Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED]added iptables to nfs server: can't mount anymore
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
jody
Guru
Guru


Joined: 16 Oct 2007
Posts: 509
Location: Switzerland

PostPosted: Mon Apr 25, 2016 4:19 pm    Post subject: [SOLVED]added iptables to nfs server: can't mount anymore Reply with quote

Hi

After adding iptables to my nfs server (hoping to make it safer), i can't mount networdrives from there anymore.
Currently, the iptables for the nfs server look like this:
Code:
 $ sudo iptables -L
Password:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:1947
DROP       tcp  --  anywhere             anywhere             tcp dpt:5357
DROP       tcp  --  anywhere             anywhere             tcp dpt:34909
DROP       tcp  --  anywhere             anywhere             tcp dpt:45222
DROP       tcp  --  anywhere             anywhere             tcp dpt:45365
DROP       tcp  --  anywhere             anywhere             tcp dpt:49156
DROP       tcp  --  anywhere             anywhere             tcp dpt:51864
DROP       tcp  --  anywhere             anywhere             tcp dpt:56418
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nfs
ACCEPT     tcp  --  net-XXXXX  anywhere             state NEW multiport dports sunrpc,892,nfs,32803
ACCEPT     udp  --  net-XXXXX anywhere             state NEW multiport dports sunrpc,892,nfs,32769
ACCEPT     tcp  --  net-XXXXX  anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     udp  --  net-XXXXX  anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     tcp  --  net-YYYYY  anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     udp  --  net-YYYYY anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:875
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:875
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:662
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:662
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8090
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

(XXXXX and YYYYY are two IP ranges; my client machine's IP address is in the range XXXXX)
As far as i can tell, Port 2049 (nfs) is open on the nfsserver; i get a connection when i use telnet:
Code:
 $ telnet nfsserver 2049
Trying XXX.XXX.XXX.XXX...
Connected to nfsserver.
Escape character is '^]'.

When i do a 'sudo mount -v -t nfs nfsserver:/data/jw_simulations localdata/' on the client machine, i get
Code:
mount.nfs: timeout set for Mon Apr 25 18:10:25 2016
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=YYY.YYY.YYY.YYY'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=XXX.XXX.XXX.XXX'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot UDP port 33098
mount.nfs: portmap query retrying: RPC: Unable to receive - No route to host
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot TCP port 45637
mount.nfs: portmap query failed: RPC: Remote system error - No route to host
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=YYY.YYY.YYY.YYY'
...

(this block of output is repeated 'endlessly')

I have the same services running on the nfsserver as before (when mounting worked before i added the iptables):
Code:
 $ /etc/init.d/nfs status
 * status: started
 $ /etc/init.d/rpcbind status       
 * status: started
 $ /etc/init.d/rpc.statd status
 * status: started


Any ideas what might be the problem here?

Thank You
jody


Last edited by jody on Tue Apr 26, 2016 4:14 pm; edited 1 time in total
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Mon Apr 25, 2016 5:24 pm    Post subject: Reply with quote

Well, you clearly have made it safer.

Which NFS version do you use? AFAIR NFS3 uses random ports. No idea about NFS4.
Have you tried sniffing network traffic at either of those machines? Perhaps it would let you spot a connection that doesn't get fully initiated.

Also, why set a rule like
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
when you can just set policy to reject?
Back to top
View user's profile Send private message
jody
Guru
Guru


Joined: 16 Oct 2007
Posts: 509
Location: Switzerland

PostPosted: Tue Apr 26, 2016 4:13 pm    Post subject: Reply with quote

By removing the rule
Code:
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

the remote drives could be mounted again.

I copied the rules for my nfs server from a different server with different OS - i must admit i don't know what this rule is for....
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum