Hello all,
I have a server on my private network that is configured as an NIS server and mapped to a "public" IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network.
So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here?
Thanks.
Boris.
Boris Epstein wrote:
Hello all,
I have a server on my private network that is configured as an NIS server and mapped to a "public" IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network.
So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here?
Is it open to the correct destination in iptables?
mark
On Thu, May 31, 2012 at 5:08 PM, m.roth@5-cent.us wrote:
Boris Epstein wrote:
Hello all,
I have a server on my private network that is configured as an NIS server and mapped to a "public" IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network.
So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here?
Is it open to the correct destination in iptables?
mark
I believe so. Basically, iptables is set to forward any and all traffic arriving on an external public IP to the internal private one. For multiple ports it seems to work fine. I use the same approach to forward NFS mounts to a private NFS server on the same private network - and that works like a charm which actually makes it even more mysterious, IMO.
Boris.
On Thu, 31 May 2012, Boris Epstein wrote:
On Thu, May 31, 2012 at 5:08 PM, m.roth@5-cent.us wrote:
Boris Epstein wrote:
Hello all,
I have a server on my private network that is configured as an NIS server and mapped to a "public" IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network.
So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here?
Is it open to the correct destination in iptables?
I believe so. Basically, iptables is set to forward any and all traffic arriving on an external public IP to the internal private one. For multiple ports it seems to work fine. I use the same approach to forward NFS mounts to a private NFS server on the same private network - and that works like a charm which actually makes it even more mysterious, IMO.
I'll note that access to portmap can be manipulated via /etc/hosts.{allow,deny}, just in case that's an issue here.
On Thu, May 31, 2012 at 5:27 PM, Paul Heinlein heinlein@madboa.com wrote:
On Thu, 31 May 2012, Boris Epstein wrote:
On Thu, May 31, 2012 at 5:08 PM, m.roth@5-cent.us wrote:
Boris Epstein wrote:
Hello all,
I have a server on my private network that is configured as an NIS server and mapped to a "public" IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network.
So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here?
Is it open to the correct destination in iptables?
I believe so. Basically, iptables is set to forward any and all traffic arriving on an external public IP to the internal private one. For multiple ports it seems to work fine. I use the same approach to forward NFS mounts to a private NFS server on the same private network - and that works like a charm which actually makes it even more mysterious, IMO.
I'll note that access to portmap can be manipulated via /etc/hosts.{allow,deny}, just in case that's an issue here.
-- Paul Heinlein heinlein@madboa.com 45°38' N, 122°6' W _______________________________________________
Paul,
Thanks. I thought the same thing. I have two CentOS 6.2 machines, hosts.allow and hosts.deny are blank on both, both get redirected traffic via the firewall in the same fashion. Yet you can connect to one on port 111 (RPC mapper) from the outside but not to the other!
Boris.
-
Boris Epstein -
m.roth@5-cent.us -
Paul Heinlein