IPTables +NFS

6 posts • Page 1 of 1
Post by silverchris » Sat Aug 18, 2007 5:41 pm

I have tried to set up IPTables to let NFS through. I have set all the ports NFS uses to be statically assigned and then let them through iptables, but I still get no connection through IPTables. It works fine with IPTables stopped.

Code:

server chris # rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    3   udp   4001  nlockmgr
    100021    4   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100021    3   tcp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100005    2   udp  32767  mountd
    100005    2   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd

Code:

server iptables # cat  /var/lib/iptables/rules-save 
# Generated by iptables-save v1.3.5 on Sat Aug 18 08:30:13 2007
*nat
:PREROUTING ACCEPT [297879:22726091]
:POSTROUTING ACCEPT [18739:1145168]
:OUTPUT ACCEPT [18739:1145168]
COMMIT
# Completed on Sat Aug 18 08:30:13 2007
# Generated by iptables-save v1.3.5 on Sat Aug 18 08:30:13 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [870518:198725392]
:SSHD - [0:0]
:blockhosts - [0:0]
:fail2ban-Pureftpd - [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j fail2ban-Pureftpd 
[18:806] -A INPUT -p tcp -m tcp --dport 21 -j fail2ban-Pureftpd 
[118:7344] -A INPUT -s 192.168.0.3 -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT 
[23619:7822306] -A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT 
[0:0] -A INPUT -i lo -p udp -m udp --dport 3306 -j ACCEPT 
[91798:5868120] -A INPUT -p tcp -m tcp --dport 22 -j SSHD 
[417:42034] -A INPUT -s 127.0.0.1 -j ACCEPT 
[0:0] -A INPUT -s 192.168.0.1 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT 
[0:0] -A INPUT -s 192.168.0.1 -i eth0 -p udp -m udp --dport 3306 -j ACCEPT 
[864617:919168655] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
[14:764] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
[1:60] -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT 
[844:49664] -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
[1549:85284] -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
[1911:114660] -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
[305909:24426575] -A INPUT -j REJECT --reject-with icmp-port-unreachable 
[0:0] -A INPUT -i lo -p tcp -m tcp --dport 25 -j ACCEPT 
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT 
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT 
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT 
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT 
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT 
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 4001 -j ACCEPT 
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 32764:32767 -j ACCEPT 
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 32764:32767 -j ACCEPT 
[10:488] -A SSHD -s 157.100.98.18 -p tcp -m tcp --dport 22 -j DROP 
[4:240] -A SSHD -s 192.168.0.133 -p tcp -m tcp --dport 22 -j DROP 
[13:580] -A SSHD -s 62.143.255.133 -p tcp -m tcp --dport 22 -j DROP 
[9:420] -A SSHD -s 210.7.71.117 -p tcp -m tcp --dport 22 -j DROP 
[18:806] -A fail2ban-Pureftpd -j RETURN 
[0:0] -A fail2ban-Pureftpd -j RETURN 
COMMIT
# Completed on Sat Aug 18 08:30:13 2007
As far as I know it should be working now?
Post by Irom » Sat Aug 18, 2007 7:36 pm

I don't know what's wrong, but I would just let iptables tell me with the log target.

For example instead of just DROP/REJECT use your own table:

Code:

# path to the iptables binary; set IPTABLES in the environment to override
IPTABLES=${IPTABLES:-/sbin/iptables}

${IPTABLES} -N M_REJECT

# log everything that gets dropped. The limit will avoid filling the logs, so not everything is logged!
${IPTABLES} -A M_REJECT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 2 --log-prefix "Firewall:  "

${IPTABLES} -A M_REJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -A M_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
# the rest
${IPTABLES} -A M_REJECT -j DROP
Then look in /var/log/messages to see if there are packets that get rejected but shouldn't be.

Also you seem to have ACCEPT as default policy for INPUT, FORWARD and OUTPUT. It's better to drop everything by default and only whitelist everything that should go through. This way you are on the safe side if you misconfigure something.

[edit: removed misleading comment from code]
Last edited by Irom on Sat Aug 18, 2007 10:30 pm, edited 1 time in total.
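To act on Irom's suggestion, here is an added example (not code from the thread) that parses the LOG-target lines the M_REJECT chain writes to /var/log/messages and counts the rejected packets aimed at the NFS ports shown in the rpcinfo output above. The log lines are constructed samples, and the NFS_PORTS set is an assumption taken from that rpcinfo output.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the netfilter LOG target writes to
# /var/log/messages with the "Firewall:  " prefix from the M_REJECT chain;
# the last line is an unrelated message, to show that it is ignored.
SAMPLE_LOG = """\
Aug 18 21:30:01 server kernel: Firewall:  IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 21:30:02 server kernel: Firewall:  IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.2 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=111 LEN=100
Aug 18 21:30:03 server kernel: Firewall:  IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.2 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40003 DPT=32767 LEN=100
Aug 18 21:30:04 server kernel: Firewall:  IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=5555 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 21:30:05 server sshd[123]: Accepted publickey for chris from 192.168.0.3 port 50000
"""

# The LOG line is a run of KEY=value pairs; pick out only the fields we need.
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Ports the rpcinfo output in this thread shows NFS and its helpers using
# (assumed from that output; adjust to your own rpcinfo -p).
NFS_PORTS = {111, 2049, 4001, 32765, 32767}

def parse_firewall_log(text, prefix="Firewall:"):
    """Return (src, dst, proto, dpt) for every LOG line carrying the prefix."""
    events = []
    for line in text.splitlines():
        if prefix not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "DPT" not in fields:
            continue  # ICMP entries carry no ports; nothing to attribute
        events.append((fields.get("SRC"), fields.get("DST"),
                       fields.get("PROTO"), int(fields["DPT"])))
    return events

def rejected_nfs_summary(text, nfs_ports=NFS_PORTS):
    """Count rejected packets per (src, proto, dpt) for NFS-related ports only.
    A non-empty result means the firewall, not NFS itself, is turning clients away."""
    return Counter((src, proto, dpt)
                   for src, _dst, proto, dpt in parse_firewall_log(text)
                   if dpt in nfs_ports)

if __name__ == "__main__":
    for (src, proto, dpt), n in sorted(rejected_nfs_summary(SAMPLE_LOG).items()):
        print(f"{src:>15} {proto:<4} dpt={dpt:<6} rejected {n}x")
```

Run it against a real log with `rejected_nfs_summary(open("/var/log/messages").read())`; the 3306 hit from 10.9.8.7 is deliberately left out of the summary because it is not an NFS port.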
Post by silverchris » Sat Aug 18, 2007 8:51 pm

I will give that a try. I have heard that it is better to default to drop. I was going to try that after I get everything working, because causing my ssh to drop would make me have to find a keyboard and monitor for my server lol
Post by silverchris » Sat Aug 18, 2007 9:39 pm

Hmm, as soon as I added that to it and removed the line that said "[305909:24426575] -A INPUT -j REJECT --reject-with icmp-port-unreachable", it started working.
Here is what I have for my iptables now:

Code:

server chris # cat /var/lib/iptables/rules-save 
# Generated by iptables-save v1.3.5 on Sat Aug 18 12:25:43 2007
*nat
:PREROUTING ACCEPT [298394:22774966]
:POSTROUTING ACCEPT [18904:1155648]
:OUTPUT ACCEPT [18887:1154968]
COMMIT
# Completed on Sat Aug 18 12:25:43 2007
# Generated by iptables-save v1.3.5 on Sat Aug 18 12:25:43 2007
*filter
:INPUT DROP [69:8214]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [882172:202800467]
:M_REJECT - [0:0]
:SSHD - [0:0]
:blockhosts - [0:0]
:fail2ban-Pureftpd - [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j fail2ban-Pureftpd 
[18:806] -A INPUT -p tcp -m tcp --dport 21 -j fail2ban-Pureftpd 
[2568:159187] -A INPUT -s 192.168.0.3 -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT 
[24637:8170039] -A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT 
[0:0] -A INPUT -i lo -p udp -m udp --dport 3306 -j ACCEPT 
[95156:6102072] -A INPUT -p tcp -m tcp --dport 22 -j SSHD 
[417:42034] -A INPUT -s 127.0.0.1 -j ACCEPT 
[0:0] -A INPUT -s 192.168.0.1 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT 
[0:0] -A INPUT -s 192.168.0.1 -i eth0 -p udp -m udp --dport 3306 -j ACCEPT 
[869868:920278720] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
[16:884] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
[1:60] -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT 
[844:49664] -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
[1599:87848] -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
[1911:114660] -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
[0:0] -A INPUT -i lo -p tcp -m tcp --dport 25 -j ACCEPT 
[2:120] -A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT 
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT 
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT 
[1:160] -A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT 
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT 
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 4001 -j ACCEPT 
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 32764:32767 -j ACCEPT 
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 32764:32767 -j ACCEPT  
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 2401 -j ACCEPT 
[72:7905] -A INPUT -j M_REJECT
[29:3000] -A M_REJECT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Firewall:  " --log-level 2 
[32:1672] -A M_REJECT -p tcp -j REJECT --reject-with tcp-reset 
[98:11806] -A M_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable 
[30:2520] -A M_REJECT -j DROP 
[10:488] -A SSHD -s 157.100.98.18 -p tcp -m tcp --dport 22 -j DROP 
[4:240] -A SSHD -s 192.168.0.133 -p tcp -m tcp --dport 22 -j DROP 
[13:580] -A SSHD -s 62.143.255.133 -p tcp -m tcp --dport 22 -j DROP 
[9:420] -A SSHD -s 210.7.71.117 -p tcp -m tcp --dport 22 -j DROP 
[18:806] -A fail2ban-Pureftpd -j RETURN 
[0:0] -A fail2ban-Pureftpd -j RETURN 
COMMIT
# Completed on Sat Aug 18 12:25:43 2007
server chris # 
Post by Rob1n » Sat Aug 18, 2007 9:58 pm

Comparing the two rules sets, I think the problem in the first one is with the order the rules are applied - you're rejecting the packets before they reach the ACCEPT rules. You need to make sure that any global rejects are at the end of the rule set.
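An added example, not posted in the thread, that checks an iptables-save file for exactly this ordering problem: every rule that follows a catch-all REJECT or DROP in the same chain is reported as unreachable, and built-in chains left at policy ACCEPT are listed. The ruleset excerpt is constructed from the first post, and the function names are my own.

```python
import re

# Constructed excerpt of the first ruleset posted above (iptables-save format
# with [packets:bytes] counters): the catch-all REJECT precedes the NFS rules.
RULES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [870518:198725392]
[864617:919168655] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[14:764] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[305909:24426575] -A INPUT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^(?:\[\d+:\d+\]\s+)?-A\s+(\S+)\s+(.*)$")
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP)\s+\[")
TERMINATING = {"DROP", "REJECT"}  # built-in targets that end chain traversal
def parse_rules(text):
    """Yield (chain, match_options, target) for each -A line, in file order."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, rest = m.groups()
        parts = rest.split()
        if "-j" not in parts:
            continue  # a rule without a target only counts packets
        j = parts.index("-j")
        yield chain, " ".join(parts[:j]), parts[j + 1]

def find_shadowed_rules(text):
    """Rules that can never match because an earlier rule in the same chain has
    no match options and a terminating target (jumps to user chains not followed)."""
    catch_all = {}  # chain -> 1-based position of its catch-all rule
    findings = []
    for pos, (chain, opts, target) in enumerate(parse_rules(text), 1):
        if chain in catch_all:
            findings.append((chain, pos, catch_all[chain], opts, target))
        elif target in TERMINATING and opts == "":
            catch_all[chain] = pos
    return findings

def accept_policy_chains(text):
    """Built-in chains whose default policy is ACCEPT (Irom's second point above)."""
    return [m.group(1) for line in text.splitlines()
            if (m := POLICY_RE.match(line.strip())) and m.group(2) == "ACCEPT"]
```

Feed it `open("/var/lib/iptables/rules-save").read()`; on the first ruleset it reports both 2049 rules (and every later INPUT rule) as shadowed by the REJECT at position 3, which matches their [0:0] counters.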
Post by silverchris » Sat Aug 18, 2007 10:08 pm

That's probably it then. This is my first time using IPtables.
© 2001–2026 Gentoo Foundation, Inc.