[CentOS] NFS and firewall issues

Tue May 16 12:45:34 UTC 2006
Craig White <craigwhite at azapple.com>

On Tue, 2006-05-16 at 14:34 +0200, Niki Kovacs wrote:
> Hi,
> I have a small home LAN, where one machine ( connects to the
> internet via dialup (no DSL here) and shares the connection with IP
> masquerading. To achieve this, I tried out various recipes found on the
> internet, and finally put this in /etc/rc.d/rc.local:
> --8<------ rc.local ------------
> #!/bin/sh
> #
> # This script will be executed *after* all the other init scripts.
> # You can put your own initialization stuff in here if you don't
> # want to do the full Sys V style init stuff.
> touch /var/lock/subsys/local
> # Setup IP Masquerading
> iptables -F; iptables -t nat -F; iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> # Secure it
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -P INPUT DROP
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
> --8<---------------------------
> I don't understand much about iptables. Documentation about it is on my TODO
> list (I'll keep it for after my death:oD).
> Now I have a problem. I fiddled a bit with NFS, and I had a firewall-related
> problem with it. In short, when iptables (the firewall) runs, I can't do an NFS
> mount. But as soon as I stop it (service iptables stop), NFS mounts are
> possible.
> Now what can I do to 1) go on sharing my ppp connection 2) be able to do NFS
> mounts while 3) still having a reasonably secure system?
I think that you should look at David Ranch's scripts for iptables...
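A rule set aimed at the three goals Niki lists, added here as an example; it is not from the thread, from Niki's rc.local, or from David Ranch's scripts. It keeps the ppp0 masquerade, defaults INPUT and FORWARD to DROP, and opens only the NFS ports to the LAN instead of every NEW connection on every non-ppp0 interface. It assumes the gateway is the NFS server, the LAN is 192.168.1.0/24 on eth0, and mountd, statd and lockd have been pinned to fixed ports (for example via /etc/sysconfig/nfs); the three helper port numbers are constructed, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: LAN is eth0 / 192.168.1.0/24,
# the dial-up link is ppp0, and mountd/statd/lockd are pinned to fixed ports so
# they can be filtered (unpinned, portmapper hands them random ports).
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-ppp0}"
MOUNTD_PORT=892; STATD_PORT=662; LOCKD_PORT=32803   # constructed values

# Ports an NFS mount needs: portmapper (111), nfsd (2049), plus the pinned helpers.
nfs_ports() { printf '111 2049 %s %s %s\n' "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT"; }

flush_rules() {
    "$IPT" -F; "$IPT" -t nat -F; "$IPT" -t mangle -F
}

masquerade_rules() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Forward only LAN -> dial-up and the replies; nothing else, so no ppp0 -> ppp0.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -P FORWARD DROP
}

input_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NFS from the LAN only, on the LAN interface only (both tcp and udp).
    for p in $(nfs_ports); do
        for proto in tcp udp; do
            "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport "$p" \
                -m state --state NEW -j ACCEPT
        done
    done
    "$IPT" -P INPUT DROP
}

apply_all() { flush_rules; masquerade_rules; input_rules; }

# Only touch the live firewall when explicitly asked:  sh nfs-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Any other service the LAN uses on the gateway (ssh, for instance) needs its own ACCEPT line, since the thread's single "NEW from anything but ppp0" rule is gone. On CentOS, `service iptables restart` reloads /etc/sysconfig/iptables and discards rules added from rc.local, so run `service iptables save` after applying if the rules should survive that.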