I'm using an NFS root filesystem on a diskless system with Red Hat EL5, and see problems if iptables is enabled. I'm using NFS v3 over TCP when the problems happen, but switching to UDP causes everything to work. However, for various reasons, we'd like to continue using NFS over TCP. The iptables configuration is normal, except for adding ports 161 udp/tcp and 162 udp for SNMP monitoring.
The symptoms and analysis so far: Boot proceeds nicely until iptables starts, and then it hangs for 10-15 minutes trying to load the ip_conntrack_netbios_ns kernel module. If I force it to not load that module, by commenting it out of /etc/sysconfig/iptables-config, then the startup hangs on 'touch /var/lock/subsys/iptables', which is a file on the NFS server, since we're booting diskless.

Using ethereal on the NFS server (a RHELAS4u4 box) shows a lot of NFS traffic from client to server and back, until the moment that iptables starts, when an NFS GETATTR reply packet from server to client gets blocked by iptables with an ICMP 'host administratively prohibited' packet. This causes a very long sequence of NFS and TCP retransmissions, which finally stop when the iptables service is up, I assume. In any case, after a long hang, the boot completes.

So, my question is: does the iptables startup block all traffic for a while until the configuration is read and processed, modules loaded, etc.? If so, how does this square with a diskless client where the files are all on an NFS server, and how do I get around this problem without disabling iptables?

Thanks,
Chris

_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list
