jody l33t
Joined: 16 Oct 2007 Posts: 668 Location: Switzerland
Posted: Mon Apr 25, 2016 4:19 pm Post subject: [SOLVED]added iptables to nfs server: can't mount anymore |
Hi
After adding iptables to my nfs server (hoping to make it safer), I can't mount network drives from there anymore.
Currently, the iptables rules for the nfs server look like this:
Code:
$ sudo iptables -L
Password:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:1947
DROP tcp -- anywhere anywhere tcp dpt:5357
DROP tcp -- anywhere anywhere tcp dpt:34909
DROP tcp -- anywhere anywhere tcp dpt:45222
DROP tcp -- anywhere anywhere tcp dpt:45365
DROP tcp -- anywhere anywhere tcp dpt:49156
DROP tcp -- anywhere anywhere tcp dpt:51864
DROP tcp -- anywhere anywhere tcp dpt:56418
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:8000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- net-XXXXX anywhere state NEW multiport dports sunrpc,892,nfs,32803
ACCEPT udp -- net-XXXXX anywhere state NEW multiport dports sunrpc,892,nfs,32769
ACCEPT tcp -- net-XXXXX anywhere state NEW multiport dports ftp-data,ftp
ACCEPT udp -- net-XXXXX anywhere state NEW multiport dports ftp-data,ftp
ACCEPT tcp -- net-YYYYY anywhere state NEW multiport dports ftp-data,ftp
ACCEPT udp -- net-YYYYY anywhere state NEW multiport dports ftp-data,ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:875
ACCEPT udp -- anywhere anywhere state NEW udp dpt:875
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:662
ACCEPT udp -- anywhere anywhere state NEW udp dpt:662
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8090
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(XXXXX and YYYYY are two IP ranges; my client machine's IP address is in the range XXXXX)
As far as I can tell, port 2049 (nfs) is open on the nfsserver; I get a connection when I use telnet:
Code:
$ telnet nfsserver 2049
Trying XXX.XXX.XXX.XXX...
Connected to nfsserver.
Escape character is '^]'.
When I do a 'sudo mount -v -t nfs nfsserver:/data/jw_simulations localdata/' on the client machine, I get
Code:
mount.nfs: timeout set for Mon Apr 25 18:10:25 2016
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=YYY.YYY.YYY.YYY'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=XXX.XXX.XXX.XXX'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot UDP port 33098
mount.nfs: portmap query retrying: RPC: Unable to receive - No route to host
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot TCP port 45637
mount.nfs: portmap query failed: RPC: Remote system error - No route to host
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=YYY.YYY.YYY.YYY'
...
(this block of output is repeated 'endlessly')
I have the same services running on the nfsserver as before (when mounting worked, before I added the iptables rules):
Code:
$ /etc/init.d/nfs status
* status: started
$ /etc/init.d/rpcbind status
* status: started
$ /etc/init.d/rpc.statd status
* status: started
Any ideas what might be the problem here?
Thank You
jody
Last edited by jody on Tue Apr 26, 2016 4:14 pm; edited 1 time in total |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3137
Posted: Mon Apr 25, 2016 5:24 pm Post subject: |
Well, you clearly have made it safer.
Which NFS version do you use? AFAIR NFS3 uses random ports. No idea about NFS4.
Have you tried sniffing network traffic at either of those machines? Perhaps it would let you spot a connection that doesn't get fully initiated.
Also, why set a rule like
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
when you can just set policy to reject?
jody l33t
Joined: 16 Oct 2007 Posts: 668 Location: Switzerland
Posted: Tue Apr 26, 2016 4:13 pm Post subject: |
By removing the rule
Code:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
the remote drives could be mounted again.
I copied the rules for my nfs server from a different server with a different OS - I must admit I don't know what this rule is for....
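What the mount log in the first post and the fix in the last post add up to, as an added example that is not from the thread or its participants: the client reached nfsd (prog 100003) on TCP 2049, which the rules accept, but mountd (prog 100005) answered rpcbind's lookup with UDP 33098 and TCP 45637. No ACCEPT rule covers those ports (the list allows sunrpc, 892, nfs, 32803/32769, 875 and 662, the fixed ports of whatever server the rules were copied from), so the final REJECT answers with icmp-host-prohibited, which mount.nfs reports as "No route to host". Deleting that REJECT restores the mount, but it is also the rule that turned the chain into default-deny. The script below, written for this thread, parses constructed copies of both outputs (192.0.2.10 is a documentation address; the service-name mapping nfs=2049, sunrpc=111 is what iptables -L prints without -n) and reports which attempted endpoints fall through to the REJECT, then prints the rules that would close the gap while keeping it. CLIENT_NET is a placeholder for the client range (net-XXXXX in the thread). Such rules only stay valid if mountd is pinned to a fixed port (rpc.mountd -p PORT; on Gentoo via OPTS_RPC_MOUNTD in /etc/conf.d/nfs), otherwise rpcbind hands out new ports on the next restart.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the ports an NFS client actually
# tried against the ports a server's iptables INPUT chain accepts.
# All input below is constructed to mirror the thread; 192.0.2.10 is a documentation address.

# Constructed excerpt of the client's "mount -v -t nfs" debug output.
MOUNT_LOG='mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.0.2.10 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.0.2.10 prog 100005 vers 3 prot UDP port 33098
mount.nfs: portmap query retrying: RPC: Unable to receive - No route to host
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying 192.0.2.10 prog 100005 vers 3 prot TCP port 45637
mount.nfs: portmap query failed: RPC: Remote system error - No route to host'

# Constructed excerpt of the server's "iptables -L" INPUT chain (service names as -L prints them).
IPTABLES_LIST='ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- net-XXXXX anywhere state NEW multiport dports sunrpc,892,nfs,32803
ACCEPT udp -- net-XXXXX anywhere state NEW multiport dports sunrpc,892,nfs,32769
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:875
ACCEPT udp -- anywhere anywhere state NEW udp dpt:875
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# "proto port prog" for every endpoint mount.nfs tried (prog 100003 = nfsd, 100005 = mountd).
attempted_ports() {
    printf '%s\n' "$MOUNT_LOG" | awk '/ prog [0-9]+ vers [0-9]+ prot [A-Z]+ port [0-9]+/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "prot") proto = tolower($(i + 1))
            else if ($i == "port") port = $(i + 1)
            else if ($i == "prog") prog = $(i + 1)
        }
        print proto, port, prog
    }'
}

# "proto port" for every tcp/udp ACCEPT rule, expanding multiport lists and the
# two service names iptables -L resolves here (nfs -> 2049, sunrpc -> 111).
allowed_ports() {
    printf '%s\n' "$IPTABLES_LIST" | awk '
        function resolve(n) { if (n == "nfs") return 2049; if (n == "sunrpc") return 111; return n }
        $1 == "ACCEPT" && ($2 == "tcp" || $2 == "udp") {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) print $2, resolve(substr($i, 5))
                else if ($i == "dports") {
                    cnt = split($(i + 1), p, ",")
                    for (j = 1; j <= cnt; j++) print $2, resolve(p[j])
                }
            }
        }'
}

# Endpoints the client tried that no ACCEPT rule covers: these fall through to the final
# REJECT, whose icmp-host-prohibited the client reports as "No route to host".
missing_ports() {
    attempted_ports | while read -r proto port prog; do
        if ! allowed_ports | grep -qx "$proto $port"; then
            echo "$proto $port prog $prog"
        fi
    done
}

# Rules that close the gap without dropping the final REJECT. CLIENT_NET is a placeholder
# for the client range; the ports only stay valid if mountd is pinned to them (rpc.mountd -p PORT).
suggested_rules() {
    missing_ports | while read -r proto port _rest; do
        echo "iptables -I INPUT -s CLIENT_NET -p $proto -m state --state NEW --dport $port -j ACCEPT"
    done
}

echo "Attempted but not accepted:"
missing_ports
echo "Suggested rules (inserted ahead of the final REJECT):"
suggested_rules
```

Run on the real outputs, replace the two constructed strings with `mount -v` output from the client and `iptables -L` from the server; a rule set that needs no additions for a working mount is the one to keep, and the final REJECT (or szatox's suggestion of a restrictive policy) can stay in place.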