Hello everyone,
I am setting up a new system for use as a testing/demo/trial-and-error system. I have installed CentOS 4.4 on it. There is not an X-environment, so I will need to fix this from the command line (via ssh access).
I am trying to do an nfs export from this box to another on my internal home network. I have figured out that it is a firewall issue on the CentOS box (I turn off the CentOS firewall and the mount works).
My problem is that I am not sure how to resolve this. I have not done any configuration with iptables before. In the file /etc/sysconfig/iptables are the lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
and there are not any deny lines above these. I think those lines were added when I ran system-config-securitylevel-tui. Those are the only lines that I can find that mention port 2049 or nfs.
Those lines look to me like they are for accepting incoming connections only. Is that correct?
What do I need to do so that I can do the nfs export out of this box? -- Doug
Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought: no maintenance: Impossible to fix.
My problem is that I am not sure how to resolve this. I have not done any configuration with iptables before. In the file /etc/sysconfig/iptables are the lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
and there are not any deny lines above these. I think those lines were added when I ran system-config-securitylevel-tui. Those are the only lines that I can find that mention port 2049 or nfs.
Those lines look to me like they are for accepting incoming connections only. Is that correct?
What do I need to do so that I can do the nfs export out of this box?
These lines accept NEW connections. If the connection lags/times out but does not start again as 'new', it may be blocked. You should consider just allowing 2049 from a particular subnet, without other constraints on the packets.
NFS is also a bit like ftp, and likes to play with random ports, which tend to make firewalls angry. You'll want something in /etc/sysconfig/nfs like the following:
STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
Obviously you'll need to salt this to taste, and ensure that ports 4000:4004 are open (in this example) as well in your firewall.
On Sat, 2006-09-30 at 20:18 -0400, Jim Perrin wrote:
In the file /etc/sysconfig/iptables are the lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
and there are not any deny lines above these. I think those lines were added when I ran system-config-securitylevel-tui. Those are the only lines that I can find that mention port 2049 or nfs.
These lines accept NEW connections. If the connection lags/times out but does not start again as 'new', it may be blocked. You should consider just allowing 2049 from a particular subnet, without other constraints on the packets.
NFS is also a bit like ftp, and likes to play with random ports, which tend to make firewalls angry. You'll want something in /etc/sysconfig/nfs like the following:
STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
Obviously you'll need to salt this to taste, and ensure that ports 4000:4004 are open (in this example) as well in your firewall.
Jim,
Thanks for the information.
Unfortunately, I tried this (and I thought I did it right) and I am still having the same firewall problem. Evidently, I am still doing something wrong. Since I haven't done this before, I am sure that I am missing something, but at this point, I am not sure what.
I added the /etc/sysconfig/nfs file with your lines (it wasn't there before). I changed the /etc/sysconfig/iptables to point to ports 4000:4004 instead of 2049 for both TCP and UDP. I left the rest of those lines, and everything else, in iptables the same.
After making the changes, I have restarted the nfs, nfslock and iptables services. I also did an exportfs -ra after making the changes.
Not sure what else to do at this point. -- Doug
Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought: QOTD: "When she hauled ass, it took three trips."
I added the /etc/sysconfig/nfs file with your lines (it wasn't there before). I changed the /etc/sysconfig/iptables to point to ports 4000:4004 instead of 2049 for both TCP and UDP. I left the rest of those lines, and everything else, in iptables the same.
You still need 2049 open for nfsd, and you need 111 open for portmap. These are in addition to the other ports.
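Putting Jim's two answers together (111 for portmap, 2049 for nfsd, and statd/lockd/mountd pinned to 4000:4004 in /etc/sysconfig/nfs), here is an added shell example that is not from the thread: it reads rpcinfo -p output and reports any RPC service still sitting on an unpinned port the firewall would block, then prints the matching RH-Firewall-1-INPUT rules for one trusted subnet. The sample rpcinfo output and the subnet 192.168.1.0/24 are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Jim's port plan: 111 (portmap),
# 2049 (nfsd), statd/lockd/mountd pinned to 4000-4004 in /etc/sysconfig/nfs.
ALLOWED_PORTS="111 2049"
PIN_LOW=4000
PIN_HIGH=4004

# Read `rpcinfo -p` output (passed as a string) and print "service port/proto"
# for each registered RPC service listening outside the allowed ports.
# Exit status 0 = everything covered, 1 = something the firewall would block.
check_rpc_ports() {
    printf '%s\n' "$1" | awk -v fixed="$ALLOWED_PORTS" -v lo="$PIN_LOW" -v hi="$PIN_HIGH" '
        BEGIN { n = split(fixed, f, " "); for (i = 1; i <= n; i++) ok[f[i]] = 1 }
        $1 == "program" || NF < 4 { next }      # skip header and blank lines
        {
            port = $4 + 0
            name = (NF >= 5) ? $5 : "unknown"   # older rpcinfo omits the name
            if (!($4 in ok) && (port < lo || port > hi)) {
                key = name " " port "/" $3
                if (!(key in seen)) { seen[key] = 1; print key; bad = 1 }
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Emit iptables rules for those ports from one trusted source subnet, in the
# RH-Firewall-1-INPUT style of /etc/sysconfig/iptables on CentOS 4. There is
# deliberately no "-m state --state NEW", so retried/lagging traffic also passes.
nfs_iptables_rules() {
    _src="$1"
    for _p in $ALLOWED_PORTS "$PIN_LOW:$PIN_HIGH"; do
        for _proto in tcp udp; do
            printf '%s\n' "-A RH-Firewall-1-INPUT -s $_src -p $_proto -m $_proto --dport $_p -j ACCEPT"
        done
    done
}

# Constructed sample: statd ("status") came up on a random port, i.e. the
# /etc/sysconfig/nfs pin did not take effect (for example nfslock not restarted).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   tcp   4002  mountd
    100021    1   udp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100024    1   udp  32768  status'
check_rpc_ports "$SAMPLE_RPCINFO" || echo "the services above need pinning or a firewall rule"
nfs_iptables_rules 192.168.1.0/24
```

On a live box, run check_rpc_ports "$(rpcinfo -p)" after restarting nfs, nfslock and portmap to confirm the pins took effect before touching the firewall.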
On Sun, 2006-10-01 at 16:54 -0400, Jim Perrin wrote:
I added the /etc/sysconfig/nfs file with your lines (it wasn't there before). I changed the /etc/sysconfig/iptables to point to ports 4000:4004 instead of 2049 for both TCP and UDP. I left the rest of those lines, and everything else, in iptables the same.
You still need 2049 open for nfsd, and you need 111 open for portmap. These are in addition to the other ports.
Thanks for your help Jim. That is what I needed. It works now.
Thanks again for all of your help. -- Doug
Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought: The nice thing about standards is that there are so many of them to choose from. -- Andrew S. Tanenbaum
Thanks for your help Jim. That is what I needed. It works now.
Thanks again for all of your help.
No problem. Keep in mind that NFS is amazingly insecure and should only be used on internal trusted networks. I personally would not use it outside a protected LAN, but if you feel inclined to do so, you're going to want to limit traffic to specific machines etc. and take other precautions based on the risk involved with nfs.
On Sun, 2006-10-01 at 20:30 -0400, Jim Perrin wrote:
No problem. Keep in mind that NFS is amazingly insecure and should only be used on internal trusted networks. I personally would not use it outside a protected LAN, but if you feel inclined to do so, you're going to want to limit traffic to specific machines etc. and take other precautions based on the risk involved with nfs.
Jim,
Thanks again for the additional information. Currently this is for a small internal network only. The entire network (and the systems inside of it) are all behind a firewall from the outside. I am also currently limiting the nfs export to a specific machine in my /etc/exports file.
Eventually, I will be trying to do nfs over ssh for a little more security, and if I want to take this to an outside network. I will also look into limiting access by subnet and/or machine addresses.
Thanks again for the info. -- Doug
Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought: One can never consent to creep when one feels an impulse to soar. -- Helen Keller
On Sat September 30 2006 19:57, Ski Dawg wrote:
My problem is that I am not sure how to resolve this. I have not done any configuration with iptables before. In the file /etc/sysconfig/iptables are the lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
First off, we would need to know what is in your /etc/sysconfig/iptables file. There could be many things that are killing this. Since it looks like you are doing stateful inspection, I would assume that there is a statement for ESTABLISHED,RELATED in there also. What are the default policies? Are you logging your firewall drops/rejects? Check the messages file to see if there are any clues in there. We need to know how it is set up completely so one command isn't killing another.
and there are not any deny lines above these. I think those lines were added when I ran system-config-securitylevel-tui. Those are the only lines that I can find that mention port 2049 or nfs.
Normally you would want your deny lines towards the bottom of your chains if you have any.
Those lines look to me like they are for accepting incoming connections only. Is that correct?
Yep.
What do I need to do so that I can do the nfs export out of this box?
Well, pastebin your firewall rules and post the URL here. That would be a start.