Hi all, I'm trying to configure my firewall in order to be able to mount a remote NFS exported directory.
AFAIK I must open port 111 tcp/udp (portmap). rpcinfo confirms it:

# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Well, so I set the following rules in my firewall:

-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT

and restart my firewall. (I use the same rules for other ports: ssh, smtp...)

Well, I'm not able to mount the directory, and I see this in the logs:

UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=111 DPT=822 LEN=36

and this log comes from the following rules:

-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT

which are at the bottom of all the rules... I don't understand what happens, because I can telnet to port 111 and get a response. And I have portmap on that port:

# netstat -putan | grep 111
tcp  0  0 0.0.0.0:111  0.0.0.0:*  LISTEN  10028/portmap
udp  0  0 0.0.0.0:111  0.0.0.0:*          10028/portmap

I do the mount:

lx-arnau ~ # mount -t nfs hostname:/export/media /mnt/musica/
mount: RPC: Program not registered

Got the error... but:

lx-arnau ~ # netstat -putan | grep 111
tcp  0  0 0.0.0.0:111   0.0.0.0:*       LISTEN     10028/portmap
tcp  0  0 my_IP:60394   nfs_server:111  TIME_WAIT  -
udp  0  0 0.0.0.0:111   0.0.0.0:*                  10028/portmap

... If I disable the firewall, I can mount with no problem... what am I missing?

Thanks in advance.

--
Arnau Bria
http://blog.emergetux.net
"Flanders, there's no point in praying: I just did it myself and we can't both win." ~Homer J. Simpson~
--
gentoo-user@gentoo.org mailing list
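As an added, editorial example (not code from the poster or from the gentoo-user list), the script below parses the netfilter LOG line quoted in the post and walks it through a simplified model of the INPUT chain the post describes. The logged packet has SPT=111 and DPT=822: it is the remote portmapper's reply to the mount client's own outbound query, so a rule keyed on --dport 111 never matches it and it falls through to the --dport 0:1023 REJECT rule. The second chain in the script, with a connection-tracking rule placed first (the equivalent of '-m state --state ESTABLISHED,RELATED -j ACCEPT'), is an assumption added here for illustration and is not part of the original post; the outbound flow tuple and the shortened log line are constructed sample input.

```python
import re

# Constructed sample: the shape of the netfilter LOG line quoted in the post
# (addresses and ports as in the post).
LOG_LINE = (
    "UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 "
    "SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF "
    "PROTO=UDP SPT=111 DPT=822 LEN=36"
)


def parse_nflog(line):
    """Turn a netfilter LOG line into a dict of its KEY=VALUE fields.

    The free-text --log-prefix is kept under 'prefix'. Bare flags such as DF
    are ignored; a repeated key (LEN appears once for IP and once for UDP)
    keeps the last value, i.e. the UDP length.
    """
    prefix, sep, rest = line.partition("IN=")
    fields = dict(re.findall(r"(\w+)=(\S*)", sep + rest))
    fields["prefix"] = prefix.strip()
    return fields


def packet_from_log(line):
    """Reduce a parsed log line to the 5-tuple a firewall rule looks at."""
    f = parse_nflog(line)
    return {
        "proto": f["PROTO"].lower(),
        "src": f["SRC"], "sport": int(f["SPT"]),
        "dst": f["DST"], "dport": int(f["DPT"]),
    }


# Simplified model of the INPUT chain from the post: stateless rules keyed on
# protocol and destination port, evaluated top to bottom, first match wins.
# The LOG rules are left out because they never terminate evaluation.
POSTED_INPUT_CHAIN = [
    {"proto": "tcp", "dport": (111, 111), "target": "ACCEPT"},
    {"proto": "udp", "dport": (111, 111), "target": "ACCEPT"},
    {"proto": "udp", "dport": (0, 1023), "target": "REJECT"},
]

# Hypothetical chain (assumption, not from the post): a conntrack rule
# equivalent to '-m state --state ESTABLISHED,RELATED -j ACCEPT' placed first.
STATEFUL_INPUT_CHAIN = [{"state": "ESTABLISHED", "target": "ACCEPT"}] + POSTED_INPUT_CHAIN


def is_reply(pkt, outbound_flows):
    """Conntrack approximation: the packet is ESTABLISHED if the reverse
    5-tuple (proto, src, sport, dst, dport) was seen leaving this host."""
    reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return reverse in outbound_flows


def evaluate(pkt, chain, outbound_flows=frozenset(), policy="DROP"):
    """Return the target of the first matching rule, or the chain policy."""
    for rule in chain:
        if "state" in rule:
            if rule["state"] == "ESTABLISHED" and is_reply(pkt, outbound_flows):
                return rule["target"]
            continue
        lo, hi = rule["dport"]
        if rule["proto"] == pkt["proto"] and lo <= pkt["dport"] <= hi:
            return rule["target"]
    return policy


def explain(line, outbound_flows):
    """Parse one LOG line and report what each modelled chain does with it."""
    pkt = packet_from_log(line)
    return {
        "packet": pkt,
        "posted_chain": evaluate(pkt, POSTED_INPUT_CHAIN, outbound_flows),
        "stateful_chain": evaluate(pkt, STATEFUL_INPUT_CHAIN, outbound_flows),
    }


if __name__ == "__main__":
    # Constructed outbound flow: the mount client's portmapper query, sent from
    # a privileged local port (822 in the post's log) to port 111 on the server.
    flows = {("udp", "193.146.196.198", 822, "193.146.196.234", 111)}
    for key, value in explain(LOG_LINE, flows).items():
        print(f"{key}: {value}")
```

Running it shows the posted chain reaching REJECT for the reply while the stateful chain accepts it; without the matching outbound flow (no prior query from this host), the stateful chain still rejects the packet, which is the property a connection-tracking rule gives you over simply opening --sport 111.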