Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
nfs, ssh, and iptables
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
The Doctor
Moderator
Moderator


Joined: 27 Jul 2010
Posts: 2546

PostPosted: Sat Aug 23, 2014 1:26 am    Post subject: nfs, ssh, and iptables Reply with quote

I'm trying to turn my old computer into a file server. So far, it seems mostly successful, with a few major exeptions:
    ssh isn't using public keys authentication
    the firewall blocks ssh traffic
    the firewall blocks nfs traffic


I would also like the system to fail gracefully if the server isn't online since this will probably be most of the time. Is there a simple way to accomplish this? Waiting for netmount to fail took about 2 minutes.

My ssh config on the server
Code:
X11Forwarding yes
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
#HostbasedAuthentication no
#PasswordAuthentication no
#PermitEmptyPasswords no
AllowGroups wheel admin
SyslogFacility AUTH
LogLevel INFO
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*


My firewall basically drops everything except what is allowed. I added these lines to allow ssh
Code:
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
The complete script I use to configure iptables (shamelessly coped from the forums and slightly modified)

Looking at F12 it looks like the catchall FIREWALL is blocking it.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5592

PostPosted: Sat Aug 23, 2014 2:42 am    Post subject: Reply with quote

For netmount, you could have a cron @reboot job or /etc/local.d/ script start the service manually, which then wouldn't block other initscripts from starting up.
Back to top
View user's profile Send private message
The Doctor
Moderator
Moderator


Joined: 27 Jul 2010
Posts: 2546

PostPosted: Sat Aug 23, 2014 3:32 am    Post subject: Reply with quote

Thanks for the idea.

Unfortunately, it doesn't work in practice. :cry:
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Sat Aug 23, 2014 8:26 am    Post subject: Reply with quote

For ssh to use publik key authentication you jst need to
1) generate a pair of keys (using ssh-keygen)
2) apped public key to ~/.ssh/authorized_keys (this part happens at server site, in $HOME of user you want to login as)

NFS is rather hard to get to work through a firewall since it choses random port for data transfer. At least it used to be this way. However, if you consider your network secure enough for NFS, you might consider more permissive rules. E.g. accept everything that comes from your LAN and block everything that comes from the world (unless you asked for it -> conntrack handles this well). You usualy don't want to expose your NFS to the outside world anyway
Back to top
View user's profile Send private message
py-ro
Veteran
Veteran


Joined: 24 Sep 2002
Posts: 1733
Location: St. Wendel

PostPosted: Sat Aug 23, 2014 10:20 am    Post subject: Reply with quote

Or use nfs >= Version 4, only one TCP Port, no Portmap.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13498

PostPosted: Sat Aug 23, 2014 4:03 pm    Post subject: Reply with quote

I hope that script is only a reference for how you configured it. You should never use a script that runs iptables repeatedly if you want to wipe and load an entire set of rules. Instead, use iptables-restore to load the rules as a single operation. Since you do not set -e, your script will blow past any failures and leave you with a misconfigured firewall if any of the commands fail.

http://pastebin.com/yaMh8nHH:
iptables -A ICMP -j DROP
Why do you lump ICMP echo request in with state notification messages like host unreachable?

http://pastebin.com/yaMh8nHH:
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOOPSPOOF
This is handled automatically if you have reverse path filtering enabled.

http://pastebin.com/yaMh8nHH:
iptables -A INPUT -f -j BOGUS
Fragments are not always bogus. Why are you dropping them?

http://pastebin.com/yaMh8nHH:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Did you intend to offer ssh service to the world?

http://pastebin.com/yaMh8nHH:
iptables -A OUTPUT -p icmp -j ICMP
This is just wrong.

http://pastebin.com/yaMh8nHH:
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
Repeating the rule does not increase its effect.
Back to top
View user's profile Send private message
The Doctor
Moderator
Moderator


Joined: 27 Jul 2010
Posts: 2546

PostPosted: Sat Aug 23, 2014 5:58 pm    Post subject: Reply with quote

Thanks for the replies.

@szatox.
I do have the keys properly set up. Currently, aurthorized_keys is identical to my public key. This is partly why I'm finding the ssh problem to be so puzzling. As far as I can tell, it should be working with my configuration, but it isn't.

@Hu,

Yes, the script is purely for initial configuration and memory. Once the rules are set the iptables runscript takes care of the rest.

Thanks for the set -e. I was completely unaware that it existed.

I'm afraid I don't have any good answers to the whys of the firewall. I have never been able to really get my head around iptables, so I end up 'borrowing' configurations that other people use. Part of the problem is that there doesn't seem to be an good documentation on the subject. About the only source I found is the Arch wiki. Does this look better? It seems to work perfectly as it allows both nfs and ssh.

As for offering ssh, I don't particularly mind if it is open on the local network since the router doesn't forward ssh.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13498

PostPosted: Sat Aug 23, 2014 10:04 pm    Post subject: Reply with quote

That looks better. You now accept effectively all unsolicited inbound connection attempts on TCP and UDP. This is fine for systems that are meant to be public access or are meant to be protected by some other firewall. It may be undesirable if you want to restrict offered services and have no other device handling that job for you.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum