nfs issue...

Pete Nesbitt pete at linux1.ca
Fri Jul 2 03:04:47 UTC 2004


On July 1, 2004 06:43 pm, bruce wrote:
> got it...
>
> it was the iptables....
>
> now... how/what do i have to do to the iptables app to get it to
> run/coexist with nfs...
>
> a former "linux" admin had set things up..and he's nowhere to be found!!!
>
> thanks..
>
> -bruce
>


IPtables is controlled by the script /etc/init.d/iptables.
The default setup is that the script uses the info in /etc/sysconfig/iptables 
to configure the rules. In many cases, /etc/init.d/iptables is replaced with 
an all-in-one script or calls something that is more readable/editable.
The tool redhat-config-securitylevel writes to /etc/sysconfig/iptables.

If you just want to get nfs thru the server's firewall, make a backup copy of 
the /etc/sysconfig/iptables file (if it exists), then either use this as the 
file, or append the 2 lines with "--dport 2049":

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

--
All I did was use the redhat-config-securitylevel tool to make a www (port 80) 
hole, then edited the file to port 2049 plus duplicated it for UDP (not sure if 
it needs it).
 
This is not a very good way to build a firewall, but it should poke nfs thru 
the server's firewall, and if there are existing rules in place, you will need 
to combine the old and new rules. On the other hand, if you want to write 
your own rules, there is lots of information online (www.netfilter.org etc.) 
and lots of knowledgeable people on this list to help.

-- 
Pete Nesbitt, rhce
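An added check (example code written here, not from the post or from Red Hat's tools): parse the ruleset above in iptables-save format and report the verdict a new inbound connection to a given port would reach, so you can confirm the two port 2049 rules sit before the terminal REJECT before loading the file. It models only the -i, -p, --dport and --state matches that this ruleset uses.

```python
import shlex
# Constructed input: the ruleset from the post, in iptables-save format.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse(text):
    """Return (chain -> policy, chain -> list of {option: value} rules)."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks, rule = shlex.split(line)[1:], {}
            for i, t in enumerate(toks[1:], 1):  # pair each -opt with its value
                if t.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    rule[t] = toks[i + 1]
            chains[toks[0]].append(rule)
    return policies, chains
def verdict(text, chain, proto, port):
    """Verdict for a NEW inbound packet on a non-loopback interface.
    Only -i, -p, --dport and --state are modelled; other matches are ignored."""
    policies, chains = parse(text)
    def walk(name):
        for r in chains[name]:
            if (r.get("-i") == "lo" or r.get("-p", proto) != proto
                    or r.get("--dport", str(port)) != str(port)
                    or "NEW" not in r.get("--state", "NEW").split(",")):
                continue  # rule does not match this packet
            target = r.get("-j")
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if target in chains and (v := walk(target)):  # user chain: descend
                return v
        return None  # fell off the end of the chain
    return walk(chain) or policies[chain]
```

Running verdict(RULESET, "INPUT", "tcp", 2049) returns ACCEPT while any other port (111, for example) returns REJECT, which is exactly the ordering the post relies on.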