most important).
iptables should be used on the host that is the DMZ of your network; all other hosts have no real use for iptables as a firewall, except to use it to add some weird local network limit.

I agree about iptables; that's why iptables comes later for me. But what I wanted to do is to connect two DMZ hosts.

IPv6 has the link-local scope, which appears interesting to me for security (I'm not an expert; I'm using IPv6 for the first time).
I understood that link-scope addresses are definitely not routable.

The real scenario is not much more than an exercise. I have two VPSs in the same infrastructure.
Since I want to connect them (the provider gave me two "physically" linked interfaces), what I want to do is share a filesystem between them via NFS. Except for this and some minor needs, the hosts are intended to be public.

So:
1) I have those "LAN" interfaces on both hosts.
2) I have that "private" address, given by the provider.
3) I understood that they are not routable, so more secure (?).
4) I want to share a filesystem via NFS.

I can configure the "LAN" with IPv4 or IPv6, but I cannot tell the NFS stack «don't use the IPv6 public address».
Obviously, I can also remove IPv6 support from NFS and leave the management to IPv4/tcpd.
But the two hosts are development, personal hosts, not production.
So, my knowledge matters more than the real security.

Thanks to all,
HUjuice