iptable in fc5

Christopher K. Johnson ckjohnson at gwi.net
Mon May 15 22:33:40 UTC 2006


Hongwei Li wrote:
> I tried:
> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> and for other ports 137,139 etc. Still the same: as long as the last line is
> there, nfs does not work.  Comment it out, problem is gone.
>   
NFS requires more than just port 2049.  In fact, by default those other 
ports are not fixed, which makes them a problem to firewall well.
You need to add an /etc/sysconfig/nfs file to specify the ports 
configured via nfs and nfslock services, and then you need iptables 
rules for all the nfs ports, and portmap.

Suggested contents of /etc/sysconfig/nfs:
----------------------------------------------------------------------------------------------------------------------------------
# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by original Fedora Core 2 init scripts.
# Updated 4-16-2005 by Christopher K. Johnson for Fedora Core 3 init scripts.

# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=

STATD_PORT=4000
STATD_OUTGOING_PORT=4004

LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001

MOUNTD_PORT=4002
#MOUNTD_NFS_V2=no
#MOUNTD_NFS_V3=no

RQUOTAD_PORT=4003
#RQUOTAD=no
----------------------------------------------------------------------------------------------------------------------------------


Suggested /etc/sysconfig/iptables addition:
----------------------------------------------------------------------------------------------------------------------------------
#
# Permit NFS access sample
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
#
----------------------------------------------------------------------------------------------------------------------------------
I place those lines below "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
and above "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"

With both of these in place then:
service nfs restart
service nfslock restart
service iptables restart

And that should do it.
Add -s arguments to the iptables rules if you want to restrict the IP addresses that can access the ports.

This configuration is tested on FC5.

Chris

-- 
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #804005699817957
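An added example, not code from the original post or from Fedora: a POSIX shell script that generates the RH-Firewall-1-INPUT rules from the port variables in an /etc/sysconfig/nfs-style file (plus portmap on 111 and nfs on 2049) and then checks a captured `rpcinfo -p` listing against that allow list. The point of the check is that a fixed-port setting that is not honoured does not produce an error; the daemon just registers on a random port and the final REJECT rule eats the traffic. The config and the rpcinfo output below are constructed for the example, with rquotad deliberately shown on an unpinned port; the variable names are the ones used in the post above.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the RH-Firewall-1-INPUT
# rules for the ports pinned in an /etc/sysconfig/nfs-style file (plus portmap on
# 111 and nfs on 2049) and checks a captured `rpcinfo -p` listing against that
# allow list, so an RPC service that registered on an unpinned port shows up
# instead of being silently dropped by the final REJECT rule.
# Both inputs below are constructed for the example.

# Constructed config in the shape of the /etc/sysconfig/nfs shown above.
SAMPLE_NFS_CONF='STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003'

# Constructed `rpcinfo -p` output. rquotad is deliberately shown on a random
# high port, which is what you see when the RQUOTAD_PORT setting is not honoured.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100011    1   udp  32768  rquotad'

# pinned_ports CONF: sorted unique listening ports from the config.
# STATD_OUTGOING_PORT is the source port statd uses for its own outbound calls,
# not a listener, so it needs no inbound hole and is skipped.
pinned_ports() {
    printf '%s\n' "$1" | awk -F= '
        /^(STATD_PORT|LOCKD_TCPPORT|LOCKD_UDPPORT|MOUNTD_PORT|RQUOTAD_PORT)=/ {
            sub(/[^0-9].*/, "", $2); print $2
        }' | sort -n -u
}

# nfs_rules CONF [SRC]: one NEW-state ACCEPT rule per port and protocol,
# restricted to the source network SRC when given (the -s argument the post
# mentions). One rule per port rather than a 4000:4003 range, so a port that
# is later moved in the config stays in step with the firewall.
nfs_rules() {
    if [ -n "$2" ]; then src="-s $2 "; else src=""; fi
    for port in 111 2049 $(pinned_ports "$1"); do
        for proto in tcp udp; do
            printf '%s\n' "-A RH-Firewall-1-INPUT ${src}-m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
        done
    done
}

# unpinned_rpc CONF RPCINFO: print "proto port program" for every registered
# RPC service that is not on 111, 2049 or a pinned port. Empty output means
# the ports the daemons actually bound match what the firewall permits.
unpinned_rpc() {
    allowed=" 111 2049 $(pinned_ports "$1" | tr '\n' ' ')"
    printf '%s\n' "$2" | awk -v allowed="$allowed" '
        NR > 1 && NF == 5 && index(allowed, " " $4 " ") == 0 { print $3, $4, $5 }'
}

# Stand-alone run: emit the rules for one subnet, then the mismatch report.
nfs_rules "$SAMPLE_NFS_CONF" 128.252.85.0/24
echo "# RPC services registered outside the permitted ports:"
unpinned_rpc "$SAMPLE_NFS_CONF" "$SAMPLE_RPCINFO"
```

On a real box, feed `"$(cat /etc/sysconfig/nfs)"` and `"$(rpcinfo -p)"` to the two functions after `service nfs restart` and `service nfslock restart`; anything unpinned_rpc prints is a port the REJECT rule will block, and is where to look when NFS "works without the last line" but not with it.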




More information about the fedora-list mailing list