iptable in fc5
Christopher K. Johnson
ckjohnson at gwi.net
Mon May 15 22:33:40 UTC 2006
Hongwei Li wrote:
> I tried:
> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> and for other ports 137,139 etc. Still the same: as long as the last line is
> there, nfs does not work. Comment it out, problem is gone.
>
NFS requires more than just port 2049. In fact, by default those other
ports are not fixed, which makes them a problem to firewall well.
You need to add an /etc/sysconfig/nfs file to specify the ports
configured via nfs and nfslock services, and then you need iptables
rules for all the nfs ports, and portmap.
Suggested contents of /etc/sysconfig/nfs:
----------------------------------------------------------------------------------------------------------------------------------
# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by original Fedora Core 2 init scripts.
# Updated 4-16-2005 by Christopher K. Johnson for Fedora Core 3 init scripts.
# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=
STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
#MOUNTD_NFS_V2=no
#MOUNTD_NFS_V3=no
RQUOTAD_PORT=4003
#RQUOTAD=no
----------------------------------------------------------------------------------------------------------------------------------
Suggested /etc/sysconfig/iptables addition:
----------------------------------------------------------------------------------------------------------------------------------
#
# Permit NFS access sample
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
#
----------------------------------------------------------------------------------------------------------------------------------
I place those lines below "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
and above "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited".
With both of these in place then:
service nfs restart
service nfslock restart
service iptables restart
And that should do it.
Add -s arguments to the iptables rules if you want to restrict the IP
addresses that can access the ports.
This configuration is tested on FC5.
Chris
--
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #804005699817957
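An added check, not part of Chris's post: this Python script parses `rpcinfo -p` output and the ACCEPT rules above and reports any RPC endpoint that NFS registered but the firewall does not admit, which is how to confirm the fixed ports in /etc/sysconfig/nfs actually took effect before trusting the rule set. The rpcinfo and rules text are constructed samples; the chain name RH-Firewall-1-INPUT and the port numbers come from the post.

```python
import re

# Constructed `rpcinfo -p` output as it should look once the fixed ports from
# /etc/sysconfig/nfs are in effect (sample data, not captured from a real host).
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100011    1   udp   4003  rquotad
    100003    2   tcp   2049  nfs
"""
# Constructed ACCEPT rules in the iptables-save form used in the post.
RULES_SAMPLE = """\
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
"""
RPC_LINE = re.compile(r"^\s*\d+\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)")
RULE_LINE = re.compile(r"-p (tcp|udp)\b.*--dport (\d+)(?::(\d+))?.*-j ACCEPT")

def parse_rpcinfo(text):
    """Return {(service, proto, port)} for every endpoint registered with portmap."""
    found = set()
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if m:
            found.add((m.group(3), m.group(1), int(m.group(2))))
    return found

def parse_accept_rules(text):
    """Return {(proto, low_port, high_port)} for every ACCEPT rule carrying --dport."""
    ranges = set()
    for line in text.splitlines():
        m = RULE_LINE.search(line)
        if m:
            lo = int(m.group(2))
            ranges.add((m.group(1), lo, int(m.group(3)) if m.group(3) else lo))
    return ranges

def uncovered(registrations, ranges):
    """Registered RPC endpoints that no ACCEPT rule lets a NEW connection reach."""
    def allowed(proto, port):
        return any(p == proto and lo <= port <= hi for p, lo, hi in ranges)
    return sorted(e for e in registrations if not allowed(e[1], e[2]))
```

On a live host, feed it the real output of `rpcinfo -p` and `iptables-save`; a non-empty result means a daemon ignored the configured port or a rule is missing.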