NFS through firewall problem

Tony Dietrich td at transoft.demon.co.uk
Thu Jan 6 00:20:53 UTC 2005


On Wednesday 05 Jan 2005 16:34, Damir Dezeljin wrote:
> Hi.
>
> I have two NAT-ed network segments. One is my internal network and one is
> a 'semi internal' network. Computers from the semi-internal network should
> have access only to the internet, while computers on the internal network
> should have access both to the internet and limited access to the
> semi-internal network (telnet, ssh, ftp, ..., NFS).
>
> I read that nfs4 is designed to work also beside firewalls. For this
> reason it uses only TCP port 2049. So I added a rule to my firewall:
> ----
> iptables -A FORWARD -s <in_net> -d <semi_net> -m state --state NEW -p tcp --dport 2049 -j ACCEPT
> ----
>
> I ran FC3 on both computers (on my semi-net - NFS server and on my
> internal net - NFS client). When I'm trying to mount an exported share
> with a command like:
> ----
> mount -t nfs4 <semi_net_ip>:/exports /mnt/semi_net
> ----
> I'm getting an error 'mount: Permission denied'.
>
> The same command executed on a NFS client on the semi_net works fine.
>
>
> BTW: computers on semi_net use only /etc/hosts files to resolve names
> from the internal net. Internal computers use the internal DNS server for
> this purpose. The names are correct ... the only difference is that IPs
> can be reverse resolved in the DNS (PTR records) while the /etc/hosts file
> doesn't contain PTR records (heh ... of course ;) ).
>
>
> Any suggestion how to solve the problem?
>
>
> Best regards,
> Dezo

I'm assuming you have two internal network ranges.

Sounds like you have an IP based permissions problem ... check your exports
file to make sure you are making the NFS export available to both network
segments.

Your iptables rule should work (I didn't test it) but it will still reveal the
originating IP to the NFS server.  If your export rules in /etc/exports don't
permit a client from the in_net segment to access the share, that's the
message I'd expect.
-- 
Tony Dietrich
-------------
Good night, Mrs. Calabash, wherever you are.
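The exports check Tony describes, as an added example that is not part of the list thread: a small parser for exports(5) lines that reports which options, if any, a given client address gets for an export. The two /etc/exports snippets and the 10.0.1.0/24 (in_net) and 10.0.2.0/24 (semi_net) subnets are constructed placeholders for the poster's networks.

```python
import ipaddress

# Constructed /etc/exports contents standing in for the NFS server's file.
# 10.0.2.0/24 plays the role of <semi_net>, 10.0.1.0/24 the role of <in_net>.
EXPORTS_BEFORE = """\
# only the semi-internal segment is listed, so in_net clients are refused
/exports 10.0.2.0/24(rw,sync,fsid=0)
"""
EXPORTS_AFTER = """\
/exports 10.0.2.0/24(rw,sync,fsid=0) 10.0.1.0/24(ro,sync)
"""

def parse_exports(text):
    """Return [(path, [(client_spec, [options])])] from exports(5) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for spec in fields[1:]:
            host, _, opts = spec.partition("(")
            clients.append((host, opts.rstrip(")").split(",") if opts else []))
        entries.append((path, clients))
    return entries

def client_matches(spec, client_ip):
    """True if one client spec (IP, CIDR, IP/netmask or '*') covers client_ip."""
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Hostname or wildcard-hostname specs need reverse DNS on the server,
        # which the poster's /etc/hosts-only hosts lack; treat as no match here.
        return False

def allowed_options(text, path, client_ip):
    """Options the first matching spec grants client_ip for path, or None if denied."""
    for exp_path, clients in parse_exports(text):
        if exp_path != path:
            continue
        for spec, opts in clients:
            if client_matches(spec, client_ip):
                return opts
    return None
```

With EXPORTS_BEFORE a client from 10.0.1.0/24 gets None, which matches the "Permission denied" the poster sees even though the firewall already forwards TCP/2049.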