Re: [gentoo-user] nfs and iptables
Hi,

I solved it by adding the following at the top of the rules:

-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p udp -j ACCEPT

From what I read, it allows my established connections to pass the filter without evaluating other rules.

Is this a correct config?

Thanks to all for your attention,

-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, there's no point praying: I just did it myself and we can't both win" ~Homer J. Simpson~
-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] nfs and iptables
On Fri, 23 Jun 2006 12:20:34 +0200 Rick van Hattem <[EMAIL PROTECTED]> wrote:

> On Friday 23 June 2006 11:04, Arnau Bria wrote:
> > Hi all,
> >
> > I'm trying to configure my firewall in order to be able to mount a
> > remote NFS exported directory.
> >
> Have a look at the gentoo-wiki :)
> http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS#Setting_Up_Firewall_.28Client_Side.29

Yes, I've read that howto. But, if you look at the bottom, it says:

"Setting up firewall on the client side is much much simpler. The only relevant port is 111 tcp/udp. This is the port for portmap, the only service required for client to run."

And that's what I'm trying to do, and where I'm having problems.

thanks!

-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, there's no point praying: I just did it myself and we can't both win" ~Homer J. Simpson~
Re: [gentoo-user] nfs and iptables
On Friday 23 June 2006 11:04, Arnau Bria wrote:
> Hi all,
>
> I'm trying to configure my firewall in order to be able to mount a
> remote NFS exported directory.
>
Have a look at the gentoo-wiki :)
http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS#Setting_Up_Firewall_.28Client_Side.29

-- 
Rick van Hattem
Rick.van.Hattem(at)Fawo.nl
Re: [gentoo-user] nfs and iptables
On Fri, 23 Jun 2006 12:38:13 +0300 (EEST) "Daniel Iliev" <[EMAIL PROTECTED]> wrote:

> On Fri, June 23, 2006 12:04 pm, Arnau Bria wrote:
> [...]
> My first guess is that you have another FW rule which matches those
> packets and drops them before they meet the rule you mention.
> You could try:
> -D INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
> -I INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT

Well, that was what I first thought, but this is my first rule:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             my_host_name        udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             my_host_name        tcp dpt:sunrpc

then the ssh rule, then the smtp rule, then the drop one I posted in the first mail.

ssh and smtp work fine, and I can telnet to 111!! That's really strange, because if I can telnet, it means I have my port open... so why, when I try to mount, is it blocked by a later rule?

thanks!

-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, there's no point praying: I just did it myself and we can't both win" ~Homer J. Simpson~
Re: [gentoo-user] nfs and iptables
On Fri, June 23, 2006 12:04 pm, Arnau Bria wrote:
>
> Well, so I set next rule in my firewall:
> -A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
> -A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
> -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
> -A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT

My first guess is that you have another FW rule which matches those packets and drops them before they meet the rule you mention.

You could try:

-D INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-I INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT

(drop the rule and insert it on top of all others)

-- 
Best regards,
Daniel
[gentoo-user] nfs and iptables
Hi all,

I'm trying to configure my firewall in order to be able to mount a remote NFS exported directory.

AFAIK I must open port 111 tcp/udp (portmap). rpcinfo confirms it:

# rpcinfo -p
   program vers proto   port
   102          tcp     111  portmapper
   102          udp     111  portmapper

Well, so I set the next rule in my firewall:

-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT

And restart my firewall. (I use the same rules for other ports: ssh, smtp...)

Well, I'm not able to mount the directory, and I see this in the logs:

UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=111 DPT=822 LEN=36

and this log comes from the next rule:

-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT

which is at the bottom of all rules...

I don't understand what happens, because I can telnet to port 111 and get a response. And I have portmap on that port:

#netstat -putan |grep 111
tcp   0   0 0.0.0.0:111   0.0.0.0:*   LISTEN   10028/portmap
udp   0   0 0.0.0.0:111   0.0.0.0:*            10028/portmap

I do the mount:

lx-arnau ~ # mount -t nfs hostname:/export/media /mnt/musica/
mount: RPC: Program not registered

Got the error... but:

lx-arnau ~ # netstat -putan |grep 111
tcp   0   0 0.0.0.0:111     0.0.0.0:*        LISTEN      10028/portmap
tcp   0   0 my_IP:60394     nfs_server:111   TIME_WAIT   -
udp   0   0 0.0.0.0:111     0.0.0.0:*                    10028/portmap

...

If I disable the firewall, I can mount with no problem... what am I missing?

Thanks in advance.
-- 
Arnau Bria
http://blog.emergetux.net
"Flanders, there's no point praying: I just did it myself and we can't both win" ~Homer J. Simpson~
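The logged packet in the original post (UDP, SPT=111, DPT=822) and the workaround posted at the top of this thread ("-A INPUT -p tcp ! --syn -j ACCEPT" followed by "-A INPUT -p udp -j ACCEPT") are easiest to reason about with a small first-match model of the INPUT chain. The following is an added example, not code from the thread, from Gentoo or from the wiki page linked above: it implements only the handful of iptables matches the thread uses, treats the conntrack state of each packet as an assumed input, and compares three chains: a reconstruction of the poster's original chain (policy ACCEPT, as in the `iptables -L` output quoted in the thread), the posted workaround, and an alternative that accepts only ESTABLISHED/RELATED traffic (what `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` expresses in real iptables; nobody in the thread suggested it). The reply packet is taken from the logged line; the unsolicited datagram is constructed.

```python
"""Added example (not from the gentoo-user thread): a tiny first-match
model of an iptables INPUT chain, covering only the matches this thread
uses (-p, --dport, --syn / ! --syn) plus an assumed conntrack state."""

from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False      # TCP SYN set, i.e. first packet of a connection
    ctstate: str = "NEW"   # what conntrack would report; assumed input here


@dataclass(frozen=True)
class Rule:
    target: str                                # ACCEPT, REJECT or LOG
    proto: Optional[str] = None                # -p tcp / -p udp
    dports: Optional[range] = None             # --dport a:b
    syn: Optional[bool] = None                 # --syn (True) or ! --syn (False)
    ctstates: Optional[FrozenSet[str]] = None  # -m conntrack --ctstate ...

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dports is None or p.dport in self.dports)
                and (self.syn is None or (p.proto == "tcp" and p.syn == self.syn))
                and (self.ctstates is None or p.ctstate in self.ctstates))


def evaluate(chain, packet: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom. LOG is non-terminating (the packet keeps
    going), ACCEPT/REJECT end evaluation, and the chain policy applies when
    nothing matched, just as in iptables."""
    for rule in chain:
        if rule.matches(packet) and rule.target != "LOG":
            return rule.target
    return policy


def port(n: int) -> range:
    return range(n, n + 1)


# Reconstruction of the poster's INPUT chain: portmap (tcp+udp 111), ssh,
# smtp, then the "UDP privileged ports" LOG/REJECT pair at the bottom.
ORIGINAL = [
    Rule("ACCEPT", proto="udp", dports=port(111)),
    Rule("ACCEPT", proto="tcp", dports=port(111)),
    Rule("ACCEPT", proto="tcp", dports=port(22)),
    Rule("ACCEPT", proto="tcp", dports=port(25)),
    Rule("LOG",    proto="udp", dports=range(0, 1024)),
    Rule("REJECT", proto="udp", dports=range(0, 1024)),
]

# The workaround posted later in the thread, inserted at the top.
THREAD_FIX = [Rule("ACCEPT", proto="tcp", syn=False),
              Rule("ACCEPT", proto="udp")] + ORIGINAL

# Assumed alternative (not from the thread): accept only packets that
# conntrack ties to a flow this host started, then fall through as before.
STATEFUL = [Rule("ACCEPT", ctstates=frozenset({"ESTABLISHED", "RELATED"}))] + ORIGINAL

# From the log line in the original post: portmap's UDP reply (source port
# 111) returning to the client's privileged port 822.
PORTMAP_REPLY = Packet("udp", sport=111, dport=822, ctstate="ESTABLISHED")
# Constructed: an unsolicited UDP datagram aimed at a privileged port.
UNSOLICITED = Packet("udp", sport=40000, dport=512, ctstate="NEW")


def verdicts(chain) -> dict:
    """Verdict of a chain for the reply the poster needs and for an
    unsolicited datagram the bottom rules were meant to reject."""
    return {"portmap_reply": evaluate(chain, PORTMAP_REPLY),
            "unsolicited_udp": evaluate(chain, UNSOLICITED)}


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL),
                        ("thread workaround", THREAD_FIX),
                        ("stateful accept", STATEFUL)):
        print(f"{name:18s} {verdicts(chain)}")
```

The model reproduces the symptom: the poster's ACCEPT rules only match destination port 111, but the reply from portmap arrives with destination port 822, which lies inside the 0:1023 range of the REJECT rule at the bottom, so the TCP telnet test to port 111 succeeds while the UDP mount fails. The posted workaround makes the mount work, but a plain `-p udp -j ACCEPT` at the top means no UDP packet ever reaches the privileged-ports REJECT rule, so the model accepts the unsolicited datagram as well. The stateful variant accepts the reply because conntrack associates it with the query the host sent, and still rejects UDP that nothing on the host asked for.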